So why is it called Dirty COW? Because the flaw (the "dirty" part) lies in Linux's COW, its copy-on-write mechanism, and "COW" sounds like "cow", hence the name Dirty COW. With it, an ordinary user running in user space can overwrite any file belonging to any user in any directory, including files owned by root. Imagine appending a line describing a root-privileged user to the passwd file: root privileges would follow easily. The vulnerability was considered very valuable; reportedly, some Android rooting apps sold a few years ago were built around this very bug.
MAP_SHARED: Share this mapping. Updates to the mapping are visible to other processes that map this file, and are carried through to the underlying file. (To precisely control when updates are carried through to the underlying file requires the use of msync(2).)
MAP_PRIVATE: Create a private copy-on-write mapping. Updates to the mapping are not visible to other processes mapping the same file, and are not carried through to the underlying file. It is unspecified whether changes made to the file after the mmap() call are visible in the mapped region.
The madvise function has the form int madvise(caddr_t addr, size_t len, int advice); In the PoC, the thread that calls madvise is used to release the memory mapping created by mmap together with the physical pages backing it. The advice argument is the crucial one; part of the man page's explanation of MADV_DONTNEED is excerpted below:
MADV_DONTNEED Do not expect access in the near future. (For the time being, the application is finished with the given range, so the kernel can free resources associated with it.) In other words, the application does not expect to touch this range in the near future (for now it is done with it, so the kernel may free the resources associated with it).
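The two mmap flags and the MADV_DONTNEED behaviour quoted above can be observed directly. The following C program is an added example written for this page, not code from the original post or from the Dirty COW PoC: it creates a scratch file (file name and contents are constructed), maps it once with MAP_PRIVATE and once with MAP_SHARED, writes through each mapping, checks whether the write reached the file on disk, and then applies MADV_DONTNEED to see whether the written data survives. For the private mapping the write stays in a copy-on-write page that MADV_DONTNEED simply throws away, so the next read comes back from the file; for the shared mapping the write is already in the page cache and persists.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Editor-added demonstration of MAP_SHARED vs MAP_PRIVATE and of what
 * MADV_DONTNEED does to a private (copy-on-write) page. Scratch file names
 * and contents are constructed for the example. */

static const char ORIGINAL[] = "original";   /* 8 chars + NUL */
static const char CHANGED[]  = "changed!";   /* same length as ORIGINAL */

/* Create a scratch file holding ORIGINAL. Tries /tmp, then the cwd. */
static int make_scratch_file(char *path, size_t pathsz)
{
    const char *candidates[] = { "/tmp/cowdemo-XXXXXX", "./cowdemo-XXXXXX" };
    for (size_t i = 0; i < 2; i++) {
        strncpy(path, candidates[i], pathsz - 1);
        path[pathsz - 1] = '\0';
        int fd = mkstemp(path);
        if (fd < 0) continue;
        if (write(fd, ORIGINAL, sizeof ORIGINAL) == (ssize_t)sizeof ORIGINAL)
            return fd;
        close(fd);
        unlink(path);
    }
    return -1;
}

/* Read the file back from disk, bypassing any mapping, and compare. */
static int file_holds(int fd, const char *expect)
{
    char buf[16] = {0};
    return pread(fd, buf, sizeof buf - 1, 0) > 0 && strcmp(buf, expect) == 0;
}

/* Map the scratch file with `flags`, write CHANGED through the mapping,
 * then MADV_DONTNEED the range. Reports whether the file on disk changed
 * and whether the mapping still shows CHANGED afterwards. Returns 1 if
 * the mmap/madvise calls themselves succeeded, 0 on error. */
static int run_mapping(int flags, int *file_changed, int *still_changed)
{
    char path[64];
    int fd = make_scratch_file(path, sizeof path);
    if (fd < 0) return 0;
    int ok = 0;
    size_t len = sizeof ORIGINAL;
    char *map = mmap(NULL, len, PROT_READ | PROT_WRITE, flags, fd, 0);
    if (map != MAP_FAILED) {
        memcpy(map, CHANGED, sizeof CHANGED); /* private: faults in a COW copy */
        if (flags == MAP_SHARED) msync(map, len, MS_SYNC);
        *file_changed = file_holds(fd, CHANGED);
        /* Private: discards the COW copy; the next access refaults from the
         * file. Shared: the dirty page is in the page cache, nothing is lost. */
        if (madvise(map, len, MADV_DONTNEED) == 0) {
            *still_changed = strcmp(map, CHANGED) == 0;
            ok = 1;
        }
        munmap(map, len);
    }
    close(fd);
    unlink(path);
    return ok;
}

/* 1 if a private mapping keeps its write away from the file and loses the
 * write on MADV_DONTNEED, exactly as copy-on-write is designed to do. */
int private_mapping_is_cow(void)
{
    int file_changed = 1, still_changed = 1;
    return run_mapping(MAP_PRIVATE, &file_changed, &still_changed)
        && !file_changed && !still_changed;
}

/* 1 if a shared mapping writes through to the file and the change
 * survives MADV_DONTNEED. */
int shared_mapping_writes_through(void)
{
    int file_changed = 0, still_changed = 0;
    return run_mapping(MAP_SHARED, &file_changed, &still_changed)
        && file_changed && still_changed;
}

int main(void)
{
    printf("MAP_PRIVATE behaves as copy-on-write: %s\n",
           private_mapping_is_cow() ? "yes" : "no");
    printf("MAP_SHARED writes through to the file: %s\n",
           shared_mapping_writes_through() ? "yes" : "no");
    return 0;
}
```

The useful observation for reasoning about the bug is the private case: the written data lives only in an anonymous copy of the page, and MADV_DONTNEED makes the kernel forget that copy and go back to the file, which is the state the PoC's madvise thread keeps recreating.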
/proc/$pid/mem shows the contents of $pid's memory mapped the same way as in the process, i.e., the byte at offset x in the pseudo-file is the same as the byte at address x in the process. If an address is unmapped in the process, reading from the corresponding offset in the file returns EIO (Input/output error). For example, since the first page in a process is never mapped (so that dereferencing a NULL pointer fails cleanly rather than unintendedly accessing actual memory), reading the first byte of /proc/$pid/mem always yields an I/O error.
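Both properties described above (offset equals address, and EIO for an unmapped offset) can be checked on a process's own address space with read-only access. The program below is an added example written for this page, not code from the original post; the marker string is constructed. It opens /proc/self/mem, reads at the address of a known variable and compares the bytes, then reads offset 0, the never-mapped first page, and reports the errno.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Editor-added example: read-only inspection of the calling process's own
 * /proc/self/mem. The probe string is constructed for the demonstration. */

/* Returns 1 if reading /proc/self/mem at the address of `probe` yields the
 * same bytes as the variable itself; 0 otherwise (including when /proc is
 * not available). */
int proc_mem_mirrors_address_space(void)
{
    static const char probe[] = "constructed-marker";
    char buf[sizeof probe] = {0};
    int fd = open("/proc/self/mem", O_RDONLY);
    if (fd < 0) return 0;
    /* The file offset is the virtual address of the probe. */
    ssize_t n = pread(fd, buf, sizeof probe, (off_t)(uintptr_t)probe);
    close(fd);
    return n == (ssize_t)sizeof probe && memcmp(buf, probe, sizeof probe) == 0;
}

/* Returns the errno produced by reading one byte at offset 0, which the
 * text says is EIO because the first page is never mapped. Returns 0 if
 * the read unexpectedly succeeds and -1 if /proc/self/mem cannot be opened. */
int proc_mem_unmapped_errno(void)
{
    char byte;
    int fd = open("/proc/self/mem", O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, &byte, 1, 0);
    int err = (n < 0) ? errno : 0;
    close(fd);
    return err;
}

int main(void)
{
    printf("bytes at probe address match: %s\n",
           proc_mem_mirrors_address_space() ? "yes" : "no");
    int err = proc_mem_unmapped_errno();
    printf("reading offset 0: %s\n", err > 0 ? strerror(err) : "no error");
    return 0;
}
```

Because the read goes through the kernel's remote-memory access path rather than the process's own page tables, the byte-for-byte match holds even for pages the process itself could only read, such as the .rodata page holding the probe.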