The Android kernel mitigations obstacle race

A great article by Man Yue Mo about exploiting a race condition that leads to a use-after-free vulnerability in the Qualcomm GPU driver for Samsung Galaxy Z Flip3.

The researcher widened the race window to hit the bug reliably, and then bypassed kCFI, automatic variable initialization, and Samsung RKP in the exploit.

TripleCross

A Linux eBPF rootkit providing a backdoor with command and control (C2) capabilities, library injection, execution hijacking, persistence, and hiding.

[CVE-2022-34918] A crack in the Linux firewall

An article by Arthur Mongodin about exploiting a slab-buffer-overflow in the netfilter subsystem.

The exploit uses the unlinking technique from Lam Jun Rong's io_uring exploit.

Corrupting memory without memory corruption

An article by Man Yue Mo about exploiting CVE-2022-20186, an integer overflow in the Arm Mali GPU driver.

The bug allows mapping arbitrary physical pages to the GPU memory with both read and write access. The exploit gets arbitrary kernel code execution on Pixel 6, disables SELinux, and gains root.

PAWNYABLE: Linux Kernel Exploitation

A series of articles in Japanese by ptr-yudai covering various Linux kernel exploitation techniques.

The quantum state of Linux kernel garbage collection CVE-2021-0920 (Part I)

Xingyu Jin published an article describing the root cause of a race condition in the garbage collection for SCM_RIGHTS.

This bug is used for Android exploitation in the wild.

CVE-2022-29582, an io_uring vulnerability

A detailed and well-written article by Awarau and David Bouman about exploiting a slab use-after-free vulnerability in the io_uring subsystem.

The exploit leverages a cross-cache attack and msg_msg spraying to overwrite a tls_context object and execute a ROP chain to gain root.

Reviving Exploits Against Cred Structs - Six Byte Cross Cache Overflow to Leakless Data-Oriented Kernel Pwnage

FizzBuzz101 published an article describing a solution of their corCTF challenge Cache of Castaways.

The PoC exploit implemented a cross cache overflow attack against cred structs in isolated slabs.

CoRJail: From Null Byte Overflow To Docker Escape Exploiting poll_list Objects In The Linux Kernel

D3v17 published an article describing the solution of their corCTF challenge CoRJail.

The PoC exploit used a single null-byte out-of-bounds write to corrupt a poll_list object in the kmalloc-4k slab cache and obtain an arbitrary free primitive.

It allowed the researcher to corrupt a user_key_payload structure and get out-of-bounds read.

Finally the researcher used the arbitrary free primitive to corrupt a pipe_buffer structure and hijack the kernel control flow to escape the container.

DirtyCred

A talk by Zhenpeng Lin about an exploitation technique for memory corruptions called DirtyCred.

The technique works by freeing an unprivileged credentials object via a memory corruption and allocating a privileged one in the same slot.

Android Universal Root: Exploiting xPU Drivers

A talk about exploiting Android devices with PowerVR GPUs.

E'rybody Gettin' TIPC: Demystifying Remote Linux Kernel Exploitation

A talk by Sam Page about attempts to exploit CVE-2022-0435, a remotely-triggerable stack overflow in the TIPC protocol.

An exploit primitive in the Linux kernel inspired by DirtyPipe

A brief denoscription of an exploitation technique inspired by the DirtyPipe vulnerability.

The technique works by overwriting the flags field of a pipe_buffer object with PIPE_BUF_FLAG_CAN_MERGE via a memory corruption. This allows changing the contents of an arbitrary read-only file via the splicing trick used by DirtyPipe.

SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)

A detailed write-up by Cedric Halbronn, Alex Plaskett, and Fidgeting Bits about exploiting a slab use-after-free bug in the netfilter subsystem.

Sanitizing the Linux kernel: On KASAN and other Dynamic Bug-finding Tools

Slides from a talk by Andrey Konovalov about Sanitizers — a family of Linux kernel bug detectors.

The talk covers:

🐧 Implementation of the Generic mode of KASAN
🔥 Brief overview of other Sanitizers
🗡 Tips on extending KASAN and KMSAN to find more bugs

How I started chasing speculative type confusion bugs in the kernel and ended up with 'real' ones

Jakob Koschel gave a talk (slides, video) at the Linux Plumbers Conference about the tool for discovering speculative type confusion bugs in the Linux kernel. He described how this research suddenly led to the kernel upgrading from C89 to C11.

Attacking the Android kernel using the Qualcomm TrustZone

An article by Tamir Zahavi-Brunner about exploiting the Android kernel via a memory corruption in the Qualcomm's TrustZone implementation.

[CVE-2022-1786] A Journey To The Dawn

A thrilling article by kylebot about exploiting a race condition that leads to a double-free in the io_uring subsystem and winning a kCTF bounty.

The exploit uses novel techniques: overwriting binfmt structures instead of modprobe_path and using fork and msleep to safely return to userspace after executing a ROP chain.

pipe_buffer arbitrary read write

Awarau published an article describing the arbitrary read/write technique using pipe_buffer.

Canary in the Kernel Mine: Exploiting and Defending Against Same-Type Object Reuse

An article by Mathias Krause about creating a mitigation for same-type same-address use-after-free bugs affecting the file and cred structures. Mathias also provided a set of exploits that was used to test the mitigation.

A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain

An article by Maddie Stone covering an exploit chain for Exynos-based Samsung phones that relies on two kernel bugs.

The exploit bypasses KASLR by triggering a warning and reading the report from the kernel log. The exploit then uses a use-after-free of the file structure in the DECON driver to gain AARW by controlling addr_limit.