CVE-2023-2008 - Analyzing and exploiting a bug in the udmabuf driver

An article about exploiting a logical bug in the fault handler implementation of udmabuf mappings.

The exploit shared by Eloi Sanfelix gains root on Ubuntu. Triggering the bug requires the user to be in the kvm group.

Breaking the Code - Exploiting and Examining CVE-2023-1829 in cls_tcindex Classifier Vulnerability

An article by Vu Thi Lan about exploiting a slab use-after-free bug in the netfilter subsystem.

The shared exploit gains root on Ubuntu.

UNCONTAINED: Uncovering Container Confusion in the Linux Kernel

A paper (overview) by Jakob Koschel, Pietro Borrello, et al. about finding type confusion bugs in container_of invocations.

Dirty Pagetable: A Novel Exploitation Technique To Rule Linux Kernel

An article by Nicolas Wu about the Dirty Pagetable exploitation technique.

Dirty Pagetable enables using a slab bug to overwrite userspace Page Table Entries and gain arbitrary read/write access to physical memory.

To demonstrate the technique, Nicolas Wu and Ye Zhang wrote a few exploits, including one for CVE-2023-21400, a racy slab double-free in the io_uring subsystem. The exploit gains root on Pixel 7.

No CVE for this bug which has never been in the official kernel

Javier P Rufo published an article about exploiting a slab use-after-free bug in the ptrace subsystem via a cross-cache attack.

A new method for container escape using file-based DirtyCred

An article by Choo Yi Kai about escaping a Docker container by overwriting /proc/sys/kernel/modprobe via the DirtyCred exploitation technique.

The article also describes a way to delay the page fault handler via FALLOC_FL_PUNCH_HOLE for winning a race condition, similar to the commonly-used userfaultfd and FUSE–based techniques.

StackRot (CVE-2023-3269): Linux kernel privilege escalation vulnerability

An article by Ruihan Li about exploiting StackRot — a locking bug in the virtual memory management subsystem that leads to a UAF-by-RCU vulnerability.

The author also shared an exploit that acquires root privileges in the Google kCTF challenge.

GameOver(lay): Easy-to-exploit local privilege escalation vulnerabilities in Ubuntu Linux

An article by Sagi Tzadik and Shir Tamari about finding and exploiting two logical bugs in the OverlayFS implementation on Ubuntu kernels.

Bad io_uring: A New Era of Rooting for Android

Slides from a talk by Zhenpeng Lin about exploiting an invalid-free bug in the io_uring subsystem on Android.

The shared exploit gains root on Pixel 6 and Samsung Galaxy S22

Make KSMA Great Again: The Art of Rooting Android devices by GPU MMU features

Slides from a talk by Yong Wang about adapting the Kernel Space Mirroring Attack to the Arm Mali GPU MMU.

Linux Kernel Exploit (CVE-2022–32250) with mqueue

An article about exploiting a slab use-after-free bug in the netfilter subsystem.

The shared exploit escalates privileges to root on the Ubuntu kernel.

CVE-2023-3389 - LinkedPoll

Querijn Voet published an article about exploiting a race condition causing a use-after-free in the io_uring subsystem.

Old bug, shallow bug: Exploiting Ubuntu at Pwn2Own Vancouver 2023

An article by Tanguy Dubroca about exploiting a stack out-of-bounds bug in the netfilter subsystem (yet again).

The shared exploit gains root privileges on Ubuntu.

CVE-2023-4273: a vulnerability in the Linux exFAT driver

An article by Maxim Suhanov about bypassing the kernel lockdown by exploiting a stack buffer-overflow in the exFAT driver.

Rustproofing Linux

Four-part article describing the vulnerability classes that may exist in the Linux kernel modules written in Rust language.

▪️Part 1 is about leaking kernel addresses

▪️Part 2 describes race conditions

▪️Part 3 discusses integer overflows

▪️Part 4 goes through shared memory bugs

Tickling and unleashing ksmbd

Two articles about fuzzing and remotely exploiting ksmbd — the Linux kernel SMB module — by notselwyn.

The first article describes how the author used syzkaller and KCOV for coverage-guided fuzzing of ksmbd.

The second article demonstrates how to exploit two of the found bugs: a null-pointer-dereference that leads to a DoS and an out-of-bounds read that leads to an info-leak.

Analyzing a Modern In-the-wild Android Exploit

An article by Seth Jenkins about analyzing the kernel privilege escalation stage of an Android exploit detected in the wild.

The analyzed stage used a locking bug in the ALSA subsystem and a poorly designed interface feature of the Mali GPU driver to achieve an arbitrary read/write primitive from the system_server context.

kernel-hardening-checker

My open source tool for checking the security hardening options of the Linux kernel got a new name: kernel-hardening-checker.

Now it supports checking:

1️⃣ Kconfig options (compile-time)
2️⃣ Kernel cmdline arguments (boot-time)
3️⃣ Sysctl parameters (runtime)

Escaping the Google kCTF Container with a Data-Only Exploit

An article by h0mbre about exploiting a use-after-free on struct file in the io_uring subsystem.

The exploit uses a cross-cache attack to reclaim the freed struct file with a pipe buffer, fakes two different file structs to gain arbitrary address read and write, gets root privileges, and escapes the kernelCTF container.

Enable MTE on Pixel 8

Instructions for enabling Memory Tagging Extension for the kernel on Pixel 8 by Kees Cook.

The instructions describe how to enable kernel MTE in the reporting mode. Enabling MTE as a mitigation for kernel memory corruptions requires additionally passing kasan.fault=panic to the kernel command-line as pointed out by Andrey Konovalov.

MTE as a kernel mitigation is still an experimental feature and requires improvements as previously pointed out by Mark Brand.

Exploring Linux's New Random Kmalloc Caches

An article by sam4k about the new CONFIG_RANDOM_KMALLOC_CACHES mitigation.

The article gives an overview of the currently used slab exploitation techniques, provides a deep analysis of the CONFIG_RANDOM_KMALLOC_CACHES implementation, and reasons about how the new mitigation affects the existing techniques.