Android Security Bulletin — March 2021
A bug in the xt_qtaguid netfilter module and a bunch of bugs in Qualcomm drivers.
https://source.android.com/security/bulletin/2021-03-01#kernel-components
Kernel Electric-Fence (KFENCE)
KFENCE, a low-overhead sampling-based memory safety error detector for the Linux kernel, was merged for Linux 5.12.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/dev-tools/kfence.rst
Exploiting Kernel Races Through Taming Thread Interleaving
A Black Hat talk about using interrupts to widen race windows when exploiting race conditions. By Yoochan Lee.
Video: https://www.youtube.com/watch?v=5M3WhLVLCzs
Slides: https://i.blackhat.com/USA-20/Thursday/us-20-Lee-Exploiting-Kernel-Races-Through-Taming-Thread-Interleaving.pdf
Fuzzing the Linux kernel
The talk I gave yesterday about Linux kernel fuzzing. A part of the Linux Foundation Mentorship Series. Covers the general theory behind fuzzing and the approaches to fuzzing the Linux kernel in particular.
Video: https://youtube.com/watch?v=4IBWj21tg-c
Slides: https://linuxfoundation.org/wp-content/uploads/2021-Linux-Foundation-Mentorship-Series_-Fuzzing-the-Linux-Kernel.pdf
Exploiting CVE-2020-11239 in Android
A detailed article about exploiting the Android vulnerability CVE-2020-11239, which is a use-after-free in the Qualcomm kgsl driver.
https://securitylab.github.com/research/one_day_short_of_a_fullchain_android
Exploiting CVE-2021-27365 in the Linux kernel iSCSI implementation
This vulnerability is a heap buffer overflow that was introduced to the Linux kernel 15 years ago.
https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html?m=1
Undocumented x86 instructions in Intel CPUs revealed
These instructions fully control the microarchitectural state of Intel CPUs. They can even modify the microcode!
https://twitter.com/_markel___/status/1373059797155778562?s=19
Android Security Bulletin — January 2021
A fix for an uninitialized memory disclosure in core files, two fixes for speculative execution bugs, and a bunch of fixes for Qualcomm drivers.
A note regarding one of the latter: "There are indications that CVE-2020-11261 may be under limited, targeted exploitation."
https://source.android.com/security/bulletin/2021-01-01#kernel-compoents
https://source.android.com/security/bulletin/2021-01-01#qualcomm-components
KFENCE — Detecting memory bugs in production kernels
A blog post about KFENCE, a low-overhead sampling-based memory safety error detector for the Linux kernel.
https://thomasw.dev/post/kfence/
Security things in Linux v5.9
A list of security-related updates that were merged into Linux kernel version 5.9. Composed by Kees Cook.
https://outflux.net/blog/archives/2021/04/05/security-things-in-linux-v5-9/
Android Security Bulletin — April 2021
A use-after-free in the block subsystem; what looks like a side-channel info-leak in ICMP; and a couple of bugs in Qualcomm components, including a bug in the sockev netlink driver.
https://source.android.com/security/bulletin/2021-04-01#kernel-components
https://source.android.com/security/bulletin/2021-04-01#qualcomm-components
BleedingTooth: Exploiting Bluetooth RCE in the Linux kernel
BleedingTooth is a set of zero-click vulnerabilities in the Linux Bluetooth subsystem that can allow an unauthenticated remote attacker in short distance to execute arbitrary code with kernel privileges on vulnerable devices.
https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup
Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel
I've published the article about exploiting CVE-2021-26708 for local privilege escalation on Fedora 33 Server for x86_64, bypassing SMEP and SMAP.
https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html
PoC exploit demo video: https://www.youtube.com/watch?v=EC8PFOYOUgU
Rust in the Linux kernel
An RFC patch series that adds Rust support to the kernel has been posted. It aims to provide wrappers for the core kernel APIs and allow implementing kernel modules in safe Rust.
The series includes a work-in-progress Rust implementation of the Android binder driver.
See the cover letter for the high-level design outline and the blog post for a deeper explanation of the implementation of an example module.
Cover letter: https://lore.kernel.org/lkml/20210414184604.23473-1-ojeda@kernel.org/
Blog post: https://security.googleblog.com/2021/04/rust-in-linux-kernel.html
Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits
Research on introducing vulnerabilities into the kernel while pretending to fix bugs. The researchers succeeded.
This research was done last year, but subsequent (seemingly unrelated) work by the same authors is now causing a lot of drama in the Linux kernel community.
Paper: https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf
Drama: https://twitter.com/gregkh/status/1384785747874656257
A foray into Linux kernel exploitation on Android
An article describing an attempt to exploit the pvrsrvkm driver on an Alcatel 1S 2019.
https://mcyoloswagham.github.io/linux/
Android Security Bulletin — May 2021
A bug in TTY reported by Jann Horn a while ago and a bunch of bugs in Qualcomm drivers as usual.
https://source.android.com/security/bulletin/2021-05-01#kernel-components
https://bugs.chromium.org/p/project-zero/issues/detail?id=2125&can=1&q=linux%20kernel&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary&cells=ids&sort=-id
https://source.android.com/security/bulletin/2021-05-01#qualcomm-components
CVE-2021-32606: CAN ISOTP local privilege escalation
Exploiting a race condition in ISOTP CAN sockets.
https://github.com/nrb547/kernel-exploitation/blob/main/cve-2021-32606/cve-2021-32606.md
Fuzzing the Linux kernel
The talk I gave about Linux kernel fuzzing at PHDays 2021. Roughly the same content as the Linux Foundation Mentorship talk, but organized differently.
Slides: https://docs.google.com/presentation/d/19JaXHFMT-R2le6x-vPKw5D1Cxlw2aLtxHEIDwWBNXCQ/edit?usp=sharing
Video: https://standoff365.com/phdays10/schedule/tech/fuzzing-the-linux-kernel/
Four Bytes of Power: Exploiting CVE-2021-26708 in the Linux Kernel
I've published the video of my talk for Zer0Con 2021: https://m.youtube.com/watch?v=EMcjHfceX44
And I gave this talk in Russian for a live audience at PHDays 2021. Video: https://standoff365.com/phdays10/schedule/tech/4-bytes-of-power-exploiting-cve-2021-26708-in-the-linux-kernel
A Nerve-Racking Bug Collision in Samsung's NPU Driver
An exploit write-up by Gyorgy Miru for another bug in the Samsung NPU driver. Unlike the vmalloc-based exploits published by P0 and others, this one relies on a race condition leading to a slab-out-of-bounds write.
https://labs.taszk.io/articles/post/bug_collision_in_samsungs_npu_driver/