• LK - Modern Linux Kernel 0,1-day Unkind-Exploitations Review

    posted by zer0day tl;dr Last time, I posted about the 1-day vulnerability CVE-2017-5123, a waitid() arbitrary R/W with null-deref on LK v4.13.x/~v4.14.0-rc4. It happened because there is no sanity check of whether the input address (*infop, specifically) is in kernel-land or user-land. Also, you can find other good payloads that include a sandbox bypass, like chrome-sandbox...


  • LK v4.17.x - qlist_free_all - kernel paging request

    qlist_free_all - unable to handle kernel paging request posted & found by zer0day tl;dr Found on LK v4.17.0+. Call Trace (Dump) Here’s a syzkaller report. BUG: unable to handle kernel paging request at 00000be050002008 PGD 0 P4D 0 Oops: 0000 [#1] SMP KASAN PTI CPU: 0 PID: 10987 Comm: udevd...


  • LK v4.17.x - kmem_cache_alloc - general page fault

    kmem_cache_alloc - general page fault posted & found by zer0day tl;dr Found on LK v4.17.0+. Led to a null-dereference. Not analyzed yet… Call Trace (Dump) Here’s a syzkaller report. kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] SMP KASAN...


  • LK v4.17.x - ext4_data_block_valid - uaf

    ext4_data_block_valid - use after free Read posted & found by zer0day tl;dr Found in LK v4.17.0+. Interesting one… :) Call Trace (Dump) Here’s dmesg. [ 198.171416] EXT4-fs (sda): re-mounted. Opts: noblock_validity,,errors=continue [ 198.171520] ================================================================== [ 198.173422] BUG: KASAN: use-after-free in ext4_data_block_valid+0x2c1/0x320 [ 198.174371] Read of size 8 at addr ffff880065ee36a8...


  • LK v4.17.x - dev_watchdog - warn

    dev_watchdog - warning posted & found by zer0day tl;dr Got from syzkaller; found in LK v4.17.0+. Call Trace (Dump) Here’s a syzkaller report. ------------[ cut here ]------------ NETDEV WATCHDOG: eth0 (e1000): transmit queue 0 timed out WARNING: CPU: 1 PID: 0 at net/sched/sch_generic.c:461 dev_watchdog+0x919/0xa40 net/sched/sch_generic.c:460 Kernel panic - not...