  • LKE - tutorial - Stack based Overflow

    Linux Kernel Exploitation Tutorial - 2 tl;dr In this article, we're going to exploit an LK module which has a stack overflow vulnerability while bypassing SMEP. Background Before we start, there are some concepts for bypassing those protections. SMEP/SMAP : Supervisor Mode Execution/Access Protection, which means userland code cannot be executed by...


  • LKE - tutorial - NULL dereference

    Linux Kernel Exploitation Tutorial - 1 Case Let's get down to the point. This time, I'll give an example code which has a NULL dereference vulnerability. The testing environment is shown below. zero@ubuntu:~$ uname -a Linux ubuntu 4.16.0-041600rc1-generic #201802120030 SMP Mon Feb 12 00:31:33 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux zero@ubuntu:~$...


  • LK v4.16.x - pfifo_fast_enqueue - kernel paging request

    pfifo_fast_enqueue - unable to handle kernel paging request posted & found by zer0day tl;dr I just got this bug from syzkaller today on LK v4.16.0-rc1. Call Trace (Dump) Here’s a Dump. IP: qdisc_qstats_cpu_qlen_inc include/net/sch_generic.h:717 [inline] IP: pfifo_fast_enqueue+0xce/0x130 net/sched/sch_generic.c:638 PGD 5f758067 P4D 5f758067 PUD 5f759067 PMD 7fa34067 PTE 800000003a9f7060 Oops: 0000...


  • LK v4.16.x - seq_read - deadlock

    seq_read - possible circular locking (leading to deadlock) posted & found by zer0day tl;dr I’ll just add a Call Trace (Dump) only because it isn’t important as well and the dump will explain sufficiently :). Call Trace (Dump) WARNING: possible circular locking dependency detected 4.16.0-rc1+ #15 Not tainted ------------------------------------------------------ syz-executor2/10621...


  • LK v4.16.x - fifo_open - deadlock

    fifo_open - possible circular locking (leading to deadlock) posted & found by zer0day tl;dr I’ll just add a Call Trace (Dump) only because it isn’t important as well and the dump will explain sufficiently :). Call Trace (Dump) WARNING: possible circular locking dependency detected 4.16.0-rc1+ #15 Not tainted ------------------------------------------------------ syz-executor4/30664...