  • LK v4.15.x - sidtab_search_core - null dereference

    selinux/sidtab_search_core - null dereference by GPF posted & found by zer0day tl;dr Actually, I got this bug with ‘syzkaller’ about a month ago (on v4.15.0-rc4) and had forgotten about it, but now on v4.15.0-rc8 the same bug is triggered by my PoC code, so I wrote about it :). First of all,...


  • LK - prlimit64 - kernel panic

    prlimit64 (leading to kernel panic) posted & found by zer0day tl;dr W4F, not serious :). I just found a crash on LK v4.15.x (maybe on most LKs). Actually, it’s obvious that it has to happen, because resizing the MSGQUEUE limit to 0 and calling socket$xxx repeatedly, in result,...


  • LK v4.15.x - unwind_orc - stack out-of-bounds

    unwind_orc - read 8 bytes stack oob in unwind_next_frame posted & found by zer0day tl;dr I just found a bug(?): a stack OOB (8-byte read) in unwind_orc. So I just tested it on the latest LK (v4.15.0-rc4 currently), and it worked. But I found the commit about this bug(?). He (the committer)...


  • LK v4.15.x - spinlock recursion, deadlock

    spin-lock recursion bug (leading to deadlock) posted & found by tl;dr There isn’t any recursion check on the spin-lock where I found it (not exact). So when it is executed recursively, a deadlock is triggered. It needs to check the current and calling thread id so as to avoid deadlock in recursive cases. Below is pseudo code...
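    As an added user-space sketch (not code from the post or from the kernel), the owner check described above in C11: a plain test-and-set lock is shown beside a variant that remembers the holding task id and a nesting depth. A plain integer task id stands in for the kernel's `current`, the task ids 42 and 7 are constructed, and the spin is bounded so the case that would deadlock gives up instead of hanging; `NO_OWNER`, `naive_spinlock` and `rec_spinlock` are names made up for this example.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical task id standing in for the kernel's `current`; 0 means unowned. */
#define NO_OWNER 0

/* Plain test-and-set spinlock, the shape of a non-recursive kernel spinlock.
 * It records nothing about its holder, so the holder re-taking it spins forever. */
struct naive_spinlock {
    atomic_flag locked;
};

/* Bounded acquire: true if taken within max_spins attempts, false otherwise.
 * The bound stands in for the deadlock so this demo terminates instead of hanging. */
static bool naive_lock_bounded(struct naive_spinlock *l, unsigned long max_spins)
{
    for (unsigned long i = 0; i < max_spins; i++)
        if (!atomic_flag_test_and_set_explicit(&l->locked, memory_order_acquire))
            return true;
    return false;
}

static void naive_unlock(struct naive_spinlock *l)
{
    atomic_flag_clear_explicit(&l->locked, memory_order_release);
}

/* Recursion-aware variant: remembers the owning task and a nesting depth, so a
 * re-entrant acquire by the owner nests instead of spinning on itself. */
struct rec_spinlock {
    atomic_flag locked;
    atomic_int owner;     /* task id of the holder, NO_OWNER when free */
    unsigned int depth;   /* nesting count; only the owner touches it */
};

static bool rec_lock_bounded(struct rec_spinlock *l, int tid, unsigned long max_spins)
{
    /* The owner check: is the calling task already the holder? Then just nest. */
    if (atomic_load_explicit(&l->owner, memory_order_acquire) == tid) {
        l->depth++;
        return true;
    }
    for (unsigned long i = 0; i < max_spins; i++) {
        if (!atomic_flag_test_and_set_explicit(&l->locked, memory_order_acquire)) {
            atomic_store_explicit(&l->owner, tid, memory_order_relaxed);
            l->depth = 1;
            return true;
        }
    }
    return false;
}

/* Release one nesting level; only the owner may release, and the flag is
 * cleared only when the outermost level unwinds. Returns false on misuse. */
static bool rec_unlock(struct rec_spinlock *l, int tid)
{
    if (atomic_load_explicit(&l->owner, memory_order_relaxed) != tid)
        return false;
    if (--l->depth > 0)
        return true;
    atomic_store_explicit(&l->owner, NO_OWNER, memory_order_relaxed);
    atomic_flag_clear_explicit(&l->locked, memory_order_release);
    return true;
}

/* One task takes the naive lock, then a callee on the same task takes it again.
 * Returns 1 if the inner acquire succeeded, 0 if it gave up (the deadlock case),
 * -1 if even the outer acquire failed. */
static int naive_recursive_scenario(void)
{
    struct naive_spinlock l = { ATOMIC_FLAG_INIT };
    if (!naive_lock_bounded(&l, 1000))
        return -1;
    bool inner = naive_lock_bounded(&l, 1000);  /* never succeeds: the holder is us */
    naive_unlock(&l);
    return inner ? 1 : 0;
}

/* Same pattern with the owner check: the owner nests three deep, another task
 * is kept out until the full unwind, and a foreign unlock is refused. */
static bool rec_scenario(void)
{
    struct rec_spinlock l = { ATOMIC_FLAG_INIT, NO_OWNER, 0 };
    const int owner = 42, other = 7;   /* constructed task ids */

    for (int i = 0; i < 3; i++)
        if (!rec_lock_bounded(&l, owner, 1000))
            return false;
    if (l.depth != 3)
        return false;
    if (rec_lock_bounded(&l, other, 1000))   /* other task must still be excluded */
        return false;
    if (rec_unlock(&l, other))               /* non-owner release is rejected */
        return false;
    for (int i = 0; i < 3; i++)
        if (!rec_unlock(&l, owner))
            return false;
    if (!rec_lock_bounded(&l, other, 1000))  /* now free for the other task */
        return false;
    return rec_unlock(&l, other);
}

int main(void)
{
    printf("naive lock, recursive acquire: %s\n",
           naive_recursive_scenario() == 0 ? "gave up (would deadlock)" : "unexpected");
    printf("owner-checked lock: %s\n", rec_scenario() ? "ok" : "broken");
    return 0;
}
```

    The owner field is what turns a self-deadlock into a depth increment; the unlock path must then release the flag only when the depth returns to zero, otherwise an inner unlock would free a lock the outer frame still believes it holds.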


  • LKE v4.13.x - waitid() LPE

    Linux Kernel waitid() Local Privilege Escalation posted by zer0day, 10/29/2017 tl;dr Some days ago, I just saw this vulnerability somewhere on Google. It’s about kernel exploitation, CVE-2017-5123. Maybe it works on 4.14.0-rc1 ~ 4.14.0-rc4; the latest released version is 4.14.0-rc7 and the stable build is 4.13.10 (2017/11/2). The reasons for...