  • LK v4.17.x - unregister_netdevice - warn

    unregister_netdevice - waiting for DEV to become free posted & found by zer0day tl;dr Got from syzkaller & Found in LK v4.17.0-rc1. Call Trace (Dump) Here’s a dmesg. ... [ 292.993864] unregister_netdevice: waiting for lo to become free. Usage count = 5 ... PoC Later… End


  • LK v4.17.x - shrink_dcache_parent - soft lockup

    shrink_dcache_parent - soft lockup posted & found by zer0day tl;dr Got from syzkaller & Found in LK v4.17.0-rc1. Similar symptom prev ver patch Call Trace (Dump) Here’s a dmesg. [ 124.038017] watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [syz-executor2:2903] [ 124.039236] Modules linked in: [ 124.039711] irq event...


  • LK v4.17.x - __sctp_v6_cmp_addr - oobs

    __sctp_v6_cmp_addr - slab out of bounds Read posted & found by zer0day tl;dr Found in LK v4.17.0-rc1. slab-out-of-bounds in __sctp_v6_cmp_addr, 8 bytes read. Demo Log zero@zer0day:/tmp$ gcc -o poc poc.c zero@zer0day:/tmp$ ./poc [ 53.074578] ================================================================== [ 53.077133] BUG: KASAN: slab-out-of-bounds in __sctp_v6_cmp_addr+0x3e4/0x440 [ 53.079233] Read of size 8 at addr...


  • LK v4.16.x - process_preds - uaf/oobs

    process_preds - slab out of bounds Write / use after free Read/Write posted & found by zer0day tl;dr Found in LK v4.16.0. Interesting one… :) Call Trace (Dump) Here’s a dmesg. zero@zer0day:/tmp$ uname -a Linux zer0day 4.16.0+ #30 SMP Fri Apr 13 14:35:45 KST 2018 x86_64 GNU/Linux zero@zer0day:/tmp$ id uid=1000(zero) gid=1000(zero)...


  • LK v4.16.x - xxx - memory leak

    xxx - memory leak posted & found by zer0day tl;dr Found on LK v4.16.x. Leaked bytes seem like part of the Kprobe-tracing event logs. > /sys/kernel/debug/tracing/events/kprobes/myprobe/format ... print fmt: "(%lx) dfd=%lx filename=%lx flags=%lx mode=%lx", REC->__probe_ip, REC->dfd, REC->filename, REC->flags, REC->mode ... Maybe that file cannot be opened without root perm, but...