  • LK v4.16.x - alloc_vmap_area - kernel paging request

    alloc_vmap_area - unable to handle kernel paging request
    posted & found by zer0day
    tl;dr Found on LK v4.16.0. Seems weird…
    Call Trace (Dump)
    Here’s a dmesg.
    [ 420.823887] BUG: unable to handle kernel paging request at ffffffffffffffd0
    [ 420.824743] PGD 29e24067 P4D 29e24067 PUD 29e26067 PMD 0
    [ 420.825278] Oops:...


  • LK v4.16.x - uprobe_perf_close - uaf

    uprobe_perf_close - use after free Read
    posted & found by zer0day
    tl;dr Got from syzkaller & Found in LK v4.16.0. I didn’t analyze it yet.
    Call Trace (Dump)
    Here’s a syzkaller report.
    BUG: KASAN: use-after-free in uprobe_perf_close+0x3de/0x520 kernel/trace/trace_uprobe.c:1048
    Read of size 4 at addr ffff88007a4baf0c by task syzkaller591669/2952
    CPU: 1 PID:...


  • LK v4.16.x - skb_release_data - uaf

    skb_release_data - use after free Write
    posted & found by zer0day
    tl;dr Got from syzkaller & Found in LK v4.16.0. I didn’t analyze it yet.
    Call Trace (Dump)
    Here’s a syzkaller report.
    BUG: KASAN: use-after-free in atomic_sub_return include/asm-generic/atomic-instrumented.h:258 [inline]
    BUG: KASAN: use-after-free in skb_release_data+0x15f/0x740 net/core/skbuff.c:559
    Write of size 4 at addr...


  • LK v4.16.x - xxx - slab overwritten

    xxx - slab padding overwritten
    posted & found by zer0day
    tl;dr Got from syzkaller & Found in LK v4.16.0. Just more slab stuff… I didn’t analyze it yet.
    Call Trace (Dump)
    [ 232.959395] BUG selinux_file_security (Not tainted): Padding overwritten. 0x00000000ee4aa18f-0x000000003704f4a5
    [ 232.960284] -----------------------------------------------------------------------------
    [ 232.960284]
    [ 232.961111] Disabling lock debugging due...


  • LK v4.16.x - strlen - oobs

    strlen - slab out of bounds Read
    posted & found by zer0day
    tl;dr Got from syzkaller & Found in LK v4.16.0. I didn’t analyze it yet. Interesting one… :)
    Call Trace (Dump)
    [ 66.494709] BUG: KASAN: slab-out-of-bounds in strlen+0x8e/0xa0
    [ 66.495406] Read of size 1 at addr ffff88007be71348 by task syz-executor0/12148...
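The five excerpts above are the heads of three different report formats (an x86 page-fault oops, KASAN reports, and a SLUB-debug "Padding overwritten" report), and the first thing a triager does with a pile of them is normalise each into a bucket key so duplicates collapse. The parser below is an added example written for this page; it is not code from zer0day's posts or from syzkaller. The sample input is copied from the excerpts exactly as they appear (including the truncations), the bucket string is modelled on syzkaller-style titles but is this example's own format, and the "ERR_PTR / negative offset from NULL" note for fault addresses in the last page of the address space is a triage heuristic, not something the posts state.

```python
"""Normalise the first lines of kernel crash reports into dedup buckets.

Added example for the reports listed on this page, not the posts' own code.
Sample input below is copied from the page; truncated lines stay truncated.
"""
import re

TS = re.compile(r"^\[\s*\d+\.\d+\]\s?")  # dmesg "[ 420.823887] " prefix
KASAN = re.compile(
    r"BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?:\s+(?P<loc>\S+:\d+))?(?P<inline>\s+\[inline\])?"
)
PAGING = re.compile(r"BUG: unable to handle kernel paging request at (?P<addr>[0-9a-f]+)")
SLUB = re.compile(r"BUG (?P<cache>\S+) \((?P<taint>[^)]*)\): (?P<what>[^.]+)\.")
ACCESS = re.compile(
    r"(?P<rw>Read|Write) of size (?P<size>\d+)"
    r"(?: at addr (?P<addr>[0-9a-f]+))?(?: by task (?P<task>\S+?)/(?P<pid>\d+))?"
)
# Heuristic (assumption): a fault in the top page (-4095..-1) is usually an
# ERR_PTR() value or a negative struct offset applied to NULL, not a wild pointer.
ERR_PTR_FLOOR = 0xFFFFFFFFFFFFF000

# Constructed sample: report heads copied from the excerpts on this page.
REPORTS = {
    "alloc_vmap_area": """[ 420.823887] BUG: unable to handle kernel paging request at ffffffffffffffd0
[ 420.824743] PGD 29e24067 P4D 29e24067 PUD 29e26067 PMD 0
[ 420.825278] Oops:...""",
    "uprobe_perf_close": """BUG: KASAN: use-after-free in uprobe_perf_close+0x3de/0x520 kernel/trace/trace_uprobe.c:1048
Read of size 4 at addr ffff88007a4baf0c by task syzkaller591669/2952
CPU: 1 PID:...""",
    "skb_release_data": """BUG: KASAN: use-after-free in atomic_sub_return include/asm-generic/atomic-instrumented.h:258 [inline]
BUG: KASAN: use-after-free in skb_release_data+0x15f/0x740 net/core/skbuff.c:559
Write of size 4 at addr...""",
    "selinux_file_security": """[ 232.959395] BUG selinux_file_security (Not tainted): Padding overwritten. 0x00000000ee4aa18f-0x000000003704f4a5
[ 232.960284] -----------------------------------------------------------------------------
[ 232.960284]
[ 232.961111] Disabling lock debugging due...""",
    "strlen": """[ 66.494709] BUG: KASAN: slab-out-of-bounds in strlen+0x8e/0xa0
[ 66.495406] Read of size 1 at addr ffff88007be71348 by task syz-executor0/12148...""",
}


def parse_report(text):
    """Return a flat record: kind, bug, func, loc, rw, size, addr, task, pid, note."""
    rec = dict.fromkeys(["kind", "bug", "func", "loc", "rw", "size", "addr", "task", "pid", "note"])
    frames = []  # (func, file:line, is_inline) from each "BUG: KASAN: ... in" line
    for raw in text.splitlines():
        line = TS.sub("", raw.strip())
        if m := KASAN.search(line):
            rec["kind"], rec["bug"] = "KASAN", m["bug"]
            frames.append((m["func"], m["loc"], bool(m["inline"])))
        elif m := PAGING.search(line):
            rec["kind"], rec["bug"] = "page-fault", "paging-request"
            rec["addr"] = int(m["addr"], 16)
            if rec["addr"] >= ERR_PTR_FLOOR:
                rec["note"] = "addr is %d: likely ERR_PTR or negative offset from NULL" % (rec["addr"] - 2**64)
        elif m := SLUB.search(line):
            rec["kind"] = "SLUB-debug"
            rec["bug"] = m["what"].lower().replace(" ", "-")
            rec["func"] = m["cache"]  # SLUB names the cache, not a frame
        elif m := ACCESS.search(line):
            rec["rw"], rec["size"] = m["rw"], int(m["size"])
            if m["addr"]:
                rec["addr"] = int(m["addr"], 16)
            if m["task"]:
                rec["task"], rec["pid"] = m["task"], int(m["pid"])
    if frames:  # report owner = first non-inline frame, else the top frame
        rec["func"], rec["loc"], _ = next((f for f in frames if not f[2]), frames[0])
    return rec


def bucket(rec):
    """Dedup key, e.g. 'KASAN use-after-free Read in uprobe_perf_close'."""
    parts = [rec["kind"], rec["bug"], rec["rw"], "in " + rec["func"] if rec["func"] else None]
    return " ".join(p for p in parts if p)


def triage_all(reports=REPORTS):
    return {name: bucket(parse_report(text)) for name, text in reports.items()}


if __name__ == "__main__":
    for name, key in triage_all().items():
        print(f"{name:24s} {key}")
```

The skb_release_data report shows why the "first non-inline frame" rule matters: the top KASAN line is the inlined atomic helper, and bucketing on it would merge every refcount UAF in the kernel into one key. The alloc_vmap_area oops gets no function because its RIP line is cut off in the excerpt, so it buckets on the fault class alone; the note on its address (-48) is the first thing to check before treating it as an arbitrary write target.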