• LK v4.16.x - copyout - uaf

    copyout - use after free Read posted & found by zer0day tl;dr Got from syzkaller & Found in LK v4.16.0-rc7. Maybe, I think it’s not the one…, just happened by weird kernel options… Call Trace (Dump) Here’s a dump. [ 46.055481] BUG: KASAN: use-after-free in copyout+0x78/0xb0 [ 46.056136] Read of...


• LK v4.16.x - iptunnel_handle_offloads - uaf

    iptunnel_handle_offloads - use after free Read posted & found by zer0day tl;dr Got from syzkaller & Found in LK v4.16.0-rc7. Not verified yet, also, maybe happened by kinda options… Call Trace (Dump) Here’s a syzkaller report. BUG: KASAN: use-after-free in skb_is_gso include/linux/skbuff.h:4031 [inline] BUG: KASAN: use-after-free in iptunnel_handle_offloads+0x4ee/0x620 net/ipv4/ip_tunnel_core.c:170 Read...


• LK v4.16.x - dev_hard_start_xmit - soft lockup

    dev_hard_start_xmit - soft lockup posted & found by zer0day tl;dr Found in LK v4.16.0-rc7. CPU#0 stuck for 30s. Call Trace (Dump) Here’s a dump. [ 268.822032] Modules linked in: [ 268.822287] irq event stamp: 10299 [ 268.822555] hardirqs last enabled at (10298): [<0000000006ab7d5b>] restore_regs_and_return_to_kernel+0x0/0x30 [ 268.823301] hardirqs last disabled at...


• LK v4.16.x - kaslr bypass (memleak)

    About my recent finds :) found & posted by zer0day tl;dr I found a bug, memory leak on v4.16.0-rc5. (KASLR Bypass). Maybe, it works on many LKs (I didn’t check all of them yet). (Of course, it’s not kptr_restrict stuff :)) Except this, there’re some bugs, also memleak. But I...


• LK v4.16.x - mon_bin_vma_fault - deadlock

    mon_bin_vma_fault - deadlock posted & found by zer0day tl;dr Got from syzkaller & Found in LK v4.16.0-rc6. Call Trace (Dump) [ 105.403185] WARNING: possible circular locking dependency detected [ 105.403862] 4.16.0-rc6+ #21 Not tainted [ 105.404291] ------------------------------------------------------ [ 105.404959] syz-executor4/18491 is trying to acquire lock: [ 105.405516] (&rp->fetch_lock){+.+.}, at:...