Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel

Author: Alexander Popov, Positive Technologies CVE-2021-26708 is assigned to five race condition bugs in the virtual socket implementation of the Linux kernel. I discovered and fixed them in January 2021. In this article I describe how to exploit them for local privilege escalation on Fedora 33 Server for x86_64, bypassing SMEP and SMAP. Today I gave a talk at Zer0Con 2021 on this topic (slides). I like this exploit. The race condition can be … Continue reading Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel

Linux kernel heap quarantine versus use-after-free exploits

It’s 2020. Quarantines are everywhere – and here I’m writing about one, too. But this quarantine is of a different kind. In this article I’ll describe the Linux Kernel Heap Quarantine that I developed for mitigating kernel use-after-free exploitation. I will also summarize the discussion about the prototype of this security feature on the Linux Kernel Mailing List (LKML). Use-after-free in the Linux kernel Use-after-free … Continue reading Linux kernel heap quarantine versus use-after-free exploits

CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem

This article discloses exploitation of CVE-2019-18683, which refers to multiple five-year-old race conditions in the V4L2 subsystem of the Linux kernel. I found and fixed them at the end of 2019. I gave a talk at OffensiveCon 2020 about it (slides). Here I’m going to describe a PoC exploit for x86_64 that gains local privilege escalation from the kernel thread context (where the userspace is not … Continue reading CVE-2019-18683: Exploiting a Linux kernel vulnerability in the V4L2 subsystem

Case study: Searching for a vulnerability pattern in the Linux kernel

This short article describes the investigation of one funny Linux kernel vulnerability and my experience with Semmle QL and Coccinelle, which I used to search for similar bugs. The kernel bug Several days ago my custom syzkaller instance got an interesting crash. It had a stable reproducer and I started the investigation. Here I will take the opportunity to say that syzkaller is an awesome … Continue reading Case study: Searching for a vulnerability pattern in the Linux kernel

How STACKLEAK improves Linux kernel security

STACKLEAK is a Linux kernel security feature initially developed by Grsecurity/PaX. I\’m working on introducing STACKLEAK into the Linux kernel mainline. This article describes the inner workings of this security feature and why the vanilla kernel needs it. In short, STACKLEAK is needed because it mitigates several types of Linux kernel vulnerabilities, by:  Reducing the information that can be revealed to an attacker by kernel … Continue reading How STACKLEAK improves Linux kernel security