A collection of my notes and resources for learning kernel exploitation.
- CVE-2023-0179 (nftables) and CVE-2022-1015 (link)
Each userspace file descriptor is a reference to an entry in the kernel's open file table. The kernel must keep track of these references so it knows when a given file structure is no longer used and can be freed; that is done with the f_count field of the file structure.
Unix-domain sockets are used for inter-process communication. A process can pass a file descriptor to another through SCM_RIGHTS messages:
- The sender creates a new reference to the file struct behind the sent file descriptor through the sendmsg() syscall (implemented as unix_stream_sendmsg in the kernel).
- That reference is queued (in flight) until the receiver accepts it.
- The receiver decrements the reference to the file.
=> If both sides close their sockets before accepting the in-flight references, they lose the only visible references to the file structs.
=> Those file structures will have a permanently elevated reference count and can never be freed.
Kernel mitigations:
- When a file structure corresponding to a Unix-domain socket gains a reference from an SCM_RIGHTS datagram, the inflight field of the corresponding unix_sock structure is incremented.
- When the other side accepts that reference, inflight is decremented.
[Examples of usage](https://unixism.net/2020/04/io-uring-by-example-part-1-introduction/).