wechicken456/Linux-kernel
Linux-kernel

A collection of my notes and resources for learning kernel exploitation.

Dirty

  1. Dirty Pagetable
  2. Dirty Pagetable CTF chal
  3. DirtyCred Remastered
  4. DirtyPipe:
    1. Official author: https://dirtypipe.cm4all.com
    2. https://www.aquasec.com/blog/deep-analysis-of-the-dirty-pipe-vulnerability/
    3. https://vsociety.medium.com/the-de-vinci-of-dirtypipe-local-privilege-escalation-cve-2022-0847-e0e391d2727b

Netfilter/nftables

  1. CVE-2023-0179
  2. nftables and CVE-2022-1015 link

File descriptors


Each userspace file descriptor is a reference to the Open File Table in the kernel. The kernel must keep track of these references to be able to know when any given file structure is no longer used and can be freed; that is done using the f_count field.

SCM_RIGHTS

Unix-domain sockets are used for inter-process communication. A process can pass a file descriptor to another process through an SCM_RIGHTS message:

  1. The sender creates a new reference to the file struct behind the file descriptor being sent, through the sendmsg() syscall (implemented as unix_stream_sendmsg in the kernel).
  2. That reference is queued ("in flight") until the receiver accepts the message.
  3. When the receiver accepts the message, it takes over the reference and the in-flight count for that file is decremented.

=> If both sides close their sockets before the in-flight references are accepted, the only visible references to those file structs are lost.

=> Those file structures will have a permanently elevated reference count and can never be freed.

Kernel mitigations:

  1. When a file structure corresponding to a Unix-domain socket gains a reference from an SCM_RIGHTS datagram, the inflight field of the corresponding unix_sock structure is incremented.
  2. When the other side accepts that reference, inflight is decremented.
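The SCM_RIGHTS round trip described above, as an added example that is not code from these notes: one process sends a pipe's read end to itself across a socketpair and then checks that the received descriptor (a new fd number) refers to the same open file. It assumes Linux with glibc; send_fd, recv_fd and scm_rights_roundtrip are names chosen here.

```c
/* Added example, not from these notes: pass a descriptor across a Unix-domain
 * socketpair with SCM_RIGHTS and show the receiver's fd is the same open file. */
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>

union fd_cmsg { struct cmsghdr h; char buf[CMSG_SPACE(sizeof(int))]; }; /* room for one int */

/* Send fd as SCM_RIGHTS ancillary data (one payload byte is required). */
static int send_fd(int sock, int fd)
{
    char byte = 'x';
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fd_cmsg u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof(int));      /* memcpy, not a cast: alignment */
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive one fd; the kernel installs the in-flight reference at a fresh fd number. */
static int recv_fd(int sock)
{
    char byte;
    struct iovec iov = { .iov_base = &byte, .iov_len = 1 };
    union fd_cmsg u;
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = u.buf, .msg_controllen = sizeof u.buf };
    if (recvmsg(sock, &msg, 0) != 1) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (!c || c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) return -1;
    int fd; memcpy(&fd, CMSG_DATA(c), sizeof fd);
    return fd;
}

/* Send a pipe's read end to ourselves over a socketpair. Returns 1 when the received
 * fd is a new number, shares the pipe's inode and reads what the pipe's write end wrote,
 * i.e. both descriptors point at one struct file; 0 on any failure. */
int scm_rights_roundtrip(void)
{
    int sv[2], p[2], got, ok; struct stat a, b; char ch = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || pipe(p) < 0) return 0;
    if (send_fd(sv[0], p[0]) < 0 || (got = recv_fd(sv[1])) < 0) return 0;
    ok = fstat(p[0], &a) == 0 && fstat(got, &b) == 0 &&
         write(p[1], "k", 1) == 1 && read(got, &ch, 1) == 1;
    close(sv[0]); close(sv[1]); close(p[0]); close(p[1]); close(got);
    return ok && got != p[0] && a.st_ino == b.st_ino && ch == 'k';
}
```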

io_uring

Authors' paper.

[Examples of usage](https://unixism.net/2020/04/io-uring-by-example-part-1-introduction/).
