Davide Ornaghi

Here is a more up-to-date syz description of your favorite subsystem nftables, happy fuzzing! https://t.co/Nz6QYWDn2g

While testing and fixing a couple of NPDs in nftables, I found that reusing the subsystem after crashing triggers a UAF read on the previously freed task_struct when reacquiring the commit mutex, maybe worth a look? https://t.co/Nr4ZoeRbsK

I've written my first blog post on exploiting the Linux kernel, with bonus digressions on internals and rabbit holes. Hope you enjoy the fancy graphics! https://t.co/8yZ0yrjCCP https://t.co/AmMjrvIKF2

Exciting news! 🚀 Just dropped my blogpost unveiling the universal Linux kernel LPE PoC for CVE-2024-1086 (working on v5.14 - v6.7) used for pwning Debian, Ubuntu, and KernelCTF Mitigation instances, including novel techniques like Dirty Pagedirectory 🧵 https://t.co/zFimVzjgYB

Added two less known PE payloads to the project: core_pattern overwrite and syscall hooking (inspired by CVE-2022-0435)! https://t.co/Tz58TGEbgS

Experimenting with mappable zero pages and privesc techniques for my DECnet vuln, still a WIP https://t.co/GP3xPnFgAW

CVE-2023-3338 represents a series of issues I found in the Linux DECnet Layer (a 20-year-old protocol) that caused it to be removed from all LTS releases, the most obvious one being this NPD https://t.co/Jao0NkzRX2

Quick gdb tip to access per-cpu variables in case lx_per_cpu doesn't work: x __per_cpu_offset[$lx_current().cpu] + (unsigned long) var

Great opportunity to have fun with Linux pwning in the beautiful Bergamo!

Spent hours trying to mask timer interrupts on gdb to prevent LAPIC events when all I had to do was update QEMU

Writing CodeQL queries that actually do what you expect feels like magic

Why is SystemTap so hard to run on custom kernels ☹️