The bug itself is esoteric: it's a UAF, but there is no alloc or free at all.
How is this possible? Simply put, the variable is allocated on the stack and freed by the OS itself whenever an esoteric condition occurs.
I hope you enjoy this one.
https://t.co/bcyOompRs2
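As an added illustration of the bug class described in the post above (my own example, not code from the post or from the kernel): a record lives in a function's stack frame, gets linked into a shared wait list, and on one special exit path the function returns without unlinking it, so the list keeps a pointer into a frame that no longer exists. Nothing is ever malloc'd or freed; the "free" is the function returning. The stack is modelled as an explicit slot arena so the frame reuse is deterministic, and `wait_buggy`, `wait_fixed`, `unrelated_call`, the `magic` field and the pid values are all hypothetical names and data chosen for the demo; it does not reproduce the real futex code path.

```c
#include <stdio.h>
#include <string.h>

/* A waiter record that, in the real pattern, lives in a function's
 * stack frame and is linked into a shared wait queue. */
struct waiter {
    struct waiter *next;
    int owner_pid;      /* who is waiting (hypothetical field) */
    int magic;          /* sanity marker the reader checks (hypothetical) */
};
#define WAITER_MAGIC 0x5157

/* Simulated stack: fixed-size slots carved from the top downward, so a
 * popped frame is reused by the very next push. This is a model of
 * stack lifetime, not real stack semantics, which keeps the demo free
 * of undefined behaviour. */
#define SLOTS 8
static struct waiter sim_stack[SLOTS];
static int sim_sp = SLOTS;
static struct waiter *wait_list;    /* shared queue, outlives any frame */

static struct waiter *frame_push(void) { return &sim_stack[--sim_sp]; }
static void frame_pop(void) { sim_sp++; }   /* the "free" nobody calls */

void reset_sim(void)
{
    sim_sp = SLOTS;
    wait_list = NULL;
    memset(sim_stack, 0, sizeof sim_stack);
}

static void enqueue(struct waiter *w) { w->next = wait_list; wait_list = w; }

static void dequeue(struct waiter *w)
{
    for (struct waiter **pp = &wait_list; *pp; pp = &(*pp)->next)
        if (*pp == w) { *pp = w->next; return; }
}

/* Buggy wait: on the special condition (modelled as spurious_wakeup)
 * it returns early without dequeuing, so wait_list still points at a
 * frame that is gone. Returns 0 on normal completion, -1 on early exit. */
int wait_buggy(int pid, int spurious_wakeup)
{
    struct waiter *w = frame_push();
    w->owner_pid = pid;
    w->magic = WAITER_MAGIC;
    enqueue(w);
    if (spurious_wakeup) {
        frame_pop();        /* frame dies, record stays on the list */
        return -1;
    }
    dequeue(w);
    frame_pop();
    return 0;
}

/* Fixed wait: the record is unlinked on every exit path before the
 * frame dies. That is the whole fix for this bug class. */
int wait_fixed(int pid, int spurious_wakeup)
{
    struct waiter *w = frame_push();
    w->owner_pid = pid;
    w->magic = WAITER_MAGIC;
    enqueue(w);
    int rc = spurious_wakeup ? -1 : 0;
    dequeue(w);
    frame_pop();
    return rc;
}

/* Any later call that lands on the same slot: its bytes (here a
 * constructed fill value standing in for attacker-influenced data)
 * become the "waiter" the queue now sees. */
void unrelated_call(int fill)
{
    struct waiter *frame = frame_push();
    memset(frame, fill, sizeof *frame);
    frame_pop();
}

/* What a wakeup path would read from the head of the queue. */
int head_owner_pid(void) { return wait_list ? wait_list->owner_pid : 0; }
int queue_is_sane(void)  { return wait_list ? wait_list->magic == WAITER_MAGIC : 1; }

int main(void)
{
    reset_sim();
    wait_buggy(1000, 1);
    printf("after early exit: head pid=%d sane=%d\n", head_owner_pid(), queue_is_sane());
    unrelated_call(0x41);
    printf("after frame reuse: head pid=0x%x sane=%d\n", head_owner_pid(), queue_is_sane());
    reset_sim();
    wait_fixed(1000, 1);
    printf("fixed version: head pid=%d sane=%d\n", head_owner_pid(), queue_is_sane());
    return 0;
}
```

The point the model makes is that the dangling reference is created by a control-flow path, not by an allocator call, which is why allocator-side hardening and free-list checks never see it; the only fix is making every exit path unlink before the frame goes away.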
Following my previous post, I wrote another blog on a futex bug that was patched not long ago.
It allowed any attacker with an untrusted SELinux context to elevate privileges, given the right instruments.
We live in interesting times.
Last month Linux patched a core UAF in the epoll subsystem; we rarely see this kind of bug.
As I like this kind of bug, I wrote a few words about it here: https://t.co/XIiPU7LSSN
I tried working on this bug only, without an infoleak, and tried to turn it into a one-shot universal root primitive, but I did not succeed: I never managed to leak data.
You can read the blog and see my attempts at exploiting this; I encourage anyone to try too.
The race itself is pretty tight, but with the right IPI interrupts and some magic it is possible to take control of ep->refs or a mutex_unlock slowpath (providing you an arbitrary kfree primitive); there are other paths available for exploitation.