-
Notifications
You must be signed in to change notification settings - Fork 414
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kernelCTF: Add CVE-2024-41010 LTS #128
Conversation
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
b2e2b9f
to
43a5a81
Compare
Hello @0xTen Thanks for your submission. May I ask a few questions? Under the section "kmalloc-cg-512 -> kmalloc-cg-1k" "We can now overlap a msg_msg with our skbuf->data object." Is it that you add another msg_msg to the same queue(which overwrites skb->data) then read until the end of msg linked list to leak pointers from kmalloc-cg-1k? Then after leaking you write to skb->data since the msg_msg overlaps in order to free a msg_msg in another queue with the current one to end up at a double free in kmalloc-cg-1k? |
Your understanding is generally correct except for:
Here is very detailed explanation that hopefully will give you a very deep understanding of what is going on: For context, msg_msg and msg_msgseg are allocated when sending ipc messages and are deallocated by receiving ipc messages. Also, skbuf->data is allocated by sending data on one end of a unix socket pair and is deallocated by receiving the data on the other end of the socket pair. Getting to kmalloc-cg-512 in the first placeBasically, at that stage I receive from the mqueue that contains the overwritten msg_msgseg (let's call it mqueue A) only to free the skbuf->data object (residing in kmalloc-cg-512) whose pointer I discovered in the previous step (using if_inaddr). After that, you can forget about the previous steps and the corrupted msg_msgseg, because what follows is bug agnostic:
Getting from kmalloc-512 to kmalloc-cg-1kNow that we have a fully controllable msg_msg object (which belongs to mqueue B) in kmalloc-cg-512, in order to go from that to kmalloc-cg-1k I do the following things:
Going from that to rootAt this point I have a similar scenario as I had on kmalloc-cg-512, which is a dangling skbuf->data object that can be overlapped with any struct I want and I will be able to edit that struct. I overlap it with pipe_buffer to control the pipe_buffer->page pointer and get arb r/w on kernel memory. |
thanks |
Hey 0xTen! Thank you for your submission! It looks well documented and easy to read. One question: why did you choose to scan the kernel memory to leak kASLR & find the modprobe address instead of using a ROP chain with target-specific symbol addresses? Was this scanning technique stable as well? |
No description provided.