Linux Kernel Exploitation: Attack of the Vsock

Going for the pipe spray is a kinda weird technique, and I'm honestly surprised that it worked. Usually just the fact that you are able to spray over the allocation at all isn't enough, and you also have to worry about your sprayed data containing additional pointers or things that also have to be valid.

I probably would have gone for turning the UaF into an type confusion style attack: if you spray more sockets you'll end up with two files, the original and the new one, that have aliased sk members, but the vsock code will incorrectly cast the new one to a `vsock_sock`. From there you can probably find some other socket type that puts controllable data over some field that vsock treats as a pointer or vice versa, and use it as both a kaslr leak and data-only r/w primitive.

"Weâ€™ve Got a Panic!"

Looks like we've got an encoding issue too.

> So I set off on a journey that would lower my GPA and occasionally leave me questioning my sanity

Amazing! Sacrificing GPA for projects is always a good time

Good write-up. I liked your RSA tutorial too: https://hoefler.dev/content/RSA.pdf

The Linux Kernel has millions of LoCs. There'll always be bugs.

It's about time to look at a sane design, such as seL4[0].

https://sel4.systems/About/seL4-whitepaper.pdf

[stub for offtopicness]

yet another "use-after-free" sploit

Rust for Linux, wen?

It's a damn shame the current maintainers are so hostile to its adoption that many of the original rust 4 linux folks have left the project.