r2con2020-ctf-kernel exploit.
Recently I found a challenge from r2con at Eloi Sanfelix's Github account. I gave it a try.
The vulnerability was RESIZE
functionality doesn't lock sock_buf_t
object while other functionalities sufficiently lock. This leads to a race condition between RESIZE
and SEND
functionalities.
While window is really small, using userfaultfd
blocks copy_to/from_user
and provides us as much as time we need.
Overwriting an existing sock_buf_t
object enables us to gain arbitrary read/write. Sending buffer same size as buf->size
increments write->index
to buf->size
and it becomes 0 again, because of modulus operation. This primitive is helpful since we need to use read/write multiple times.
Based on solution of 2019 challenge: Eloi Sanfelix r2con2019 Solution
References: