Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

CVE-2024-27815- 1441

Joseph Ravichandran (Ravi), posted 1 year ago
  • Within portions of the BSD kernel, the mbuf object is used for networking. It consists of a header and a data area, both of fixed size. _MSIZE is the total size of the mbuf (header plus data) and MLEN is the size of the data portion alone.
  • The vulnerability is in a bcopy that copies the socket address into the message buffer. Instead of using MLEN (224) for the length check, it uses the full size of the buffer (255), including the header. This creates a buffer overflow of 31 bytes.
  • The reason for the bug is likely confusion between the two length types. It makes sense that this got through code review!
  • The proof of concept for this requires 3 syscalls, which is fairly simple! I'm surprised that something like syzkaller didn't find this. The crash trace shows that this corrupts the mbuf that follows the data.
  • The bug is a super simple buffer overflow. Finding it required close attention to detail about sizes. Naming variables correctly is important :)
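As an added illustration (not code from the post or from XNU), this models the header/data length confusion with constructed sizes: a 256-byte object with a 32-byte header leaves 224 data bytes, so a check against the whole object admits 32 bytes of spill where the post's figures (224 vs 255) give 31. The weak check is modelled without performing the copy; the hardened form bounds against MLEN.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified model of an mbuf (not XNU's real layout or sizes):
 * the whole object is MSIZE bytes, the header takes MHDR_SIZE of them, and
 * only MLEN bytes of payload remain. */
#define MSIZE     256
#define MHDR_SIZE 32
#define MLEN      (MSIZE - MHDR_SIZE)   /* 224 bytes of usable data */

struct toy_mbuf {
    uint8_t hdr[MHDR_SIZE];  /* stand-in for the mbuf header fields */
    uint8_t data[MLEN];      /* the payload area a copy may legitimately fill */
};
_Static_assert(sizeof(struct toy_mbuf) == MSIZE, "MSIZE must cover header + data");

/* The weak check described in the post, modelled without performing the copy:
 * it compares len against the whole object size rather than the data area.
 * Returns -1 if the check rejects len, otherwise the number of bytes that a
 * copy of len bytes into data would write past the end of the data area. */
int weak_check_spill(size_t len) {
    if (len > MSIZE)
        return -1;                              /* only oversized lengths rejected */
    return len > MLEN ? (int)(len - MLEN) : 0;  /* MLEN < len <= MSIZE spills */
}

/* Hardened form: bound against MLEN, the space that actually exists, and copy
 * only when the source fits. Returns 0 on success, -1 if rejected. */
int copy_sockaddr_safe(struct toy_mbuf *m, const uint8_t *sa, size_t len) {
    if (len > MLEN)
        return -1;
    memcpy(m->data, sa, len);
    return 0;
}

/* Helper: feed a constructed source of len bytes (all 0x41) through the
 * hardened copy and report 1 if it was accepted, 0 if rejected. */
int safe_accepts(size_t len) {
    struct toy_mbuf m;
    uint8_t src[MSIZE + 1];
    if (len > sizeof src)
        return 0;
    memset(src, 0x41, sizeof src);
    memset(&m, 0, sizeof m);
    return copy_sockaddr_safe(&m, src, len) == 0;
}
```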