Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

erroneous error handling after fd_install()- 779

Mathias Krause, posted 4 years ago
  • The Linux kernel is a wonderfully complicated place. Many of the vulnerabilities found in it only make sense with a deep understanding of the ecosystem; this is one of those cases.
  • Inside the Linux kernel, the function fd_install makes a file descriptor available to userland. Once the descriptor is visible to userland, the kernel must NOT keep using it (or the file object behind it) as if it still owned it, because userland can free the resource at any moment.
  • For example, fd_install(fd, file); is called, and some time later the same descriptor is used to do something else to the file. In that small window, userland could call close(fd) and free the file, so the later use becomes a use after free.
  • The author has an interesting note on exploitation! Most people would try to turn this into a memory corruption primitive and then into code execution. There is an easier way: all file objects are the same size and come from a dedicated slab cache, so a freed slot is quickly handed out to the next file that gets opened.
  • By triggering this vulnerability, the dangling descriptor can end up pointing at some other file, such as /etc/shadow. It is wild that this memory corruption bug is extremely trivial to exploit, with the kernel's own file handling providing the primitive instead of a custom one.
  • Of note, this vulnerability was found in 3 places in the Linux kernel, with only one of them being super exploitable. Overall, I enjoyed the write-up, as the bug is very clear. Additionally, the exploitation of this bug is fascinating, since it gets an impactful result with little effort.
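The ordering rule behind this bug class, shown as an added example that is not taken from the post or from the kernel: a small user-space C model of a LIFO slab cache, an fd table and the fd_install/fput handshake. All names, the 2-step "user race" and the /etc/shadow stand-in are constructed; the model only shows why every failure must be handled before fd_install() publishes the descriptor.

```c
#include <string.h>

/* Constructed user-space model of struct file, a LIFO slab cache and an fd
 * table (not kernel code); only the ordering rule it demonstrates is real. */
struct file { int refcount; const char *name; };
#define NSLOTS 4
#define NFDS   8
static struct file slab[NSLOTS], *freelist[NSLOTS], *fdtable[NFDS];
static int nfree;
static void reset(void) {
    memset(fdtable, 0, sizeof fdtable);
    for (nfree = 0; nfree < NSLOTS; nfree++) freelist[nfree] = &slab[NSLOTS - 1 - nfree];
}
static struct file *alloc_file(const char *name) {   /* LIFO: last freed slot is reused first */
    struct file *f = freelist[--nfree]; f->refcount = 1; f->name = name; return f;
}
static void fput(struct file *f) {                   /* last reference gone: back to the cache */
    if (--f->refcount == 0) { f->name = "(freed)"; freelist[nfree++] = f; }
}
static int get_unused_fd(void) {
    int i = 0; while (i < NFDS && fdtable[i]) i++; return i < NFDS ? i : -1;
}
static void fd_install(int fd, struct file *f) { fdtable[fd] = f; }
static void sys_close(int fd) { struct file *f = fdtable[fd]; fdtable[fd] = NULL; fput(f); }
/* What userland may do the moment the fd is visible: close it, then open
 * another file, which recycles the very same struct file slot. */
static void user_races(int fd) { sys_close(fd); fd_install(get_unused_fd(), alloc_file("/etc/shadow")); }
/* Vulnerable ordering: the fd is published before the final check, so the
 * error path drops a reference that now belongs to whatever reused the slot. */
static int buggy_open(const char *name, int late_failure) {
    struct file *f = alloc_file(name);
    int fd = get_unused_fd();
    fd_install(fd, f);
    user_races(fd);
    if (late_failure) { fput(f); return -1; }   /* stale f: frees the victim's file */
    return fd;
}
/* Hardened ordering: every failure is handled before fd_install(). */
static int fixed_open(const char *name, int late_failure) {
    struct file *f = alloc_file(name);
    if (late_failure) { fput(f); return -1; }   /* only our own reference is dropped */
    int fd = get_unused_fd();
    fd_install(fd, f);
    user_races(fd);
    return fd;
}
static int dangling_fd_present(void) {              /* 1 if an fd points at a freed struct file */
    for (int i = 0; i < NFDS; i++) if (fdtable[i] && fdtable[i]->refcount <= 0) return 1;
    return 0;
}
```

With the buggy ordering the late fput() lands on the struct file that now backs the /etc/shadow descriptor, leaving that fd pointing at a freed object; with the fixed ordering the same failure never touches a published descriptor.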