0ctf 2017 kernel pwn knote write up
2024-10-07 08:02:21
UAF due to using hlist_add_behind() without checking.
There is a pair locker(mutex_lock) at delete_note(), but isn’t at edit_note_time().
And it doesn’t check the flag before hlist_add_behind() in insert_note().
for(;;) {
/* add before a larger epoch */
iter = hlist_entry(node, struct note_t, next);
if (iter->epoch > epoch) {
hlist_add_before(&(note->next), node);
flag = true;
break;
}
if (node->next == NULL)
break;
node = node->next;
}
/* at behind the last node */
// if (!flag) <-- patch...
// it can lead to hlist broken.
hlist_add_behind(&(note->next), node);
Exploitation:
1. UaF
First we could free arbitrary object (eg. tty_struct) via any vulnerabilities,
re-allocate fake object with evil functions or rop gadgets.
Finally we can call related function in user mode.
2. kernel info leak
should use the kzalloc() instead of kmalloc()
最新文章
- 关系数据库SQL之可编程性存储过程
- POJ1129Channel Allocation[迭代加深搜索 四色定理]
- matplotlib 安装与使用
- mysql数据库版本引发的问题
- grails的layouts模板页面使用
- Java ZK image 處理
- ExtJS FormPanel不执行校验
- .net google calendar
- ssh-keygen+ssh-copy-id 在linux下实现ssh无密码登录访问
- Android 4.4(KitKat)中VSync信号的虚拟化
- mysqli_set_charset和SET NAMES优劣分析
- kbhit()的三个测试
- Maven基础
- 在JDBC中使用Java8的日期LocalDate、LocalDateTime
- 超级好用的前端开发测试Chrome插件-WEB前端助手(FeHelper)
- Sptringboot 添加子项目
- 并查集(我根本不会切板子啊喂QWQ长文)(大雾
- struct和[]byte的转换,注意结构体内变量首字母一定大写
- Python算法——递归思想
- webdriver简介及浏览器的驱动