  • 0ctf 2017 kernel pwn knote writeup

    UAF caused by calling hlist_add_behind() without checking whether the note has already been linked into the list.

    delete_note() is guarded by a mutex_lock()/mutex_unlock() pair, but edit_note_time() takes no lock at all, so it can run concurrently with delete_note().

    insert_note() also does not check the flag before calling hlist_add_behind():

        for (;;) {
            /* add before the first note with a larger epoch */
            iter = hlist_entry(node, struct note_t, next);
            if (iter->epoch > epoch) {
                hlist_add_before(&(note->next), node);
                flag = true;
                break;
            }

            if (node->next == NULL)
                break;

            node = node->next;
        }

        /* add behind the last node */
        /* if (!flag)   <-- the missing check; this is the patch */
        /* Without it, a note that hlist_add_before() has already linked is
         * linked a second time here, which corrupts the hlist. */
        hlist_add_behind(&(note->next), node);

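    As an added userland model (not the challenge module's code and not from the original post), the snippet below copies the Linux hlist primitives and the insertion loop above, with a `patched` flag that toggles the missing `if (!flag)` check. The `struct note_t` layout, the empty-list handling and the epoch sequences are constructed for the example. It shows that whenever a new note has to go before an existing one, the buggy build drops that existing note from the list and leaves the new note's `pprev` pointing into the dropped note, so after the new note is unlinked (as delete_note() would do before kfree) `head->first` still points at it: the use-after-free.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userland copy of the Linux hlist primitives the challenge uses. */
struct hlist_node { struct hlist_node *next, **pprev; };
struct hlist_head { struct hlist_node *first; };
#define hlist_entry(ptr, type, member) ((type *)((char *)(ptr) - offsetof(type, member)))

static void hlist_add_head(struct hlist_node *n, struct hlist_head *h)
{
    n->next = h->first;
    if (h->first) h->first->pprev = &n->next;
    h->first = n; n->pprev = &h->first;
}
static void hlist_add_before(struct hlist_node *n, struct hlist_node *next)
{
    n->pprev = next->pprev; n->next = next;
    next->pprev = &n->next; *(n->pprev) = n;
}
static void hlist_add_behind(struct hlist_node *n, struct hlist_node *prev)
{
    n->next = prev->next; prev->next = n; n->pprev = &prev->next;
    if (n->next) n->next->pprev = &n->next;
}
static void hlist_del(struct hlist_node *n)
{
    *n->pprev = n->next;
    if (n->next) n->next->pprev = n->pprev;
}

/* Assumed note layout: only the two fields the insertion loop touches. */
struct note_t { struct hlist_node next; unsigned long epoch; };

/* The challenge's insertion loop. patched == false reproduces the missing
 * `if (!flag)`: a note already linked by hlist_add_before() is linked a
 * second time by hlist_add_behind(). Empty-list handling is assumed. */
static void insert_note(struct hlist_head *head, struct note_t *note, bool patched)
{
    struct hlist_node *node = head->first;
    bool flag = false;

    if (node == NULL) {
        hlist_add_head(&note->next, head);
        return;
    }
    for (;;) {
        struct note_t *iter = hlist_entry(node, struct note_t, next);
        if (iter->epoch > note->epoch) {
            hlist_add_before(&note->next, node);
            flag = true;
            break;
        }
        if (node->next == NULL)
            break;
        node = node->next;
    }
    if (patched && flag)            /* the check the patch adds */
        return;
    hlist_add_behind(&note->next, node);
}

/* Notes reachable from head, bounded so a corrupted list cannot hang us. */
static int count_reachable(struct hlist_head *head)
{
    int n = 0;
    for (struct hlist_node *p = head->first; p && n < 16; p = p->next)
        n++;
    return n;
}

/* Constructed epoch sequences. In the buggy build, each sequence that takes
 * the hlist_add_before() path drops the note it was inserted before. */
static const unsigned long ASCENDING[]    = { 10, 20, 30 };  /* never hits the bug */
static const unsigned long OUT_OF_ORDER[] = { 10, 5 };       /* 5 goes before 10 */
static const unsigned long MIDDLE[]       = { 10, 20, 15 };  /* 15 goes before 20 */

static int reachable_after_inserts(const unsigned long *epochs, int n, bool patched)
{
    static struct note_t notes[8];
    struct hlist_head head = { NULL };
    if (n > 8)
        return -1;
    for (int i = 0; i < n; i++) {
        notes[i] = (struct note_t){ .epoch = epochs[i] };
        insert_note(&head, &notes[i], patched);
    }
    return count_reachable(&head);
}

/* After the double insert the new note's pprev points at the dropped note's
 * next field, not at head->first, so unlinking it (what delete_note() does
 * before kfree) leaves head->first pointing at the freed note: the UAF. */
static bool head_dangles_after_delete(bool patched)
{
    struct hlist_head head = { NULL };
    struct note_t a = { .epoch = 10 }, b = { .epoch = 5 };
    insert_note(&head, &a, patched);
    insert_note(&head, &b, patched);
    hlist_del(&b.next);
    return head.first == &b.next;
}
```

    With `patched == false`, `reachable_after_inserts(OUT_OF_ORDER, 2, ...)` returns 1 (the note with epoch 10 is no longer reachable from the head) and `head_dangles_after_delete(false)` returns true; with the check in place the list holds both notes and the head is rewired correctly on delete. The same happens for an insert in the middle of a longer list (`MIDDLE`), while a purely ascending sequence never takes the `hlist_add_before()` path and so never triggers the bug.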

    Exploitation:

    1. UAF

      First, free an arbitrary object (e.g. a tty_struct) through the bug, then reallocate that slab slot with a fake object whose function pointers point at evil functions or ROP gadgets.
    Finally, trigger the corresponding operation from user mode so the kernel calls through the fake pointers.

    2. Kernel info leak

      The note is allocated with kmalloc(), which does not zero the memory, so stale kernel data left in the slab object (including kernel pointers) can be read back. It should use kzalloc() instead of kmalloc().

  • Original source: https://www.cnblogs.com/bittorrent/p/6680249.html