Linux Kernel Exploitation: Attack of the Vsock
36 comments
· April 30, 2025
klysm
anyfoo
I really liked the old German university concept, the one before we just took over Bachelor/Master.
Throughout my CS studies, I was just collecting "tickets" (very hard to translate the actual word, "Schein"), which basically just attested that you have passed a course. They (often) had a grade on it, but it did not matter. Instead, once in the middle ("pre-diploma") and once at the very end of your time at university, you'd have oral exams. And those determined your grade. To attend them, you needed the right combination of "tickets".
The glaring downside of this system is that if you had a bad time in those few months of your very final exams, you could screw up your entire grade.
The upside of it is that I was free (and encouraged) to pursue whatever I wanted, without each course risking having an effect on my "GPA". I had way more tickets than I needed in the end, and still time and energy to pursue whatever else I wanted (playing with microcontrollers etc.).
klysm
I had a couple of classes at a USA uni that worked quite similarly. The professor said we can take the quizzes if we want, and if we didn't then the later quizzes would constitute more of your grade. The ultimate play was to only take the final quiz.
cherryteastain
> The ultimate play was to only take the final quiz.
This is how a lot of British undergrad courses ('modules') work. One giant exam at the very end determining everything; no quizzes, no problem sheets, no midterms.
xen2xen1
Would not be a surprise if AI brought this back.
dudus
As a teacher once told me:
"Never let school limit your education"
nzeid
For those wondering this is a common paraphrase of Grant Allen and Mark Twain. Here we say "Never let school get in the way of a good education."
technothrasher
I learned a ton while at my university. Much of it was outside of my classwork.
chc4
Going for the pipe spray is a kinda weird technique, and I'm honestly surprised that it worked. Usually just the fact that you are able to spray over the allocation at all isn't enough, and you also have to worry about your sprayed data containing additional pointers or things that also have to be valid.
I probably would have gone for turning the UaF into a type confusion style attack: if you spray more sockets you'll end up with two files, the original and the new one, that have aliased sk members, but the vsock code will incorrectly cast the new one to a `vsock_sock`. From there you can probably find some other socket type that puts controllable data over some field that vsock treats as a pointer or vice versa, and use it as both a kaslr leak and data-only r/w primitive.
benwilber0
> I probably would have gone for turning the UaF into a type confusion style attack
I'm aware that Linux is nearly 40 years old at this point, and C is even decades older. But it is mind-boggling to me that we're still talking about UAFs and jumping from dangling pointers to get privileged executions in the 21st century.
(rewrite it in Rust)
mperham
"We’ve Got a Panic!"
Looks like we've got an encoding issue too.
nyanpasu64
I'm confused. The page has a HTML5 doctype, and https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/... says that UTF-8 is the only valid encoding for HTML5 documents, yet Firefox interprets the page as Windows-1252 or such until I "Repair Text Encoding". https://webhint.io/docs/user-guide/hints/hint-meta-charset-u... says you're supposed to include a <meta charset="utf-8"> or optionally Content-Type header.
shakna
If you don't have a charset set, then you'll get the fallback for IE compatibility.
You should pretty much always use one.
aaronmdjones
The server is responding with
Content-Type: text/html
i.e. no charset field. The document itself also lacks a declared character set.
klysm
I thought this was a joke about corrupting the data intentionally
snvzz
The Linux Kernel has millions of LoCs. There'll always be bugs.
It's about time to look at a sane design, such as seL4[0].
Dwedit
Yay ROP chains!
dang
[stub for offtopicness]
cyberpunk
Cool writeup, and you have exceptional taste in fonts.
ohc
I can't read the dark blue links on the black background
gerdesj
Engage reading mode and relax.
las_balas_tres
For the love of god please change the blue on black text to something more readable
yapyap
The dark blue on black reads absolutely terribly
neuronflux
Try the Reader View feature of Firefox.
xyst
yet another "use-after-free" sploit
Rust for Linux, wen?
It's a damn shame the current maintainers are so hostile to its adoption that many of the original rust 4 linux folks have left the project.
doug713705
Did they start their own project? Linux is free, just fork it.
klysm
The 'just' doesn't belong in front of 'fork'.
xen2xen1
Rust, the new "I use Arch, BTW"
> So I set off on a journey that would lower my GPA and occasionally leave me questioning my sanity
Amazing! Sacrificing GPA for projects is always a good time