[HN Gopher] Linux Kernel Exploitation: Attack of the Vsock
___________________________________________________________________
Linux Kernel Exploitation: Attack of the Vsock
Author : todsacerdoti
Score : 102 points
Date : 2025-04-30 19:03 UTC (3 hours ago)
(HTM) web link (hoefler.dev)
(TXT) w3m dump (hoefler.dev)
| klysm wrote:
| > So I set off on a journey that would lower my GPA and
| occasionally leave me questioning my sanity
|
| Amazing! Sacrificing GPA for projects is always a good time
| dudus wrote:
| As a teacher once told me.
|
| "Never let school limit your education"
| technothrasher wrote:
| I learned a ton while at my university. Much of it was
| outside of my classwork.
| nzeid wrote:
| For those wondering this is a common paraphrase of Grant
| Allen and Mark Twain. Here we say "Never let school get in
| the way of a good education."
| anyfoo wrote:
| I really liked the old German university concept, the one
| before we just took over Bachelor/Master.
|
| Throughout my CS studies, I was just collecting "tickets" (very
| hard to translate the actual word, "Schein"), which basically
| just attested that you have passed a course. They (often) had a
| grade on it, but it did not matter. Instead, once in the middle
| ("pre-diploma") and once at the very end of your time at
| university, you'd have oral exams. And _those_ determined your
| grade. To attend them, you needed the right combination of
| "tickets".
|
| The glaring downside of this system is that if you had a bad
| time in those few months of your very final exams, you could
| screw up your entire grade.
|
| The upside of it, is that I was free (and encouraged) to pursue
| whatever I wanted, without each course risking to have an
| effect on my "GPA". I had way more tickets than I needed in the
| end, and still time and energy to pursue whatever else I wanted
| (playing with microcontrollers etc.).
| klysm wrote:
| I had a couple of classes in USA uni that worked quite
| similarly. The professor said we can take the quizzes if we
| want, and if we didn't then the later quizzes would
| constitute more of your grade. The ultimate play was to only
| take the final quiz.
| cherryteastain wrote:
| > The ultimate play was to only take the final quiz.
|
| This is how a lot of British undergrad courses ('modules')
| work. One giant exam at the very end determining
| everything; no quizzes, no problem sheets, no midterms.
| xen2xen1 wrote:
| Would not be a surprise if AI brought this back.
| Dwedit wrote:
| Yay Rop Chains!
| xyst wrote:
| yet another "use-after-free" sploit
|
| Rust for Linux, wen?
|
| It's a damn shame the current maintainers are so hostile to its
| adoption that many of the original rust 4 linux folks have left
| the project.
| doug713705 wrote:
| Did they start their own project? Linux is free, just fork it.
| klysm wrote:
| The 'just' doesn't belong in front of 'fork'.
| xen2xen1 wrote:
| Rust, the new "I use Arch, BTW"
| chc4 wrote:
| Going for the pipe spray is a kinda weird technique, and I'm
| honestly surprised that it worked. Usually just the fact that you
| are able to spray over the allocation at all isn't enough, and
| you also have to worry about your sprayed data containing
| additional pointers or things that also have to be valid.
|
| I probably would have gone for turning the UaF into a type
| confusion style attack: if you spray more sockets you'll end up
| with two files, the original and the new one, that have aliased
| sk members, but the vsock code will incorrectly cast the new one
| to a `vsock_sock`. From there you can probably find some other
| socket type that puts controllable data over some field that
| vsock treats as a pointer or vice versa, and use it as both a
| kaslr leak and data-only r/w primitive.
| benwilber0 wrote:
| > I probably would have gone for turning the UaF into a type
| confusion style attack
|
| I'm aware that Linux is nearly 40 years old at this point, and C
| is even decades older. But it is mind-boggling to me that we're
| still talking about UAFs and jumping from dangling pointers to
| get privileged execution in the 21st century.
|
| (rewrite it in Rust)
| mperham wrote:
| "WeaEUR(tm)ve Got a Panic!"
|
| Looks like we've got an encoding issue too.
| bombcar wrote:
| I kind of want to trademark aEUR so that aEUR(tm) is not just
| mojibake.
| klysm wrote:
| I thought this was a joke at corrupting the data intentionally
| nyanpasu64 wrote:
| I'm confused. The page has a HTML5 doctype, and
| https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/...
| says that UTF-8 is the only valid encoding for HTML5 documents,
| yet Firefox interprets the page as Windows-1252 or such until I
| "Repair Text Encoding". https://webhint.io/docs/user-
| guide/hints/hint-meta-charset-u... says you're supposed to
| include a <meta charset="utf-8"> or optionally Content-Type
| header.
| shakna wrote:
| If you don't have a charset set, then you'll get the fallback
| for IE compatibility.
|
| You should pretty much always use one.
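The Windows-1252 fallback that nyanpasu64 and shakna describe, and the "WeaEUR(tm)ve" mojibake it produces, as an added example that is not part of the thread; `render` is an assumed simplification of how a browser chooses a decoder (real browsers also sniff a BOM and the HTTP header), and the title bytes are constructed.

```python
from typing import Optional
import re

# Constructed sample: the article title as the author wrote it, sent as UTF-8.
TITLE_UTF8 = "We’ve Got a Panic!".encode("utf-8")


def render(body: bytes, declared_charset: Optional[str]) -> str:
    """Simplified model of a browser picking a decoder (assumption: real
    browsers also sniff a BOM and the HTTP Content-Type header). With no
    charset declared, the legacy Windows-1252 fallback applies, so the
    three UTF-8 bytes of U+2019 (E2 80 99) come out as the three cp1252
    characters â € ™."""
    return body.decode(declared_charset or "cp1252", errors="replace")


def has_charset_declaration(html: str) -> bool:
    """Check for an in-document encoding declaration: either
    <meta charset=...> or <meta http-equiv="Content-Type" content="...charset=...">.
    Browsers only honour a declaration found in the first 1024 bytes."""
    head = html[:1024]
    return re.search(r"<meta\s[^>]*charset\s*=", head, re.IGNORECASE) is not None


def looks_like_mojibake(text: str) -> bool:
    """Heuristic: if re-encoding as cp1252 yields valid UTF-8 that differs
    from the input, the text was UTF-8 mis-decoded under the cp1252 fallback.
    Correctly decoded text fails the round trip and is reported as clean."""
    try:
        return text.encode("cp1252").decode("utf-8") != text
    except (UnicodeEncodeError, UnicodeDecodeError):
        return False


def repair(text: str) -> str:
    """Undo the cp1252 mis-decoding when detected; otherwise return as-is."""
    return text.encode("cp1252").decode("utf-8") if looks_like_mojibake(text) else text


if __name__ == "__main__":
    print(render(TITLE_UTF8, "utf-8"))
    broken = render(TITLE_UTF8, None)
    print(broken)          # Weâ€™ve Got a Panic!
    print(repair(broken))  # We’ve Got a Panic!
```

The "aEUR(tm)" seen on the page is this same â€™ sequence after a further ASCII transliteration step (â to a, € to EUR, ™ to (tm)).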
| dang wrote:
| [stub for offtopicness]
| cyberpunk wrote:
| Cool writeup, and you have exceptional taste in fonts.
| ohc wrote:
| I can't read the dark blue links on the black background
| gerdesj wrote:
| Engage reading mode and relax.
| yapyap wrote:
| The dark blue on black reads absolutely terribly
| neuronflux wrote:
| Try the Reader View feature of Firefox.
| las_balas_tres wrote:
| For the love of god please change the blue on black text to
| something more readable
___________________________________________________________________
(page generated 2025-04-30 23:00 UTC)