Conversation

Notices

1. Embed this notice
   Jann Horn (jann@infosec.exchange)'s status on Tuesday, 12-Aug-2025 15:51:10 JST Jann Horn

   I found a Linux kernel security bug (in AF_UNIX) and decided to write a kernel exploit for it that can go straight from "attacker can run arbitrary native code in a seccomp-sandboxed Chrome renderer" to kernel compromise:
   https://googleprojectzero.blogspot.com/2025/08/from-chrome-renderer-code-exec-to-kernel.html

   This post includes fun things like:

   • a nice semi-arbitrary read primitive combined with an annoying write primitive
   • slowing down usercopy without FUSE or userfaultfd
   • CONFIG_RANDOMIZE_KSTACK_OFFSET as an exploitation aid
   • a rarely-used kernel feature that Chrome doesn't need but is reachable in the Chrome sandbox
   • sched_getcpu() usable inside Chrome renderers despite getcpu being blocked by seccomp (thanks to vDSO)
   • James Morris likes this.
   • Embed this notice
     Jann Horn (jann@infosec.exchange)'s status on Tuesday, 12-Aug-2025 15:51:09 JST Jann Horn

     in reply to

     • Christian Brauner ??

     @brauner new feature work is one of the best ways to find bugs in existing code, I think :D

     James Morris likes this.
   • Embed this notice
     Christian Brauner ?? (brauner@mastodon.social)'s status on Tuesday, 12-Aug-2025 15:51:10 JST Christian Brauner ??

     in reply to

     @jann The real culprit here is coredumps in a way.

   • Embed this notice
     James Morris (jmorris@social.kernel.org)'s status on Tuesday, 12-Aug-2025 16:07:06 JST James Morris

     in reply to

     • Christian Brauner ??
     @brauner @jann How so?
   • Embed this notice
     Jann Horn (jann@infosec.exchange)'s status on Thursday, 14-Aug-2025 04:24:16 JST Jann Horn

     in reply to

     • James Morris
     • Christian Brauner ??

     @jmorris @brauner Christian is joking about how I only learned about this feature because I looked at a patch that intended to use MSG_OOB as part of the new core dumping mechanism

     James Morris likes this.