Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/jann/statuses/114992731248747587">Jann Horn (jann@infosec.exchange)'s status on Tuesday, 12-Aug-2025 15:51:10 JST</a><a href="https://infosec.exchange/@jann" title="jann@infosec.exchange"><img src="https://gnusocial.jp/avatar/171708-48-20230912164339.webp" width="48" height="48" alt="Jann Horn" style="position: absolute; left: 0; top: 0;">Jann Horn</a></section><article><p>I found a Linux kernel security bug (in AF_UNIX) and decided to write a kernel exploit for it that can go straight from "attacker can run arbitrary native code in a seccomp-sandboxed Chrome renderer" to kernel compromise:<br><a href="https://googleprojectzero.blogspot.com/2025/08/from-chrome-renderer-code-exec-to-kernel.html" rel="nofollow">https://googleprojectzero.blogspot.com/2025/08/from-chrome-renderer-code-exec-to-kernel.html</a></p><p>This post includes fun things like:</p><ul><li>a nice semi-arbitrary read primitive combined with an annoying write primitive</li><li>slowing down usercopy without FUSE or userfaultfd</li><li>CONFIG_RANDOMIZE_KSTACK_OFFSET as an exploitation aid</li><li>a rarely-used kernel feature that Chrome doesn't need but is reachable in the Chrome sandbox</li><li>sched_getcpu() usable inside Chrome renderers despite getcpu being blocked by seccomp (thanks to vDSO)</li></ul></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/5485995#notice-10766094">In conversation</a><time datetime="2025-08-12T15:51:10+09:00" title="Tuesday, 12-Aug-2025 15:51:10 JST">about a month ago</time> <span>from <span><a href="https://infosec.exchange/@jann/114992731248747587" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@jann/114992731248747587">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/5066081">Untitled attachment</a></label><br></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Jann Horn (jann@infosec.exchange)'s status on Tuesday, 12-Aug-2025 15:51:10 JST Jann Horn
I found a Linux kernel security bug (in AF_UNIX) and decided to write a kernel exploit for it that can go straight from "attacker can run arbitrary native code in a seccomp-sandboxed Chrome renderer" to kernel compromise:
https://googleprojectzero.blogspot.com/2025/08/from-chrome-renderer-code-exec-to-kernel.html
This post includes fun things like:
- a nice semi-arbitrary read primitive combined with an annoying write primitive
- slowing down usercopy without FUSE or userfaultfd
- CONFIG_RANDOMIZE_KSTACK_OFFSET as an exploitation aid
- a rarely-used kernel feature that Chrome doesn't need but is reachable in the Chrome sandbox
- sched_getcpu() usable inside Chrome renderers despite getcpu being blocked by seccomp (thanks to vDSO)
In conversationabout a month ago from infosec.exchangepermalink
Attachments
1. Untitled attachment

Public

Embed Notice

HTML Code

Corresponding Notice