Tags: heap race pwn kernel
Kernel driver with edit, add, delete and show options, each usable only once and each performing checks. The bug is that the ioctl handler holds no mutex, which allows the classic userfaultfd plus copy_from_user method of creating a race condition. To take control of RIP, we can create a UAF through the race on edit: stall the copy, free the chunk, allocate a useful kernel structure in its place, and then let edit finish copying its data over it. Given the size restrictions, the timerfd_ctx structure is probably a good choice for both the leak and RIP control. After taking control of RIP, it becomes a classic kernel ROP chain with a KPTI trampoline.
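The bug class above, check-then-copy in an ioctl handler with no lock, modelled in user space as an added example (this is not the challenge driver's code and not the writeup's exploit). The model keeps one note in a slab-like chunk; `dev_edit` validates the note and then copies caller data into it, with a `stall` callback standing in for the page fault that userfaultfd holds open during `copy_from_user`. `dev_delete` frees the chunk and, to make a later write into it visible, immediately hands it to a different object filled with a known pattern. `run_race` runs the same interleaving against the unlocked and the mutex-protected variant and reports whether EDIT's data landed in the other object's memory. All names, the 32-byte note size and the payload are constructed for the example.

```c
/* Added example, not from the writeup: user-space model of an ioctl race.
 * Vulnerable variant: check and copy run with no lock, so a DELETE that
 * runs while the copy is stalled frees and reuses the chunk, and EDIT then
 * finishes writing into another object. Fixed variant: one mutex is held
 * across check and copy, so DELETE must wait until EDIT has returned. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NOTE_SZ 32                 /* constructed note size */

enum owner { OWNER_NOTE, OWNER_OTHER_OBJECT };

struct note_dev {
    pthread_mutex_t lock;
    int use_lock;                  /* 0 = vulnerable driver, 1 = fixed driver */
    enum owner owner;              /* which object currently owns the chunk */
    char chunk[NOTE_SZ];           /* models the kmalloc chunk backing the note */
};

/* ioctl DELETE: free the chunk. The model immediately hands the chunk to
 * another object (the writeup's timerfd_ctx plays this role in the kernel)
 * and fills it with that object's contents, so a stray write is visible. */
static void dev_delete(struct note_dev *d)
{
    if (d->use_lock) pthread_mutex_lock(&d->lock);
    if (d->owner == OWNER_NOTE) {
        memset(d->chunk, 'O', NOTE_SZ);   /* kfree, then reuse by another object */
        d->owner = OWNER_OTHER_OBJECT;
    }
    if (d->use_lock) pthread_mutex_unlock(&d->lock);
}

/* ioctl EDIT: check that the note is live, then copy caller data into it.
 * `stall` runs between the check and the copy, where copy_from_user would
 * block on a page fault that userfaultfd keeps pending. */
static int dev_edit(struct note_dev *d, const char *user_buf, size_t len,
                    void (*stall)(void *), void *arg)
{
    if (len > NOTE_SZ) return -1;
    if (d->use_lock) pthread_mutex_lock(&d->lock);
    if (d->owner != OWNER_NOTE) {           /* the check */
        if (d->use_lock) pthread_mutex_unlock(&d->lock);
        return -1;
    }
    stall(arg);                             /* copy stalls here */
    memcpy(d->chunk, user_buf, len);        /* copy completes */
    if (d->use_lock) pthread_mutex_unlock(&d->lock);
    return 0;
}

struct racer {
    struct note_dev *dev;
    pthread_t thread;
    atomic_int attempted;          /* set once the racing DELETE is under way */
};

static void *delete_thread(void *p)
{
    struct racer *r = p;
    atomic_store(&r->attempted, 1);
    dev_delete(r->dev);
    return NULL;
}

/* The stall: start the racing DELETE and give it time to run. If the driver
 * holds the lock, DELETE blocks inside dev_delete until EDIT returns. */
static void stall_and_race(void *p)
{
    struct racer *r = p;
    pthread_create(&r->thread, NULL, delete_thread, r);
    while (!atomic_load(&r->attempted)) sched_yield();
    usleep(20000);
}

/* Returns 1 if EDIT's data ended up in the other object's memory (a UAF
 * write), 0 if the chunk still holds the other object's own contents. */
int run_race(int use_lock)
{
    struct note_dev dev = { .use_lock = use_lock, .owner = OWNER_NOTE };
    pthread_mutex_init(&dev.lock, NULL);
    struct racer r = { .dev = &dev };
    atomic_init(&r.attempted, 0);

    const char payload[NOTE_SZ] = "constructed payload";   /* constructed */
    dev_edit(&dev, payload, NOTE_SZ, stall_and_race, &r);
    pthread_join(r.thread, NULL);

    int clobbered = dev.owner == OWNER_OTHER_OBJECT &&
                    memcmp(dev.chunk, payload, NOTE_SZ) == 0;
    pthread_mutex_destroy(&dev.lock);
    return clobbered;
}

int main(void)
{
    printf("no lock: UAF write = %d\n", run_race(0));
    printf("mutex  : UAF write = %d\n", run_race(1));
    return 0;
}
```

The fix is the single mutex held from the ownership check through the end of the copy; a lock taken only around the check would leave the same window. When auditing a driver for this pattern, the things to look for are exactly the ones the model exercises: a validation step, a `copy_from_user`/`copy_to_user` that can sleep, and any path (here DELETE) that can change the object's state between the two without contending for the same lock.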