Rating: 5.0

In this challenge, instead of a .ko kernel module as in a typical kernel exploitation challenge, we are provided only with a patched Linux kernel. The patch modifies verifier.c of eBPF so that an XOR operation on a pointer to a map value is allowed. The problem is that by applying XOR to such a pointer twice with different values, we can actually move the pointer to an arbitrary address, which gives us arbitrary read and write primitives. We then use these to leak a kernel address by spraying and reading tty_struct, and to rewrite modprobe_path to get root privilege.
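To make the verifier's reasoning concrete, here is a toy model of the register-type check that the real verifier.c performs for ALU instructions, written as an added example for this summary (it is not the kernel's code and not the original writeup's exploit). The register types, operation names and the `allow_ptr_xor` switch are simplifications I introduced: the unpatched rule rejects any bitwise operation on a pointer operand, because the verifier only knows a pointer's bounds relative to its map value, not its concrete bits, so it cannot bound where an XOR lands. The second function shows the algebra behind the summary: two XORs with different masks displace the pointer by `a ^ b`, and whether that lands inside the map value depends on bits of the pointer the verifier never sees.

```c
#include <stdio.h>
#include <stdint.h>
#include <inttypes.h>
#include <errno.h>

/* Hypothetical simplification of the verifier's register types (not the real enum). */
enum reg_type { SCALAR_VALUE, PTR_TO_MAP_VALUE };

/* Hypothetical simplification of the BPF ALU opcodes we care about. */
enum alu_op { ALU_ADD, ALU_SUB, ALU_XOR, ALU_AND, ALU_OR };

/*
 * Type check for one ALU instruction, modelled on the unpatched policy:
 *   - scalar op scalar            -> always fine
 *   - pointer +/- scalar          -> allowed (real verifier then bounds-checks the offset)
 *   - any bitwise op on a pointer -> rejected: the result cannot be bounded
 * allow_ptr_xor models the challenge's patch, which relaxes the XOR case.
 */
int check_alu_op(enum alu_op op, enum reg_type dst, enum reg_type src, int allow_ptr_xor)
{
    int ptr_involved = (dst == PTR_TO_MAP_VALUE) || (src == PTR_TO_MAP_VALUE);

    if (!ptr_involved)
        return 0;                       /* pure scalar arithmetic */
    if (op == ALU_ADD || op == ALU_SUB)
        return 0;                       /* offset arithmetic, bounded elsewhere */
    if (op == ALU_XOR && allow_ptr_xor)
        return 0;                       /* the patched, unsafe behaviour */
    return -EACCES;                     /* strict verifier: reject */
}

/* (ptr ^ a) ^ b == ptr ^ (a ^ b): the net effect is a displacement the verifier cannot model. */
uint64_t xor_twice(uint64_t ptr, uint64_t a, uint64_t b)
{
    return (ptr ^ a) ^ b;
}

/* 1 if result still points inside [base, base + value_size), else 0. */
int inside_map_value(uint64_t base, uint64_t result, uint64_t value_size)
{
    return result >= base && result - base < value_size;
}

int main(void)
{
    /* Constructed sample addresses; only their low bits matter for the demonstration. */
    uint64_t base_a = 0xffff888000001000ULL;  /* bit 3 clear */
    uint64_t base_b = 0xffff888000001008ULL;  /* bit 3 set  */
    uint64_t mask1 = 0x1000, mask2 = 0x1008;  /* mask1 ^ mask2 == 0x8 */

    printf("strict verifier, ptr ^ scalar: %d (expect -EACCES=%d)\n",
           check_alu_op(ALU_XOR, PTR_TO_MAP_VALUE, SCALAR_VALUE, 0), -EACCES);
    printf("patched verifier, ptr ^ scalar: %d (accepted)\n",
           check_alu_op(ALU_XOR, PTR_TO_MAP_VALUE, SCALAR_VALUE, 1));

    /* Same program, same masks, different (unknown to the verifier) pointer bits. */
    uint64_t r_a = xor_twice(base_a, mask1, mask2);
    uint64_t r_b = xor_twice(base_b, mask1, mask2);
    printf("base %#" PRIx64 " -> %#" PRIx64 " inside 16-byte value: %d\n",
           base_a, r_a, inside_map_value(base_a, r_a, 16));
    printf("base %#" PRIx64 " -> %#" PRIx64 " inside 16-byte value: %d\n",
           base_b, r_b, inside_map_value(base_b, r_b, 16));
    return 0;
}
```

The two runs of `xor_twice` use identical instructions and constants, yet one result stays inside a 16-byte map value and the other lands before it. That is exactly why a verifier that reasons only about offsets and bounds, never about the concrete address, has to refuse bitwise operations on pointers rather than try to bound them.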

Original writeup (https://mem2019.github.io/jekyll/update/2021/07/19/GCTF2021-eBPF.html).