Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Linux Kernel: Exploitable vulnerability in io_uring- 633

Valentina, posted 4 years ago
  • io_uring is a Linux kernel interface for asynchronous I/O. The basics of io_uring can be found here.
  • Most files implement the read_iter/write_iter file ops. When a file does not, io_uring falls back to a loop that reads or writes the file one piece at a time, and after each piece it advances the request's buffer pointer req->rw.addr by the number of bytes transferred.
  • Normally req->rw.addr holds a userspace pointer to the buffer for the read or write. But when a request selects a buffer that was registered with IORING_OP_PROVIDE_BUFFERS, req->rw.addr instead points at a kernel-allocated object describing that buffer.
  • That kernel pointer is freed later, after the loop has already advanced it. The free is therefore applied to the original object's address plus however many bytes the caller chose to transfer, which lets you free a neighbouring slab chunk at a controllable offset. Whatever still references the wrongly freed chunk is now a dangling pointer, so this turns into a use-after-free that is straightforward to take advantage of.
  • The patch separates the kernel-buffer case from the userland-buffer case, so only a user pointer is advanced and the pointer that later gets freed is left untouched.
  • Overall, this is a super interesting primitive that could trivially be used for exploitation. It could be fun to write a full exploit for and would be a good place to start with kernel exploitation.
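To make the primitive concrete, here is an added userland C model of the loop's shape; it is my own illustration, not code from the referenced post or from the kernel. The mock_ names, the fake kernel address and the slab object size are assumptions chosen for the model. It shows that, in the vulnerable shape, the pointer handed to the free routine drifts by exactly the number of bytes the caller asked to transfer, and that separating the kernel-buffer case removes the drift.

```c
/* Constructed userland model of the io_uring pointer-advance bug
 * summarised above. Nothing here is kernel code; mock_ names and
 * MOCK_SLAB_OBJ are assumptions made for the illustration. */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
#include <inttypes.h>

#define MOCK_SLAB_OBJ 64   /* assumed slab object size for the drift calculation */

/* Minimal stand-in for the request fields the bug touches. */
struct mock_req {
    uintptr_t addr;    /* mirrors req->rw.addr: user pointer or kernel buffer object */
    size_t len;        /* mirrors req->rw.len: bytes still to transfer */
    bool kernel_buf;   /* true when addr came from buffer selection (kernel object) */
};

/* Simulated per-iteration transfer: the "file op" moves up to chunk bytes. */
static size_t mock_transfer(size_t remaining, size_t chunk)
{
    return remaining < chunk ? remaining : chunk;
}

/* Vulnerable shape: every iteration advances addr by the bytes transferred,
 * regardless of whether addr is a user pointer or the kernel object.
 * Returns the pointer that the later free would receive. */
uintptr_t mock_loop_rw_vulnerable(struct mock_req *req, size_t chunk)
{
    while (req->len) {
        size_t nr = mock_transfer(req->len, chunk);
        req->len -= nr;
        req->addr += nr;          /* bug: also applied to the kernel pointer */
    }
    return req->addr;
}

/* Fixed shape: the kernel-buffer case is handled separately, so the pointer
 * that will later be freed is never advanced. */
uintptr_t mock_loop_rw_fixed(struct mock_req *req, size_t chunk)
{
    while (req->len) {
        size_t nr = mock_transfer(req->len, chunk);
        req->len -= nr;
        if (!req->kernel_buf)
            req->addr += nr;      /* only user pointers are advanced */
    }
    return req->addr;
}

/* How many slab slots the free has drifted from the intended object
 * (0 means the correct object is freed). */
long mock_slab_drift(uintptr_t object, uintptr_t freed, size_t obj_size)
{
    return (long)((freed - object) / obj_size);
}

int main(void)
{
    uintptr_t kbuf = 0xffff888012345000ULL;   /* constructed kernel object address */
    size_t total = 3 * MOCK_SLAB_OBJ;         /* caller-chosen transfer length */
    struct mock_req vuln = { kbuf, total, true };
    struct mock_req good = { kbuf, total, true };

    uintptr_t f1 = mock_loop_rw_vulnerable(&vuln, 4096);
    uintptr_t f2 = mock_loop_rw_fixed(&good, 4096);

    printf("vulnerable frees 0x%" PRIxPTR " (drift %ld slots)\n",
           f1, mock_slab_drift(kbuf, f1, MOCK_SLAB_OBJ));
    printf("fixed frees      0x%" PRIxPTR " (drift %ld slots)\n",
           f2, mock_slab_drift(kbuf, f2, MOCK_SLAB_OBJ));
    return 0;
}
```

The transfer length is the knob: with a 64-byte object size, asking for 192 bytes moves the free three slots past the object the kernel meant to release, which is the "controllable offset" the summary refers to.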