1.2k words
Here are just some side notes about Linux kernel internals that I put here to avoid having to learn the same things again and again. Every note targets Linux kernel 5.18.12. There will be a lot of code, of which I do not comment every part. Kernel heap management (SLUB, SLAB, SLOB): In the same way as for userland, the kernel has several algorithms to manage memory allocation according to what it needs (large resources or not, safety requirements, etc.). SLUB: The SLUB algorithm is the algorithm I know t...
2.5k words
Introduction: The kmem_cache structure is one of the main structures of the SLUB algorithm. It contains pointers to other structures (cpu_slab, node array) and information about the cache it describes (object_size, name). Every note targets Linux kernel 5.18.12. Overview of its role in the allocation process: Let’s dig in. Here is the definition of the kmem_cache structure: // https...
pwn
3.3k words
Once for all is a heap challenge I did during the HackTheBox Cyber Apocalypse event. This is a classic unsorted bin attack plus an FSOP on stdin. Find the tasks and the final exploit here and here. Reverse engineering: All the pseudo-code snippets are produced by IDA Freeware: int __cdecl main(int argc, const char **argv, const char **envp) { int v4; // [rsp+18h] [rbp-8h] BYREF int i; // [rsp+1Ch] [rbp-4h] for ( i = 0; i <= 49;...
pwn
2.7k words
What we can do: In the edit feature, we can overwrite the bytes right after any chunk up to the NULL byte. In the alloc handler, it iterates once too many times through the alloc array, which means it can overlap the first entry of the size array with a huge size that would actually be a chunk address; then we can easily trigger a large heap overflow. The libc version is 2.23, which means there are not many security checks on _IO_FILE_plus integrity compared to more recent versions. Top chunk free’...