Modern Linux Kernel 0,1-day Unkind-Exploitations Review

posted by zer0day

tl;dr: Last time, I posted about the 1-day vulnerability CVE-2017-5123, a waitid() arbitrary R/W with null-deref on LK v4.13.x/~v4.14.0-rc4. It happened simply because there is no sanity check at all on whether the input space (*infop exactly) is kernel-land or user-land. Also, you can find other good payloads that include sandbox-bypass like the chrome-sandbox one (actually, it's kind of a different vulnerability, but...), a fully-chained something, etc. Anyway, recently, I've been
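As an added illustration (not code from the original post or from the kernel), here is a user-space C model of the missing check the tl;dr describes: a syscall-style copy-out that trusts a caller-supplied infop pointer, beside the variant that rejects any destination outside the user range before writing. The flat memory array, the MODEL_TASK_SIZE split and the struct layout are constructed for the model and are assumptions, not kernel values.

```c
#include <stddef.h>
#include <string.h>

/* Constructed user-space model of the CVE-2017-5123 pattern; not kernel code.
 * A flat array stands in for the address space: offsets below MODEL_TASK_SIZE
 * play user-land, everything at or above it plays kernel-land. */
#define EFAULT          14
#define MODEL_TASK_SIZE 0x1000UL   /* assumed user/kernel split for the model */
#define MODEL_MEM_SIZE  0x2000UL
static unsigned char model_mem[MODEL_MEM_SIZE];
struct model_siginfo { int si_signo; int si_status; int si_pid; };

/* Plays the role of access_ok(): the whole destination must sit below TASK_SIZE.
 * Written as a subtraction so addr + len cannot wrap around. */
int model_access_ok(unsigned long addr, unsigned long len)
{
    return addr < MODEL_TASK_SIZE && len <= MODEL_TASK_SIZE - addr;
}

/* Plays the role of unsafe_put_user(): a raw write with no range check of its own. */
static void model_unsafe_put(unsigned long addr, const void *src, size_t len)
{
    memcpy(model_mem + addr, src, len);
}

/* Vulnerable shape: infop is trusted, so a kernel-range destination is written
 * exactly like a user-range one (the bounds test only keeps the model array safe). */
int waitid_copyout_vulnerable(unsigned long infop, const struct model_siginfo *info)
{
    if (infop > MODEL_MEM_SIZE - sizeof(*info))
        return -EFAULT;
    model_unsafe_put(infop, info, sizeof(*info));
    return 0;
}

/* Fixed shape: validate the destination range first, then do the same raw write. */
int waitid_copyout_fixed(unsigned long infop, const struct model_siginfo *info)
{
    if (!model_access_ok(infop, sizeof(*info)))
        return -EFAULT;
    model_unsafe_put(infop, info, sizeof(*info));
    return 0;
}

/* Read back what landed at addr so a caller can observe the write, or its absence. */
int model_read_signo(unsigned long addr)
{
    struct model_siginfo out;
    memcpy(&out, model_mem + addr, sizeof out);
    return out.si_signo;
}
```

The fixed variant returns -EFAULT for a kernel-range infop and leaves that memory untouched, while the vulnerable variant writes there as if it were user memory.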