The vulnerability is an Use-After-Free that impacts the registered file descriptor functionality in the io_uring subsystem. It's possible to register a file in the io_uring context, free it from the Unix Garbage Collector and re-use it with the requested io_uring operation (for example, a writev
operation). To exploit the bug, it was a matter of replace the freed file structure with a read-only file (e.g. /etc/passwd), in order to write into it, and achieve a good timing with a small race window.
xsec / cve-2022-2602-kernel-exploit Goto Github PK
View Code? Open in Web Editor NEWThis project forked from kiks7/cve-2022-2602-kernel-exploit