The vulnerability is an Use-After-Free that impacts the registered file descriptor functionality in the io_uring subsystem. It's possible to register a file in the io_uring context, free it from the Unix Garbage Collector and re-use it with the requested io_uring operation (for example, a writev operation). To exploit the bug, it was a matter of replace the freed file structure with a read-only file (e.g. /etc/passwd), in order to write into it, and achieve a good timing with a small race window.
kiks7/CVE-2022-2602-Kernel-Exploit
Folders and files
| Name | Name | Last commit date | ||
|---|---|---|---|---|