Problem
Environment
- linux version: 5.10.127
- CONFIG_SLUB_DEBUG=y
- CONFIG_SLUB=y
- CONFIG_SLAB_FREELIST_RANDOM=y
- CONFIG_SLAB_FREELIST_HARDENED=y
Simple description
The goal of this challenge is to escape a seccomp-confined Docker container using an off-by-one in kmalloc-4k.
The seccomp profile prevents us from using struct msg_msg and struct msg_msgseg.
So we need to find another structure that lets us exploit the off-by-one. After gaining RIP control (ROP or similar), we still have to escalate privileges (LPE) and then escape Docker.
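As an added illustration (not the challenge's real Docker seccomp profile, which is not reproduced on this page), the following C program shows one way a profile can rule out struct msg_msg and struct msg_msgseg: deny the SysV message queue syscalls that are the only user-space path to allocating them. It also includes a probe you can run inside a target container to confirm whether msgget() is still reachable before spending time on a msg_msg-based spray. The filter, the function names and the EPERM choice are assumptions of this example.

```c
/* Added example: a minimal seccomp-BPF filter that denies the SysV message
 * queue syscalls (msgget/msgsnd/msgrcv), plus a probe that reports whether
 * the current process can still call msgget(). Illustrative only; this is
 * not the challenge's real seccomp profile. Linux only.
 * Build: cc -O2 -o seccomp_msg seccomp_msg.c */
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Deny msgget/msgsnd/msgrcv with EPERM; every other syscall is allowed.
 * Returns 0 on success, or -errno if the filter could not be installed
 * (for example on a kernel without seccomp filter support). */
int install_msg_blocklist(void)
{
    struct sock_filter filt[] = {
        /* Load the syscall number. A production filter must also check
         * seccomp_data.arch (e.g. AUDIT_ARCH_X86_64); without it, on x86_64
         * the x32 ABI numbers (bit 30 set) would not match and would slip
         * through. Omitted here to keep the example architecture-neutral. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* jt/jf are relative jumps: a match skips ahead to the ERRNO return. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_msgget, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_msgsnd, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_msgrcv, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filt) / sizeof(filt[0])),
        .filter = filt,
    };

    /* Unprivileged processes may only install a filter after no_new_privs. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* Try to create, then immediately remove, a private message queue.
 * Returns 0 if msgget() works, otherwise the errno it failed with
 * (EPERM under the filter above, ENOSYS if SysV IPC is compiled out). */
int probe_msgget(void)
{
    int id = msgget(IPC_PRIVATE, IPC_CREAT | 0600);
    if (id < 0)
        return errno;
    msgctl(id, IPC_RMID, NULL);
    return 0;
}

int main(void)
{
    int r = probe_msgget();
    printf("before filter: msgget -> %s\n", r ? strerror(r) : "ok");

    r = install_msg_blocklist();
    if (r != 0) {
        printf("could not install seccomp filter: %s\n", strerror(-r));
        return 1;
    }

    r = probe_msgget();
    printf("after filter:  msgget -> %s\n", r ? strerror(r) : "ok");
    return 0;
}
```

Run the probe half alone inside the target container (drop the install call) to learn whether the msg_msg path is really closed; SECCOMP_RET_ERRNO was chosen over SECCOMP_RET_KILL so that a blocked call shows up as a clean EPERM rather than killing the process.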
Module
The module is simple: it prints how many times each syscall has been called and lets us filter which syscalls are counted.
It uses the syscall statistics patch from https://lwn.net/Articles/896474/ (see build/build_kernel.sh).