Oddbean

New attack against the SLUB allocator Researchers from Graz University of Technology have https://www.stefangast.eu/papers/slubstick.pdf details of a new attack on the Linux kernel called SLUBstack. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind. We assume that an unprivileged user has code execution. Additionally, we consider the presence of a heap vulnerability in the Linux kernel. We assume that the Linux kernel incorporates all defense mechanisms available in version 6.4, the most recent Linux kernel version when we started our work. These mechanisms include features such as WˆX, KASLR, SMAP, and kCFI. We do not assume any microarchitectural vulnerabilities, e.g., transient execution, fault injection, or hardware side channels. https://lwn.net/Articles/984984/