New attack against the SLUB allocator
Researchers from Graz University of Technology have
https://www.stefangast.eu/papers/slubstick.pdf
details of a new attack
on the Linux kernel called SLUBstack. The attack uses timing information to turn an ability to trigger use-after-free or double-free bugs into the ability to overwrite page tables, and thence into the ability to read and write arbitrary areas of memory. The good news is that this attack does require an existing bug to be usable; the bad news is that the kernel regularly sees bugs of this kind.
We assume that an unprivileged user has code execution.
Additionally, we consider the presence of a heap vulnerability
in the Linux kernel. We assume that the Linux kernel
incorporates all defense mechanisms available in version 6.4, the
most recent Linux kernel version when we started our work.
These mechanisms include features such as WˆX, KASLR,
SMAP, and kCFI. We do not assume any microarchitectural
vulnerabilities, e.g., transient execution, fault
injection, or hardware side channels.
https://lwn.net/Articles/984984/