Linux Foundation

Exploiting Race Conditions Using the Scheduler

Linux Foundation via YouTube

Overview

Explore how to exploit race conditions using the scheduler in this 34-minute conference talk by Jann Horn from Google. Delve into two specific bugs with narrow race windows in the Linux kernel and Android userspace code, and learn how they can be exploited on a Google Pixel 2 phone running Linux 4.4. Discover techniques involving unprivileged sched_*() syscalls, the Translation Lookaside Buffer (TLB), mremap() for moving memory mappings, and fallocate() for (de)allocating file space. Examine the exploit plan, including the buddy allocator, preemption, and scheduler control. Investigate the Android kernel exploit involving app-zygote interaction, userfaultfd, FUSE, and kcmp() for a reliable use-after-free. Analyze priority inversion, major faults, and repeated file mapping faults. Gain insights into exploiting the struct file refcount and a race condition on hwservicemanager_mutex on kernel 4.4.

Syllabus

Intro
Translation Lookaside Buffer (TLB)
mremap() moving a memory mapping
fallocate() (de)allocate space for a file
Exploit plan: Basics
Buddy allocator
Preemption
Scheduler control
Android kernel exploit (app - zygote)
userfaultfd and FUSE
kcmp() for reliable UAF
FUSE for exploiting struct file refcount
int getpidcon(pid_t pid, char **context)
Bug 3: race condition in hwservicemanager_mutex on kernel 4.4
Priority Inversion
Major faults
Repeated file mapping faults

Taught by

Linux Foundation
