You are viewing a single comment's thread from:

RE: LeoThread 2024-11-17 10:12

in LeoFinance7 days ago

Part 3/5:

By triggering a double-free in the socket buffer (SKB) free list, the researchers were able to corrupt the metadata of the free list. They then used this to arbitrarily allocate a page middle descriptor (PMD), which is a component of the Linux kernel's page table system. This allowed them to overwrite a page table entry that corresponds to the kernel itself.

Bypassing Defenses and Executing Arbitrary Code

The researchers had to overcome several challenges to make this exploit work. They had to pin the exploit to a single CPU core, as each CPU has its own page table lookup descriptors and translation lookaside buffer (TLB) caching. They also had to find a way to flush the TLB to ensure their changes were reflected.

[...]