https://kiperz.dev/tags/lactf-2025/ Recent content in Lactf 2025 on kiperZ Hugo -- 0.147.7 en-us Sun, 17 May 2026 00:00:00 +0000 https://kiperz.dev/writeups/messenger/ Sun, 17 May 2026 00:00:00 +0000 https://kiperz.dev/writeups/messenger/ <h2 id="tldr">TL;DR</h2> <p>A 3-byte heap OOB write in <code>msgsnd()</code> is leveraged into a page-level UAF and then into root via a <code>struct cred</code> overwrite (PageJack).</p> <pre tabindex="0"><code>Description: i love sending messages, so i made it possible to add just a few more bytes to them </code></pre><h2 id="vulnerability">Vulnerability</h2> <p>A custom Linux 6.10.9 kernel ships with the following patch in <code>ipc/msgutil.c</code>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-diff" data-lang="diff"><span style="display:flex;"><span><span style="color:#75715e">@@ -93,7 +93,7 @@ </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> return ERR_PTR(-ENOMEM); </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> alen = min(len, DATALEN_MSG); </span></span><span style="display:flex;"><span><span style="color:#f92672">- if (copy_from_user(msg + 1, src, alen)) </span></span></span><span style="display:flex;"><span><span style="color:#f92672"></span><span style="color:#a6e22e">+ if (copy_from_user(msg + 1, src, alen + 3)) </span></span></span><span style="display:flex;"><span><span style="color:#a6e22e"></span> goto out_err; </span></span></code></pre></div><p><code>load_msg()</code>, invoked by <code>msgsnd()</code>, copies <code>alen + 3</code> bytes from userland into a freshly-allocated <code>msg_msg</code> slab object. Three bytes are written past the end of the slot, into the next object in the same slab. The allocation size (via <code>msgsz</code>) and the three overflow bytes (bytes <code>[msgsz, msgsz+1, msgsz+2]</code> of the user buffer) are both attacker-controlled.</p>