YoVDO

Exploiting Race Conditions Using the Scheduler

Offered By: Linux Foundation via YouTube

Tags

Conference Talks Courses, Cybersecurity Courses, Race Conditions Courses, Kernel Exploitation Courses

Course Description

Overview

Explore how to exploit race conditions using the scheduler in this 34-minute conference talk by Jann Horn from Google. Delve into two specific bugs with narrow race windows in the Linux kernel and Android userspace code, and learn how they can be exploited on a Google Pixel 2 phone running Linux 4.4. Discover techniques involving unprivileged sched_*() syscalls, the Translation Lookaside Buffer (TLB), mremap() for moving memory mappings, and fallocate() for file space allocation. Examine the exploit plan, including the buddy allocator, preemption, and scheduler control. Investigate the Android kernel exploit involving app-zygote interaction, userfaultfd, FUSE, and kcmp() for a reliable use-after-free (UAF). Analyze priority inversion, major faults, and repeated file mapping faults. Gain insights into exploiting the struct file refcount and the race condition in hwservicemanager_mutex on kernel 4.4.

Syllabus

Intro
Translation Lookaside Buffer (TLB)
mremap() moving a memory mapping
fallocate() (de)allocate space for a file
Exploit plan: Basics
Buddy allocator
Preemption
Scheduler control
Android kernel exploit (app - zygote)
userfaultfd and FUSE
kcmp() for reliable UAF
FUSE for exploiting struct file refcount
int getpidcon(pid_t pid, char **context)
Bug 3: race condition in hwservicemanager_mutex on kernel 4.4
Priority Inversion
Major faults
Repeated file mapping faults


Taught by

Linux Foundation

Related Courses

Paradigms of Computer Programming – Abstraction and Concurrency
Université catholique de Louvain via edX
Concurrency in Go
University of California, Irvine via Coursera
Multithreading (Многопоточность)
Moscow Institute of Physics and Technology via Coursera
Introduction to Ethereum DeFi Smart Contract Security & Exploits
Coursera Project Network via Coursera
Concurrency in Go (Golang)
Udemy