[binary] Edge Vulns, a SHA-3 Overflow, and an io_uring Exploit
Day[0]
IO Ring Setup Pull
The bug is an IO wreck and it gets called whenever asynchronous things need to happen, such as a splice operation. If two tasks try to submit IO requests to the same ring simultaneously, they could end up being submitted into one work queue. Now, this is a bit tricky to exploit because CONFIG_HARDENED_USERCOPY disallows copying user data across a slot boundary. So while normally you'd want to try to get some reallocation using a typical heap spray to get control over the rest of the object, the hardened usercopy checks will detect that and blow up.