# Awesome

See `notes.md` for information on the bug, and `ixode.c` for the proof-of-concept exploit that triggers the KASAN splat in `splat.txt`.
Tested on 6.10.2 (as root! this is patched for unpriv) with the config in `repro_config` -- which is a lightly modified (+KASAN, -Canonical certs) config pulled from Ubuntu LTS. It's overkill for what we're doing here, but hey ho.
Source ref: https://github.com/torvalds/linux/blob/master/drivers/tty/n_gsm.c
To reproduce, make sure you have `/dev/pts` mounted, so you can grab a pseudoterminal:

```
# mount proc -t proc /proc
# mkdir /dev/pts
# mount devpts -t devpts /dev/pts
```
You can't reproduce this on `/dev/tty1` anymore, as there are now checks to prevent setting weird line disciplines for the main console.
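The three mount commands above assume a bare environment (a fresh initramfs or test VM). The script below is an added example, not part of this repository, that does the same setup idempotently: it parses `/proc/mounts` to see whether `proc` and a `devpts` instance are already present before mounting anything, and then confirms that `/dev/ptmx` exists so a pseudoterminal can actually be allocated. Function names, the `--run` flag and the constructed mounts text in the test are my own; the mounts themselves need root, the checks do not.

```shell
#!/bin/sh
# Added example (not the repo's own code): idempotent setup of /proc and
# /dev/pts for a minimal VM or initramfs, with a check that a pty is usable.

# mounted_at MOUNTS_TEXT FSTYPE MOUNTPOINT
# Succeeds if MOUNTS_TEXT (in the format of /proc/mounts: device, mountpoint,
# fstype, options, dump, pass) shows FSTYPE mounted at MOUNTPOINT. Taking the
# text as an argument lets the logic be checked against constructed input.
mounted_at() {
    printf '%s\n' "$1" | awk -v fs="$2" -v mp="$3" \
        '$2 == mp && $3 == fs { found = 1 } END { exit found ? 0 : 1 }'
}

# ensure_mount FSTYPE MOUNTPOINT [SOURCE]
# Mounts FSTYPE at MOUNTPOINT unless /proc/mounts already shows it there.
# SOURCE defaults to the fs type, matching "mount proc -t proc /proc".
ensure_mount() {
    fs=$1; mp=$2; src=${3:-$1}
    if [ -r /proc/mounts ] && mounted_at "$(cat /proc/mounts)" "$fs" "$mp"; then
        echo "$mp: $fs already mounted"
        return 0
    fi
    mkdir -p "$mp"
    mount "$src" -t "$fs" "$mp"
}

# pty_available: /dev/ptmx must exist and /dev/pts must be a devpts mount,
# otherwise opening a pseudoterminal will fail.
pty_available() {
    [ -c /dev/ptmx ] && [ -r /proc/mounts ] \
        && mounted_at "$(cat /proc/mounts)" devpts /dev/pts
}

main() {
    ensure_mount proc /proc
    ensure_mount devpts /dev/pts
    if pty_available; then
        echo "pseudoterminals can be allocated via /dev/ptmx"
    else
        echo "no usable devpts at /dev/pts" >&2
        return 1
    fi
}

# Only perform the mounts when invoked with --run (e.g. "sh setup_pts.sh --run"),
# so the functions can be sourced and exercised without root.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as root with `--run` before starting the reproducer; on a system where `/dev/pts` is already mounted it changes nothing and just reports the existing state.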