Your Trash Kernel Bug, My Precious 0-day

Conference: BlackHat USA 2021

2021-11-10

Summary

The presentation discusses a new technical method for turning seemingly low-risk kernel bugs into memory corruption vulnerabilities, and demonstrates how this approach can be used to escalate Linux kernel non-security bugs into exploitable vulnerabilities.

  • Kernel fuzzing techniques have led to the discovery of over 2,000 kernel bug reports on Linux in the past two years
  • Memory corruption is typically the prerequisite for exploiting the Linux kernel and obtaining unauthorized root privileges
  • A new technical method is introduced to turn low-risk kernel bugs into memory corruption vulnerabilities
  • The approach is demonstrated on a real-world bug in the CentOS kernel, which was successfully turned into an exploitable vulnerability
  • The presentation highlights the importance of checking for unfixed exploitable bugs in vendor kernels, since many bugs have no CVE and their exploitability is unknown
  • The speaker also provides his contact information and expresses interest in internship opportunities

The speaker demonstrates how a seemingly low-risk bug in the CentOS kernel was turned into an exploitable vulnerability capable of leaking kernel data and hijacking kernel control flow. This highlights the importance of thoroughly assessing a kernel bug's severity and exploitability, since seemingly low-risk bugs can be escalated into severe memory corruption.

Abstract

The advance of kernel fuzzing techniques has significantly benefited the discovery of kernel bugs. According to our statistics on Syzbot, Syzkaller has already unveiled more than 2,000 kernel bug reports on Linux over the past two years. From the security analyst's perspective, a kernel bug report that demonstrates memory corruption usually receives more attention than one exhibiting only a WARNING or a NULL pointer dereference, simply because memory corruption is typically the prerequisite for exploiting the Linux kernel and obtaining unauthorized root privileges. In this talk, we will introduce a new technical method to turn those seemingly low-risk bugs into memory corruption vulnerabilities. We will demonstrate how we leverage the proposed technique to escalate Linux kernel non-security bugs into exploitable vulnerabilities. Along with our demonstration, we will show unprecedented exploitability against the broadly adopted CentOS and many CentOS-based distros such as TencentOS and Alibaba Cloud Linux OS. Last but not least, we will release our technical approach as a tool for the community to thoroughly assess a kernel bug's severity and exploitability.
