From 961ac1ed667fe76036ba7b95eaf72c821ecf1d71 Mon Sep 17 00:00:00 2001
From: Andrey Konovalov
Date: Thu, 4 Nov 2021 21:51:14 +0100
Subject: September/October updates

---
 README.md | 52 +++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 51 insertions(+), 1 deletion(-)

(limited to 'README.md')

diff --git a/README.md b/README.md
index 4b0168b..3271df7 100644
--- a/README.md
+++ b/README.md
@@ -261,6 +261,12 @@ Subscribe to [@linkersec](https://t.me/linkersec) on Telegram for highlights.
 
 ### LPE
 
+[2021: "How a simple Linux kernel memory corruption bug can lead to complete system compromise" by Jann Horn](https://googleprojectzero.blogspot.com/2021/10/how-simple-linux-kernel-memory.html) [article] [CVE-TBD]
+
+[2021: "SuDump: Exploiting suid binaries through the kernel" by Itai Greenhut](https://alephsecurity.com/2021/10/20/sudump/) [article] [CVE-TBD]
+
+[2021: "CVE-2021-34866 Writeup" by HexRabbit](https://blog.hexrabbit.io/2021/11/03/CVE-2021-34866-writeup/) [article] [CVE-2021-34866]
+
 [2021: "Kernel Pwning with eBPF: a Love Story" by Valentina Palmiotti](https://www.graplsecurity.com/post/kernel-pwning-with-ebpf-a-love-story) [article] [CVE-2021-3490]
 
 [2021: "The Art of Exploiting UAF by Ret2bpf in Android Kernel" by Xingyu Jin and Richard Neal](https://conference.hitb.org/hitbsecconf2021sin/materials/D1T1%20-%20%20The%20Art%20of%20Exploiting%20UAF%20by%20Ret2bpf%20in%20Android%20Kernel%20-%20Xingyu%20Jin%20&%20Richard%20Neal.pdf) [slides] [CVE-2021-0399]
@@ -287,6 +293,8 @@ Subscribe to [@linkersec](https://t.me/linkersec) on Telegram for highlights.
 
 [2021: "ZDI-20-1440: An Incorrect Calculation Bug in the Linux Kernel eBPF Verifier" by Lucas Leong](https://www.zerodayinitiative.com/blog/2021/1/18/zdi-20-1440-an-incorrect-calculation-bug-in-the-linux-kernel-ebpf-verifier) [article]
 
+[2021: "ZDI-20-1440 Writeup" by HexRabbit](https://blog.hexrabbit.io/2021/02/07/ZDI-20-1440-writeup/) [article]
+
 [2021: "SSD Advisory – OverlayFS PE"](https://ssd-disclosure.com/ssd-advisory-overlayfs-pe/) [article] [CVE-2021-3493]
 
 [2021: "[BugTales] A Nerve-Racking Bug Collision in Samsung's NPU Driver" by Gyorgy Miru](https://labs.taszk.io/articles/post/bug_collision_in_samsungs_npu_driver/) [article] [CVE-2020-28343, SVE-2020-18610]
@@ -299,7 +307,7 @@ Subscribe to [@linkersec](https://t.me/linkersec) on Telegram for highlights.
 
 [2021: "Four Bytes of Power: exploiting CVE-2021-26708 in the Linux kernel"](https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html) [article] [[slides](https://a13xp0p0v.github.io/img/CVE-2021-26708.pdf)] [[video](https://www.youtube.com/watch?v=EMcjHfceX44)] [CVE-2021-26708]
 
-[2021: "Improving the exploit for CVE-2021-26708 in the Linux kernel to bypass LKRG" by Alexander Popov](https://a13xp0p0v.github.io/2021/08/25/lkrg-bypass.html) [article] [[slides](https://a13xp0p0v.github.io/img/CVE-2021-26708_LKRG_bypass.pdf)]
+[2021: "Improving the exploit for CVE-2021-26708 in the Linux kernel to bypass LKRG" by Alexander Popov](https://a13xp0p0v.github.io/2021/08/25/lkrg-bypass.html) [article] [[slides](https://a13xp0p0v.github.io/img/CVE-2021-26708_LKRG_bypass.pdf)] [[video](https://www.youtube.com/watch?v=n6YLiYiCIMA)]
 
 [2021: "CVE-2014-3153" by Maher Azzouzi](https://github.com/MaherAzzouzi/LinuxKernelStudy/tree/main/CVE-2014-3153) [article] [CVE-2014-3153]
 
@@ -553,6 +561,10 @@ Subscribe to [@linkersec](https://t.me/linkersec) on Telegram for highlights.
 
 ### Other
 
+[2021: "CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution" by Max Van Amerongen](https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow-allows-arbitrary-code-execution/) [article] [CVE-2021-43267]
+
+[2021: "Kernel Vmalloc Use-After-Free in the ION Allocator" by Gyorgy Miru](https://labs.taszk.io/blog/post/61_android_ion_uaf/) [article] [CVE-TBD]
+
 [2021: "An EPYC escape: Case-study of a KVM breakout" by Felix Wilhelm](https://googleprojectzero.blogspot.com/2021/06/an-epyc-escape-case-study-of-kvm.html) [article] [CVE-2021-29657]
 
 [2021: "CVE-2021-1905: Qualcomm Adreno GPU memory mapping use-after-free" by Ben Hawkes](https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-1905.html) [article] [CVE-2021-1905]
@@ -586,6 +598,20 @@ Subscribe to [@linkersec](https://t.me/linkersec) on Telegram for highlights.
 
 ## Finding Bugs
 
+[2021: "CVEHound: Audit Kernel Sources for Missing CVE Fixes" by Denis Efremov](https://speakerdeck.com/efremov/cvehound-audit-kernel-sources-for-missing-cve-fixes) [slides] [[video](https://www.youtube.com/watch?v=jIDnVeZNUA8)]
+
+[2021: "Finding Multiple Bug Effects for More Precise Exploitability Estimation" by Zhenpeng Lin and Yueqi Chen](https://static.sched.com/hosted_files/lssna2021/5a/LSS_2021_Multiple_Error_Behavior.pdf) [slides] [[video](https://www.youtube.com/watch?v=J3frKpcJ9vg)]
+
+[2021: "Triaging Kernel Out-Of-Bounds Write Vulnerabilities" by Weiteng Chen](https://static.sched.com/hosted_files/lssna2021/07/koobe-LSS.pdf) [slides] [[video](https://www.youtube.com/watch?v=YUHy58hyDq0)]
+
+[2021: "SyzScope: Revealing High-Risk Security Impacts of Fuzzer-Exposed Bugs" by Xiaochen Zou](https://static.sched.com/hosted_files/lssna2021/55/SyzScope%20in%20Linux%20Security%20Summit.pdf) [slides] [[video](https://www.youtube.com/watch?v=MJbqeo5qtQ0)] [[lwn article](https://lwn.net/Articles/872649/)]
+
+[2021: "HEALER: Relation Learning Guided Kernel Fuzzing"](http://www.wingtecher.com/themes/WingTecherResearch/assets/papers/healer-sosp21.pdf) [paper]
+
+[2021: "Snowboard: Finding Kernel Concurrency Bugs through Systematic Inter-thread Communication Analysis"](https://dl.acm.org/doi/pdf/10.1145/3477132.3483549) [paper]
+
+[2021: "Detecting semantic bugs using differential fuzzing" by Mara Mihali](https://linuxplumbersconf.org/event/11/contributions/1033/attachments/742/1621/syz-verifier%20-%20Linux%20Plumbers%202021.pdf) [slides] [[video](https://www.youtube.com/watch?v=Y_minEhZNm8&t=2388s)]
+
 [2021: "Fuzzing Linux with Xen" by Tamas K Lengyel](https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20presentations/Tamas%20K%20Lengyel%20-%20Fuzzing%20Linux%20with%20Xen.pdf) [slides] [[video](https://www.youtube.com/watch?v=_dXC_I2ybr4)]
 
 [2021: "Variant analysis of the ‘Sequoia’ bug" by Jordy Zomer](https://pwning.systems/posts/sequoia-variant-analysis/) [article]
@@ -612,6 +638,8 @@ Subscribe to [@linkersec](https://t.me/linkersec) on Telegram for highlights.
 
 [2020: "Specification and verification in the field: Applying formal methods to BPF just-in-time compilers in the Linux kernel"](https://unsat.cs.washington.edu/papers/nelson-jitterbug.pdf) [paper]
 
+[2020: "Eliminating bugs in BPF JITs using automated formal verification" by Luke Nelson](https://homes.cs.washington.edu/~lukenels/slides/2020-08-28-lpc.pdf) [[video](https://www.youtube.com/watch?v=dZ_1HgUbni0&t=188s)] [slides]
+
 [2020: "Fuzzing the Linux kernel (x86) entry code, Part 1 of 3" by Vegard Nossum](https://blogs.oracle.com/linux/fuzzing-the-linux-kernel-x86-entry-code%2c-part-1-of-3) [article]
 
 [2020: "Fuzzing the Linux kernel (x86) entry code, Part 2 of 3" by Vegard Nossum](https://blogs.oracle.com/linux/fuzzing-the-linux-kernel-x86-entry-code%2c-part-2-of-3) [article]
@@ -739,6 +767,16 @@ Subscribe to [@linkersec](https://t.me/linkersec) on Telegram for highlights.
 
 ["Linux Kernel Defence Map" by Alexander Popov](https://github.com/a13xp0p0v/linux-kernel-defence-map)
 
+[2021: "Mitigating Linux kernel memory corruptions with Arm Memory Tagging" by Andrey Konovalov](https://docs.google.com/presentation/d/1IpICtHR1T3oHka858cx1dSNRu2XcT79-RCRPgzCuiRk/edit?usp=sharing) [slides] [[video](https://www.youtube.com/watch?v=UwMt0e_dC_Q)]
+
+[2021: "Hardware-Assisted Fine-Grained Control-Flow Integrity: Adding Lasers to Intel's CET/IBT" by Joao Moreira](https://static.sched.com/hosted_files/lssna2021/8f/LSS_FINEIBT_JOAOMOREIRA.pdf) [slides] [[video](https://www.youtube.com/watch?v=FzGIM1218Ok)]
+
+[2021: "Kernel Self-Protection Project" by Kees Cook](https://outflux.net/slides/2021/lss/kspp.pdf) [slides] [[video](https://www.youtube.com/watch?v=-Binxid8t_8)]
+
+[2021: "Compiler Features for Kernel Security" by Kees Cook](https://linuxplumbersconf.org/event/11/contributions/1026/attachments/884/1692/compiler-features-for-kernel-security.pdf) [slides] [[video](https://www.youtube.com/watch?v=txIgZ31-RHI&t=13238s)]
+
+[2021: "A proof-carrying approach to building correct and flexible in-kernel verifiers"](https://linuxplumbersconf.org/event/11/contributions/944/attachments/893/1707/2021-09-23-lpc21.pdf) [slides] [[video](https://www.youtube.com/watch?v=WjxHKvwX8RY&t=11588s)]
+
 [2021: "How AUTOSLAB Changes the Memory Unsafety Game" by Zhenpeng Lin](https://grsecurity.net/how_autoslab_changes_the_memory_unsafety_game) [article]
 
 [2021: "security things in Linux vX.X" by Kees Cook](https://outflux.net/blog/archives/2021/02/08/security-things-in-linux-v5-8/) [articles]
@@ -922,6 +960,8 @@ https://haxx.in/blasty-vs-ebpf.c
 
 https://github.com/scannells/exploits/tree/master/CVE-2020-27194
 
+https://github.com/lntrx/CVE-2021-28663
+
 
 ## Tools
 
@@ -955,6 +995,8 @@ https://github.com/intel/kernel-fuzzer-for-xen-project
 
 https://github.com/IntelLabs/kAFL/
 
+https://github.com/snorez/ebpf-fuzzer
+
 
 ### Assorted
 
@@ -1014,6 +1056,10 @@ https://github.com/evdenis/cvehound
 
 [github.com/AravGarg/kernel-hacking/ctf-challs](https://github.com/AravGarg/kernel-hacking/tree/master/ctf-challs)
 
+TSG CTF 2021 (lkgit): [writeup](https://kileak.github.io/ctf/2021/tsg-lkgit/), [writeup 2](https://smallkirby.hatenablog.com/entry/2021/10/03/171804), [writeup 3](https://ptr-yudai.hatenablog.com/entry/2021/10/03/225325#pwn-322pts-lkgit-7-solves)
+
+Midnightsun Quals 2021 (BroHammer): [writeup](https://www.willsroot.io/2021/04/midnightsunquals-2021-brohammer-single.html)
+
 0ctf2021 (kernote): [source, exploit, and writeup](https://github.com/YZloser/My-CTF-Challenges/tree/master/0ctf-2021-final/kernote), [writeup 2](https://org.anize.rs/0CTF-2021-finals/pwn/kernote)
 
 corCTF 2021 (fire-of-salvation): [source](https://github.com/Crusaders-of-Rust/corCTF-2021-public-challenge-archive/tree/main/pwn/fire-of-salvation), [writeup](https://www.willsroot.io/2021/08/corctf-2021-fire-of-salvation-writeup.html)
@@ -1150,6 +1196,8 @@ https://github.com/crowell/old_blog/blob/source/source/_posts/2014-11-24-hosting
 
 [2021: "On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commit"](https://github.com/QiushiWu/QiushiWu.github.io/blob/main/papers/OpenSourceInsecurity.pdf) [paper]
 
+[2020: "Checklist for when you get stuck with a Kernel Exploit"](https://ptr-yudai.hatenablog.com/entry/2020/03/11/125818) [article]
+
 [2020: "Android / Linux SLUB aliasing for general- and special-purpose caches" by Vitaly Nikolenko](https://www.youtube.com/watch?v=5-eRsA0l8Pg) [video]
 
 [grsecurity CVE-Dataset](https://docs.google.com/spreadsheets/u/0/d/1JO43UfT7Vjun9ytSWNdI17xmnzZMg19Tii-rKw94Rvw/htmlview#gid=0) [spreadsheet]
@@ -1173,3 +1221,5 @@ https://github.com/milabs/lkrg-bypass
 https://github.com/V4bel/kernel-exploit-technique
 
 https://github.com/mudongliang/reproduce_kernel_bugs
+
+https://github.com/bata24/gef
-- 
cgit v1.3