Oct 3, 2025
Part 1: Linux Kernel TLS Part 1 / Part 2: Linux Kernel TLS Part 2
One day, @farazsth98 asked me if I had analyzed the latest 1-day kernelCTF slot. I hadn’t analyzed it yet, but I thought it was a good time to do something interesting — especially since preparing a talk is exhausting 😭.

The talk KernelGP: Racing Against the Android Kernel at OffensiveCon 2025 demonstrates four techniques to leverage Android’s internal design to extend the race window during kernel exploitation. In this post, I will walk through my exploration of the first method — the proxy file descriptor — and explain how I implemented it. I’ll also share some side notes on writing an Android app.

Last week, I participated in corCTF as part of team Billy (simply because my friend Billy (@st424204) was also playing it in his free time) and solved an Android pwn challenge, corphone. Although I had some prior research experience with Android, this was the first time I successfully achieved LPE on it!

There are several kernelCTF slots targeting the TLS subsystem. Since I had previously reviewed KTLS during my kernelCTF research on lts-6.6.71 and found nothing, I decided to analyze them and write this post as my side notes.

While reading the article Kernel Blues, or Why x86 Is So Convoluted, I realized that my understanding of the restrictions on I/O port access in x86-64 was still incomplete. This post is therefore intended to document my thought process and analysis.

Recently, STAR Labs created some Pwn challenges for Singaporean students, and one of them was related to the Linux kernel. I know the Linux kernel researchers at STAR Labs are very skilled, so I thought this challenge would be interesting and that I might learn or practice some skills in the process. In the end, I spent about one to two days (not full-time) solving it, and my exploit doesn’t seem to be the intended solution (which is quite common for Linux kernel challenges).

This vulnerability is a logic bug in vsock, and the corresponding patch commit can be found here.

This vulnerability is a race condition in net/packet, which was exploited in kernelCTF. The corresponding patch commit can be found here.

CVE-2023-4272, reported by Google researcher Jann Horn, is a very interesting vulnerability in the Mali GPU driver. It involves insufficient cache invalidation, allowing an attacker to read stale data from main memory (DRAM). This is a powerful issue because the stale data may contain sensitive information, depending on previous memory usage. Moreover, the root cause of this vulnerability is quite fascinating!

I made some notes while rooting my Google Pixel 8a and shared them here. Most parts are based on leland’s blog, which is worth reading.