Last week, I participated in corCTF as part of team Billy (simply because my friend Billy (@st424204) was also playing it in his free time) and solved an Android pwn challenge, corphone. Although I had some prior research experience with Android, this was the first time I successfully achieved LPE on it!
There are several kernelCTF slots targeting the TLS subsystem. Since I had previously reviewed KTLS during my kernelCTF research on lts-6.6.71 and found nothing, I decided to analyze them and write this post as my side notes.
While reading the article Kernel Blues, or Why x86 Is So Convoluted, I realized that my understanding of the restrictions on I/O port access in x86-64 was still incomplete. This post is therefore intended to document my thought process and analysis.
Recently, STAR Labs created some Pwn challenges for Singaporean students, and one of them was related to the Linux kernel. I know the Linux kernel researchers at STAR Labs are very skilled, so I thought this challenge would be interesting and that I might learn or practice some skills in the process. In the end, I spent about one to two days (not full-time) solving it, and my exploit doesn't seem to be the intended solution (which is quite common for Linux kernel challenges).
This vulnerability is a logic bug in vsock, and the corresponding patch commit can be found here.
This vulnerability is a race condition in net/packet, which was exploited in kernelCTF. The corresponding patch commit can be found here.
CVE-2023-4272, reported by Google researcher Jann Horn, is a very interesting vulnerability in the Mali GPU driver. It involves insufficient cache invalidation, allowing an attacker to read stale data from main memory (DRAM). This is a powerful issue because the stale data may contain sensitive information, depending on previous memory usage. Moreover, the root cause of this vulnerability is quite fascinating!
I made some notes while rooting my Google Pixel 8a and shared them here. Most parts are based on leland's blog, which is worth reading.
Overview
It's common to see the following code pattern in the release handlers of network protocols:
Jun 26, 2025
Recently, Ubuntu introduced sandbox mechanisms to reduce the attack surface, and they seemed unbreakable. However, after carrying out in-depth research, we found that the implementation contained some issues, and bypassing it was not as difficult as expected. This post will explain how we began our research at the kernel level and discovered a bypass method. We will also share some interesting stories from the process.