I found a Linux kernel security bug (in AF_UNIX) and decided to write a kernel exploit for it that can go straight from "attacker can run arbitrary native code in a seccomp-sandboxed Chrome renderer" to kernel compromise:
https://googleprojectzero.blogspot.com/2025/08/from-chrome-renderer-code-exec-to-kernel.html

This post includes fun things like:

  • a nice semi-arbitrary read primitive combined with an annoying write primitive
  • slowing down usercopy without FUSE or userfaultfd
  • CONFIG_RANDOMIZE_KSTACK_OFFSET as an exploitation aid
  • a rarely-used kernel feature that Chrome doesn't need but is reachable in the Chrome sandbox
  • sched_getcpu() usable inside Chrome renderers despite getcpu being blocked by seccomp (thanks to vDSO)

From Chrome renderer code exec to kernel with MSG_OOB

Posted by Jann Horn, Google Project Zero

Introduction

In early June, I was reviewing a new Linux kernel feature when I learned about the...

@jann The real culprit here is coredumps in a way.
@brauner new feature work is one of the best ways to find bugs in existing code, I think :D
@brauner @jann How so?
@jmorris @brauner Christian is joking about how I only learned about this feature because I looked at a patch that intended to use MSG_OOB as part of the new core dumping mechanism