Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1164

This is an issue that allows unentitled root to read kernel frame
pointers, which might be useful in combination with a kernel memory
corruption bug.

By design, the syscall stack_snapshot_with_config() permits unentitled
root to dump information about all user stacks and kernel stacks. While
a target thread, along with the rest of the system, is frozen,
machine_trace_thread64() dumps its kernel stack. machine_trace_thread64()
walks up the kernel stack using the chain of saved RBPs. It dumps the
unslid kernel text pointers together with unobfuscated frame pointers:
the text pointers have the KASLR slide subtracted before they are written
out, but the saved RBPs are emitted as-is, so the snapshot reveals the
actual address of each thread's kernel stack.

The attached PoC dumps a stackshot into the file stackshot_data.bin
when executed as root. The stackshot contains data like this:
00000a70  de 14 40 00 80 ff ff ff  a0 be 08 77 80 ff ff ff  |..@........w....|
00000a80  7b b8 30 00 80 ff ff ff  20 bf 08 77 80 ff ff ff  |{.0.... ...w....|
00000a90  9e a6 30 00 80 ff ff ff  60 bf 08 77 80 ff ff ff  |..0.....`..w....|
00000aa0  5d ac 33 00 80 ff ff ff  b0 bf 08 77 80 ff ff ff  |].3........w....|

The addresses on the left are unslid kernel text pointers; the
addresses on the right are valid kernel stack pointers. Each 16-byte
record is one frame of the walk: the little-endian return address
followed by that frame's saved RBP, and the saved RBPs increase from
record to record because the walk moves up the stack.

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42047.zip