리눅스 커널 해킹. A부터 Z까지

리눅스 커널 해커 및 컨트리뷰터로 활동 중인 김현우(V4bel)입니다.

⦁  Contact: imv4bel@gmail.com

Awards

⦁  Pwn2Own Berlin 2025 Red Hat Linux in the LPE category WIN (Theori, $15,000)
⦁  Google kernelCTF LTS-6.6.75/COS-105 1-day WIN (CVE-2025-21756, $71,337)
⦁  Google kernelCTF LTS-6.6.56/COS-109 0-day WIN (CVE-2024-50264, $81,337)
⦁  Google kernelCTF LTS-6.6.35 0-day WIN (CVE-2024-41010, $51,337)

Vulnerability Reports

⦁  CVE-2024-27394 (Linux Kernel TCP Use-After-Free)
⦁  CVE-2024-27395 (Linux Kernel OpenvSwitch Use-After-Free)
⦁  CVE-2024-27396 (Linux Kernel GTP Use-After-Free)
⦁  CVE-2023-51779 (Linux Kernel Bluetooth socket Use-After-Free)
⦁  CVE-2023-51780 (Linux Kernel ATM socket Use-After-Free)
⦁  CVE-2023-51781 (Linux Kernel Appletalk socket Use-After-Free)
⦁  CVE-2023-51782 (Linux Kernel Rose socket Use-After-Free)
⦁  CVE-2023-32269 (Linux Kernel NET/ROM socket Use-After-Free)
⦁  CVE-2022-41218 (Linux Kernel DVB core Use-After-Free)
⦁  CVE-2022-45884 (Linux Kernel DVB core Use-After-Free)
⦁  CVE-2022-45885 (Linux Kernel DVB core Use-After-Free)
⦁  CVE-2022-45886 (Linux Kernel DVB core Use-After-Free)
⦁  CVE-2022-45919 (Linux Kernel DVB core Use-After-Free)
⦁  CVE-2022-40307 (Linux Kernel Device Driver Use-After-Free)
⦁  CVE-2022-41848 (Linux Kernel Device Driver Use-After-Free)
⦁  CVE-2022-41849 (Linux Kernel Device Driver Use-After-Free)
⦁  CVE-2022-41850 (Linux Kernel Device Driver Use-After-Free)
⦁  CVE-2022-44032 (Linux Kernel Device Driver Use-After-Free)
⦁  CVE-2022-44033 (Linux Kernel Device Driver Use-After-Free)
⦁  CVE-2022-44034 (Linux Kernel Device Driver Use-After-Free)
⦁  CVE-2022-45888 (Linux Kernel Device Driver Use-After-Free)

Linux Kernel Contributions

⦁  vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]
(github.com/torvalds/linux/commit/91751e248256efc111e52e15115840c35d85abaf)
⦁  vsock/virtio: cancel close work in the destructor
(github.com/torvalds/linux/commit/df137da9d6d166e87e40980e36eb8e0bc90483ef)
⦁  vsock/virtio: discard packets if the transport changes
(github.com/torvalds/linux/commit/2cb7c756f605ec02ffe562fb26828e4bcc5fdfc1)
⦁  vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans
(github.com/torvalds/linux/commit/6ca575374dd9a507cdd16dfa0e78c2e9e20bd05f)
⦁  hv_sock: Initializing vsk->trans to NULL to prevent a dangling pointer
(github.com/torvalds/linux/commit/e629295bd60abf4da1db85b82819ca6a4f6c1e79)
⦁  tcp: Fix Use-After-Free in tcp_ao_connect_init
(github.com/torvalds/linux/commit/80e679b352c3ce5158f3f778cfb77eb767e586fb)
⦁  net: openvswitch: Fix Use-After-Free in ovs_ct_exit
(github.com/torvalds/linux/commit/5ea7b72d4fac2fdbc0425cd8f2ea33abe95235b2)
⦁  net: gtp: Fix Use-After-Free in gtp_dellink
(github.com/torvalds/linux/commit/f2a904107ee2b647bb7794a1a82b67740d7c8a64)
⦁  Bluetooth: af_bluetooth: Fix Use-After-Free in bt_sock_recvmsg
(github.com/torvalds/linux/commit/2e07e8348ea454615e268222ae3fc240421be768)
⦁  atm: Fix Use-After-Free in do_vcc_ioctl
(github.com/torvalds/linux/commit/24e90b9e34f9e039f56b5f25f6e6eb92cdd8f4b3)
⦁  appletalk: Fix Use-After-Free in atalk_ioctl
(github.com/torvalds/linux/commit/189ff16722ee36ced4d2a2469d4ab65a8fee4198)
⦁  net/rose: Fix Use-After-Free in rose_ioctl
(github.com/torvalds/linux/commit/810c38a369a0a0ce625b5c12169abce1dd9ccd53)
⦁  media: dvb-core: Fix use-after-free due to race at dvb_register_device()
(github.com/torvalds/linux/commit/627bb528b086b4136315c25d6a447a98ea9448d3)
⦁  af_key: Fix heap information leak
(github.com/torvalds/linux/commit/2f4796518315ab246638db8feebfcb494212e7ee)
⦁  netrom: Fix use-after-free caused by accept on already connected socket
(github.com/torvalds/linux/commit/611792920925fb088ddccbe2783c7f92fdfb6b64)
⦁  net/rose: Fix to not accept on connected socket
(github.com/torvalds/linux/commit/14caefcf9837a2be765a566005ad82cd0d2a429f)
⦁  net/x25: Fix to not accept on connected socket
(github.com/torvalds/linux/commit/f2b0b5210f67c56a3bcdf92ff665fb285d6e0067)
⦁  efi: capsule-loader: Fix use-after-free in efi_capsule_write
(github.com/torvalds/linux/commit/9cb636b5f6a8cc6d1b50809ec8f8d33ae0c84c95)
⦁  HID: roccat: Fix Use-After-Free in roccat_read
(github.com/torvalds/linux/commit/cacdb14b1c8d3804a3a7d31773bc7569837b71a4)
⦁  video: fbdev: smscufx: Fix use-after-free in ufx_ops_open()
(github.com/torvalds/linux/commit/5610bcfe8693c02e2e4c8b31427f1bdbdecc839c)
⦁  video: fbdev: smscufx: Fix several use-after-free bugs
(github.com/torvalds/linux/commit/cc67482c9e5f2c80d62f623bcc347c29f9f648e1)
⦁  char: xillybus: Fix trivial bug with mutex
(github.com/torvalds/linux/commit/c002f04c0bc79ec00d4beb75fb631d5bf37419bd)
⦁  bpf: Always use maximal size for copy_array()
(github.com/torvalds/linux/commit/45435d8da71f9f3e6860e6e6ea9667b6ec17ec64)
⦁  media: dvb-core: Fix UAF due to refcount races at releasing
(github.com/torvalds/linux/commit/fd3d91ab1c6ab0628fe642dd570b56302c30a792)