tl;dr
- The patch adds a vulnerable virtio device
- The device dereferences guest-controlled pointers without bounds checks
- Abuse the OOB pointer access to set up an arbitrary read/write primitive
- Craft an open/read/write ROP chain on the heap
- Overwrite the virtqueue handler with a stack-pivoting gadget
incoming_queue
causing UAF