corCTF 2021 Fire of Salvation Writeup: Utilizing msg_msg Objects for Arbitrary Read and Arbitrary Write in the Linux Kernel
ID: a04e83d2-0843-5b63-b379-ddd54b5feb12
STIX ID: report--a04e83d2-0843-5b63-b379-ddd54b5feb12
Feed Name: Will's Root
This writeup describes two kernel exploitation techniques developed for corCTF 2021 that abuse a use-after-free on the msg_msg IPC object to achieve arbitrary read and arbitrary write in kernel memory. The author details a reliable kmalloc-4k arbitrary-write exploit (Fire of Salvation) and summarizes a kmalloc-64 variant (Wall of Perdition), explaining how MSG_COPY, userfaultfd hangs, SLAB behavior, and kernel mitigations (FG-KASLR, SLAB_RANDOM, SLAB_HARDENED, STATIC_USERMODE_HELPER, hardened_usercopy) interact with the attack; both PoC exploits culminate in replacing process cred pointers to obtain root on affected systems.
