{"id":20776,"date":"2026-05-07T18:41:32","date_gmt":"2026-05-07T11:41:32","guid":{"rendered":"https:\/\/kitty.in.th\/?p=20776"},"modified":"2026-05-11T18:57:25","modified_gmt":"2026-05-11T11:57:25","slug":"copy-fail","status":"publish","type":"post","link":"https:\/\/kitty.in.th\/index.php\/2026\/05\/07\/copy-fail\/","title":{"rendered":"Copy Fail"},"content":{"rendered":"\n

tl;dr – buffer overflow <\/p>\n\n\n\n

But it’s a bit special kind of overflow. The copy fail exploits the overflow bug caused by mishandling in-place optimization in the algif_aead kernel module . The POC demonstrates that it can splice to read-only page cache, make it writable (because in-place ops must be read\/write) . So, when load a binary (e.g., \/usr\/bin\/su) to the page cache, we can rewrite the binary, and execute modified binary cached in the page cache directly.<\/p>\n\n\n\n

Because the kernel module can be triggered by a call from user space, it can be used to LPE. <\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

This bug exist since 2017. So, the exploit works in almost, if not all, distros.<\/p>\n\n\n\n

Luckily that the bug is in a kernel module. So, a quick mitigation is not to load the module: <\/p>\n\n\n\n

echo \"install algif_aead \/bin\/false\" | sudo tee \/etc\/modprobe.d\/manual-disable-algif_aead.conf<\/code><\/p>\n\n\n\n

If you want to fix, patches already there, though. Just update the kernel, and reboot the system.<\/p>\n","protected":false},"excerpt":{"rendered":"

tl;dr – buffer overflow But it’s a bit special kind of overflow. The copy fail exploits the overflow bug caused by mishandling in-place optimization in the algif_aead kernel module . The POC demonstrates that it can splice to read-only page cache, make it writable (because in-place ops must be read\/write) . So, when load a … Continue reading Copy Fail<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[85],"tags":[],"class_list":["post-20776","post","type-post","status-publish","format-standard","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/kitty.in.th\/index.php\/wp-json\/wp\/v2\/posts\/20776","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/kitty.in.th\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kitty.in.th\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kitty.in.th\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kitty.in.th\/index.php\/wp-json\/wp\/v2\/comments?post=20776"}],"version-history":[{"count":6,"href":"https:\/\/kitty.in.th\/index.php\/wp-json\/wp\/v2\/posts\/20776\/revisions"}],"predecessor-version":[{"id":20783,"href":"https:\/\/kitty.in.th\/index.php\/wp-json\/wp\/v2\/posts\/20776\/revisions\/20783"}],"wp:attachment":[{"href":"https:\/\/kitty.in.th\/index.php\/wp-json\/wp\/v2\/media?parent=20776"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kitty.in.th\/index.php\/wp-json\/wp\/v2\/categories?post=20776"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kitty.in.th\/index.php\/wp-json\/wp\/v2\/tags?post=20776"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}