Moe's VR blog

Qualcomm DSP - Userland Allocator

Mon, 25 May 2026 18:48:03 +0200

In this post, i talk about some QuRT internals and about the userland allocator. I worked with the online available Qualcomm’s SDK top extract the binaries that implement the allocator’s logic. Most of this logic is found in a file called libc.a which is an archive that stores .o binaries like malloc.o, free.o…etc. A quick way to extract these binaries, after downloading the SDK, is:

Qualcomm SoC Internals Basics

Sun, 17 May 2026 20:16:14 +0200

Starting my journey in Mobile Vendor Chips internals & VR, i chose Qualcomm SoC since it is a very well known and a dominant brand in the phone space, and of course, a cherished target among exploit developers in many angles. However, it has a complex architecture and massive codebase; if we take for example the Snapdragon SoCs, they have: a CPU, Andreno GPU, many DSPs, AI accelerators(NPU), sensors, video processors…etc and each one of these has its own microprocessor, firmware and Operating System; so, even to start out, one should at least have a big picture before blindly diving into one specific thing; hence my goal is to establish some foundation.

Scudo Allocator - Internals

Sun, 10 May 2026 16:56:47 +0200

Everybody knows that iOS pwn is (real) hard for userland(and kernel too obviously); but folks, you should know that even Android is catching up now, so don’t worry, you can keep your Pixel 18 Pro Max ;-) LOLL

Nvidia Drivers Internals - Part 0

Thu, 07 May 2026 19:08:31 +0200

I recently wrote this article for my company; this is an introductory post and hope to write more on this in the near future:

https://fuzzinglabs.com/exploring-nvidia-linux-drivers-internals-basics-ioctls/

Unix GC Remastered

Sun, 19 Apr 2026 00:00:00 +0000

Introduction

The AF_UNIX garbage collector is an interesting piece of the kernel. It exists because sockets can be sent with SCM_RIGHTS but they can become unreachable from user-space while still being kept alive by the kernel, which is not memory efficient; in this situation, the garbage collector intervenes to free them. Not long ago, the subsystem was rewritten from scratch on top of a graph/Strongly-Connected-Components model; but it is still bug prone. This post walks the rewrite end-to-end, and discusses a Use-After-Free bug.

CVE-2026-31419: Use-After-Free in the Linux Bonding Driver

Wed, 15 Apr 2026 00:00:00 +0000

Introduction

Linux offers a way to synchronize multiple network interfaces, physical or virtual, and make them run a single logical NIC. The bonding driver handles of all that work. It is present in all major distros and this bug is exploitable in the ones that allow usernamespaces for unprivileged users like in RedHat or Fedora; that is, it’s reachable from any code path that can send packets out of the bonding device.

CVE-2024-0582, or Easy Kernel Exploitation

Wed, 18 Mar 2026 00:00:00 +0000

Introduction

io_uring has been a heavily targeted subsystem in the Linux kernel — at one point it constituted 60% of kCTF entries (source). As with most newly introduced features, io_uring — since its introduction in 2019 — has been very bug-prone.

Notes On RCU

Mon, 09 Mar 2026 00:00:00 +0000

RCU is a mechanism in the Linux kernel for concurrency that is lock-free, wait-free (for readers) and that allows concurrent readers and a single updater. RCU is made up of three fundamental mechanisms, one for insertion, the other for deletion, and the third being used to allow readers to tolerate concurrent insertions and deletions. These mechanisms are described in the following sections, which focus on applying RCU to linked lists.

Notes on io_uring bugs & exploitation

Tue, 20 Jan 2026 00:00:00 +0000

Introduction

io_uring is one of the most ambitious kernel interfaces added in recent years: a shared-memory asynchronous I/O engine designed to avoid the syscall-heavy overhead of traditional read, write, and networking paths. That performance-oriented design also makes it unusually interesting from a security perspective, because the subsystem is full of long-lived shared state, lifetime-sensitive objects, and fast paths that interact closely with core kernel memory-management code.

Notes on refcounting and Unix Garbage Collector in the Linux Kernel

Tue, 23 Dec 2025 00:00:00 +0000

As a means of studying and getting to know more about the linux kernel, especially exploitation(LPE & RCE), i tried to make notes and go as far as i can in reviewing the unix garbage, or GC, collector, the io_uring subsystem, and some CVEs that showcase all of these. I am currently working on an N-day LPE for CVE-2022-2602 LPE to make it work with FUSE technique.

Notes on Linux Internals: The Slab Allocator

Sat, 06 Sep 2025 00:00:00 +0000

Introduction

This post is some of my early notes on the SLUB allocator.

The kernel heap allocator is an important component responsible for satisfying allocation/de-allocation requests coming from different sources like device drivers, usermode processes, filesystems, etc. These notes discuss only kmalloc and kmem_cache_alloc*, but there are three main memory allocators used by the kernel:

Faulted RSA Signature

Sun, 15 Dec 2024 00:00:00 +0000

Faulted RSA signature attack

Le challenge commence par “Nous savons que les signatures ont été générées par un service en Go 1.5.1 sur une architecture 32 bits”.
Après avoir médité sur cette ligne, quelques recherches sur la version 1.5.1 de Go ont révélé que ce service est susceptible à des erreurs dans le processus d’exponentiation.
Ensuite, il nous est donné dix signatures, une clé publique RSA et un message chiffré avec la clé privée correspondante qu’on ne connait pas.

HTB Permx

Sun, 15 Dec 2024 00:00:00 +0000

Permx walkthrough

OS: Linux, Difficulty: Easy

Enumeration

Ports scan: nmap -p- -sCV 10.10.11.23

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 256 e2:5c:5d:8c:47:3e:d8:72:f7:b4:80:03:49:86:6d:ef (ECDSA)
|_ 256 1f:41:02:8e:6b:17:18:9c:a0:ac:54:23:e9:71:30:17 (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Did not follow redirect to fer
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

There’s no available exploit for this version of Openssh, and passwordless connexions are not possible.
The http server redirects to permx.htb/, so i added 10.10.11.23 permx.htb to /etc/hosts: echo "10.10.11.23 permx.htb" | sudo tee -a /etc/hosts".