Andrey Konovalov
andreyknvl.bsky.social
Security engineer at http://xairy.io. Focusing on the Linux kernel. Maintaining @linkersec.bsky.social. Trainings at http://xairy.io/trainings.
Sheaves support has been merged into SLUB.

Opt-in for now, but planned to replace the per-CPU partial slab layer for all caches in the future.

Gonna have to revise the slab shaping strategies once this happens.
October 24, 2025 at 2:04 PM
"Wrote" is a strong word for this, I just cleaned up the reproducer from this syzbot report:

syzkaller.appspot.com/bug?extid=fb...

The report has been public on the dashboard for over 2 months now. And there's plenty of other USB bugs that are still not fixed.
September 11, 2025 at 3:39 PM
Wrote a trigger for CVE-2025-38494/5 (an integer underflow in the HID subsystem) that leaks 64 KB of OOB memory over USB.

Still works on Pixels and Ubuntus (but the bug is fixed in stable kernels).

github.com/xairy/kernel...
September 11, 2025 at 3:39 PM
Exploiting the Linux Kernel on October 26 – November 1 online via Ringzer0.

ringzer0.training/countermeaas...
July 1, 2025 at 10:01 PM
Exploiting the Linux Kernel on October 6–9 in Paris at Hexacon @hexacon.bsky.social.

www.hexacon.fr/trainer/kono...
July 1, 2025 at 10:01 PM
Exploiting the Linux Kernel on September 1–3 in Berlin at Nullcon.

nullcon.net/berlin-2025/...
July 1, 2025 at 10:01 PM
Fuzzing the Linux Kernel on August 4–5 online via Black Hat US.

www.blackhat.com/us-25/traini...
July 1, 2025 at 10:01 PM
Gave a talk on external fuzzing of Linux kernel USB drivers with syzkaller at SAFACon.

Includes a demonstration of how to rediscover CVE-2024-53104, an out-of-bounds bug in the USB Video Class driver.

Slides: docs.google.com/presentation...
May 6, 2025 at 8:17 PM
Similarly for CVE-2024-53197 (OOB for Extigy and Mbox devices), syzbot even gets to snd_usb_mbox2_boot_quirk — the buggy function. But then fails to pass the descriptor size check due to no Mbox-specific descriptions.

storage.googleapis.com/syzbot-asset...
February 28, 2025 at 3:43 PM
For CVE-2024-53104 (OOB write in uvc_parse_format), syzbot reaches uvc_parse_streaming — parent function of uvc_parse_format — but fails to get to the bug: syzkaller has no descriptions for streaming interface descriptors.

storage.googleapis.com/syzbot-asset...
February 28, 2025 at 3:43 PM
Exploiting the Linux Kernel on May 12–15 in Berlin at OffensiveCon @offensivecon.bsky.social.

More than half of the spots already gone — don't miss out.

www.offensivecon.org/trainings/20...
February 5, 2025 at 1:28 AM
Fuzzing the Linux Kernel on April 7–9 in Seoul at Zer0Con.

This is the new standalone training I'm starting to offer this year.

zer0con.org#training-sec...
February 5, 2025 at 1:28 AM
Exploiting the Linux Kernel on March 9–15 online with Ringzer0.

First time I'm teaching this training online publicly. This session follows the less intense 7-day format offered by Ringzer0 (but the content is the same).

ringzer0.training/bootstrap25-...
February 5, 2025 at 1:28 AM