Exploiting CVE-2021-43267

Original Post:
Exploiting CVE-2021-43267
We discussed this vulnerability during Episode 106 on 07 December 2021

Exploitation of the TIPC heap overflow, a bug caused by a key length being used in a memcpy() call before it was validated. Two objects are used in combination with the overflow to achieve code execution. First, the elastic object msg_msg is used to derive an infoleak. Since this object is elastic (i.e. its size can be influenced by the user), it is a great object for heap shaping. It also contains a message size field, which the TIPC overflow can smash, yielding an out-of-bounds read when that message is received, and thus an infoleak.
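The root cause is an ordering bug: the copy runs before the length it relies on is checked. The following is an added illustration of that bug class beside its hardened form; it is constructed for this page, is not the TIPC source, and all struct, function and constant names (key_msg, key_obj, KEY_MAX, load_key_unsafe, load_key_safe, build_msg) are hypothetical.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed illustration of the bug class: a length field taken from an
 * untrusted message drives memcpy() before it is checked. Not the TIPC
 * source; all names here are hypothetical. */

#define KEY_MAX 64            /* capacity of the destination buffer */

struct key_msg {              /* wire format: length, then key bytes */
    uint32_t keylen;
    uint8_t  key[];
};

struct key_obj {              /* heap object the receiving code fills in */
    uint32_t keylen;
    uint8_t  key[KEY_MAX];
};

/* Vulnerable ordering: copy first, validate second. A keylen larger than
 * KEY_MAX has already written past out->key by the time the check runs. */
int load_key_unsafe(struct key_obj *out, const struct key_msg *m, size_t msglen)
{
    memcpy(out->key, m->key, m->keylen);          /* heap overflow if keylen > KEY_MAX */
    if (msglen < sizeof(*m) || m->keylen > KEY_MAX ||
        m->keylen > msglen - sizeof(*m))
        return -1;                                /* too late: memory is already corrupted */
    out->keylen = m->keylen;
    return 0;
}

/* Hardened ordering: the length is checked against both the destination
 * capacity and the number of bytes actually received before any copy. */
int load_key_safe(struct key_obj *out, const struct key_msg *m, size_t msglen)
{
    if (msglen < sizeof(*m))
        return -1;                                /* header truncated */
    if (m->keylen > KEY_MAX)
        return -1;                                /* would overflow out->key */
    if (m->keylen > msglen - sizeof(*m))
        return -1;                                /* claims more bytes than were received */
    memcpy(out->key, m->key, m->keylen);
    out->keylen = m->keylen;
    return 0;
}

/* Builds a constructed message claiming `claimed` key bytes while actually
 * carrying `carried` bytes; returns the total message length (0 on error).
 * Lets a test describe an inconsistent message without any out-of-bounds
 * access of its own. `buf` must be 4-byte aligned. */
size_t build_msg(void *buf, size_t bufsz, uint32_t claimed, size_t carried)
{
    struct key_msg *m = (struct key_msg *)buf;
    if (bufsz < sizeof(*m) + carried)
        return 0;
    m->keylen = claimed;
    memset(m->key, 0x41, carried);
    return sizeof(*m) + carried;
}

/* Safe loader fed a message whose length field exceeds KEY_MAX: returns -1. */
int demo_oversized_rejected(void)
{
    uint32_t buf[64];                             /* aligned backing store */
    struct key_obj obj = {0};
    size_t len = build_msg(buf, sizeof buf, 4096, 16);  /* claims 4096, carries 16 */
    return load_key_safe(&obj, (const struct key_msg *)buf, len);
}

/* Safe loader fed a consistent message: returns the accepted key length. */
int demo_valid_accepted(void)
{
    uint32_t buf[64];
    struct key_obj obj = {0};
    size_t len = build_msg(buf, sizeof buf, 16, 16);
    if (load_key_safe(&obj, (const struct key_msg *)buf, len) != 0)
        return -1;
    return (int)obj.keylen;                       /* 16 */
}

int main(void)
{
    printf("oversized message: %d (expect -1)\n", demo_oversized_rejected());
    printf("valid message: %d (expect 16)\n", demo_valid_accepted());
    return 0;
}
```

The hardened version checks three things the unsafe one checks only after the damage is done: that the header itself arrived, that the claimed length fits the destination, and that the claimed length does not exceed the bytes actually present in the message. The third check matters even with a large destination, since a short message with a large length field turns the copy into an out-of-bounds read of whatever follows the message in memory.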

This infoleak not only provides a kASLR defeat, but it also can be used to leak the pointer to the message buffer you control the contents of, allowing you to fake data without worrying about Supervisor Mode Access Prevention (SMAP).

The second object was the tty object for pseudo-terminals. This object contains useful pointers for hijacking control flow, such as a tty_ops pointer, which contains callbacks for various file operations like read(), write(), and ioctl(). By using the TIPC overflow to smash the tty object, it was possible to corrupt the ops pointer.

With these two primitives chained, achieving code execution was trivial. They used it to establish an arbitrary write, then smashed modprobe_path to get a controlled module loaded and run as root.