Bypassing Kernel Mitigations with PageJack: A New Data-Only Exploit Primitive

TLDR: Researchers at Black Hat 2024 introduced PageJack, a novel technique that converts common kernel vulnerabilities like OOB writes and double-frees into a powerful page-level Use-After-Free (UAF) primitive. By manipulating page objects to create dangling references to physical memory, this method bypasses modern kernel protections like KASLR and SLAB_VIRTUAL. This technique is highly effective for privilege escalation on both Linux and Android kernels, making it a critical addition to any researcher's toolkit.

Kernel exploitation has become a game of inches. As defensive mechanisms like Kernel Address Space Layout Randomization (KASLR) and various slab-level protections have matured, the bar for achieving reliable privilege escalation has risen significantly. Most modern exploits require a complex chain of primitives to bypass these defenses, often relying on fragile heap grooming or information leaks that are increasingly difficult to obtain. PageJack changes this dynamic by shifting the focus from virtual memory manipulation to the physical page level.

The Mechanics of PageJack

At its core, PageJack is a data-only exploit strategy that targets the way the kernel manages physical pages. The researchers identified that by creating a dangling reference to a physical page, an attacker can maintain access to that memory even after the kernel has marked it as free. This is not a traditional UAF where you target a specific object; instead, you target the page itself.

The technique works by forcing the kernel to allocate a page object that the attacker can then manipulate. By triggering a vulnerability—such as an out-of-bounds write or a double-free—the attacker can corrupt the page pointer within a structure like pipe_buffer. When the kernel subsequently frees the page, the attacker retains a dangling reference to that physical memory. Because the physical page is now marked as free in the buddy system, the attacker can spray new, critical objects (like cred structures or file objects) into that same physical memory.

This approach effectively turns a limited primitive into a powerful read/write capability. Since the attacker is operating on the physical page, they can modify the contents of the objects they have sprayed into that memory without needing to know the exact virtual address, rendering KASLR irrelevant.

Pivoting to Privilege Escalation

The power of PageJack lies in its ability to pivot from common, "weaker" vulnerabilities into a reliable exploit. During the presentation, the researchers demonstrated this using CVE-2022-0995, an out-of-bounds write vulnerability in the Linux kernel's queue event notification subsystem.

By using the second primitive identified in that CVE—which allows for a single-bit write out-of-bounds—the researchers were able to flip the 6th bit of a page pointer. This simple bit-flip caused two separate pipe_buffer objects to point to the same physical page. Once this state was achieved, closing one of the pipes triggered a free of the underlying physical page, while the other pipe maintained a dangling reference to it.

The exploit flow is remarkably streamlined:

1. Pivoting: Trigger the initial vulnerability (OOB or double-free) to create the dangling reference to a physical page.
2. Spraying: Allocate critical objects (like struct file) to occupy the freed physical page.
3. Tampering: Use the dangling reference to read or write the contents of the sprayed objects.
4. Escalation: Modify the f_mode field of a file object to change a read-only file into a read-write file, or overwrite a cred structure to gain root privileges.

This method is significantly more stable than traditional heap grooming because it relies on the buddy system's predictable behavior rather than the non-deterministic nature of slab caches. You can find the researchers' proof-of-concept code and further technical details in their Page-UAF GitHub repository.

Real-World Applicability

For those of us conducting penetration tests or hunting for bugs, PageJack represents a significant shift in how we should approach kernel targets. If you are working on a target that has SLAB_VIRTUAL enabled—a mitigation designed to prevent cross-cache attacks—PageJack is one of the few techniques that can bypass it. Because the attack targets physical pages rather than virtual ones, the virtual memory layout is irrelevant.

During the live demo, the researchers showed this technique successfully gaining root on a hardened kernel where both SLAB_VIRTUAL and Control Flow Integrity (CFI) were active. This confirms that even with modern hardening, data-only attacks that operate at the memory management layer remain a potent threat.

Defensive Considerations

Defending against PageJack is difficult because it exploits the fundamental design of how the kernel manages physical memory. While mitigations like SLAB_VIRTUAL provide some protection against cross-cache attacks, they do not address the underlying issue of page-level UAF. The most effective defense is to focus on the root cause: the initial vulnerabilities that allow for the creation of dangling references.

Rigorous auditing of subsystems that handle complex memory management, such as the pipe buffer or queue notification systems, is essential. Furthermore, implementing stricter checks on page-level operations and ensuring that all references to a physical page are properly invalidated upon freeing can help mitigate the risk.

PageJack is a reminder that as we continue to harden the virtual memory layer, the physical layer becomes an increasingly attractive target for attackers. For researchers, this is a call to look beyond the standard heap-based exploitation techniques and start investigating the lower-level primitives that the kernel relies on to function. If you are looking for your next research project, the interaction between the buddy system and user-space accessible objects is a prime area for exploration.