Researcher Name: Jeffball
Link: https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
CVE: CVE-2021-27363 CVE-2021-27364 CVE-2021-27365
An RDMA kernel module can be loaded for iSCSI by an unprivileged user. The module returns a kernel pointer as a handle, which allows KASLR to be bypassed. A sprintf call results in a heap buffer overflow, allowing an ib_iser transport struct to be overwritten. Heap grooming is done with POSIX message queues.
The exploit bypasses KASLR and is not affected by SMEP, SMAP, or KPTI. The bugs were introduced into the mainline kernel in 2006 and are present and exploitable out of the box on many Red Hat-based installations (all workstations, some servers).