Lying to the Kernel: FUSE Trust Boundary & Size Desync as a VFS Attack Surface — Part 1
An unprivileged FUSE daemon controls the semantic authority of an entire filesystem. By lying about i_size in vfs_getattr replies, it desynchronizes kernel allocation from kernel ingestion — turning finit_module(2), the firmware loader, and kexec_file_load(2) into kmalloc-4k slab overflow primitives.