Conversation
matrizzo
left a comment
Hi, this PR has a lot of style issues. I've left comments on some of them. Please read our style guide (https://google.github.io/security-research/kernelctf/style_guide) and fix them. Thanks.
Resolved (outdated) review comments on:
    pocs/linux/kernelctf/CVE-2025-39946_lts_cos/exploit/cos-113-18244.448.39/exploit.c (5 comments)
    pocs/linux/kernelctf/CVE-2025-39946_lts_cos/exploit/lts-6.12.46/exploit.c (4 comments)
- Replace magic numbers with named constants (#defines with comments)
- Break monolithic main() into descriptive functions
- Remove all unused code (DumpHex, PAUSE, commented-out blocks)
- Add @sleep(desc=...) annotations on all sleep() calls
- Add ROP gadget instruction comments and KERNEL_DEFAULT_BASE
- Add struct definitions for pipe_buffer layout offsets
- Move globals to local/function scope where appropriate
- Add MODULE_SYSFS_OPS JOP chain explanation in exploit.md and code comments
- Add KASLR bypass to COS exploit (was missing)
- Fix exploit.md grammar and restructure into numbered steps
fb7c22e to f2712dc
The 0x180 value is arbitrary, not specifically chosen to match the kmalloc cache of skb_shinfo->frags. Clarify that AIO pages are simply freed and later reclaimed by kmalloc allocations.
matrizzo
left a comment
Hi, thanks for your changes. This looks much better now but there are still a few issues to fix. Please take a look.
    void build_and_send_payload(int conn)
    {
        char payload[1 << 16];
Please define a constant PAYLOAD_SIZE for the size of this array.
    fcntl(pfds[pipe_idx++][1], F_SETPIPE_SZ, PIPE_EXPAND_SIZE);
    fcntl(pfds[pipe_idx++][1], F_SETPIPE_SZ, PIPE_EXPAND_SIZE);
Why is the same fcntl called twice on the same pipe here?
These are called on two different pipes — pipe_idx is post-incremented on each call (pipe_idx++), so the first fcntl expands pipe N and the second expands pipe N+1. This is intentional: we insert 2 pipe_buffer allocations per batch of MSGS_PER_PIPE_ALLOC msg_msgseg objects to ensure at least one pipe_buffer lands on each slab page. Added a clarifying comment.
    /* Step 2: Allocate AIO pages, unix socketpair, memfd, and splice pipe
     * (must be before msg queue/pipe allocation for correct slab ordering) */
    int unix_fd[2];
    SYSCHK(socketpair(AF_UNIX, SOCK_STREAM, 0, unix_fd));
This socket pair is seemingly never used. What is it for?
Done. Removed the unused socketpair.
    typedef short i16;
    typedef int i32;
    typedef long long i64;
    #define ARRAY_LEN(x) (sizeof(x) / sizeof(x[0]))
This macro is never used, please remove it.
     * Total size: 0x28 bytes, but allocated in 0xc0 (192) byte slab objects.
     */
    #define PIPE_BUF_OPS_OFFSET 16 /* offset of ops pointer within pipe_buffer */
    #define PIPE_BUF_PRIVATE_OFFSET 24 /* offset of private field within pipe_buffer */
Private is at offset 0x20, either this is supposed to be the offset of flags or the offset is wrong.
    #define PIPE_BUF_OPS_OFFSET 16
    #define PIPE_BUF_PRIVATE_OFFSET 24
    #define PIPE_BUF_SLAB_SIZE 0xc0
These names should follow our style guide (https://google.github.io/security-research/kernelctf/style_guide#approach-2) and be named <struct_name>_OFFS_<field_name>. For example: #define PIPE_BUFFER_OFFS_OPS 16
     * KASLR bypass via EntryBleed-style prefetch timing side-channel
     * ======================================================================== */
    // #define KASLR_BYPASS_INTEL
Please remove all commented out code.
    typedef short i16;
    typedef int i32;
    typedef long long i64;
    #define ARRAY_LEN(x) (sizeof(x) / sizeof(x[0]))
This macro is never used, please remove it.
    #define PIPE_BUF_OPS_OFFSET 16 /* offset of ops pointer within pipe_buffer */
    #define PIPE_BUF_PRIVATE_OFFSET 24 /* offset of private field within pipe_buffer */
These names should follow our style guide (https://google.github.io/security-research/kernelctf/style_guide#approach-2) and be named <struct_name>_OFFS_<field_name>. For example: #define PIPE_BUFFER_OFFS_OPS 16
In addition to that, the offset of private is wrong (should be 32) or it's supposed to be the offset of flags.
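The offset mix-up the reviewer points out (24 is flags, private is at 32) is exactly what the "struct definitions for pipe_buffer layout offsets" item in the commit message is meant to prevent. As an added illustration, not code from this PR or from the kernelCTF repository: a user-space mirror of the struct pipe_buffer layout from include/linux/pipe_fs_i.h, with the style-guide-named constants derived from offsetof() and checked at compile time, plus a small lookup that maps any raw offset back to the field it lands in. It assumes the x86_64 (LP64) layout the review discusses; the struct name pipe_buffer_layout and the helper pipe_buffer_field_at are this example's own names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirror of struct pipe_buffer (include/linux/pipe_fs_i.h) on x86_64.
 * Pointer targets are opaque here; only field sizes and order matter. */
struct pipe_buffer_layout {
    void *page;            /* struct page *page                      */
    unsigned int offset;   /* unsigned int offset                    */
    unsigned int len;      /* unsigned int len                       */
    const void *ops;       /* const struct pipe_buf_operations *ops  */
    unsigned int flags;    /* unsigned int flags                     */
    unsigned long private; /* unsigned long private                  */
};

/* Style-guide names (<STRUCT>_OFFS_<FIELD>), derived from the layout
 * instead of hand-typed magic numbers. */
#define PIPE_BUFFER_OFFS_PAGE    offsetof(struct pipe_buffer_layout, page)
#define PIPE_BUFFER_OFFS_OFFSET  offsetof(struct pipe_buffer_layout, offset)
#define PIPE_BUFFER_OFFS_LEN     offsetof(struct pipe_buffer_layout, len)
#define PIPE_BUFFER_OFFS_OPS     offsetof(struct pipe_buffer_layout, ops)
#define PIPE_BUFFER_OFFS_FLAGS   offsetof(struct pipe_buffer_layout, flags)
#define PIPE_BUFFER_OFFS_PRIVATE offsetof(struct pipe_buffer_layout, private)
#define PIPE_BUFFER_SIZE         sizeof(struct pipe_buffer_layout)

/* Compile-time checks of the values discussed in the review: a constant
 * that drifts from the real layout fails the build instead of silently
 * pointing at the neighbouring field. */
_Static_assert(PIPE_BUFFER_OFFS_OPS == 16, "ops is at 0x10");
_Static_assert(PIPE_BUFFER_OFFS_FLAGS == 24, "0x18 is flags, not private");
_Static_assert(PIPE_BUFFER_OFFS_PRIVATE == 32, "private is at 0x20");
_Static_assert(PIPE_BUFFER_SIZE == 0x28, "pipe_buffer is 0x28 bytes");

/* Map a byte offset back to the field that contains it, so a reviewer can
 * check any raw number in a patch. Returns "?" for padding/out of range. */
const char *pipe_buffer_field_at(size_t off)
{
    static const struct { const char *name; size_t start, size; } fields[] = {
        { "page",    PIPE_BUFFER_OFFS_PAGE,    sizeof(void *) },
        { "offset",  PIPE_BUFFER_OFFS_OFFSET,  sizeof(unsigned int) },
        { "len",     PIPE_BUFFER_OFFS_LEN,     sizeof(unsigned int) },
        { "ops",     PIPE_BUFFER_OFFS_OPS,     sizeof(const void *) },
        { "flags",   PIPE_BUFFER_OFFS_FLAGS,   sizeof(unsigned int) },
        { "private", PIPE_BUFFER_OFFS_PRIVATE, sizeof(unsigned long) },
    };
    for (size_t i = 0; i < sizeof(fields) / sizeof(fields[0]); i++)
        if (off >= fields[i].start && off < fields[i].start + fields[i].size)
            return fields[i].name;
    return "?";
}

int main(void)
{
    /* The constant flagged in review: 24 was labelled "private". */
    printf("offset 24 is '%s'; private starts at %zu; struct size %zu\n",
           pipe_buffer_field_at(24), (size_t)PIPE_BUFFER_OFFS_PRIVATE,
           (size_t)PIPE_BUFFER_SIZE);
    return 0;
}
```

Deriving every offset from one struct definition means a renamed or reordered kernel field shows up as a build error rather than as a wrong write at runtime, and the _Static_assert lines double as the documentation the style guide asks for.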
     * KASLR bypass (EntryBleed-style prefetch timing side-channel)
     * ======================================================================== */
    // #define KASLR_BYPASS_INTEL
Please remove all commented out code.
- Remove unused typedefs (keep only u64) and ARRAY_LEN macro
- Rename pipe_buffer offset defines to follow style guide (PIPE_BUFFER_OFFS_OPS, PIPE_BUFFER_OFFS_FLAGS)
- Fix PIPE_BUF_PRIVATE_OFFSET: value 24 (0x18) is flags, not private (0x20)
- Make ktext local in main() and pass to build_and_send_payload()
- Move listen_vsockfd/listen_vsock_addr to static locals in vsock_pair()
- Rename puaf -> aio_ctx
- Add PAYLOAD_SIZE define
- Remove commented-out code (// #define KASLR_BYPASS_INTEL)
- COS: remove unused unix_fd socketpair, fix outdated header comment
- Add clarifying comment on two-pipe fcntl expansion