New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add kernelCTF CVE-2023-3777 (lts) #85

Merged

koczkatamas merged 6 commits into google:master from kevinrich1337:CVE-2023-3777

May 2, 2024

Contributor

kevinrich1337 commented Feb 24, 2024

No description provided.


          Add kernelCTF CVE-2023-3777 (lts)

ad95046

google-cla bot commented Feb 24, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

kevinrich1337 added 3 commits

February 24, 2024 07:31


          Fix structure error

fa9142c


          Fix structure error

c6988b9


          Fix Makefile

be80b69

koczkatamas requested changes

View reviewed changes

pocs/linux/kernelctf/CVE-2023-3777_lts/docs/exploit.md Outdated Show resolved Hide resolved

pocs/linux/kernelctf/CVE-2023-3777_lts/docs/exploit.md Outdated

+              - Create a rule in `Vulnerable` with an immediate expr referencing `Victim`.
+              - Trigger the vulnerability by flushing the rule. This results in the `Victim` having a reference count of -1.
+              - Create an immediate expr in `Base` that references to the Victim, making the `Victim`'s reference count 0, and destroy the `Victim`.
+              - Spray counter exprs (struct expr) to place it at `Victim`'s chain->name. At this time, the counter exprs are allocated in the `kmalloc-cg-16`.

Collaborator

koczkatamas Mar 11, 2024

Please use the exact structure names, you are referring to struct nft_expr by saying struct expr, right?

Contributor Author

kevinrich1337 Apr 17, 2024

Yes. I updated this to the exploit.md.

pocs/linux/kernelctf/CVE-2023-3777_lts/docs/exploit.md Outdated Show resolved Hide resolved

pocs/linux/kernelctf/CVE-2023-3777_lts/exploit/lts-6.1.36/exploit.c Outdated

+                      err(1, "mnl_socket_send");
+                  }
+                  usleep(100*1000);

Collaborator

koczkatamas Mar 11, 2024

Why are you waiting here? What happens in the kernel you are waiting for? Can you make a comment about this? (Same for all usleep calls.)

Contributor Author

kevinrich1337 Apr 17, 2024

Since free is called from destroy worker, it waits for worker to finish. I added comments to the exploit.c and removed unnecessary sleeps.

pocs/linux/kernelctf/CVE-2023-3777_lts/docs/exploit.md Show resolved Hide resolved

pocs/linux/kernelctf/CVE-2023-3777_lts/exploit/lts-6.1.36/exploit.c

+              char * chain1_name = "chain1";
+              char * chain2_name = "chain2";
+              char * chain3_name = "chain3_12341234";
+              char * chain4_name = "chain4_1234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234123412341234";

Collaborator

koczkatamas Mar 11, 2024

Please comment on this why you choose this long name. (It's 131 bytes, so you'd like to allocate in kmalloc-cg-192?)

Contributor Author

kevinrich1337 Apr 17, 2024

The long name is used to allocate object in kmalloc-cg-192. I added comment about this to exploit.c

artmetla reviewed

View reviewed changes

pocs/linux/kernelctf/CVE-2023-3777_lts/docs/exploit.md Outdated Show resolved Hide resolved

kevinrich1337 added 2 commits

April 17, 2024 02:51


          update comments

2609a17


          update exploit.md

1683f77

koczkatamas merged commit 997724c into google:master

5 checks passed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet