update exploit.md

google · Nov 20, 2024 · 0e0b127 · 0e0b127
1 parent b8e17f8
commit 0e0b127
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/pocs/linux/kernelctf/CVE-2023-52620_lts_cos_mitigation/docs/exploit.md b/pocs/linux/kernelctf/CVE-2023-52620_lts_cos_mitigation/docs/exploit.md
@@ -279,7 +279,7 @@ void rop_chain_256(uint64_t* data){
 
 For COS kernel, the ROP payload is stored in `chain->rules_gen_0[0]` allocated in `kmalloc-cg-192`.
 
-When `eval()` is called, `RBX` points to `kmalloc-cg-192+0x0`, which is the beginning of the `nft_rule` structure.
+When `eval()` is called, `RBX` points to `kmalloc-cg-192+0x0`, which is the beginning of the `nft_rule` structure. LTS kernel (v6.1.x) uses `struct nft_rule_blob`, while COS kernel (v5.15.x) uses a double pointer of `struct nft_rule`, which caused the difference. Also, it is not necessary to bypass the rcu protected section when performing ROP on the COS kernel.
 
 ```c
 void rop_chain(uint64_t* data){