Update exploit.md

google · Dec 6, 2024 · 2593d85 · 2593d85
1 parent 782a179
commit 2593d85
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/pocs/linux/kernelctf/CVE-2024-41009_lts_cos/docs/exploit.md b/pocs/linux/kernelctf/CVE-2024-41009_lts_cos/docs/exploit.md
@@ -21,7 +21,7 @@ struct bpf_ringbuf {
 };
 ```
 
-`BPF_FUNC_ringbuf_reserve` is used to allocate a memory chunk from `BPF_MAP_TYPE_RINGBUF`.  It reverses 8 bytes space to record header structure.
+`BPF_FUNC_ringbuf_reserve` is used to allocate a memory chunk from `BPF_MAP_TYPE_RINGBUF`.  It reserve 8 bytes space to record header structure.
 ```C
 /* 8-byte ring buffer record header structure */
 struct bpf_ringbuf_hdr {
@@ -132,7 +132,7 @@ static void bpf_ringbuf_commit(void *sample, u64 flags, bool discard)
 	rb = bpf_ringbuf_restore_from_rec(hdr);
 ```
 
-`pg_off` in bpf_ringbuf_hdr is the chunks's page offset from bpf_ringbuf structure, so `bpf_ringbuf_restore_from_rec` will substract the ringbuf chunk with `pg_off` to locate `bpf_ringbuf` object. If we see this structure again:
+`pg_off` in `bpf_ringbuf_hdr` is the chunks's page offset from `bpf_ringbuf` structure, so `bpf_ringbuf_restore_from_rec` will substract the ringbuf chunk address with `pg_off` to locate `bpf_ringbuf` object. We can see `bpf_ringbuf_hdr` structure again:
 ```C
 struct bpf_ringbuf {
 	...
@@ -142,7 +142,7 @@ struct bpf_ringbuf {
 	char data[] __aligned(PAGE_SIZE);
 }
 ```
-Suppose chunk A located at the first page of `rb->data`, using bug's primitive we modify `pg_off` of chunk A to `2`, then the meta pages that calculated with `bpf_ringbuf_restore_from_rec` will point to the `rb->consumer_pos`. We can mmap `rb->consumer_pos` and control its content.
+Suppose chunk A located at the first page of `rb->data`, distance chunk A address with `rb->consumer_pos` is `2`, using bug's primitive we modify `pg_off` of chunk A to `2`, then the meta pages that calculated from `bpf_ringbuf_restore_from_rec` will point to the `rb->consumer_pos`. We can mmap `rb->consumer_pos` in user space and control its content.
 
 By crafting `work` field inside `bpf_ringbuf` and call `bpf_ringbuf_commit` with `BPF_RB_FORCE_WAKEUP` it will call our crafted `irq_work` object to `irq_work_queue`.
 ```C