From 2593d852cd00c3ae3545c6edb241e992ecf6b84f Mon Sep 17 00:00:00 2001 From: M Ramdhan Date: Fri, 6 Dec 2024 14:51:13 +0800 Subject: [PATCH] Update exploit.md --- pocs/linux/kernelctf/CVE-2024-41009_lts_cos/docs/exploit.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pocs/linux/kernelctf/CVE-2024-41009_lts_cos/docs/exploit.md b/pocs/linux/kernelctf/CVE-2024-41009_lts_cos/docs/exploit.md index 89695bc7..3267fee5 100755 --- a/pocs/linux/kernelctf/CVE-2024-41009_lts_cos/docs/exploit.md +++ b/pocs/linux/kernelctf/CVE-2024-41009_lts_cos/docs/exploit.md @@ -21,7 +21,7 @@ struct bpf_ringbuf { }; ``` -`BPF_FUNC_ringbuf_reserve` is used to allocate a memory chunk from `BPF_MAP_TYPE_RINGBUF`. It reverses 8 bytes space to record header structure. +`BPF_FUNC_ringbuf_reserve` is used to allocate a memory chunk from `BPF_MAP_TYPE_RINGBUF`. It reserve 8 bytes space to record header structure. ```C /* 8-byte ring buffer record header structure */ struct bpf_ringbuf_hdr { @@ -132,7 +132,7 @@ static void bpf_ringbuf_commit(void *sample, u64 flags, bool discard) rb = bpf_ringbuf_restore_from_rec(hdr); ``` -`pg_off` in bpf_ringbuf_hdr is the chunks's page offset from bpf_ringbuf structure, so `bpf_ringbuf_restore_from_rec` will substract the ringbuf chunk with `pg_off` to locate `bpf_ringbuf` object. If we see this structure again: +`pg_off` in `bpf_ringbuf_hdr` is the chunks's page offset from `bpf_ringbuf` structure, so `bpf_ringbuf_restore_from_rec` will substract the ringbuf chunk address with `pg_off` to locate `bpf_ringbuf` object. We can see `bpf_ringbuf_hdr` structure again: ```C struct bpf_ringbuf { ... 
@@ -142,7 +142,7 @@ struct bpf_ringbuf { char data[] __aligned(PAGE_SIZE); } ``` -Suppose chunk A located at the first page of `rb->data`, using bug's primitive we modify `pg_off` of chunk A to `2`, then the meta pages that calculated with `bpf_ringbuf_restore_from_rec` will point to the `rb->consumer_pos`. We can mmap `rb->consumer_pos` and control its content. +Suppose chunk A located at the first page of `rb->data`, distance chunk A address with `rb->consumer_pos` is `2`, using bug's primitive we modify `pg_off` of chunk A to `2`, then the meta pages that calculated from `bpf_ringbuf_restore_from_rec` will point to the `rb->consumer_pos`. We can mmap `rb->consumer_pos` in user space and control its content. By crafting `work` field inside `bpf_ringbuf` and call `bpf_ringbuf_commit` with `BPF_RB_FORCE_WAKEUP` it will call our crafted `irq_work` object to `irq_work_queue`. ```C
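Review bot: In the first hunk (`@@ -21,7 +21,7 @@`), the replacement sentence is still ungrammatical: "It reserve 8 bytes space" should read "It reserves 8 bytes of space to record the header structure." The change corrects "reverses" to "reserve" but drops the verb agreement, so the typo fix is incomplete.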
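Review bot: In the second hunk (`@@ -132,7 +132,7 @@`), the new closing sentence "We can see `bpf_ringbuf_hdr` structure again:" is inconsistent with the code block that follows it, which shows `struct bpf_ringbuf {`, not `bpf_ringbuf_hdr`; suggest "Looking at the `bpf_ringbuf` structure again:" so the reader is pointed at the right struct. The same line also keeps two spelling errors the edit could have fixed: "chunks's" should be "chunk's" and "substract" should be "subtract", e.g. "`bpf_ringbuf_restore_from_rec` will subtract `pg_off` (in pages) from the ringbuf chunk address to locate the `bpf_ringbuf` object."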
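Review bot: In the third hunk (`@@ -142,7 +142,7 @@`), the inserted clause "distance chunk A address with `rb->consumer_pos` is `2`" states the distance without a unit, while the preceding hunk defines `pg_off` as a page offset; suggest "the distance from chunk A's address to `rb->consumer_pos` is 2 pages, so using the bug's primitive we modify `pg_off` of chunk A to `2`", which also makes the sentence grammatical. Two smaller wording points in the same line: "the meta pages that calculated from" should be "the meta pages calculated by `bpf_ringbuf_restore_from_rec`", and in the new final sentence "it will call our crafted `irq_work` object to `irq_work_queue`" should be "it will pass our crafted `irq_work` object to `irq_work_queue`".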