-
Notifications
You must be signed in to change notification settings - Fork 424
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add kernelCTF CVE-2023-3776 (lts) #50
Conversation
d8211d8
to
22b1cba
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hey! I've made some comments, can you please take a look and made the appropriate changes, add more explanations?
We are trying to make the submissions as understandable as possible, so it makes easier for the community to learn from them!
Thank you!
pocs/linux/kernelctf/CVE-2023-3776_lts/exploit/lts-6.1.36/poc.c
Outdated
Show resolved
Hide resolved
pocs/linux/kernelctf/CVE-2023-3776_lts/exploit/lts-6.1.36/poc.c
Outdated
Show resolved
Hide resolved
pocs/linux/kernelctf/CVE-2023-3776_lts/exploit/lts-6.1.36/poc.c
Outdated
Show resolved
Hide resolved
pocs/linux/kernelctf/CVE-2023-3776_lts/exploit/lts-6.1.36/poc.c
Outdated
Show resolved
Hide resolved
pocs/linux/kernelctf/CVE-2023-3776_lts/exploit/lts-6.1.36/poc.c
Outdated
Show resolved
Hide resolved
pocs/linux/kernelctf/CVE-2023-3776_lts/exploit/lts-6.1.36/poc.c
Outdated
Show resolved
Hide resolved
pocs/linux/kernelctf/CVE-2023-3776_lts/exploit/lts-6.1.36/poc.c
Outdated
Show resolved
Hide resolved
first->cmsg_type = 0x41414141; | ||
|
||
for(int i=0x40;i<0x80;i+=0x8) | ||
*(size_t*)&payload[i] = 0xfffffe000003df58; //cpu_entry_area fixed kernel address |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you comment on which field is at offset 0x3df58
? https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/x86/include/asm/cpu_entry_area.h#n90
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That address is at CPU#1 cpu_entry_area's entry_stack_page (stack address) while it try to push r15 in function error_entry
Add cooment on why to poweroff
Hi, thanks for the comment. |
No description provided.