Add kernelCTF CVE-2023-6931_mitigation #141
Conversation
|
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request. |
koczkatamas
force-pushed
the
master
branch
3 times, most recently
from
933028d to
c111d81
Compare
koczkatamas
force-pushed
the
master
branch
13 times, most recently
from
76d6b57 to
bf0d68f
Compare
There was a problem hiding this comment.
Hey,
This is just a quick code quality review. We're planning to review the submissions more deeply (actually understanding what the exploit does) in two weeks.
In general, the code in its current form does not match the requirements to be reviewed or accepted. Please follow our (draft) style guide to fix your code: https://google.github.io/security-research/kernelctf/style_guide. Also make sure you are meeting the documentation requirements of the rules.
I've left a few explicit comments too, but it's not enough to only fix those.
Thanks for the submission and PR!
| }; | ||
|
|
||
| struct read_format { | ||
| __u64 value; // 카운터 값 |
There was a problem hiding this comment.
Please use English in the code. See more details here.
| } | ||
|
|
||
| void spray(){ | ||
| char *fname = "/tmp/zzlol"; |
There was a problem hiding this comment.
Please refactor and/or rewrite your code and make it clearer what you are building here following our style guide.
| pe1.exclude_hv = 1; | ||
| event = perf_event_open(&pe1, 0, -1, group_leader, 0); | ||
| if (event == -1) { | ||
| perror("asdf"); |
There was a problem hiding this comment.
Please use descriptive error messages, what went wrong.
| pid_t parent_pid; | ||
| parent_pid = getpid(); | ||
| pid_t child_pid = fork(); | ||
| if(fork < 0) puts("fail"); |
There was a problem hiding this comment.
Please use more descriptive error messages, what went wrong e.g. sibling fork failed.
| } | ||
| } | ||
| kill(parent_pid, SIGUSR1); | ||
| sleep(999999); |
There was a problem hiding this comment.
Please comment here what you are waiting for (which kernel function). See more details here.
| } | ||
| } | ||
| kill(parent_pid, SIGUSR1); | ||
| sleep(999999); |
There was a problem hiding this comment.
Please comment here what you are waiting for (which kernel function). See more details here.
| sleep(999999); | ||
| } | ||
| pause(); | ||
| for(int i = 0; i < (0x10000/0x10+0x2000/0x10)-2000; i++){ |
There was a problem hiding this comment.
Please explain this iteration count and calculation in more details.
| struct xattr_return *xret = read_xattr("/tmp/zzlol", name); | ||
|
|
||
| printf("[+] xattr size: 0x%lx\n", xret->size); | ||
| uint64_t kpage = ((uint64_t *)xret->value)[0x7fc]; |
There was a problem hiding this comment.
Please explain in more details what you are leaking here: https://google.github.io/security-research/kernelctf/style_guide#sprayed-and-leaked-structures
| perror("setxattr"); | ||
| } | ||
|
|
||
| memset(y, 'y', 0x40); |
There was a problem hiding this comment.
Please explain in more details what you are building here. Follow the recommendations from our style guide.
| puts("[+] Spraying xattr"); | ||
| spray(); | ||
| char *fname = "/tmp/zzlol"; | ||
| char *z = "zzlol1994"; |
There was a problem hiding this comment.
Please fix this code following the style guide.
No description provided.