Add kernelCTF CVE-2025-39964_lts_cos_mitigation#265
Add kernelCTF CVE-2025-39964_lts_cos_mitigation#265st424204 wants to merge 13 commits intogoogle:masterfrom
Conversation
st424204
force-pushed
the
CVE-2025-39964_lts_cos_mitigation_fixed
branch
from
f6f4806 to
2aa25ad
Compare
st424204
force-pushed
the
CVE-2025-39964_lts_cos_mitigation_fixed
branch
from
2aa25ad to
6b5e504
Compare
koczkatamas
added
the
kCTF: vuln OK
|
I verified the exploit, the writeup was good enough, but mapping the steps to the exploit code was not trivial to me, to see where the different steps happening:
Next time try to include in the exploit which call does which steps, otherwise we may stop verification and ask you for changes first which will make the payout process slower. |
koczkatamas
left a comment
koczkatamas
left a comment
There was a problem hiding this comment.
Some comments along the line, please explain the exploit in more detail, I stopped reviewing because it was hard to follow what's going on exactly.
Make sure you follow the style guide: https://google.github.io/security-research/kernelctf/style_guide
| }; | ||
| ``` | ||
|
|
||
| If sgl is at address 0, sgl->sg[-1] will be at -8 (24-32), so we can use previous chunk's content to control `page_link`, but `offset` and `length` is not controllable. |
There was a problem hiding this comment.
Explain this part (everything from here until the end of the writeup) in more depth, it's hard to follow that's going on exactly.
There was a problem hiding this comment.
explained in recent changes
| xcnt++; | ||
| oracle = *(size_t *)&payload[0xff8]; | ||
| char *start = (void *)(0ULL); | ||
| // test guess is first/second half |
There was a problem hiding this comment.
Explain the whole logic better behind the binary search, what's going on exactly, how the oracle works, etc.
There was a problem hiding this comment.
explained in recent changes
| read(cfd[1], buf, 1); | ||
| } | ||
|
|
||
| *(size_t *)&payload[0xff8] += (((core_pattern & ~0xfff) - (leak_offset & ~0xfff)) >> 6); |
There was a problem hiding this comment.
What's at offset 0xff8? (-8)
There was a problem hiding this comment.
explained in recent changes
| else | ||
| stext = bypass_kaslr(0); | ||
| core_pattern = 0xffffffff8420dde0; | ||
| core_pattern = 0xffffffff8420e260; |
There was a problem hiding this comment.
Remove unnecessary lines.
| char *start = (void *)0x100000000ULL; | ||
| while (1) | ||
| { | ||
| start = SYSCHK(mmap(start, 0x80000000ULL, PROT_READ | PROT_WRITE, MAP_SHARED | MAP_ANON | MAP_FIXED, -1, 0)); |
There was a problem hiding this comment.
Explain more about this allocation (why chose the size 0x80000000ULL, etc).
There was a problem hiding this comment.
explained in recent changes
| @@ -0,0 +1,8 @@ | |||
| #LTS/COS | |||
There was a problem hiding this comment.
Do we need these RUN files? It seems core_pattern is also specified in the source code as well.
koczkatamas
left a comment
koczkatamas
left a comment
There was a problem hiding this comment.
We've asked our friendly AI to review your exploits based on our style guide and here are its recommendations to guide your fixing.
We manually checked the findings, but it can still contain mistakes, please double-check it and feel free to push back if you think it's wrong.
Please take a look below.
| #endif | ||
|
|
||
| pthread_t tid[0x100]; | ||
| pthread_t tid2[0x100]; |
There was a problem hiding this comment.
Unused array tid2 clutters the global scope.
Recommendation: Remove the unused array declaration.
AI-suggested fix (do not apply blindly, but can be helpful for inspiration): remove the line.
Read more about this violation in the 'Unused code' section of the style guide.
This comment is AI-generated. Although it was manually checked, it can still contain mistakes, please double-check it and feel free to push back if you think it's wrong.
| pthread_t tid[0x100]; | ||
| pthread_t tid2[0x100]; | ||
|
|
||
| char buf[0x10000]; |
There was a problem hiding this comment.
Using a global variable for a generic temporary buffer instead of localized buffers.
Recommendation: Move the buffer to the local scope of the functions that require it.
AI-suggested fix (do not apply blindly, but can be helpful for inspiration):
char buf[0x10000]; // moved inside main2 or job functionRead more about this violation in the 'Usage of global variables instead of local ones' section of the style guide.
This comment is AI-generated. Although it was manually checked, it can still contain mistakes, please double-check it and feel free to push back if you think it's wrong.
There was a problem hiding this comment.
explained in recent changes
| char vec[0x100000]; | ||
|
|
||
| int cfd[2]; | ||
| int sfd[0x200][2]; |
There was a problem hiding this comment.
Mismatch between the allocated array size (0x200) and actual usage (0x100).
Recommendation: Change the allocation size to match the exact number of threads used.
AI-suggested fix (do not apply blindly, but can be helpful for inspiration):
int sfd[THREAD_NUM][2];Read more about this violation in the 'Match iteration count for allocation, creation and usage' section of the style guide.
This comment is AI-generated. Although it was manually checked, it can still contain mistakes, please double-check it and feel free to push back if you think it's wrong.
|
|
||
| int cfd[2]; | ||
| int sfd[0x200][2]; | ||
| int sfd2[0x200][2]; |
There was a problem hiding this comment.
Unused array sfd2 is present in the code.
Recommendation: Remove the unused array declaration.
AI-suggested fix (do not apply blindly, but can be helpful for inspiration): remove the line.
Read more about this violation in the 'Unused code' section of the style guide.
This comment is AI-generated. Although it was manually checked, it can still contain mistakes, please double-check it and feel free to push back if you think it's wrong.
| char payload[0x1000]; | ||
| int opfd; | ||
|
|
||
| #define LEN 0x1000 / 8 * 0x1000 |
There was a problem hiding this comment.
Generic macro name used for a length constant.
Recommendation: Rename it to something more descriptive like MMAP_REGION_LEN.
AI-suggested fix (do not apply blindly, but can be helpful for inspiration):
#define MMAP_REGION_LEN (0x1000 / 8 * 0x1000)Read more about this violation in the 'Naming conventions' section of the style guide.
This comment is AI-generated. Although it was manually checked, it can still contain mistakes, please double-check it and feel free to push back if you think it's wrong.
| system("cat /flag"); | ||
| system("cat /flag"); | ||
| system("cat /flag"); | ||
| system("cat /flag"); | ||
| system("cat /flag"); | ||
| system("cat /flag"); |
There was a problem hiding this comment.
Repeating lines of modification or execution requires explanation to prove it is not a typo and to document its purpose.
Recommendation: Either wrap the code in a loop or leave a comment explicitly stating the reason for executing it six times.
AI-suggested fix (do not apply blindly, but can be helpful for inspiration):
// Repeatedly execute cat /flag to ensure success before panic for (int i = 0; i < 6; i++) { system("cat /flag"); }Read more about this violation in the 'Explain duplicated lines' section of the style guide.
This comment is AI-generated. Although it was manually checked, it can still contain mistakes, please double-check it and feel free to push back if you think it's wrong.
| wait(NULL); | ||
| } | ||
| } | ||
| int main2() |
There was a problem hiding this comment.
Exploit staging functions must be named descriptively to inform the reader about the steps taking place.
Recommendation: Rename the function to something descriptive like execute_cross_cache_exploit.
AI-suggested fix (do not apply blindly, but can be helpful for inspiration):
int execute_cross_cache_exploit()Read more about this violation in the 'Naming conventions' section of the style guide.
This comment is AI-generated. Although it was manually checked, it can still contain mistakes, please double-check it and feel free to push back if you think it's wrong.
| printf("init %ld\n", n); | ||
| // PAUSE; | ||
|
|
||
| for (int i = 0; i < 0x7b; i++) |
There was a problem hiding this comment.
Numeric constants determining counts and iteration constraints must be named and/or commented.
Recommendation: Define a macro or provide a comment explaining what the limit 0x7b achieves.
Read more about this violation in the 'Name and/or comment numeric constants' section of the style guide.
This comment is AI-generated. Although it was manually checked, it can still contain mistakes, please double-check it and feel free to push back if you think it's wrong.
|
|
||
| // PAUSE; | ||
|
|
||
| sleep(1); |
There was a problem hiding this comment.
Every sleep() call must feature a comment explaining what background kernel task it waits for.
Recommendation: Add a descriptive sleep comment explaining the delay trigger.
AI-suggested fix (do not apply blindly, but can be helpful for inspiration):
// @sleep(desc="Wait for network operation to complete handling before advancing") sleep(1);Read more about this violation in the 'Sleeping & waiting' section of the style guide.
This comment is AI-generated. Although it was manually checked, it can still contain mistakes, please double-check it and feel free to push back if you think it's wrong.
| read(sfd[i][0], buf, 0x1000); | ||
| read(cfd[1], buf, 1); | ||
| } | ||
| *(size_t *)&payload[0xff8] -= (0x500000000000ULL >> 6); |
There was a problem hiding this comment.
Applying complex arithmetic using hardcoded sizes and magic offsets into raw buffers is strictly discouraged.
Recommendation: Use a struct layout or defined macros for offsets and size constants.
AI-suggested fix (do not apply blindly, but can be helpful for inspiration):
#define MAGIC_GUESS_ADJUST 0x500000000000ULL #define PAYLOAD_OVERLAP_OFFS 0xff8 *(size_t *)&payload[PAYLOAD_OVERLAP_OFFS] -= (MAGIC_GUESS_ADJUST >> 6);Read more about this violation in the 'Sprayed and leaked structures' section of the style guide.
This comment is AI-generated. Although it was manually checked, it can still contain mistakes, please double-check it and feel free to push back if you think it's wrong.
st424204
force-pushed
the
CVE-2025-39964_lts_cos_mitigation_fixed
branch
from
8ea1847 to
2592f76
Compare
- Add KERNEL_TEXT_BASE macro (0xffffffff81000000UL) and use it in all
CORE_PATTERN_*_OFFSET definitions instead of the raw literal
- Add SCAN_END_ADDR (0x500000000000ULL) and MAP_CHUNK_SIZE (0x80000000ULL)
macros; replace all raw values in allocate_map() and the binary search
- Add PAGE_SIZE / PAGE_MASK macros; use in adjust_offset calculation and
the page-aligned delta expression (~0xfff -> ~PAGE_MASK)
- Replace 6 duplicate system("cat /flag") calls with a for loop
- Rename job() -> spray_send_thread(), do_spray() -> spray_unix_sockets()
for descriptiveness; apply consistently to all three targets
- Fix remaining raw 0x100 -> THREAD_NUM in Step 4 release loop
- Use MITIGATION_PHYSMAP_EXTRA_OFFSET macro (already defined) instead of
the raw (0x100000000ULL >> 6) literal in mitigation-v4-6.6
- Add explanatory comment on global buf (intentionally shared across threads)
- Fix "Exploit chain (LTS 6.12.44)" header in COS and mitigation files
3 participants
No description provided.