Add kernelCTF CVE-2024-26581_lts_cos_mitigation #109
Conversation
Thanks! The exploit looks nicely written; I left some comments where I'd like to see more details in the writeup.
Review comments were left on:
- pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/docs/vulnerability.md (resolved)
- pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/docs/exploit.md (outdated, resolved)
- pocs/linux/kernelctf/CVE-2024-26581_lts_cos_mitigation/docs/exploit.md (outdated, resolved)
- msg[3]: Error message and finally trigger __nf_tables_abort. All previous messages will be rolled back:
- The element created in msg[2] will be removed by function `nft_rbtree_remove` and will be freed by function `nft_set_elem_destroy`
- The element `B` created in msg[1] will be removed and freed.
- The element `A` created in msg[0] will be removed by function `nft_rbtree_remove` and will be freed by function `nft_set_elem_destroy` again! `rb_erase` will replace element B to the left child node of element A's parent node again! This means that we reinserted the element `B` that was about to be freed into the rbtree!
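Review bot: the rollback order in this list is only implied; the first bullet says "All previous messages will be rolled back" and the following bullets then walk msg[2], msg[1], msg[0], so state explicitly that the abort path undoes the transaction in reverse order, which is why msg[2]'s element is destroyed before `B` and `A`. Also, the element from msg[2] is the only one left unnamed while `A` and `B` get labels; giving it a name (e.g. `C`) would make it easier to follow which node `rb_erase` re-links when `A` is removed.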
> The element `A` created in msg[0] will be removed by function `nft_rbtree_remove` and will be freed by function `nft_set_elem_destroy` again! `rb_erase` will replace element B to the left child node of element A's parent node again! This means that we reinserted the element `B` that was about to be freed into the rbtree!
This makes it sound like A is freed 2x. I think what you meant is that A is freed by `nft_set_elem_destroy`, calling `rb_erase`. This means that we reinserted the element `B` that was about to be freed into the rbtree.
After this you have a UAF on B?
Yes, after that, I have a UAF on B.
Could you add a note that this gives a UAF on B? I think it helps readers a lot to have the victim object be clear.
Hi, I've added more details in the exploit.md. Thanks.
Thanks! Added one last request here: https://github.com/google/security-research/pull/109/files/c0b2d52e922b5fa3499deade6c4b30cab8ca0193#r1731889215
Hi, I've updated the exploit.md. Thanks.