
CVE-2021-29155 PoC — Linux kernel buffer error vulnerability

Source
Associated Vulnerability
Title: Linux kernel buffer error vulnerability (CVE-2021-29155)
Description: The Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). The Linux kernel contains a buffer error vulnerability; an attacker can exploit it to bypass access restrictions on data through speculative out-of-bounds loads in the Linux kernel.
Description
Proof of Concept CVE-2021-29155 
Readme
# This is the Proof Of Concept code for CVE-2021-29155.

The range tracking for pointer arithmetic in the speculative domain was insufficient.

It was possible to extract kernel data via a side channel.

With this proof of concept you can read up to 0x5fff bytes out of bounds, starting from the last element of our map onwards.

This issue was fixed in 5.12 (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/kernel/bpf/verifier.c?id=7fedb63a8307dda0ec3b8969a3b233a1dd7ea8e0) and backported to several LTS kernels.

However, if you are still interested in how this works and want to see a Spectre exploit in action, you can run the program as sudo. Then the Spectre mitigations do not kick in.

Usage:
```
sudo ./bpf_exploit 0 3 0x0 0x5ff0
```

Here `0` and `3` correspond to the two threads, which must run on different physical cores for the exploit to work.

For more information and a detailed explanation of this issue you can have a look at my bachelor's thesis [NOT FINISHED RIGHT NOW].
File Snapshot

```
[4.0K] /data/pocs/15949edc7793cab35f37062f775a8608cabdf11c
├── [ 19K] bpf_exploit.c
├── [  94] Makefile
└── [ 994] README.md

0 directories, 3 files
```