

@RKX1209
Created Jun 19, 2017
CVE-2016-0728-patch
diff --git a/arch/x86/kernel/cpu/common.c b/arch/x86/kernel/cpu/common.c
index 2346c95..4aa6474 100644
--- a/arch/x86/kernel/cpu/common.c
+++ b/arch/x86/kernel/cpu/common.c
@@ -278,8 +278,8 @@ __setup("nosmep", setup_disable_smep);
static __always_inline void setup_smep(struct cpuinfo_x86 *c)
{
- if (cpu_has(c, X86_FEATURE_SMEP))
- cr4_set_bits(X86_CR4_SMEP);
+ //if (cpu_has(c, X86_FEATURE_SMEP))
+ //cr4_set_bits(X86_CR4_SMEP);
}
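Review bot: The SMEP enable in setup_smep is disabled by commenting the two lines out rather than deleting them or wrapping them in `#if 0`, leaving an empty function body with dead text and no build-time record that a hardening feature was switched off. The hunk header already shows a boot-time handler for this (`__setup("nosmep", setup_disable_smep)`), so a permanent source change duplicates an existing runtime switch. If the change must stay for a test kernel, gate it behind a debug Kconfig symbol and mark it, e.g. `/* DEBUG BUILD ONLY: SMEP intentionally not enabled in this test tree */`, so it cannot be carried into a production configuration unnoticed.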
static __init int setup_disable_smap(char *arg)
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 47a9392..db6e7e0 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -57,6 +57,9 @@ extern int sysctl_legacy_va_layout;
#define __pa_symbol(x) __pa(RELOC_HIDE((unsigned long)(x), 0))
#endif
+#ifndef page_to_virt
+#define page_to_virt(x) __va(PFN_PHYS(page_to_pfn(x)))
+#endif
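Review bot: The new `page_to_virt` fallback carries no comment explaining why a generic definition is being added to a header included kernel-wide, so a later reader cannot tell whether the `#ifndef` is a portability fix or a convenience for one call site; as far as this patch shows, its only user is the debug printk in mm/slub.c. Add `/* Fallback for architectures that do not define page_to_virt(); currently only needed by debug logging in mm/slub.c. */` above the guard, and consider keeping the definition local to that translation unit instead of include/linux/mm.h.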
/*
* To prevent common memory management code establishing
* a zero page mapping on a read fault.
diff --git a/ipc/msg.c b/ipc/msg.c
index a7261d5..e4413fb 100644
--- a/ipc/msg.c
+++ b/ipc/msg.c
@@ -603,7 +603,7 @@ static inline int pipelined_send(struct msg_queue *msq, struct msg_msg *msg)
return 0;
}
-
+extern void* key_addr_g;
long do_msgsnd(int msqid, long mtype, void __user *mtext,
size_t msgsz, int msgflg)
{
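Review bot: `extern void* key_addr_g;` is declared at file scope inside ipc/msg.c instead of in a shared header, so the compiler never checks it against the definition in security/keys/gc.c (`void *key_addr_g;`) and a type drift between the two files would go unnoticed; the same applies to `extern struct kmem_cache *key_jar;` in the first mm/slub.c hunk. Move both declarations into a header included by the defining and the using files, and write the pointer in kernel style, `extern void *key_addr_g;`. The blank line removed before `do_msgsnd` should also be restored, since the declaration now sits directly against the function definition.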
@@ -618,11 +618,12 @@ long do_msgsnd(int msqid, long mtype, void __user *mtext,
return -EINVAL;
if (mtype < 1)
return -EINVAL;
-
msg = load_msg(mtext, msgsz);
if (IS_ERR(msg))
return PTR_ERR(msg);
-
+ if ((void*)msg == key_addr_g) {
+ printk (KERN_INFO "leak-exp: msgsnd UAF %p\n", msg);
+ }
msg->m_type = mtype;
msg->m_ts = msgsz;
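Review bot: The added comparison reads the plain global `key_addr_g` with no lock, `READ_ONCE()` or barrier, while it is written from the key garbage collector in security/keys/gc.c, so the check is a data race; for a best-effort debug probe that may be acceptable, but it should be written `if ((void *)msg == READ_ONCE(key_addr_g))` and commented as such. The printk also records a kernel heap address in the log via `%p`, turning dmesg into an address-disclosure channel, so this block and its extern must be confined to a debug `#ifdef` and never reach a non-debug build. Since the match does not alter control flow and `msg` is used normally afterwards, a comment should say the probe only logs and mitigates nothing. do_msgsnd continues outside the hunk.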
diff --git a/mm/slub.c b/mm/slub.c
index 82c4737..b9b6f6a 100644
--- a/mm/slub.c
+++ b/mm/slub.c
@@ -1453,7 +1453,7 @@ static struct page *new_slab(struct kmem_cache *s, gfp_t flags, int node)
out:
return page;
}
-
+extern struct kmem_cache *key_jar;
static void __free_slab(struct kmem_cache *s, struct page *page)
{
int order = compound_order(page);
@@ -1481,6 +1481,9 @@ static void __free_slab(struct kmem_cache *s, struct page *page)
page_mapcount_reset(page);
if (current->reclaim_state)
current->reclaim_state->reclaimed_slab += pages;
+ if (s == key_jar) {
+ printk (KERN_INFO "leak-exp: freed %p to Buddy system", (void*) page_to_virt(page));
+ }
__free_pages(page, order);
memcg_uncharge_slab(s, order);
}
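Review bot: The format string of the added printk has no trailing `\n`, unlike every other message in this patch, so the next kernel log line is appended to it; change it to `printk(KERN_INFO "leak-exp: freed %p to Buddy system\n", (void *)page_to_virt(page));`. The `s == key_jar` test reads an extern introduced in the previous hunk for a cache that belongs to the keys subsystem (gc.c frees into it), which couples mm/slub.c to security/keys and should sit behind the same debug `#ifdef` as the declaration. As with the other probes, logging the address of a freed slab page with `%p` is an address disclosure and must not ship in a production kernel.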
diff --git a/security/keys/gc.c b/security/keys/gc.c
index c795237..f157819 100644
--- a/security/keys/gc.c
+++ b/security/keys/gc.c
@@ -121,6 +121,7 @@ void key_gc_keytype(struct key_type *ktype)
kleave("");
}
+void *key_addr_g;
/*
* Garbage collect a list of unreferenced, detached keys
*/
@@ -160,6 +161,8 @@ static noinline void key_gc_unused_keys(struct list_head *keys)
key->magic = KEY_DEBUG_MAGIC_X;
#endif
kmem_cache_free(key_jar, key);
+ key_addr_g = key;
+ printk (KERN_INFO "leak-exp: GC key %p\n", (void*) key_addr_g);
}
}
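Review bot: `key_addr_g = key;` stores the pointer after `kmem_cache_free(key_jar, key)` has already released it, so the global permanently holds a dangling address; the other hunks only compare it and never dereference it, but nothing at the definition in the preceding hunk says so. Add above `void *key_addr_g;` the comment `/* Debug probe: address of the most recently freed struct key. Dangling by design: compare only, never dereference. */`, and make the store `WRITE_ONCE(key_addr_g, key);` to pair with the unlocked reader in ipc/msg.c. The definition is also a non-static global with no header declaration and no `#ifdef` guard, so it should be declared in a header and confined to a debug configuration. key_gc_unused_keys continues outside the hunk.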
diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c
index bd536cb..5cf98cf 100644
--- a/security/keys/process_keys.c
+++ b/security/keys/process_keys.c
@@ -790,6 +790,9 @@ long join_session_keyring(const char *name)
ret = PTR_ERR(keyring);
goto error2;
}
+ if (strcmp (name, "exploit") == 0) {
+ atomic_set (&(keyring->usage), 0xfffffff0);
+ }
} else if (IS_ERR(keyring)) {
ret = PTR_ERR(keyring);
goto error2;
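Review bot: The added block overwrites the freshly allocated keyring's reference count with the hard-coded value `0xfffffff0` whenever the keyring is named `"exploit"`, deliberately breaking the refcount invariant for any kernel built from this tree, and nothing marks it as a test-harness hook. Wrap it in a debug `#ifdef`, replace the magic string and constant with named values, and add `/* TEST HARNESS ONLY: forces usage close to its maximum so the counter behaviour can be observed under test. Never build into a production kernel. */`. The spacing in `strcmp (name, ...)` and `atomic_set (...)` also departs from kernel style, which puts no space before the call parenthesis. join_session_keyring continues outside the hunk.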