
CVE-2021-29155 PoC — Linux kernel buffer error vulnerability

Associated vulnerability: Linux kernel buffer error vulnerability (CVE-2021-29155)

Description: An issue was discovered in the Linux kernel through 5.11.x. kernel/bpf/verifier.c performs undesirable out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory. Specifically, for sequences of pointer arithmetic operations, the pointer modification performed by the first operation is not correctly accounted for when restricting subsequent operations.

PoC description: Proof of Concept CVE-2021-29155

README:
# This is the Proof Of Concept code for CVE-2021-29155.

The verifier's range tracking for pointer arithmetic in the speculative domain was insufficient.

It was possible to extract kernel data via a side channel.

With this proof of concept you can read up to 0x5fff bytes out of bounds, starting from the last element of the map.

This issue was fixed in 5.12 (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/kernel/bpf/verifier.c?id=7fedb63a8307dda0ec3b8969a3b233a1dd7ea8e0) and backported to several LTS kernels.

However, if you are still interested in how this works and want to see a Spectre exploit in action, you can run the program with sudo; then the Spectre mitigations do not kick in.

Usage:
```
sudo ./bpf_exploit 0 3 0x0 0x5ff0
```

where 0 and 3 select the two threads, which must run on different physical cores for the exploit to work.

For more information and a detailed explanation of this issue you can have a look at my bachelor's thesis [NOT FINISHED RIGHT NOW].
File snapshot

```
/data/pocs/15949edc7793cab35f37062f775a8608cabdf11c
├── bpf_exploit.c   [ 19K]
├── Makefile        [  94]
└── README.md       [ 994]

0 directories, 3 files
```