```c
/*
 * gro_frag.c — LPE via GRO managed-frag UAF (io_uring SEND_ZC + veth)
 *
 * The bug: skb_gro_receive() copies frag descriptors from a ZC skb
 * (SKBFL_MANAGED_FRAG_REFS → no per-frag page refs) into a non-ZC
 * GRO accumulator. When the accumulator is freed, skb_release_data()
 * calls put_page() on each frag — including the stolen ones that never
 * had get_page() called. This gives us one extra put_page per merged
 * ZC frag: a refcount underflow.
 *
```
```c
/*
 * sockmap_lpe_ktls.c — full LPE via kTLS + sockmap page cache corruption
 *
 * https://lore.kernel.org/stable/20260517121626.406516-1-rollkingzzc@gmail.com/
 *
 * Works on ALL kernels 4.18+ (including 6.5+ where sendpage was removed).
 *
 * Chain: sendfile → tls_sw_sendmsg(MSG_SPLICE_PAGES)
 *          → tls_sw_sendmsg_splice → sk_msg_page_add(msg_pl, page)
 *          → bpf_exec_tx_verdict(msg_pl)
```