
Artem S. Tashkinov birdie-github

/*
* sockmap_lpe_ktls.c — full LPE via kTLS + sockmap page cache corruption
*
* https://lore.kernel.org/stable/20260517121626.406516-1-rollkingzzc@gmail.com/
*
* Works on ALL kernels 4.18+ (including 6.5+ where sendpage was removed).
*
* Chain: sendfile → tls_sw_sendmsg(MSG_SPLICE_PAGES)
* → tls_sw_sendmsg_splice → sk_msg_page_add(msg_pl, page)
* → bpf_exec_tx_verdict(msg_pl)
birdie-github / gro_frag.c
Created May 23, 2026 08:35 — forked from lcfr-eth/gro_frag.c
LPE via GRO managed-frag UAF
/*
* gro_frag.c — LPE via GRO managed-frag UAF (io_uring SEND_ZC + veth)
*
* The bug: skb_gro_receive() copies frag descriptors from a ZC skb
* (SKBFL_MANAGED_FRAG_REFS → no per-frag page refs) into a non-ZC
* GRO accumulator. When the accumulator is freed, skb_release_data()
* calls put_page() on each frag — including the stolen ones that never
* had get_page() called. This gives us one extra put_page per merged
* ZC frag: a refcount underflow.
*
birdie-github / policy.md
Last active April 25, 2026 10:46
Chrome for Linux: a policy to enable Manifest V2 and force-enable DNS over HTTPS using Cloudflare's one.one.one.one server

This is for official Google Chrome builds. Chromium reads the same policy format, but the policies directory depends on how your distribution packages it (Debian-based distributions typically use /etc/chromium/policies/managed), so check your distro's packaging; Chromium-based forks are most likely compatible as well, again with a different policies directory.

To be put into /etc/opt/chrome/policies/managed (create the directory if it does not exist; it is read by Chrome as mandatory, machine-level policy):

- `DoH.json`: `{ "DnsOverHttpsMode": "secure" }`
- `DoH-server.json`: `{ "DnsOverHttpsTemplates": "https://one.one.one.one/dns-query" }`
- `ExtensionManifestV2Availability.json`: `{ "ExtensionManifestV2Availability": 2 }`

File names are totally arbitrary; only the policy names inside the JSON matter. Two things worth knowing before applying this: `"secure"` means Chrome will only resolve names over DoH and never falls back to the system resolver, so if one.one.one.one is unreachable (captive portals, a network that blocks port 443 to Cloudflare) name resolution simply fails, whereas `"automatic"` falls back to plain DNS. The value `2` for `ExtensionManifestV2Availability` means "Manifest V2 enabled" (0 = default, 1 = disabled, 3 = enabled only for force-installed extensions). After restarting Chrome, confirm the three policies show up with status "OK" on chrome://policy.
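Because the file names are arbitrary, it is easy to end up with two files in the managed directory that set the same policy to different values, or with `"secure"` mode and no DoH template configured. The following linter is an added example and is not part of the gist: it writes the three policy files above into a scratch directory (so it runs offline without touching /etc), then checks every JSON file in a directory for syntax errors, values outside Chrome's documented set for the two enumerated policies, cross-file conflicts, and a secure mode with no template. The function names and the scratch-directory helper are this example's own.

```python
"""Lint a Chrome managed-policy directory before dropping files into it.

Added example (not part of the gist): checks the JSON files that Chrome for
Linux reads from /etc/opt/chrome/policies/managed for syntax errors, values
outside the documented set, and the same policy being set to different values
in two differently named files (the file names are arbitrary, so that mistake
is easy to make).
"""
import json
import tempfile
from pathlib import Path

# Documented values for the two enumerated policies the gist sets.
ALLOWED_VALUES = {
    "DnsOverHttpsMode": {"off", "automatic", "secure"},
    "ExtensionManifestV2Availability": {0, 1, 2, 3},  # 2 = Manifest V2 enabled
}

# The three files from the gist, keyed by their (arbitrary) file names.
GIST_POLICIES = {
    "DoH.json": {"DnsOverHttpsMode": "secure"},
    "DoH-server.json": {"DnsOverHttpsTemplates": "https://one.one.one.one/dns-query"},
    "ExtensionManifestV2Availability.json": {"ExtensionManifestV2Availability": 2},
}


def write_policies(policy_dir, policies):
    """Write each policy dict as its own JSON file into policy_dir."""
    policy_dir = Path(policy_dir)
    policy_dir.mkdir(parents=True, exist_ok=True)
    for name, body in policies.items():
        (policy_dir / name).write_text(json.dumps(body, indent=2) + "\n")


def lint_policy_dir(policy_dir):
    """Return a list of human-readable problems; an empty list means clean."""
    problems = []
    first_seen = {}  # policy name -> (file name, value) where it was first set
    for path in sorted(Path(policy_dir).iterdir()):
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text())
        except json.JSONDecodeError as exc:
            problems.append(f"{path.name}: not valid JSON ({exc.msg} at line {exc.lineno})")
            continue
        if not isinstance(data, dict):
            problems.append(f"{path.name}: top level must be a JSON object")
            continue
        for name, value in data.items():
            # Same policy in two files with different values: which one wins
            # is not obvious from the file names, so flag it.
            if name in first_seen and first_seen[name][1] != value:
                other_file, other_value = first_seen[name]
                problems.append(
                    f"{path.name}: {name}={value!r} conflicts with "
                    f"{name}={other_value!r} in {other_file}"
                )
            first_seen.setdefault(name, (path.name, value))
            allowed = ALLOWED_VALUES.get(name)
            # bool is excluded explicitly because True == 1 would pass the set test.
            if allowed is not None and (isinstance(value, bool) or value not in allowed):
                problems.append(
                    f"{path.name}: {name}={value!r} is not one of {sorted(allowed, key=str)}"
                )
            if name == "DnsOverHttpsTemplates" and not str(value).startswith("https://"):
                problems.append(f"{path.name}: DnsOverHttpsTemplates must be an https:// URI template")
    # "secure" forbids falling back to the system resolver, so it is only
    # usable if a DoH server has actually been configured.
    mode = first_seen.get("DnsOverHttpsMode", (None, None))[1]
    if mode == "secure" and "DnsOverHttpsTemplates" not in first_seen:
        problems.append('DnsOverHttpsMode is "secure" but no DnsOverHttpsTemplates is set')
    return problems


def lint_policies(policies):
    """Write the given policies into a scratch directory and lint them there."""
    with tempfile.TemporaryDirectory() as tmp:
        write_policies(tmp, policies)
        return lint_policy_dir(tmp)


if __name__ == "__main__":
    print("gist files:", lint_policies(GIST_POLICIES) or "clean")
    # A fourth, arbitrarily named file that silently contradicts DoH.json.
    contradicted = dict(GIST_POLICIES, **{"zz-doh-off.json": {"DnsOverHttpsMode": "off"}})
    for problem in lint_policies(contradicted):
        print("problem:", problem)
```

To lint the live directory instead of the scratch copy, call `lint_policy_dir("/etc/opt/chrome/policies/managed")`; the conflict check only compares the files it finds, so it also catches a stale file left behind by a previous configuration.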