#include "libs/pwn.h"
#include <unistd.h>
/*******************************
* EXPLOIT *
*******************************/
/*
 * Size argument passed to every keap_malloc() call in main(): 0x100 = 256.
 * NOTE(review): presumably bytes, which would land in a 256-byte kmalloc
 * size class - confirm against the keap driver, which is not shown here.
 */
#define CHUNK_SIZE 0x100
/*
 * Demonstrates CPU locality of freed kernel heap objects: an object freed
 * while pinned to one CPU is not returned to an allocation made from a
 * different CPU, but is returned to the next same-size allocation made from
 * the CPU that freed it. The two CHK() calls assert exactly that.
 *
 * pin_cpu(), init(), keap_malloc(), keap_free(), lstage(), linfo() and CHK()
 * come from libs/pwn.h, which is not shown; the notes below on their
 * behaviour are assumptions to confirm.
 *
 * NOTE(review): the second argument of pin_cpu() looks like the CPU index,
 * so the run needs CPUs 0, 1 and 2 to be online. The return value of
 * pin_cpu() is never checked; if pinning silently fails, both assertions
 * are meaningless.
 *
 * NOTE(review): the same-CPU assertion is load- and configuration-dependent.
 * Any other allocation from the same cache on that CPU between the free and
 * the re-allocation can take the object first, so occasional failures on a
 * busy system are expected. Allocator hardening options may also change the
 * outcome; record the kernel version and config next to any result.
 *
 * Why this matters for defenders: prompt same-CPU reuse of a freed address
 * is what turns a dangling kernel pointer into a reliable memory-safety
 * problem, and it is the behaviour that slab hardening and use-after-free
 * detection tooling are measured against.
 */
int main(int argc, char *argv[]) {
    /* Command-line arguments are not used by this demo. */
    (void)argc;
    (void)argv;

    /* Unbuffered stdout so each log line appears as soon as it is emitted. */
    setvbuf(stdout, NULL, _IONBF, 0);

    lstage("INIT");
    pin_cpu(0, 0);
    init();

    lstage("START");

    /* Step 1: allocate one object while pinned to CPU 1 and free it there. */
    linfo("allocating and freeing chunk");
    pin_cpu(0, 1);
    void *first_obj = keap_malloc(CHUNK_SIZE, GFP_KERNEL_ACCOUNT);
    keap_free(first_obj);
    linfo("free done done");

    /*
     * Step 2: the same request from CPU 2 must yield a different address,
     * because the freed object is not available to that CPU.
     */
    linfo("trying to realloc from different cpu (Spoiler: will fail)");
    pin_cpu(0, 2);
    void *other_cpu_obj = keap_malloc(CHUNK_SIZE, GFP_KERNEL_ACCOUNT);
    CHK(other_cpu_obj != first_obj);

    /*
     * Step 3: back on CPU 1, the same request is expected to return the
     * address that was freed in step 1.
     */
    linfo("trying to realloc from same cpu");
    pin_cpu(0, 1);
    void *same_cpu_obj = keap_malloc(CHUNK_SIZE, GFP_KERNEL_ACCOUNT);
    CHK(same_cpu_obj == first_obj);
    linfo("successfully realloced from same cpu");

    /*
     * Release the two live objects. first_obj is not freed again: the CHK
     * above asserted it has the same address as same_cpu_obj, so a third
     * free would be a double free.
     */
    keap_free(other_cpu_obj);
    keap_free(same_cpu_obj);

    return 0;
}