How to use the diff.patch file in eebpf
fatgrass opened this issue · 4 comments
Hi, leesh3288, I'm reading your exploit code & writeup about eebpf, IT'S GREAT.
eebpf gives a diff.patch file, but I don't know how to use it to patch it to the kernel file.
Will you show me the command line to apply the patch? Thanks.
Thanks for your interest.
As man patch suggests, it would suffice to run patch -pNUM <diff.patch in your kernel src directory, where NUM represents the number of leading slashes to strip for each given diff file name.
Also, I've noticed that my exploit isn't completely AAR/W in its current state. It's sufficient to leak kernel base but I've not tried further than that so you might need to modify some stuff, for example replace the use of bpf stack -> bpf map (the core idea is the same though, see author's explanation).
The diff.patch seems interesting, and the patch command doesn't like it. :)
➜ linux-5.4.58 patch -p0 < diff.patch
patch: **** Only garbage was found in the patch input.
➜ linux-5.4.58 patch -p1 < diff.patch
patch: **** Only garbage was found in the patch input.
➜ linux-5.4.58 patch -p2 < diff.patch
patch: **** Only garbage was found in the patch input.
➜ linux-5.4.58 patch -p3 < diff.patch
patch: **** Only garbage was found in the patch input.
➜ linux-5.4.58 patch -p4 < diff.patch
patch: **** Only garbage was found in the patch input.
➜ linux-5.4.58 cat diff.patch
diff -r ./buildroot-2020.08-rc3/output/build/linux-5.4.58/arch/x86/net/bpf_jit_comp.c buildroot-2020.08-rc3_original/output/build/linux-5.4.58/arch/x86/net/bpf_jit_comp.c
612d611
< case BPF_ALU | BPF_ALSH | BPF_K:
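Review bot: the operand order in the diff -r header above the 612d611 hunk is reversed for patching purposes: the patched buildroot tree is the left operand and the _original tree is the right one, so every line the challenge adds to bpf_jit_comp.c appears as a "<" deletion and the hunks only apply with patch -R. Regenerating with the original tree on the left (diff -r ORIGINAL_TREE PATCHED_TREE) would let the hunks apply forward, and adding -u would give patch the ---/+++ file headers it needs to locate the file on its own. Note also that the left path starts with ./ while the right one does not, so no single -pNUM strips both sides down to the same arch/x86/net/bpf_jit_comp.c relative path.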
616d614
< case BPF_ALU64 | BPF_ALSH | BPF_K:
626d623
< case BPF_ALSH: b3 = 0xE0; break; /* hex(asm('sal rax, 1')[-1]) = 0xE0 */
638d634
< case BPF_ALU | BPF_ALSH | BPF_X:
642d637
< case BPF_ALU64 | BPF_ALSH | BPF_X:
668d662
Hmm, it seems that the patch file is created as a normal diff file so the file to patch is missing (at least that's what patch sees). I couldn't find a way to quickly apply the patches as a whole, but we can run the patches for each file:
$ patch -Rn
diff -r ./buildroot-2020.08-rc3/output/build/linux-5.4.58/arch/x86/net/bpf_jit_comp.c buildroot-2020.08-rc3_original/output/build/linux-5.4.58/arch/x86/net/bpf_jit_comp.c
612d611
< case BPF_ALU | BPF_ALSH | BPF_K:
616d614
< case BPF_ALU64 | BPF_ALSH | BPF_K:
626d623
< case BPF_ALSH: b3 = 0xE0; break; /* hex(asm('sal rax, 1')[-1]) = 0xE0 */
638d634
< case BPF_ALU | BPF_ALSH | BPF_X:
642d637
< case BPF_ALU64 | BPF_ALSH | BPF_X:
668d662
< case BPF_ALSH: b3 = 0xE0; break; /* hex(asm('sal rax, 1')[-1]) = 0xE0 */
can't find file to patch at input line 2
The text leading up to this was:
--------------------------
|diff -r ./buildroot-2020.08-rc3/output/build/linux-5.4.58/arch/x86/net/bpf_jit_comp.c buildroot-2020.08-rc3_original/output/build/linux-5.4.58/arch/x86/net/bpf_jit_comp.c
--------------------------
File to patch: linux-5.4.58/arch/x86/net/bpf_jit_comp.c
patching file linux-5.4.58/arch/x86/net/bpf_jit_comp.c
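The per-file procedure above can be done in one pass without answering the "File to patch:" prompt. The script below is an added example written for this thread, not code from the issue, from leesh3288's repository or from the challenge: it parses the normal-format diff that diff -r emits, splits it at each diff -r header, strips path components the way -pNUM does, and applies each file's hunks in reverse as patch -R -n would. The ORIGINAL and PATCHED texts and the three-hunk DIFF_PATCH are constructed to mirror the BPF_ALSH hunks shown in the thread; the paths and the line numbers in the hunk commands are made up and are not the real bpf_jit_comp.c.

```python
# Added example: apply a normal-format (`diff -r`) patch in reverse, like `patch -R -n`.
import re

# Per-file header that `diff -r LEFT RIGHT` prints in front of each file's hunks.
HEADER_RE = re.compile(r"^diff(?: -\S+)* (\S+) (\S+)$")
# Normal-diff hunk command X[,Y](a|d|c)Z[,W]; all line numbers are 1-based.
CMD_RE = re.compile(r"^(\d+)(?:,(\d+))?([adc])(\d+)(?:,(\d+))?$")


def split_recursive_diff(text):
    """Return [(left_path, right_path, hunk_lines)] for each file in a `diff -r` output."""
    sections = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            sections.append((m.group(1), m.group(2), []))
        elif line.startswith("Only in "):
            continue  # diff -r also lists files that exist on one side only
        elif sections:
            sections[-1][2].append(line)
    return sections


def strip_components(path, n):
    """Mimic patch -pN: drop everything up to and including the N-th slash."""
    for _ in range(n):
        slash = path.find("/")
        if slash < 0:
            break
        path = path[slash + 1:]
    return path


def parse_hunks(lines):
    """Parse hunks into ((left_start, count), (right_start, count), left_lines, right_lines).

    A zero count is a pure insertion point whose start is the line at which the other
    side's lines would appear (e.g. 612d611 -> right side (612, 0)).
    """
    hunks, i = [], 0
    while i < len(lines):
        if not lines[i].strip() or lines[i].startswith("\\"):
            i += 1  # blank line or "\ No newline at end of file"
            continue
        m = CMD_RE.match(lines[i])
        if not m:
            raise ValueError(f"not a normal-diff hunk command: {lines[i]!r}")
        x, y, op, z, w = m.groups()
        x, y, z, w = int(x), int(y or x), int(z), int(w or z)
        i += 1
        left, right = [], []
        while i < len(lines) and lines[i].startswith("<"):
            left.append(lines[i][2:])
            i += 1
        if op == "c":
            if i >= len(lines) or lines[i] != "---":
                raise ValueError("change hunk without '---' separator")
            i += 1
        while i < len(lines) and lines[i].startswith(">"):
            right.append(lines[i][2:])
            i += 1
        if (op != "a" and len(left) != y - x + 1) or (op != "d" and len(right) != w - z + 1):
            raise ValueError(f"hunk {x}{op}{z}: line count does not match its range")
        left_range = (x + 1, 0) if op == "a" else (x, y - x + 1)
        right_range = (z + 1, 0) if op == "d" else (z, w - z + 1)
        hunks.append((left_range, right_range, left, right))
    return hunks


def apply_hunks(old_lines, hunks, reverse=False):
    """Rebuild a file from old_lines; reverse=True means the right side is what we have."""
    out, pos = [], 0  # pos: 0-based index of the next old line not yet consumed
    for left_range, right_range, left, right in hunks:
        (start, count), expect, insert = (
            (right_range, right, left) if reverse else (left_range, left, right))
        if start - 1 < pos:
            raise ValueError(f"hunk at line {start} overlaps the previous one")
        out.extend(old_lines[pos:start - 1])
        actual = old_lines[start - 1:start - 1 + count]
        if actual != expect:  # the same check that makes patch report a failed hunk
            raise ValueError(f"hunk at line {start} does not match: {actual!r} != {expect!r}")
        out.extend(insert)
        pos = start - 1 + count
    out.extend(old_lines[pos:])
    return out


def apply_normal_diff(old_text, hunk_text, reverse=False):
    new_lines = apply_hunks(old_text.splitlines(), parse_hunks(hunk_text.splitlines()), reverse)
    return "\n".join(new_lines) + "\n"


def patch_tree(files, diff_text, strip, reverse=True):
    """Apply every file section of a `diff -r` patch to an in-memory tree {path: text}.

    When reversing, the right-hand path (the _original tree in the thread) names the
    file we actually have, so that is the one stripped with -pSTRIP and patched.
    """
    for left_path, right_path, hunk_lines in split_recursive_diff(diff_text):
        target = strip_components(right_path if reverse else left_path, strip)
        files[target] = apply_normal_diff(files[target], "\n".join(hunk_lines), reverse)
    return files


# Constructed sample data (not the real file): the unpatched source ...
ORIGINAL = """\
switch (BPF_OP(insn->code)) {
case BPF_ALU | BPF_LSH | BPF_K:
case BPF_ALU64 | BPF_LSH | BPF_K:
    switch (BPF_OP(insn->code)) {
    case BPF_LSH: b3 = 0xE0; break;
    }
}
"""
# ... the challenge version with the extra BPF_ALSH cases ...
PATCHED = """\
switch (BPF_OP(insn->code)) {
case BPF_ALU | BPF_LSH | BPF_K:
case BPF_ALU | BPF_ALSH | BPF_K:
case BPF_ALU64 | BPF_LSH | BPF_K:
case BPF_ALU64 | BPF_ALSH | BPF_K:
    switch (BPF_OP(insn->code)) {
    case BPF_LSH: b3 = 0xE0; break;
    case BPF_ALSH: b3 = 0xE0; break; /* hex(asm('sal rax, 1')[-1]) = 0xE0 */
    }
}
"""
# ... and what `diff -r PATCHED_TREE ORIGINAL_TREE` emits: patched on the LEFT, so the
# additions show up as '<' deletions and the diff must be applied in reverse.
DIFF_PATCH = """\
diff -r ./patched/arch/x86/net/bpf_jit_comp.c original/arch/x86/net/bpf_jit_comp.c
3d2
< case BPF_ALU | BPF_ALSH | BPF_K:
5d3
< case BPF_ALU64 | BPF_ALSH | BPF_K:
8d5
<     case BPF_ALSH: b3 = 0xE0; break; /* hex(asm('sal rax, 1')[-1]) = 0xE0 */
"""

if __name__ == "__main__":
    tree = patch_tree({"arch/x86/net/bpf_jit_comp.c": ORIGINAL}, DIFF_PATCH, strip=1)
    print(tree["arch/x86/net/bpf_jit_comp.c"])
```

For the real diff.patch run from inside linux-5.4.58, the right-hand path buildroot-2020.08-rc3_original/output/build/linux-5.4.58/arch/x86/net/bpf_jit_comp.c reduces to arch/x86/net/bpf_jit_comp.c with strip=4, while the left-hand path carries an extra leading ./ and would need 5; that asymmetry is why the script always takes the strip count from the side it is actually patching.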
OK. It's enough for recompiling the kernel to reproduce the challenge. Thanks.