Share
## https://sploitus.com/exploit?id=B43DF341-AE9D-50C0-A4F9-60BA3E36EB19
# kernel-poc
Minimal Linux kernel + QEMU environment for reproducing kernel vulnerability PoCs.
Supports per-PoC kernel configuration so each exploit runs in the exact kernel
environment it needs without polluting the shared config.
---
## One-command quick start
### macOS (Apple Silicon / Intel)
```bash
# Prerequisites (one-time)
brew install qemu
# Docker Desktop must be installed and running
# From a fresh clone β the Docker image is built automatically on first run
make poc POC=pocs/smoke/poc.c
```
`make poc` handles everything: builds the Docker cross-compilation image
(first run only), downloads Linux and BusyBox sources, compiles the kernel,
builds the initramfs, compiles the PoC, and launches QEMU.
### Linux (x86-64)
```bash
# Install dependencies (one-time)
sudo apt install build-essential gcc flex bison bc cpio wget xz-utils \
libelf-dev libssl-dev qemu-system-x86 musl-tools gdb
# From a fresh clone
make poc POC=pocs/smoke/poc.c
```
---
## Available PoCs
| PoC | Description |
|-----|-------------|
| `pocs/smoke/poc.c` | **Environment smoke test** β run first to validate the full pipeline. Checks kernel symbols, BPF, namespaces, debugfs, perf settings. |
| `pocs/copyfail/poc.c` | **CVE-2026-31431** β page-cache write without write permission via authencesn AEAD ESN out-of-bounds write. |
| `pocs/template/poc.c` | **Skeleton** β copy this to start a new PoC. |
---
## Directory layout
```
kernel-poc/
βββ Makefile # main entry point (auto-detects ARCH)
βββ build/
β βββ Dockerfile # cross-compilation toolchain image (macOS)
β βββ config/
β β βββ kernel-common.config # debug symbols, KASAN, BPF, namespaces, ...
β β βββ kernel-arm64.config # PL011 UART, GIC, PSCI, ...
β β βββ kernel-x86_64.config # 8250 UART, ...
β βββ rootfs/
β β βββ etc/init.d/rcS # init: mounts fs, runs /root/poc, drops to shell
β βββ scripts/
β βββ build_kernel.sh # fetch + configure + build Linux kernel
β βββ build_rootfs.sh # build static busybox initramfs
β βββ pack_poc.sh # compile PoC β inject into rootfs β repack
β βββ run.sh # launch QEMU
β βββ check_deps.sh # dependency checker
βββ pocs/
β βββ smoke/poc.c # end-to-end smoke test (start here)
β βββ template/poc.c # PoC skeleton
β βββ copyfail/
β βββ poc.c # CVE-2026-31431
β βββ kernel.config # AF_ALG AEAD options required by this PoC
βββ src/ # downloaded kernel / busybox sources (git-ignored)
βββ out/ # build artifacts (git-ignored)
βββ /
βββ Image / bzImage # kernel image passed to QEMU
βββ vmlinux # unstripped ELF for GDB
βββ rootfs.img # initramfs cpio with PoC injected
```
---
## Per-PoC kernel configuration
Each PoC can ship its own `kernel.config` fragment alongside `poc.c`.
When you run `make poc POC=pocs//poc.c`, the build system:
1. Merges `build/config/kernel-common.config`
2. Merges `build/config/kernel-.config`
3. Merges `pocs//kernel.config` (if it exists)
4. Runs `olddefconfig` to resolve any conflicts
5. Rebuilds the kernel incrementally (only changed modules recompile)
This keeps each PoC's requirements isolated.
**Example** (`pocs/copyfail/kernel.config`):
```
CONFIG_CRYPTO_USER_API_AEAD=y
CONFIG_CRYPTO_AUTHENC=y
```
---
## Writing a new PoC
```bash
# 1. Copy the template directory (includes Makefile, poc.c)
cp -r pocs/template pocs/my-cve
# 2. Edit the PoC source
# Fill in exploit() in pocs/my-cve/poc.c
# 3. Update the Makefile
# Change POC_C to pocs/my-cve/poc.c in pocs/my-cve/Makefile
# 4. (Optional) Add PoC-specific kernel requirements
cat > pocs/my-cve/kernel.config ` | **One-command:** build kernel + rootfs + PoC β launch QEMU |
| `make kernel` | Build kernel only |
| `make rootfs` | Build busybox initramfs only |
| `make run` | Launch QEMU (plain shell, no PoC) |
| `make debug` | Launch QEMU with GDB server on :1234 |
| `make docker-image` | Build the cross-compilation Docker image (macOS, explicit) |
| `make setup` | Check host dependencies |
| `make clean` | Remove built images for current ARCH |
| `make distclean` | Remove all sources and built artifacts |
---
## Overriding arch and kernel version
```bash
# ARCH is auto-detected from the host (arm64 on Apple Silicon, x86_64 otherwise)
make poc POC=pocs/smoke/poc.c ARCH=x86_64 # force x86_64
make poc POC=pocs/smoke/poc.c ARCH=arm64 # force arm64
# Use a different kernel version
make poc POC=pocs/smoke/poc.c KERNEL_VERSION=5.15.0
```
---
## Security mitigations
```bash
# Disable SMEP/SMAP for easier exploitation (x86_64 only)
make poc POC=pocs/my-cve/poc.c SMEP=n SMAP=n
# Enable KASLR for realistic testing (off by default)
make poc POC=pocs/my-cve/poc.c KASLR=y
```
arm64 always has PAN (βSMAP) and PXN (βSMEP) enabled at the hardware level.
---
## GDB kernel debugging
```bash
# Terminal 1: launch QEMU paused, waiting for GDB
make debug
# Terminal 2: attach
gdb out/arm64/vmlinux
(gdb) target remote :1234
(gdb) break start_kernel
(gdb) continue
```