Author: Andrea Botticella (s347291) Course: Security Verification and Testing — Politecnico di Torino, A.Y. 2025/2026
This repository contains academic research on Linux kernel vulnerabilities, focusing exclusively on eBPF verifier bugs. The project analyzes recent CVEs, explores exploit primitives, and develops Proof of Concepts (PoCs) using a milestone-driven methodology.
Unlike standard exploit repositories, this project emphasizes the methodology of vulnerability analysis: it documents not only successful exploitation paths but also failed approaches, explaining why techniques were blocked by verifier state tracking or kernel mitigation mechanisms.
s347291_Botticella_Andrea/
├── common/ ← Shared exploit infrastructure (headers, wrappers)
│ └── include/
│ ├── bpf_helpers.h ← BPF helper definitions
│ └── exploit_common.h ← Common exploit macros
├── CVEs/ ← Analyzed vulnerabilities (one per directory)
│ ├── CVE-2021-3444/ ← ★ Full unprivileged LPE achieved
│ │ ├── README.md ← Detailed vulnerability analysis and results
│ │ ├── configs/ ← Kernel configs (4.19.19 + 5.10.15)
│ │ ├── poc/ ← Milestones for 5.10.15
│ │ ├── poc_4.19/ ← Full exploit for 4.19.19
│ │ └── exploit_overlay/ ← Buildroot overlay
│ ├── CVE-2021-3600/
│ ├── CVE-2023-52452/
│ └── CVE-2024-26589/
├── execution/ ← Automation scripts (build.sh)
├── patches/ ← Per-kernel build patches
├── report/ ← Final academic report (LaTeX)
│ ├── main.tex ← Report entry point
│ ├── sections/ ← Per-CVE chapters + introduction + conclusion
│ ├── compile_report.sh ← Compilation script
│ └── s347291_Botticella_Andrea.pdf
└── README.md
Each CVE directory contains a self-contained environment with vulnerability analysis, PoC source code organized into milestones, and build/run instructions.
For detailed information, refer to each CVE's README.md.
| CVE | Bug Class | Target Kernel | Primitive | LPE Result |
|---|---|---|---|---|
| CVE-2021-3444 | mod32 dst truncation | 4.19.19 | Heap R/W | ✅ Full LPE (uid=1001→root) |
| CVE-2021-3600 | div32 src truncation | 5.10.15 | Heap R/W | ❌ Blocked by alu_limit |
| CVE-2023-52452 | Stack depth miscalc. | 6.7.1 | Stack R | ❌ Partial (leak + corruption) |
| CVE-2024-26589 | Missing switch case | 6.7.1 | Stack R/W | ❌ Requires CAP_NET_ADMIN |
Each CVE follows a structured 4-milestone approach:
| Milestone | Goal |
|---|---|
| M1 | Confirm vulnerability (verifier/runtime state divergence) |
| M2 | Build OOB read primitive (information leak / KASLR bypass) |
| M3 | Build OOB write primitive or controlled corruption |
| M4 | Attempt full privilege escalation chain |
The crown jewel of this research is a complete unprivileged LPE from uid=1001 to uid=0 (root) on Linux 4.19.19, achieved through a six-phase exploit chain:
- SLUB heap spray — Controlled heap layout via targeted-hole allocation
- OOB read — Leak
array_map_opsaddress for KASLR bypass - Structure verification — Confirm adjacent map metadata
- value_size corruption — Extend heap R/W from 256 to 2048 bytes
- ops pointer hijack — Redirect
bpf_map_opsto userspace fake table - ret2usr shellcode — Hand-written x86-64 shellcode:
prepare_kernel_cred(0)+commit_creds()+ ops pointer restoration → root
The project features a fully reproducible, Buildroot-based QEMU/KVM lab environment. For each CVE, the specific vulnerable kernel version is compiled and a minimal custom root filesystem is generated. Exploits are statically cross-compiled on the host and injected into the VM image using Buildroot's overlay mechanism.
# 1. Compile the PoCs for the desired CVE
make -C CVEs/<CVE-ID>/poc
# 2. Select the CVE and target kernel interactively, configure and build
bash execution/build.sh
# 3. Boot the QEMU virtual machine
bash execution/build.sh bootOnce inside the VM, compiled milestones are available in the root directory (e.g., /milestone1, /milestone2, /exploit).
| CVE | Kernel | Key Config |
|---|---|---|
| CVE-2021-3444 | 4.19.19 | No alu_limit, SMEP/SMAP/KPTI disabled |
| CVE-2021-3444 | 5.10.15 | With alu_limit (defense-in-depth analysis) |
| CVE-2021-3600 | 5.10.15 | CONFIG_BPF_SYSCALL=y, CONFIG_BPF_JIT=y |
| CVE-2023-52452 | 6.7.1 | CONFIG_DEBUG_INFO=y, KASLR disabled |
| CVE-2024-26589 | 6.7.1 | Flow dissector hook enabled |
The final academic report is a 34-page LaTeX document covering all four CVEs with detailed vulnerability analysis, patch details, PoC methodology, experimental results, and a comparative conclusion.
cd report && bash compile_report.shThis project is for educational and academic research purposes only. All experiments are conducted in controlled, isolated virtual machine environments. No real systems were targeted.