Linux kernel POSIX CPU timers race condition privilege escalation
CVE-2025-38352 is a race condition in the Linux kernel POSIX CPU timers implementation, specifically involving concurrent execution of handle_posix_cpu_timers() and posix_cpu_timer_del() during task exit. According to the provided kernel fix description, if an exiting non-autoreaping task has already passed exit_notify() and later invokes handle_posix_cpu_timers() from IRQ context, the task can be reaped by its parent or debugger immediately after unlock_task_sighand(). A concurrent posix_cpu_timer_del() may then fail to observe timer->it.cpu.firing != 0 because cpu_timer_task_rcu() and/or lock_task_sighand() can fail on the reaped task. This creates a race in timer handling on zombie/exiting tasks. Supporting content further characterizes the bug as leading to a use-after-free condition in kernel memory, particularly in the POSIX CPU timer path, and notes that the upstream fix adds a tsk->exit_state check in run_posix_cpu_timers() to prevent timer processing on such tasks. The issue is especially relevant on systems where CONFIG_POSIX_CPU_TIMERS_TASK_WORK is disabled; the content notes this configuration is common on 32-bit Android kernels.
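As an added example (not part of this page or of any exploit repository it lists), a defender-side shell check that reads a kernel config and reports whether CONFIG_POSIX_CPU_TIMERS_TASK_WORK is enabled, the setting the advisory singles out; the config file locations and the verdict format are assumptions, and the check cannot tell whether the tsk->exit_state fix is present, so an "irq" result means "verify the patch", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added exposure check for CVE-2025-38352 (not code from the page or from any
# listed repository). When CONFIG_POSIX_CPU_TIMERS_TASK_WORK is not set, POSIX
# CPU timers are expired from IRQ context, the path the advisory ties to this
# race. Config paths below are conventional Linux locations (assumptions).

# Prints "task_work" when the option is built in, "irq" otherwise.
posix_cpu_timers_task_work_state() {
  if grep -q '^CONFIG_POSIX_CPU_TIMERS_TASK_WORK=y$' "$1"; then
    echo task_work
  else
    echo irq
  fi
}

# One-line verdict from a config file path and a machine string (uname -m).
# 32-bit kernels are called out because the advisory notes the IRQ-context
# configuration is common on 32-bit Android kernels.
cve_2025_38352_exposure() {
  mode=$(posix_cpu_timers_task_work_state "$1")
  case "$2" in
    i?86|armv*|arm) bits=32 ;;
    *) bits=64 ;;
  esac
  if [ "$mode" = task_work ]; then
    echo "task_work:${bits}bit:not-on-irq-path"
  else
    echo "irq:${bits}bit:verify-exit_state-fix"
  fi
}

# Locate the running kernel's config: /proc/config.gz first, then /boot.
# Returns non-zero when neither is readable so callers can report that.
live_config_file() {
  if [ -r /proc/config.gz ]; then
    tmp=$(mktemp) && zcat /proc/config.gz > "$tmp" && echo "$tmp"
  elif [ -r "/boot/config-$(uname -r)" ]; then
    echo "/boot/config-$(uname -r)"
  else
    return 1
  fi
}

# Stand-alone run against the live host when a config is available.
if cfg=$(live_config_file); then
  echo "live: $(cve_2025_38352_exposure "$cfg" "$(uname -m)")"
else
  echo "live: kernel config not readable on this host"
fi
```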
Exploits
6 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
Repository is a small local privilege-escalation exploit project targeting LG webOS Smart TVs vulnerable to CVE-2025-38352, a Linux kernel POSIX CPU timer race/use-after-free. The provided snapshot contains 6 files: a documentation-heavy README and vulnerability report, a Makefile that builds a static binary from getroot.c for x86_64/ARM/ARM64, and a Bash deployment helper for webOS. Notably, the actual exploit source file getroot.c is referenced by the Makefile but is absent from the provided content, so the exploit logic is inferred from the documentation and deployment script.
Exploit purpose: obtain root from the unprivileged 'prisoner' account on vulnerable ARM64 LG TVs, then convert that into persistent root. The documented chain is: trigger POSIX CPU timer UAF on struct sigqueue; reclaim freed object via pipe-buffer cross-cache; use overwritten list_head pointers so list_del_init() performs an arbitrary write into task_struct->cred; point cred to a fake credential structure with zeroed uid/gid fields; then use modprobe_path overwrite (/proc/sys/kernel/modprobe -> /tmp/pwn) and socket(44, SOCK_STREAM, 0) to execute a payload with full valid root credentials. Persistence is achieved by installing/elevating Homebrew Channel, after which SSH is available on port 22 following a reboot.
Capabilities described in the docs are advanced and operational rather than a simple PoC: deterministic arbitrary write, non-destructive pipe reads via tee(), second cross-cache for deterministic fake cred placement, keeping SIGUSR2 pending as final write trigger, and post-exploitation persistence workflow.
The deployment script automates cross-compilation, SSH connectivity checks, binary upload to /tmp/exploit-arm64 over Developer Mode SSH on port 9922, permission setting, and optional upload of a Homebrew Channel IPK to /tmp/hbchannel.ipk. Attack surface is local, not remote: the attacker needs valid Developer Mode SSH access and an SSH key.
The repository is not part of a known exploit framework. Because the actual exploit source is missing from the snapshot, file analysis shows only Bash/Makefile/Markdown, but the repository clearly intends to build and deploy a native exploit binary. Overall, this is a credible operational local kernel LPE package with persistence tooling, not a detection script or fake exploit.
Repository purpose: a local Android KGSL driver PoC and accompanying write-up/logs for an alleged KGSL out-of-bounds read/write vulnerability (CVE-2025-38352) affecting Honor Magic V2 / Snapdragon 8 Gen 2 devices, with emphasis on demonstrating kernel integrity auditing and noting EL2 hypervisor (RKP/MagicGuard) interference.
Structure:
- BOUNTY_REPORT.md: Bug-bounty style report describing the claimed root cause (alignment bypass via integer overflow/type confusion in GPUOBJ_ALLOC/IMPORT), exploitation chain (dangling reference, slab reclaim to hijack pipe_buffer/msg_msg), and an info-leak via DEVICE_GETPROPERTY to bypass KASLR.
- src/kread_dump.c: Main PoC tool. Opens /dev/kgsl-3d0, calls IOCTL_KGSL_DEVICE_GETPROPERTY to obtain a buffer and scans for kernel-looking pointers (0xFFFFFF..), then derives a kernel base by masking low bits. Calls IOCTL_KGSL_GPUOBJ_ALLOC as a placeholder for the mutation/OOB trigger. The 'read' portion is not a real kernel read primitive in this code; it prints a hardcoded 64-bit value corresponding to the ASCII signature for "kthreadd" and reports success.
- POC_EXPLOIT.py: Simple automation scaffold (mostly commented out) intended to cross-compile, adb push to /data/local/tmp/, chmod, and execute the PoC binary as shell (UID 2000).
- logs/audit_v7.11.log: Example output claiming stages including OOB read/write and EL2 intervention (pointer nullification to 0x1).
- README.md: Positions the project as a defensive diagnostic/audit suite; references an APK/binaries under /bin, but those are not present in the provided file list.
Exploit capabilities (as implemented vs. claimed):
- Implemented: local kernel pointer disclosure/KASLR base derivation via KGSL DEVICE_GETPROPERTY response parsing; basic KGSL ioctl interaction; accepts an optional target address argument for the audit printout.
- Claimed in docs/logs: full OOB read/write primitives via KGSL GPU object allocation/import alignment bypass and subsequent kernel object hijacking; EL2 hypervisor blocks sensitive writes. The provided C code does not implement the actual OOB read/write or object-hijack steps; those are described but not present (and a comment references missing code like exploit_bridge.cpp).
Repository contains a standalone local privilege-escalation exploit in C (exploit.c ~64KB) plus minimal build/run scaffolding (Makefile, qemu.sh) and a marketing-style README. The exploit targets a claimed CVE-2025-38352 affecting Linux/Android kernels 5.10.x.
Core exploit capabilities (from code structure/constants and visible logic):
- Implements a race-condition/UAF style kernel exploit using POSIX timers and signal delivery internals. It uses multiple threads, barriers, and many timers (NUM_TIMERS) to stall kernel timer handling (comment references stalling handle_posix_cpu_timers()) to widen the race window.
- Heavy heap grooming and cross-cache reallocation: constants and comments reference sigqueue_cachep slab geometry (objects per slab, cpu_partial, slab_count, object size) and a two-phase cross-cache timer allocation strategy (cross_cache_timers[][]) to influence kernel heap placement.
- Signal queue and signalfd manipulation: duplicates many signalfds (SFD_DUP_COUNT) for SIGUSR1/SIGUSR2 to increase the race window and later detect UAF conditions; includes a helper to drain signalfd.
- Synchronization and orchestration via parent/child processes and pipes (exploit_child_to_parent / exploit_parent_to_child), with retry logic that adjusts syscall busy-loop timing (syscall_loop_times) to tune CPU usage and improve race reliability.
- Second-stage privilege escalation via credential spraying: defines NUM_CRED_PROCS and hardcoded struct cred offsets (euid/egid), suggesting it attempts to overlap a freed object with struct cred and overwrite credentials to become root.
Repository structure/purpose:
- exploit.c: main exploit implementation (local kernel privesc). Contains timing calibration knobs (PARENT_SETTIME_DELAY_US, CPU_USAGE_THRESHOLD), race retry loop, timer creation/deletion, signalfd/epoll/poll usage, and heap-spray/cross-cache constants for sigqueue/cred.
- Makefile: builds a statically linked binary named 'exploit' (gcc -static exploit.c).
- qemu.sh: launches a local x86_64 QEMU VM with KVM, 4 vCPUs, 3GB RAM, user-mode networking, and KGDB options; intended as a reproduction harness with provided bzImage/initramfs.tgz paths.
- README.md: claims Android kernel exploit for CVE-2025-38352 and points to GitHub releases; does not document technical steps beyond generic instructions.
No hardcoded C2, IPs, or remote network targets are present in the exploit code shown; the only network-relevant artifacts are the QEMU user-mode networking configuration in qemu.sh and the GitHub releases URL in the README.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-38352, a use-after-free vulnerability in the Linux kernel's POSIX CPU timers implementation. The main exploit code is in 'poc.c', which orchestrates a complex race condition using multiple threads, POSIX timers, and signal handling to trigger the bug. The exploit is local-only and requires the ability to compile and run C code on a vulnerable Linux system. The repository also includes a profiling helper ('profile_handle_posix_cpu_timers.c'), a kernel patch for profiling ('profiler_patch.diff'), example logs showing successful and unsuccessful exploitation, a Makefile for building the PoC, and a README with detailed instructions. The exploit demonstrates the vulnerability by causing kernel warnings or KASAN errors, but does not provide privilege escalation or a shell. It is intended for research and demonstration purposes only.
This repository contains a local privilege escalation exploit for CVE-2025-38352, targeting the Linux kernel v5.10.x (tested on v5.10.157). The main exploit logic is implemented in 'exploit.c', a large C file that orchestrates a complex race condition and use-after-free (UAF) in the kernel's POSIX CPU timers subsystem. The exploit manipulates kernel memory to overwrite credential structures, ultimately granting root privileges to the attacker. The repository also includes a 'Makefile' for building the exploit statically, a 'qemu.sh' script for launching a QEMU virtual machine with the appropriate kernel and initramfs, and a detailed 'README.md' with build instructions, kernel configuration requirements, and tuning parameters for the exploit. The attack vector is local, requiring the attacker to execute code on the target system. No remote endpoints are involved; the only fingerprintable endpoints are the file paths used for the QEMU environment. The exploit is operational and requires specific kernel configuration to succeed.
This repository provides a proof-of-concept (PoC) exploit for CVE-2025-38352, a race condition vulnerability in the Linux kernel's POSIX CPU timers implementation. The repository contains four files: a Makefile for building the PoC, a README.md with background and usage instructions, mdelay_patch.diff (a patch to the kernel source to make the race condition easier to trigger), and poc.c (the main exploit code). The PoC is written in C and demonstrates the race by orchestrating parent/child/thread interactions and manipulating POSIX CPU timers. The exploit is local and requires a specific kernel configuration (Linux 6.12.33 with CONFIG_POSIX_CPU_TIMERS_TASK_WORK disabled). The patch file is optional but increases the reliability of the exploit by extending the race window. The PoC does not provide a direct privilege escalation or shell, but is intended to demonstrate and analyze the vulnerability.
Recent activity
123 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An Android/Linux kernel privilege escalation vulnerability reported as exploited in targeted attacks.
A critical use-after-free (UAF) race condition vulnerability in the Linux kernel's handle_posix_cpu_timers() function, primarily affecting 32-bit Android devices and other 32-bit Linux systems, allowing privilege escalation or kernel code execution.
A vulnerability in the Linux kernel's POSIX timer implementation, identified as CVE-2025-38352, for which a proof-of-concept (PoC) exploit has been released.
A race condition use-after-free vulnerability in the Linux kernel's POSIX CPU timer implementation (handle_posix_cpu_timers()), allowing local privilege escalation via kernel memory corruption. Particularly affects 32-bit Android devices and systems with CONFIG_POSIX_CPU_TIMERS_TASK_WORK disabled.