[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-1182":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":15,"forks30d":15,"starsTrendScore":19,"compositeScore":20,"rankGlobal":9,"rankLanguage":9,"license":21,"archived":22,"fork":22,"defaultBranch":23,"hasWiki":24,"hasPages":22,"topics":25,"createdAt":9,"pushedAt":9,"updatedAt":38,"readmeContent":39,"aiSummary":40,"trendingCount":15,"starSnapshotCount":15,"syncStatus":13,"lastSyncTime":41,"discoverSource":42},1182,"copy-fail-c","tgies\u002Fcopy-fail-c","tgies","Cross-platform C port of the Copy Fail Linux LPE (CVE-2026-31431). Disclosed 2026-04-29 by Theori \u002F Xint.",null,"C",424,117,2,1,0,3,12,45,9,6.22,"Other",false,"main",true,[26,27,28,29,30,31,32,33,34,35,36,37],"af-alg","copy-fail","cve-2026-31431","exploit","kernel-exploit","linux-kernel","local-privilege-escalation","nolibc","portable-c","privilege-escalation","proof-of-concept","security-research","2026-06-12 02:00:24","# Copy Fail (CVE-2026-31431) - C port\n\n*[English (en)](README.md) ∙ [日本語 (ja)](README.ja.md) ∙ [简体中文 (zh-cn)](README.zh-cn.md) ∙ [한국어 (ko)](README.ko.md) ∙ [Русский (ru)](README.ru.md)*\n\nA cross-platform C reimplementation of the Copy Fail Linux LPE (CVE-2026-31431),\ndisclosed 2026-04-29 by Theori \u002F Xint. See the canonical writeup at\n[copy.fail](https:\u002F\u002Fcopy.fail\u002F) for the full vulnerability description, timeline,\nand Theori's discovery process.\n\nThe publicly-released proof-of-concept is a 732-byte Python script. This C port\ndemonstrates that the same exploit can be expressed as portable C compilable to\nany architecture nolibc supports, with no per-arch hex blobs or inline assembly\nin the project's own source.\n\nAuthor of this port: Tony Gies \u003Ctony.gies@crashunited.com>.\nDiscovery and original disclosure: Theori \u002F Xint.\n\n## Repository layout\n\n```\ncopy-fail-c\u002F\n├── exploit.c the dropper (binary-mutation variant)\n├── exploit-passwd.c the dropper (\u002Fetc\u002Fpasswd UID-flip variant)\n├── vulnerable.c non-destructive vulnerability checker\n├── payload.c the body that gets dropped (setgid+setuid+execve sh)\n├── utils.c, utils.h shared AF_ALG\u002Fsplice page-cache mutation primitive\n├── Makefile build orchestration\n├── nolibc\u002F vendored from torvalds\u002Flinux tools\u002Finclude\u002Fnolibc\n└── README.md this file\n```\n\nAfter `make`:\n\n```\n├── payload tiny static ELF, embedded into the dropper as bytes\n├── payload.o payload wrapped as a relocatable .o by `ld -r -b binary`\n├── exploit dropper, binary-mutation variant\n├── exploit-passwd dropper, \u002Fetc\u002Fpasswd UID-flip variant\n└── vulnerable non-destructive vulnerability checker\n```\n\n`exploit.c` opens the target binary read-only, then for each 4-byte window of\nthe embedded payload runs one bogus AEAD-decrypt through AF_ALG whose\nciphertext input is supplied via splice() from the target's page-cache pages.\nThe authencesn template's in-place optimization treats the splice'd source\npages as both the ciphertext input and the plaintext destination, so the\n(failing) decrypt has already overwritten the page-cache page by the time\nauthentication verification rejects the request. After 4 * N iterations the\ntarget's cached image has been replaced byte-for-byte with the payload.\nexecve()'ing the target loads the mutated pages; the on-disk inode is still\nsetuid root, so the kernel grants root credentials and runs the payload.\n\n`payload.c` is plain portable C: `setgid(0); setuid(0); execve(\"\u002Fbin\u002Fsh\",\n...)`. nolibc supplies the `_start`, the syscall machinery, and the per-arch\nregister-juggling.\n\nA second variant, `exploit-passwd.c`, mutates four bytes of \u002Fetc\u002Fpasswd's page\ncache instead of a setuid binary's image. It needs no embedded payload and\nworks on systems where the binary-mutation route is blocked, but its cashout\nsurface is much narrower.\n\n`vulnerable.c` is not an exploit. It creates a local `testfile` containing the\nstring `init`, then runs the same `patch_chunk()` primitive against that file's\nown page cache to overwrite the bytes with `vulnerable`. If the read-back\ncontents match, the running kernel is in-window for CVE-2026-31431. The\non-disk inode is never modified; `testfile` is removed on exit; the page-cache\nmutation evaporates with it. Runs unprivileged. Exits 100 if vulnerable, 0\notherwise.\n\n\n## Build\n\nDefault (host-arch native):\n\n```sh\nmake\n```\n\nCross-compile to aarch64 (or any other Linux arch a cross-toolchain is\ninstalled for):\n\n```sh\nmake CC=aarch64-linux-gnu-gcc LD=aarch64-linux-gnu-ld\n```\n\nArchitectures supported by the vendored nolibc (per upstream): x86_64, i386,\narm, aarch64, riscv32\u002F64, mips, ppc, s390x, loongarch, m68k, sh, sparc.\nnolibc dispatches on the compiler's arch macros, so picking the right\n`CC`\u002F`LD` is sufficient.\n\nRequired to build:\n\n* a C compiler (`cc`, `gcc`, or any cross variant)\n* a linker that supports `ld -r -b binary` (binutils ld and lld both do)\n* kernel UAPI headers providing `linux\u002Fif_alg.h` and `\u003Casm\u002Funistd.h>`\n (Debian\u002FUbuntu: `linux-libc-dev`; cross variants: typically pulled in by\n the cross-toolchain package)\n\nThere are no external library dependencies. The payload is built freestanding\nagainst nolibc; the dropper links against the host libc only for `fprintf`\nand `perror`.\n\n\n## Architectural choices\n\nThree small toolchain features carry most of the weight in keeping the source\nportable and the payload small.\n\n### nolibc\n\n`nolibc\u002F` is the kernel's tiny header-only libc replacement, vendored from\ntorvalds\u002Flinux `tools\u002Finclude\u002Fnolibc\u002F`. It provides `_start`, a portable\n`syscall()` macro, and inline syscall wrappers, with the per-arch register\nconventions encoded in `nolibc\u002Farch-*.h`. Building the payload with\n`-nostdlib -static -ffreestanding -Inolibc` produces a tiny static ELF that\ncalls into the kernel directly without dragging in glibc startup, TLS init,\nor stack-canary plumbing. Result: ~1.7 KB on x86_64, ~2.0 KB on aarch64,\nversus ~17 KB for the same `payload.c` linked against musl-static or\n~700 KB against glibc-static.\n\n### `ld -r -b binary` for embedding\n\nThe Makefile turns the built `payload` ELF into `payload.o` via `ld -r -b\nbinary -o payload.o payload`. The linker emits the input bytes verbatim as\nthe data section of a relocatable object file and synthesizes three symbols\nfrom the input filename:\n\n```\n_binary_payload_start address of first payload byte\n_binary_payload_end address one past the last payload byte\n_binary_payload_size absolute symbol whose value is the size in bytes\n```\n\n`exploit.c` declares the first two as `extern const unsigned char[]` and\ncomputes the size as `_binary_payload_end - _binary_payload_start`.\n\n### `-Wl,-N` plus tight `max-page-size`\n\nThe payload is statically linked with `-Wl,-N -Wl,-z,max-page-size=0x10`,\nwhich collapses `.text`\u002F`.rodata`\u002F`.data` into a single LOAD segment with\n16-byte file-alignment instead of the kernel-page-aligned 4 KB-per-segment\ndefault. This produces an \"RWX permissions\" warning from `ld`, which is\ninformational only - the payload's runtime memory protection doesn't matter to\nits single-purpose program. Without this flag, the same code links to ~13 KB\non x86_64 (mostly inter-segment zero padding); with it, ~1.7 KB.\n\n\n## Variants and cashout viability\n\nThis repository ships two exploit variants that share the AF_ALG\u002Fsplice\npage-cache mutation primitive but cash out into root execution differently.\nTheir reliability profiles are not equivalent, and the difference matters\nwhen reasoning about real-world threat models.\n\n### Binary-mutation variant (`exploit`)\n\nMutates the page cache of a target setuid binary with the embedded payload\nbytes, then execs the binary. The kernel grants root credentials from the\nbinary's untouched on-disk setuid bit, loads the corrupted in-memory image,\nand runs the payload.\n\nWorks wherever the attacker can `open(target, O_RDONLY)` for any root-setuid\nbinary on the system. More or less defeated by environments that gate setuid\nbinaries behind restricted-read directories and by setuid-free system designs.\n\n### \u002Fetc\u002Fpasswd UID-flip variant (`exploit-passwd`)\n\nMutates four bytes of \u002Fetc\u002Fpasswd's page cache to set the running user's UID\nfield to \"0000\". \u002Fetc\u002Fpasswd is world-readable on every standard Linux system,\nso the *mutation* is universal. Translating it into root execution depends on\nsome root-side process resolving the user via getpwnam\u002Fgetpwuid and acting on\nthe resolved uid without cross-validation. Many such consumers exist; many of\nthem defensively cross-check against the kernel's view of the calling uid or\nagainst on-disk file ownership, breaking the cashout.\n\n#### Cashout viability matrix\n\n| Cashout | Pre-root setup needed | Notes |\n|---|---|---|\n| WSL2 session spawn | No | WSL's per-session `setuid(getpwnam(default_user)->pw_uid)` does no validation. Works cleanly. |\n| util-linux `su` | No | Permissive caller-identity handling. |\n| shadow-utils `su` | Yes | `getpwuid(getuid())` caller-identity check fails because the mutation unmaps the real uid. |\n| sshd (default `StrictModes yes`) | Yes (disable StrictModes) | StrictModes requires the home dir to be owned by root or `pw->pw_uid`. Mutation makes pw_uid=0; on-disk owner stays at original uid; mismatch refuses auth. |\n| MTA local delivery (postfix, exim, etc.) | Variable | Depends on the MDA's home-perm validation. Test per MTA. |\n\n#### Pivoting after `su` fails\n\n`exploit-passwd` execs `su \u003Cuser>` after mutating, as the simplest possible\ncashout. That works against util-linux `su` but fails against shadow-utils `su`\nwith \"Cannot determine your user name.\" The page cache mutation is still in\nplace at that point, and pivoting to any other cashout (e.g. using a daemon\nresolving users via getpwnam without cross-checking) is possible at that point.\nRun `echo 3 > \u002Fproc\u002Fsys\u002Fvm\u002Fdrop_caches` as root to clear the corrupted page\ncache when done testing.\n\n\n## Affected kernels\n\n```\nfloor: torvalds\u002Flinux 72548b093ee3 August 2017, v4.14\n (AF_ALG iov_iter rework that\n introduced the file-page write\n primitive via splice into the AEAD\n scatterlist)\n\nceiling: torvalds\u002Flinux a664bf3d603d April 2026, mainline\n (reverts the 2017 algif_aead\n in-place optimization; separates\n source and destination scatterlists\n so page-cache pages can no longer\n be a writable crypto destination)\n```\n\nIn between: every major distro kernel that didn't backport the fix.\nUbuntu, RHEL, SUSE, Amazon Linux, and Debian were all confirmed vulnerable\nin their stock cloud-image kernels at disclosure time. Distro-level\nbackports started rolling out around 2026-04-29 alongside the public\ndisclosure. To verify whether a target kernel is in-window, check whether\n`a664bf3d603d` (or its distro-specific backport) is present in the kernel's\ngit log or the distro's changelog.\n\n\n## License and credits\n\nDiscovery and original disclosure of CVE-2026-31431: Theori \u002F Xint.\nPublic writeup: \u003Chttps:\u002F\u002Fcopy.fail\u002F>.\n\nThis C port: Tony Gies \u003Ctony.gies@crashunited.com>\n\n`nolibc\u002F`: vendored from the Linux kernel tree, dual-licensed\nLGPL-2.1-or-later OR MIT (see `nolibc\u002Fnolibc.h` and individual file\nSPDX headers).\n\nThe dropper and payload sources in this repository are released under the\nsame dual LGPL-2.1-or-later OR MIT terms as the nolibc tree they depend on,\nto keep the licensing trivially compatible for anyone vendoring this whole\ndirectory into their own work.\n\nThe exploit and payload are published for security-research and\ndefensive-detection purposes. Use against systems you do not own or have\nexplicit authorization to test is your problem, not the author's.\n","该项目是对CVE-2026-31431漏洞(被称为Copy Fail)的一个跨平台C语言移植版本,该漏洞最初于2026年4月29日由Theori \u002F Xint披露。其核心功能在于通过AF_ALG和splice机制修改目标文件或\u002Fetc\u002Fpasswd的页面缓存内容,实现本地权限提升。技术特点包括使用纯C编写以确保跨架构兼容性,无需特定架构的二进制代码或内联汇编。适用于安全研究人员、渗透测试人员在评估Linux系统安全性时进行概念验证实验,以及对存在此漏洞环境下的攻击模拟。","2026-06-11 02:42:08","CREATED_QUERY"]