Technique: CPU Entry Area Payload Staging

Fixed address for CPU 1 (used by most exploits): PAYLOAD_LOCATION(1) — derive from the CEA base address plus cpu * 0x3b000 + 0x1f58 (CEA base is fixed pre-6.4; derive from /proc/kallsyms or kernel binary)

Implementation Steps

1. Resolve KASLR (bypass_kaslr()) — payload contains kbase + gadget_offset
2. Fill a userspace buffer with the payload struct (fake ops or gadget addresses)
3. Fork a child process; parent returns immediately
4. Child: sched_setaffinity() to HELPER_CPU (typically CPU 1)
5. Child: install signal handlers for SIGFPE, SIGTRAP, SIGSEGV (or SIGILL)
6. Child: call setsid() — detaches from terminal, prevents panic propagation
7. Child: execute the write gadget (pop 15 regs + divq targeting an unmapped address)
8. Parent: sleep(1) then proceed; the payload is now resident in kernel CEA
9. In the ROP chain or corrupted struct, reference PAYLOAD_LOCATION(HELPER_CPU)

Code Template

Address macros and payload struct (source: CVE-2024-27397_mitigation/exploit.c L160-177, CVE-2023-4244_mitigation/exploit.c L260-271):

Define CPU_ENTRY_AREA_BASE(cpu) as the fixed CEA base address (derive from /proc/kallsyms or kernel binary) plus cpu multiplied by 0x3b000. Define PAYLOAD_LOCATION(cpu) as CPU_ENTRY_AREA_BASE(cpu) plus 0x1f58. Set HELPER_CPU to 1. Declare a payload struct as a union of a named struct with three uint64_t fields (r15 slot for the RIP control gadget, r14 slot for the stack pivot gadget in Gen-2b, r13 slot for the return gadget in Gen-2b) and a raw uint64_t array of 16 elements covering all GPR slots.

Write function (source: CVE-2024-27397_mitigation/exploit.c L386-410, CVE-2023-4244_mitigation/exploit.c L742-765):

Implement a noreturn function write_cpu_entry_area(void *payload) using inline assembly. Set RSP to the payload pointer, then execute 15 consecutive pop instructions in register order (r15, r14, r13, r12, rbp, rbx, r11, r10, r9, r8, rax, rcx, rdx, rsi, rdi) to load all GPRs with the payload values. Then execute divq targeting an unmapped address to trigger a #DE fault — the kernel exception entry path will push all GPRs onto the CEA exception stack, writing the 120-byte payload to PAYLOAD_LOCATION(HELPER_CPU). End with an infinite loop. Call __builtin_unreachable() to satisfy the noreturn contract.

Setup wrapper (source: CVE-2024-27397_mitigation/exploit.c L414-431):

Implement setup_cpu_entry_area() as follows. Call fork(); the parent returns immediately. The child: initializes the payload struct with kbase + gadget_offset in the appropriate slots; calls sched_setaffinity() to pin itself to HELPER_CPU; installs signal handlers for SIGFPE, SIGTRAP, and SIGSEGV; calls setsid() (required — detaches from terminal before fault); then calls write_cpu_entry_area() with the payload pointer.

Payload Variants

Gen-2a uses a single eval pointer in the r15 slot. Gen-2b uses a three-slot nft pivot with a stack pivot gadget in r14 and a return gadget in r13.

Gen-3a uses a Qdisc_ops union with a two-stage COP chain. Gen-3b uses a raw array layout with a ud2 instruction as the fault trigger instead of divq.

Real-World Cases from kernelCTF

• CVE-2023-3609_cos_mitigation (tc/drr): Gen-1 NASM pattern; fake Qdisc.enqueue → eBPF JIT spray; CEA address (derive from /proc/kallsyms or kernel binary) hardcoded in ctnetlink payload
• CVE-2023-4244_mitigation (nftables pipapo UAF): Gen-2a; nft_expr_eval = push_rbx_pop_rsp; exploit.c L742-784
• CVE-2024-27397_mitigation (nftables hash UAF): Gen-2b; three-slot pivot with nft_do_chain_leave; exploit.c L386-430
• CVE-2024-53164_lts_cos_mitigation (tc/drr+qfq confusion): Gen-3a; Qdisc_ops union, divq(0x0), 2-stage COP chain; exploit.c L413-461
• CVE-2025-38001_lts_cos_mitigation (tc/HFSC UAF): Gen-3b; ud2 trigger, runtime-leaked ceabase via prefetch; exploit.c L522-573

Five more Gen-2a CVEs (52620, 52924, 52925, 0193, 57947) and five more Gen-1 CVEs (3776 x2, 4206, 4207, 4208) use identical code patterns.

Common Pitfalls and Traps

• Omitting setsid(): Without it, SIGFPE can propagate to the terminal process group and cause unexpected kernel behavior. Every working exploit in the dataset calls setsid() before the fault.
• Wrong CPU: If the child's affinity is not set before the fault, the write goes to the wrong CPU's CEA slot. The main thread must trigger the exploit on the same CPU whose CEA was written.
• KASLR not yet bypassed: The payload contains absolute gadget addresses (kbase + offset). If setup_cpu_entry_area() is called before kbase is known, the payload will contain garbage.
• No sleep after fork: The child needs time to complete the write before the exploit fires. Most exploits use sleep(1) after setup_cpu_entry_area().
• Kernel >= 6.4: CVE-2023-0597 was fixed in 6.4. The CEA base is randomized and the fixed-address assumption no longer holds.
• Payload overflow: The write covers exactly 15 × 8 = 120 bytes from PAYLOAD_LOCATION. Data placed beyond that is not written and will be zero.

Deep Dive

Read references/theory.md for the kernel internals: how CEA is laid out, why the address is fixed, how PUSH_AND_CLEAR_REGS writes the payload, and the CVE-2023-0597 timeline.

Read references/implementation-guide.md for step-by-step integration, variant selection, Gen-3a Qdisc_ops fill order, and a debugging checklist.

Read references/bibliography.md for exact source file line numbers, kernel commit references, and gadget patterns reused across CVEs.