{"id":34647207,"url":"https://github.com/neuschaefer/cve-2016-0728-testbed","last_synced_at":"2026-05-23T20:33:56.231Z","repository":{"id":141654732,"uuid":"50619014","full_name":"neuschaefer/cve-2016-0728-testbed","owner":"neuschaefer","description":"A testbed for CVE-2016-0728, a refcount leak/overflow bug in Linux","archived":false,"fork":false,"pushed_at":"2016-01-29T00:48:38.000Z","size":8,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":3,"default_branch":"master","last_synced_at":"2023-03-12T06:18:33.399Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/neuschaefer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-01-28T22:38:13.000Z","updated_at":"2023-04-22T17:26:59.960Z","dependencies_parsed_at":"2023-04-22T17:26:59.700Z","dependency_job_id":null,"html_url":"https://github.com/neuschaefer/cve-2016-0728-testbed","commit_stats":null,"previous_names":[],"tags_count":null,"template":null,"template_full_name":null,"purl":"pkg:github/neuschaefer/cve-2016-0728-testbed","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neuschaefer%2Fcve-2016-0728-testbed","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neuschaefer%2Fcve-2016-0728-testbed/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neuschaefer%2Fcve-2016-0728-testbed/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neuschaefer%2Fcve-2016-0728-testbed/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/neuschaefer","download_url":"https://codeload.github.com/neuschaefer/cve-2016-0728-testbed/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/neuschaefer%2Fcve-2016-0728-testbed/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33412082,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-23T18:09:33.147Z","status":"ssl_error","status_checked_at":"2026-05-23T18:09:31.380Z","response_time":53,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-12-24T17:48:21.770Z","updated_at":"2026-05-23T20:33:56.223Z","avatar_url":"https://github.com/neuschaefer.png","language":"C","funding_links":[],"categories":[],"sub_categories":[],"readme":"# CVE-2016-0728 testbed\n\nThis repository contains a test program for CVE-2016-0728, a refcount leak\nand overflow bug in Linux, that leads to a use-after-free.\n\nThe bug was [found and explained](http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/)\nby Perception Point. I am not affiliated to them.\n\n\n## Usage\n\n```\nWelcome to the CVE-2016-0728 testbed\nsizeof(struct msg_msg) == 0x30, sizeof(struct key) == 0xb8\n\nPID: 27673, UID: (1000/1000)\nKeyring: 1b66e5d6, \"test-1a328d6e\"\nUsage:   1\nPress a key: (f)ork (i)ncref (a)uto-incref (r)evoke (h)eap-spray (s)hell (q)uit\n```\n\nOn my test system, a root shell could be obtained in the following way:\n\n1. Bring the refcount up to -2; If you incref too often, you will probably\n   crash the kernel.\n2. Fork twice to overflow it, so the key garbage collector frees the keyring\n3. Spray the heap with fake keyrings\n4. Call `revoke`\n5. `execl(\"/bin/sh\", \"sh\", NULL)`\n\nI found it useful to run `watch -n0.1 cat /proc/keys` to see what's\nhappening.\n\n\n## Portability\n\nThis code has only been tested on x86-64, but it should run on other\narchitectures as well, because I didn't use magic offsets, but copied the\nstructure definitions from the Linux headers and used `sizeof`\n(except that I hard-coded the addresses of `prepare_kernel_cred` and\n`commit_creds`).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneuschaefer%2Fcve-2016-0728-testbed","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fneuschaefer%2Fcve-2016-0728-testbed","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fneuschaefer%2Fcve-2016-0728-testbed/lists"}