https://github.com/zolutal/kheap_sift
A tool combining DWARF info and source to search for kernel heap objects
- Host: GitHub
- URL: https://github.com/zolutal/kheap_sift
- Owner: zolutal
- License: bsd-2-clause
- Created: 2024-01-05T06:05:41.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2025-12-23T19:47:28.000Z (6 months ago)
- Last Synced: 2025-12-25T09:51:53.616Z (6 months ago)
- Topics: dwarf, heap-exploitation, linux-kernel
- Language: Rust
- Size: 55.7 KB
- Stars: 24
- Watchers: 1
- Forks: 0
- Open Issues: 3
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# kheap_sift
A utility for finding Linux kernel heap objects of desired sizes.
This tool combines DWARF type information parsed from a vmlinux file using [dwat](https://github.com/zolutal/dwat), and source code pattern matching using [tree-sitter](https://tree-sitter.github.io/tree-sitter/).
# Usage
```
Usage: kheap_sift [OPTIONS]
Arguments:
The path to the vmlinux file.
The path to the Linux source code directory.
The lower bound for struct sizes (exclusive).
The upper bound for struct sizes (inclusive).
Options:
--quiet Silence most output, only print struct names when allocation sites are found.
--flags Regex filter on the allocation flags argument.
--exclude Glob to exclude files based on, can be specified multiple times.
--threads Number of threads to scale up to.
-h, --help Print help
```
## Example Output/Usage
```
┌──(jmill@ubun)-[~/repos/kheap_sift]
└─$ kheap_sift ~/linux/vmlinux ~/linux 96 128
======== Found allocation sites for: struct bpf_array_aux ========
struct bpf_array_aux {
    struct list_head poke_progs;    /* 16 | 0 */
    struct bpf_map *map;            /* 8 | 16 */
    struct mutex poke_mutex;        /* 56 | 24 */
    struct work_struct work;        /* 32 | 80 */

    /* total size: 112 */
};
/home/jmill/linux/kernel/bpf/arraymap.c:1109
static struct bpf_map *prog_array_map_alloc(union bpf_attr *attr)
{
    struct bpf_array_aux *aux;
    struct bpf_map *map;

    aux = kzalloc(sizeof(*aux), GFP_KERNEL_ACCOUNT);
    if (!aux)
        return ERR_PTR(-ENOMEM);
    ...
    return map;
```
```
┌──(jmill@ubun)-[~/repos/kheap_sift]
└─$ kheap_sift ~/linux-6.6.7/vmlinux ~/linux-6.6.7 128 256 --exclude '*/drivers/**/*' --flags "GFP_KERNEL$" --threads 16
======== Found allocation site for: struct deflate_ctx ========
struct deflate_ctx {
    struct z_stream_s comp_stream;      /* 96 | 0 */
    struct z_stream_s decomp_stream;    /* 96 | 96 */

    /* total size: 192 */
};
/home/jmill/linux-6.6.7/crypto/deflate.c:115
static void *deflate_alloc_ctx(struct crypto_scomp *tfm)
    ...
    struct deflate_ctx *ctx;
    ...
    ctx = kzalloc(sizeof(*ctx), GFP_KERNEL);
    ...
    return ctx;
}
```
# Contributing
Feel free to open issues/PRs for improvements!