lukasmaar/qaic-page-uaf

GitHub: lukasmaar/qaic-page-uaf

Stars: 5 | Forks: 1

# Page UAF QAIC

This repository contains a local privilege escalation for a QAIC page-level use-after-free issue. It includes a bootable QEMU image, a patched kernel image, QAIC-related kernel modules, and a userspace proof-of-concept.

[poc.webm](https://github.com/user-attachments/assets/41bfa89d-fd8f-4ac4-aa24-b13be251c288)

## Quick Start

Build the kernel:

```
make build-kernel
```

Build the userspace exploit and copy it into the VM share:

```
make build-exploits
```

Start the VM:

```
make run-vm
```

Attach GDB to the kernel:

```
make gdb
```

Run everything through the top-level Makefile:

```
make
```

## Kernel And Fix Reference

- Linux kernel base commit used: `7d0a66e4bb9081d75c82ec4957c50034cb0ea449` (`Linux 6.18`).
- Kernel commit webpage: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7d0a66e4bb9081d75c82ec4957c50034cb0ea449
- QAIC fix patch webpage: https://lore.kernel.org/all/20260423204412.2861046-1-zachary.mckevitt@oss.qualcomm.com/

## Repository Layout

- `Makefile`: Top-level helper targets for building the exploit, starting the VM, launching GDB, and cleaning staged kernel artifacts.
- `build-kernel.sh`: Builds the local `linux/` tree, stages `vmlinux`, `bzImage`, and `System.map` into `images/`, and stages `qaic.ko` and `mhi.ko` into `vmshare/module/`. If `linux/` is missing, it first downloads the configured Linux commit, applies `qaic-fake-online.patch`, and installs `config`.
- `config`: Kernel configuration used.
- `qaic-fake-online.patch`: Patch that makes the QAIC path usable in the local offline setup without real Qualcomm Cloud AI 100 hardware.
- `vm-start.sh`: Starts the Buildroot QEMU VM with the staged kernel, raw disk image, 9p shared folder, fake QAIC enablement, default GDB stub on TCP port `1234`, and helper options such as `--no-kvm`, `--no-kaslr`, and `--wait-gdb`.
- `gdb-start.sh`: Starts GDB against `images/vmlinux`.
- `exploits/`: Userspace proof-of-concept source tree. See `exploits/README.md`.
- `images/`: Kernel and disk artifacts used by QEMU. See `images/README.md`.
- `vmshare/`: Host directory exported into the VM through 9p. See `vmshare/README.md`.