```
pwndbg> info breakpoints
```
8 Appendix
The companion scripts, exploit variants, and tracing helpers referenced throughout this writeup are collected in the artifact repo: 4xura/CVE-2026-31431-CopyFail.
8.1 Kernel Source References
| Keyword | Why it matters |
|---|---|
| filemap_splice_read() | regular file bytes enter the splice path from the page cache |
| splice_folio_into_pipe() | a cached file folio becomes a pipe-backed page reference |
| do_splice() | generic splice dispatcher |
| struct pipe_buffer | metadata object that carries the spliced page |
| alg_bind() | resolves sockaddr_alg into the requested AF_ALG family |
| af_alg_sendmsg() | imports AAD and MSG_SPLICE_PAGES input into AF_ALG |
| extract_iter_to_sg() | converts the page-backed iterator into TX scatterlist entries |
| aead_sendmsg() | AEAD socket wrapper above af_alg_sendmsg() |
| _aead_recvmsg() | builds the final decrypt request layout |
| struct aead_request | final crypto-layer request object |
| crypto_authenc_esn_decrypt() | vulnerable decrypt callback |
| scatterwalk_map_and_copy() | walker that performs the destination-side scratch write |
| crypto_authenc_extractkeys() | parses the authenc key blob used by ALG_SET_KEY |
8.2 Important Structures Cheat Sheet
| Keyword | Role in this bug |
|---|---|
| struct address_space | per-file page-cache mapping |
| struct inode | owns i_mapping / cached file state |
| struct pipe_inode_info | ring of pipe buffers |
| struct pipe_buffer | page-backed slot moved through splice |
| struct sockaddr_alg | selects aead and authencesn(...) |
| struct msghdr | carries AAD and AF_ALG control messages |
| struct cmsghdr | wraps ALG_SET_OP, ALG_SET_IV, ALG_SET_AEAD_ASSOCLEN |
| struct af_alg_iv | ivlen-prefixed IV wrapper for ALG_SET_IV (ivlen = 16 for cbc(aes)) |
| struct aead_request | final decrypt request submitted to the crypto core |
| struct scatterlist | chained request layout behind the RX/TX buffers |
8.3 Syscall Cheat Sheet
| Syscall / API | Used for |
|---|---|
| socket(AF_ALG, SOCK_SEQPACKET, 0) | open crypto transform socket |
| bind() | select authencesn(hmac(sha256),cbc(aes)) |
| setsockopt(ALG_SET_KEY) | install valid authenc key blob |
| setsockopt(ALG_SET_AEAD_AUTHSIZE) | set authsize = 4 |
| accept() | create AEAD operation socket |
| sendmsg() | queue AAD and AF_ALG control messages |
| pipe() | create splice bridge |
| splice(file -> pipe) | import target file page |
| splice(pipe -> socket) | hand page-backed data to AF_ALG |
| recv() / recvfrom() | trigger decrypt path and scratch write |
| execve() | execute corrupted cached target |
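The three tables above name the userspace objects the setup depends on without showing how they are laid out. The program below is an added example, not code from the writeup or from the artifact repo: it builds the authenc key blob in the shape crypto_authenc_extractkeys() parses (a struct rtattr with rta_type CRYPTO_AUTHENC_KEYA_PARAM, a big-endian enckeylen, then authkey and enckey), attaches the ALG_SET_OP / ALG_SET_IV / ALG_SET_AEAD_ASSOCLEN control messages that af_alg_sendmsg() consumes, and walks the socket / bind / ALG_SET_KEY / ALG_SET_AEAD_AUTHSIZE / accept sequence from the syscall cheat sheet. It then performs one ordinary encrypt round and stops: there is no pipe, no splice and no page-cache write. The keys, IV and plaintext are constructed test data, the 12-byte AAD layout is an assumption borrowed from how ESP carries SPI, seq_lo and seq_hi, and CRYPTO_AUTHENC_KEYA_PARAM is defined locally because the kernel does not export it to uapi.

```c
/* Added example, not code from the writeup or its artifact repo: the userspace side of the
 * AF_ALG setup in the cheat sheets above, ending in an ordinary encrypt round. No splice. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/if_alg.h>
#include <linux/rtnetlink.h>

#define CRYPTO_AUTHENC_KEYA_PARAM 1  /* value from include/crypto/authenc.h; not exported to uapi */

/* authenc key blob as crypto_authenc_extractkeys() parses it:
 *   struct rtattr { rta_len = 8, rta_type = PARAM } | be32 enckeylen | authkey | enckey
 * enckey is the trailing enckeylen bytes, authkey whatever lies in between. Returns 0 if buf is too small. */
size_t build_authenc_key(unsigned char *buf, size_t buflen,
                         const unsigned char *authkey, size_t authkeylen,
                         const unsigned char *enckey, size_t enckeylen)
{
    struct rtattr *rta = (struct rtattr *)buf;
    size_t hdr = RTA_LENGTH(sizeof(uint32_t));          /* 4-byte rtattr + 4-byte param */
    uint32_t be_enckeylen = htonl((uint32_t)enckeylen);
    if (buflen < hdr + authkeylen + enckeylen)
        return 0;
    rta->rta_len = (unsigned short)hdr;
    rta->rta_type = CRYPTO_AUTHENC_KEYA_PARAM;
    memcpy(RTA_DATA(rta), &be_enckeylen, sizeof(be_enckeylen));
    memcpy(buf + hdr, authkey, authkeylen);
    memcpy(buf + hdr + authkeylen, enckey, enckeylen);
    return hdr + authkeylen + enckeylen;
}

static void *cmsg_put(struct cmsghdr *c, int type, size_t len)
{
    c->cmsg_level = SOL_ALG;
    c->cmsg_type = type;
    c->cmsg_len = CMSG_LEN(len);
    return CMSG_DATA(c);
}

/* Attach the three control messages af_alg_sendmsg() parses for one AEAD request.
 * Returns msg_controllen, or 0 if ctl is too small. */
size_t build_aead_cmsgs(struct msghdr *msg, unsigned char *ctl, size_t ctllen, uint32_t op,
                        const unsigned char *iv, size_t ivlen, uint32_t assoclen)
{
    struct cmsghdr *c;
    struct af_alg_iv *aiv;
    size_t need = 2 * CMSG_SPACE(sizeof(uint32_t)) + CMSG_SPACE(sizeof(*aiv) + ivlen);
    if (ctllen < need)
        return 0;
    memset(ctl, 0, ctllen);                             /* zeroed tail keeps CMSG_NXTHDR in bounds */
    msg->msg_control = ctl;
    msg->msg_controllen = need;
    c = CMSG_FIRSTHDR(msg);
    memcpy(cmsg_put(c, ALG_SET_OP, sizeof(op)), &op, sizeof(op));
    c = CMSG_NXTHDR(msg, c);
    aiv = cmsg_put(c, ALG_SET_IV, sizeof(*aiv) + ivlen); /* struct af_alg_iv { __u32 ivlen; __u8 iv[]; } */
    aiv->ivlen = (uint32_t)ivlen;                       /* 16 for cbc(aes) */
    memcpy(aiv->iv, iv, ivlen);
    c = CMSG_NXTHDR(msg, c);
    memcpy(cmsg_put(c, ALG_SET_AEAD_ASSOCLEN, sizeof(assoclen)), &assoclen, sizeof(assoclen));
    return msg->msg_controllen;
}

/* socket -> bind("aead", name) -> ALG_SET_KEY -> ALG_SET_AEAD_AUTHSIZE -> accept.
 * Returns the operation fd, or -1 with errno set (ENOENT: template not built into this kernel). */
int af_alg_aead_open(const char *name, const unsigned char *keyblob, size_t keylen, int authsize)
{
    struct sockaddr_alg sa = { .salg_family = AF_ALG, .salg_type = "aead" };
    int tfm, op = -1;
    strncpy((char *)sa.salg_name, name, sizeof(sa.salg_name) - 1);
    if ((tfm = socket(AF_ALG, SOCK_SEQPACKET, 0)) < 0)
        return -1;
    if (bind(tfm, (struct sockaddr *)&sa, sizeof(sa)) == 0 &&
        setsockopt(tfm, SOL_ALG, ALG_SET_KEY, keyblob, keylen) == 0 &&
        setsockopt(tfm, SOL_ALG, ALG_SET_AEAD_AUTHSIZE, NULL, authsize) == 0)
        op = accept(tfm, NULL, NULL);
    close(tfm);                                         /* op holds its own reference to the tfm */
    return op;
}

int main(void)
{
    unsigned char authkey[32], enckey[16], iv[16], keyblob[64], ctl[128];
    unsigned char in[12 + 16] = { 0 }, out[12 + 16 + 4];   /* constructed: 12-byte AAD + one AES block */
    struct iovec iov = { .iov_base = in, .iov_len = sizeof(in) };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    size_t keylen; ssize_t n; int op;
    memset(authkey, 0x41, 32); memset(enckey, 0x42, 16); memset(iv, 0x43, 16);   /* constructed keys/IV */
    keylen = build_authenc_key(keyblob, sizeof(keyblob), authkey, 32, enckey, 16);
    if ((op = af_alg_aead_open("authencesn(hmac(sha256),cbc(aes))", keyblob, keylen, 4)) < 0) {
        perror("af_alg_aead_open"); return 1;
    }
    /* assoclen 12 = SPI|seq_lo|seq_hi as ESP would lay it out (assumption for this demo) */
    build_aead_cmsgs(&msg, ctl, sizeof(ctl), ALG_OP_ENCRYPT, iv, 16, 12);
    if (sendmsg(op, &msg, 0) < 0 || (n = read(op, out, sizeof(out))) < 0) {
        perror("AF_ALG encrypt"); return 1;
    }
    printf("AF_ALG encrypt returned %zd bytes (AAD || ciphertext || 4-byte tag)\n", n);
    return close(op);
}
```

Compile with `gcc -Wall af_alg_demo.c` and run as an unprivileged user; AF_ALG needs no privilege, but `af_alg_aead_open()` fails with ENOENT on kernels that do not have the authencesn template, cbc(aes) and hmac(sha256) available, which is itself a quick pre-check for the conditions the syscall cheat sheet assumes. The decrypt direction differs only in ALG_OP_DECRYPT and in the TX data carrying AAD || ciphertext || tag; it is the recv() on that path that the vulnerable callback runs under.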
8.4 Bpftrace Scripts
Check probe availability first:
```bash
sudo cat /proc/kallsyms | grep -E \
  'filemap_splice_read|splice_folio_into_pipe|af_alg_sendmsg|extract_iter_to_sg|crypto_authenc_esn_decrypt|scatterwalk_map_and_copy'
```

Symbol names are readable without root (kptr_restrict only zeroes the addresses), but bpftrace itself needs root. A name missing from kallsyms usually means the compiler inlined that function into its caller; `sudo bpftrace -l 'kprobe:<name>'` confirms whether a kprobe can attach, and if not the probe has to move to the nearest non-inlined caller or callee.

File page enters page-cache splice path:
bpftrace-scripts/bpftrace-filemap-splice.bt

```bash
sudo bpftrace ./bpftrace-scripts/bpftrace-filemap-splice.bt
```

Pipe data reaches AF_ALG:
bpftrace-scripts/bpftrace-af-alg-sendmsg.bt

```bash
sudo bpftrace ./bpftrace-scripts/bpftrace-af-alg-sendmsg.bt
```

Vulnerable decrypt callback runs:
bpftrace-scripts/bpftrace-authencesn-decrypt.bt

```bash
sudo bpftrace ./bpftrace-scripts/bpftrace-authencesn-decrypt.bt
```

8.5 Mitigation
Mitigation is covered in the companion post Copy Fail — CVE-2026-31431; this writeup focuses on the attacker's perspective.