Some advice

[enlist12]

1: I notice that you assume the name of init process is "init". However, in high version, the name may is "swapper/0".
2: I found that you try get address of init_cred at a function. However, it maybe fail at high kernel version. we could get it directy like sym['init_cred']
3: You define the total start time of kernel in 60s. However, high version kernel may need more time due to complex system.
4. I notice that you use "run_to_unconstrained" in angrop to get gadgets. However, I try to use this way to get other gadgets. Then I encounter gadgets like "push 0xffffffff93417831 ; ret " and the rip would be led to other address which may cause deadloop.

[Kyle-Kyle]

Hi, thank you for the suggestions. I just want to point out some things are not kernel versions specific, they were design decisions.

1. "swapper" is always there as pid 0. And I'm not sure where I have the "init" process in the code. I just checked the code. Whenever I use the string "init", it is a symbol representing the initial PC-control, not the "init" process.
2. It is actually config-specific not version-specific. There are 3 configurations for KALLSYM: none, text, and all. "init_cred" only exists if KALLSYM is in the "all" mode. But the init_cred extraction code in this repo works for both text and all modes. And Ubuntu's kernel uses all mode, COS kernel uses text mode. (But I guess the code in this repo is kinda old and doesn't work anymore)
3. Yeah. That works for my simple setups, but not every setup. Feel free to create a PR and change that.
4. run_to_unconstrained should find gadgets that lead to unconstrained states (taking PC from stack). By definition. it will find all valid ROP gadgets. And whether push 0xffffffff93417831 ; ret is a valid gadget totally depends on what 0xffffffff93417831 is and shouldn't lead to deadloop. So, my guess will be: the gadget is valid, it's the chaining logic that is wrong. I'd suggest you to post the binary there (or the gadget) and I can take a look what is happening.

[enlist12]

Thanks for your answer:
For the first question:
I read the source code and find :

    gs_base = gdb.parse_and_eval("$gs_base")
    current = read_u64(gs_base+current_task_offset)
    task_mem = inferior.read_memory(current, 0x1000).tobytes()
    comm_offset = task_mem.index(b'init\x00')

I mistakenly think current process is root process and it't comm is " swapper/0 " , I feel deeply sorry for this.
For the second:
You try to extract the address of init_cred in prepare_kernel_cred.
I view the source code of it in low kernel version, I found:

prepare_kernel_cred(){
......
old = get_cred(&init_cred)

Maybe you want to get init_cred from here.
However, at high kernel version, such as 6.3, it disappears.
For the third,
I ran it in my ubuntu, maybe the performance of my cpus is poor, I feel sorry about this.
For the fourth:
I want to use angr to analyze some gadget and let angr run to an unconstraint state. However, it stuck at a gadget like push 0xffffffff89ff31fc ; ret
And the insts of target address are

   0xffffffff89ff31fc:  add    BYTE PTR [rax],al
   0xffffffff89ff31fe:  add    BYTE PTR [rdi+0x2],bl
   0xffffffff89ff3201:  add    eax,0x2e090000
   0xffffffff89ff3206:  sub    eax,0x5126f7
   0xffffffff89ff320b:  add    BYTE PTR [rbp+0x0],dh
   0xffffffff89ff320e:  add    eax,0x2dfc0005
   0xffffffff89ff3213:  sub    eax,0xf7
   0xffffffff89ff3218:  add    al,bh
   0xffffffff89ff321a:  add    BYTE PTR [rip+0x2dfe0000],al        # 0xffffffffb7fd3220
   0xffffffff89ff3220:  sub    eax,0x5111f7
   0xffffffff89ff3225:  add    BYTE PTR [rbp+0x0],dh
   0xffffffff89ff3228:  add    eax,0x2df10005
   0xffffffff89ff322d:  sub    eax,0xf7
   0xffffffff89ff3232:  add    bh,dh
   0xffffffff89ff3234:  add    BYTE PTR [rip+0x2dfa0000],al        # 0xffffffffb7f9323a
   0xffffffff89ff323a:  sub    eax,0x50fcf7
   0xffffffff89ff323f:  add    BYTE PTR [rbp+0x0],dh
   0xffffffff89ff3242:  add    eax,0x2ded0005
   0xffffffff89ff3247:  sub    eax,0xf7
   0xffffffff89ff324c:  add    BYTE PTR [rcx+0x501],bh
   0xffffffff89ff3252:  in     al,dx
   0xffffffff89ff3253:  sub    eax,0x50e7f72d
   0xffffffff89ff3258:  add    BYTE PTR [rax],al
   0xffffffff89ff325a:  jne    0xffffffff89ff325c
   0xffffffff89ff325c:  add    eax,0x2ddf0005
   0xffffffff89ff3261:  sub    eax,0xf7
   0xffffffff89ff3266:  add    BYTE PTR [rax+0x501],bh
   0xffffffff89ff326c:  pop    rbx
   0xffffffff89ff326d:  jl     0xffffffff89ff3248
   0xffffffff89ff326f:  call   rdx

Then, it is trapped to a deadloop. Therefore, I assume that the usage of run_to_unconstrained maybe lead to deadloop in some cases.