{"uuid": "1cd34b68-5a7f-4e06-8d35-708c486c4f53", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-31431", "type": "seen", "source": "https://gist.github.com/0xlane/0d565281d6a2ae05de2fc310a4a23a90", "content": "# GDB commands for CVE-2026-31431 dynamic debugging\n#\n# Usage: gdb ./vmlinux -x gdb_commands.gdb\n# Then:  target remote :1234\n#        continue\n\nset pagination off\nset confirm off\n\n# --- Breakpoint 1: crypto_authenc_esn_decrypt entry ---\nbreak crypto_authenc_esn_decrypt\ncommands\n    silent\n    printf \"\\n=== [BP1] crypto_authenc_esn_decrypt ===\\n\"\n    # req is first argument (rdi on x86_64)\n    printf \"  req->cryptlen  = %u\\n\", ((struct aead_request *)$rdi)->cryptlen\n    printf \"  req->assoclen  = %u\\n\", ((struct aead_request *)$rdi)->assoclen\n    printf \"  req->src       = %p\\n\", ((struct aead_request *)$rdi)->src\n    printf \"  req->dst       = %p\\n\", ((struct aead_request *)$rdi)->dst\n    printf \"  src == dst     = %d (in-place?)\\n\", ((struct aead_request *)$rdi)->src == ((struct aead_request *)$rdi)->dst\n    continue\nend\n\n# --- Breakpoint 2: scatterwalk_map_and_copy WRITE operations ---\n# out=1 means write. This catches the critical scratch write.\nbreak scatterwalk_map_and_copy if out == 1\ncommands\n    silent\n    printf \"\\n=== [BP2] scatterwalk_map_and_copy WRITE ===\\n\"\n    printf \"  buf=%p sg=%p start=%u nbytes=%u\\n\", buf, sg, start, nbytes\n    # Print first 4 bytes being written\n    printf \"  writing value: 0x%08x\\n\", *(unsigned int *)buf\n    continue\nend\n\n# --- Breakpoint 3: sg_chain call in algif_aead ---\n# This is where tag pages get chained to RX SGL\nbreak sg_chain\ncommands\n    silent\n    printf \"\\n=== [BP3] sg_chain ===\\n\"\n    printf \"  prv=%p prv_nents=%u sgl=%p\\n\", prv, prv_nents, sgl\n    continue\nend\n\nprintf \"\\n[GDB] Breakpoints set. 
Connect with: target remote :1234\\n\"\nprintf \"[GDB] Then: continue\\n\\n\"\n", "creation_timestamp": "2026-05-08T04:30:20.000000Z"}