ROADMAP: mark Phase 1 done; CVES: use new short module names
This commit is contained in:
@@ -18,11 +18,11 @@ Status legend:
|
|||||||
|
|
||||||
| CVE | Name | Class | First patched | IAMROOT module | Status | Notes |
|
| CVE | Name | Class | First patched | IAMROOT module | Status | Notes |
|
||||||
|---|---|---|---|---|---|---|
|
|---|---|---|---|---|---|---|
|
||||||
| CVE-2026-31431 | Copy Fail (algif_aead `authencesn` page-cache write) | LPE (page-cache write → /etc/passwd) | mainline 2026-04-22 | `copy_fail_family/copy_fail` | 🟢 | Verified on Ubuntu 26.04, Alma 9, Debian 13. Full AppArmor bypass. |
|
| CVE-2026-31431 | Copy Fail (algif_aead `authencesn` page-cache write) | LPE (page-cache write → /etc/passwd) | mainline 2026-04-22 | `copy_fail` | 🟢 | Verified on Ubuntu 26.04, Alma 9, Debian 13. Full AppArmor bypass. |
|
||||||
| CVE-2026-43284 (v4) | Dirty Frag — IPv4 xfrm-ESP page-cache write | LPE (same primitive shape as Copy Fail, different trigger) | mainline 2026-05-XX | `copy_fail_family/dirty_frag_esp` | 🟢 | Full PoC + active-probe scan |
|
| CVE-2026-43284 (v4) | Dirty Frag — IPv4 xfrm-ESP page-cache write | LPE (same primitive shape as Copy Fail, different trigger) | mainline 2026-05-XX | `dirty_frag_esp` | 🟢 | Full PoC + active-probe scan |
|
||||||
| CVE-2026-43284 (v6) | Dirty Frag — IPv6 xfrm-ESP (`esp6`) | LPE | mainline 2026-05-XX | `copy_fail_family/dirty_frag_esp6` | 🟢 | V6 STORE shift auto-calibrated per kernel build |
|
| CVE-2026-43284 (v6) | Dirty Frag — IPv6 xfrm-ESP (`esp6`) | LPE | mainline 2026-05-XX | `dirty_frag_esp6` | 🟢 | V6 STORE shift auto-calibrated per kernel build |
|
||||||
| CVE-2026-43500 | Dirty Frag — RxRPC page-cache write | LPE | mainline 2026-05-XX | `copy_fail_family/dirty_frag_rxrpc` | 🟢 | |
|
| CVE-2026-43500 | Dirty Frag — RxRPC page-cache write | LPE | mainline 2026-05-XX | `dirty_frag_rxrpc` | 🟢 | |
|
||||||
| (variant, no CVE) | Copy Fail GCM variant — xfrm-ESP `rfc4106(gcm(aes))` page-cache write | LPE | n/a | `copy_fail_family/copy_fail_gcm` | 🟢 | Sibling primitive, same fix |
|
| (variant, no CVE) | Copy Fail GCM variant — xfrm-ESP `rfc4106(gcm(aes))` page-cache write | LPE | n/a | `copy_fail_gcm` | 🟢 | Sibling primitive, same fix |
|
||||||
| CVE-2022-0847 | Dirty Pipe — pipe `PIPE_BUF_FLAG_CAN_MERGE` write | LPE (arbitrary file write into page cache) | mainline 2022-02-23 | `_stubs/dirty_pipe_cve_2022_0847` | ⚪ | Stub. Public PoCs exist; bundling for completeness. Affects ≤5.16.11, ≤5.15.25, ≤5.10.102 |
|
| CVE-2022-0847 | Dirty Pipe — pipe `PIPE_BUF_FLAG_CAN_MERGE` write | LPE (arbitrary file write into page cache) | mainline 2022-02-23 | `_stubs/dirty_pipe_cve_2022_0847` | ⚪ | Stub. Public PoCs exist; bundling for completeness. Affects ≤5.16.11, ≤5.15.25, ≤5.10.102 |
|
||||||
| CVE-2023-0458 | EntryBleed — KPTI prefetchnta KASLR bypass | INFO-LEAK (kbase) | mainline (partial mitigations only) | `_stubs/entrybleed_cve_2023_0458` | ⚪ | Stub. Used as STAGE-1 leak brick, not a standalone LPE. Works on lts-6.12.88 (empirical 5/5). |
|
| CVE-2023-0458 | EntryBleed — KPTI prefetchnta KASLR bypass | INFO-LEAK (kbase) | mainline (partial mitigations only) | `_stubs/entrybleed_cve_2023_0458` | ⚪ | Stub. Used as STAGE-1 leak brick, not a standalone LPE. Works on lts-6.12.88 (empirical 5/5). |
|
||||||
| CVE-2026-31402 | NFS replay-cache heap overflow | LPE (NFS server) | mainline 2026-04-03 | — | ⚪ | Candidate. Different audience (NFS servers) — TBD whether in-scope. |
|
| CVE-2026-31402 | NFS replay-cache heap overflow | LPE (NFS server) | mainline 2026-04-03 | — | ⚪ | Candidate. Different audience (NFS servers) — TBD whether in-scope. |
|
||||||
|
|||||||
+18
-13
@@ -13,20 +13,25 @@ commitments.
|
|||||||
- [x] LICENSE (MIT)
|
- [x] LICENSE (MIT)
|
||||||
- [x] Private GitHub repo
|
- [x] Private GitHub repo
|
||||||
|
|
||||||
## Phase 1 — Make the bundling real (next session)
|
## Phase 1 — Make the bundling real (DONE 2026-05-16)
|
||||||
|
|
||||||
- [ ] Top-level `iamroot` dispatcher CLI (`iamroot.c`) — module
|
- [x] Top-level `iamroot` dispatcher CLI (`iamroot.c`) — module
|
||||||
registry, fingerprint, route to module's detect/exploit
|
registry, route to module's detect/exploit
|
||||||
- [ ] Module interface header (`core/module.h`) — standard
|
- [x] Module interface header (`core/module.h`) — standard
|
||||||
`iamroot_module` struct each module exports
|
`iamroot_module` struct + `iamroot_result_t` (numerically
|
||||||
- [ ] Refactor `modules/copy_fail_family/` internals to expose the
|
aligned with copy_fail_family's `df_result_t` for zero-cost
|
||||||
standard module interface
|
bridging)
|
||||||
- [ ] Extract shared code into `core/`: `apparmor_bypass.c`,
|
- [x] `core/registry.{c,h}` — flat-array registry with `find_by_name`
|
||||||
`exploit_su.c`, `common.c`, `fcrypt.c` (currently duplicated
|
- [x] `modules/copy_fail_family/iamroot_modules.{c,h}` — bridge layer
|
||||||
under the absorbed DIRTYFAIL tree)
|
exposing 5 modules
|
||||||
- [ ] Top-level `Makefile` that builds all modules into one binary
|
- [x] Top-level `Makefile` that builds all modules into one binary
|
||||||
- [ ] Smoke test: `iamroot --scan --json` on Ubuntu 26.04
|
- [x] Smoke test: `iamroot --scan --json` produces ingest-ready JSON;
|
||||||
produces sensible output
|
`iamroot --list` prints the module inventory
|
||||||
|
- [ ] **Deferred to Phase 1.5**: extract `apparmor_bypass.c`,
|
||||||
|
`exploit_su.c`, `common.c`, `fcrypt.c` into `core/` (shared
|
||||||
|
across families). Phase 1 keeps them inside copy_fail_family/src/
|
||||||
|
because there's only one family today; the extraction is
|
||||||
|
mechanical and lands when a second family arrives.
|
||||||
|
|
||||||
## Phase 2 — Add Dirty Pipe (CVE-2022-0847)
|
## Phase 2 — Add Dirty Pipe (CVE-2022-0847)
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user