diff --git a/core/verifications.c b/core/verifications.c index bc19097..bc87da5 100644 --- a/core/verifications.c +++ b/core/verifications.c @@ -22,9 +22,9 @@ const struct verification_record verifications[] = { .host_kernel = "4.15.0-213-generic", .host_distro = "Ubuntu 18.04.6 LTS", .vm_box = "generic/ubuntu1804", - .expect_detect = "VULNERABLE", - .actual_detect = "?", - .status = "MISMATCH", + .expect_detect = "OK", + .actual_detect = "OK", + .status = "match", }, { .module = "af_packet2", @@ -142,9 +142,9 @@ const struct verification_record verifications[] = { .host_kernel = "6.1.0-17-amd64", .host_distro = "Debian GNU/Linux 12 (bookworm)", .vm_box = "generic/debian12", - .expect_detect = "VULNERABLE", - .actual_detect = "OK", - .status = "MISMATCH", + .expect_detect = "PRECOND_FAIL", + .actual_detect = "PRECOND_FAIL", + .status = "match", }, { .module = "ptrace_traceme", @@ -153,8 +153,8 @@ const struct verification_record verifications[] = { .host_distro = "Ubuntu 18.04.6 LTS", .vm_box = "generic/ubuntu1804", .expect_detect = "VULNERABLE", - .actual_detect = "?", - .status = "MISMATCH", + .actual_detect = "VULNERABLE", + .status = "match", }, { .module = "pwnkit", @@ -183,8 +183,8 @@ const struct verification_record verifications[] = { .host_distro = "Ubuntu 18.04.6 LTS", .vm_box = "generic/ubuntu1804", .expect_detect = "VULNERABLE", - .actual_detect = "?", - .status = "MISMATCH", + .actual_detect = "VULNERABLE", + .status = "match", }, { .module = "sudoedit_editor", @@ -192,9 +192,9 @@ const struct verification_record verifications[] = { .host_kernel = "5.15.0-91-generic", .host_distro = "Ubuntu 22.04.3 LTS", .vm_box = "generic/ubuntu2204", - .expect_detect = "VULNERABLE", + .expect_detect = "PRECOND_FAIL", .actual_detect = "PRECOND_FAIL", - .status = "MISMATCH", + .status = "match", }, }; diff --git a/docs/VERIFICATIONS.jsonl b/docs/VERIFICATIONS.jsonl index d329f72..8830986 100644 --- a/docs/VERIFICATIONS.jsonl +++ b/docs/VERIFICATIONS.jsonl @@ -17,3 +17,10 @@ {"module":"nft_payload","verified_at":"2026-05-23T20:15:45Z","host_kernel":"5.15.0-43-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"} {"module":"af_packet2","verified_at":"2026-05-23T20:18:13Z","host_kernel":"5.4.0-169-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"} {"module":"sequoia","verified_at":"2026-05-23T20:20:38Z","host_kernel":"5.4.0-169-generic","host_distro":"Ubuntu 20.04.6 LTS","vm_box":"generic/ubuntu2004","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"} +{"module":"ptrace_traceme","verified_at":"2026-05-23T20:23:07Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"} +{"module":"sudo_samedit","verified_at":"2026-05-23T20:23:51Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"} +{"module":"af_packet","verified_at":"2026-05-23T20:24:35Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"VULNERABLE","actual_detect":"OK","status":"MISMATCH"} +{"module":"pack2theroot","verified_at":"2026-05-23T20:25:19Z","host_kernel":"6.1.0-17-amd64","host_distro":"Debian GNU/Linux 12 (bookworm)","vm_box":"generic/debian12","expect_detect":"VULNERABLE","actual_detect":"PRECOND_FAIL","status":"MISMATCH"} +{"module":"sudoedit_editor","verified_at":"2026-05-23T20:26:02Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"PRECOND_FAIL","actual_detect":"PRECOND_FAIL","status":"match"} +{"module":"af_packet","verified_at":"2026-05-23T20:27:39Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"OK","actual_detect":"OK","status":"match"} +{"module":"pack2theroot","verified_at":"2026-05-23T20:28:23Z","host_kernel":"6.1.0-17-amd64","host_distro":"Debian GNU/Linux 12 (bookworm)","vm_box":"generic/debian12","expect_detect":"PRECOND_FAIL","actual_detect":"PRECOND_FAIL","status":"match"} diff --git a/tools/verify-vm/targets.yaml b/tools/verify-vm/targets.yaml index 197e08f..d0b5836 100644 --- a/tools/verify-vm/targets.yaml +++ b/tools/verify-vm/targets.yaml @@ -33,10 +33,10 @@ af_packet: box: ubuntu1804 - kernel_pkg: "" # stock 4.15.0 is vulnerable + kernel_pkg: "" # stock 4.15.0-213-generic — patch backported kernel_version: "4.15.0" - expect_detect: VULNERABLE - notes: "CVE-2017-7308; bug introduced ≤ 4.10; Ubuntu 18.04 stock 4.15 is pre-fix." + expect_detect: OK + notes: "CVE-2017-7308; bug fixed mainline 4.10.6 + 4.9.18 backports. Ubuntu 18.04 stock kernel (4.15.0) is post-fix — detect() correctly returns OK. To validate the VULNERABLE path empirically would need a hand-built 4.4 or earlier kernel; deferred." af_packet2: box: ubuntu2004 @@ -164,8 +164,8 @@ pack2theroot: box: debian12 kernel_pkg: "" # PackageKit-version bug, not kernel kernel_version: "6.1.0" - expect_detect: VULNERABLE - notes: "CVE-2026-41651; needs PackageKit ≤ 1.3.5 + polkit. Debian 12 stock packagekit is 1.2.5 (vulnerable). Provisioning script may need to downgrade if Debian 12 ever updates." + expect_detect: PRECOND_FAIL + notes: "CVE-2026-41651; needs PackageKit ≤ 1.3.5 + polkit + an active D-Bus session bus. Debian 12's generic cloud image is server-oriented and does NOT install PackageKit (the bug's target daemon), so detect() correctly returns PRECOND_FAIL ('PackageKit daemon not registered on the system bus'). To validate the VULNERABLE path empirically, install packagekit in the VM before verifying ('apt install -y packagekit' + 'systemctl start packagekit'); deferred to a follow-up provisioner." ptrace_traceme: box: ubuntu1804