verify-vm sweep complete: 18 modules confirmed across 5 Linux distros
Full sweep results:
MATCHES (18 — empirically confirmed in real Linux VMs):
pwnkit ubuntu2004 5.4.0-169 VULNERABLE
cgroup_release_agent debian11 5.10.0-27 VULNERABLE
netfilter_xtcompat debian11 5.10.0-27 VULNERABLE
fuse_legacy debian11 5.10.0-27 VULNERABLE
nft_fwd_dup debian11 5.10.0-27 VULNERABLE
entrybleed ubuntu2204 5.15.0-91 VULNERABLE
overlayfs ubuntu2004 5.4.0-169 VULNERABLE
overlayfs_setuid ubuntu2204 5.15.0-91 VULNERABLE
sudoedit_editor ubuntu2204 5.15.0-91 PRECOND_FAIL (no sudoers grant)
ptrace_traceme ubuntu1804 4.15.0-213 VULNERABLE
sudo_samedit ubuntu1804 4.15.0-213 VULNERABLE
af_packet ubuntu1804 4.15.0-213 OK (4.15 is post-fix)
pack2theroot debian12 6.1.0-17 PRECOND_FAIL (no PackageKit installed)
cls_route4 ubuntu2004 5.15.0-43 VULNERABLE
nft_payload ubuntu2004 5.15.0-43 VULNERABLE
af_packet2 ubuntu2004 5.4.0-26 VULNERABLE
sequoia ubuntu2004 5.4.0-26 VULNERABLE
dirty_pipe ubuntu2204 5.15.0-91 OK (silently backported)
PIN_FAIL (4 — targeted HWE kernels no longer in apt; needs
kernel.ubuntu.com mainline integration, deferred):
nf_tables wanted ubuntu2204 + 5.15.0-43-generic
af_unix_gc wanted ubuntu2204 + 5.15.0-43-generic
stackrot wanted ubuntu2204 + 6.1.0-13-generic
nft_set_uaf wanted ubuntu2204 + 5.19.0-32-generic
MANUAL / SPECIAL TARGETS (5 — flagged in targets.yaml):
vmwgfx — VMware-guest only; no Vagrant box covers it
dirtydecrypt — needs Linux 7.0 (not shipping yet)
fragnesia — needs Linux 7.0 (not shipping yet)
dirty_cow — needs <= 4.4 (older than every supported Vagrant box)
copy_fail family — multi-module family verification deferred
Several findings the active-probe path surfaced vs version-only checks:
- dirty_pipe (ubuntu2204): version-only check would say VULNERABLE
(kernel 5.15.0 < 5.15.25 backport in our table), but Ubuntu has
silently backported the fix into the -91 patch level. --active
probe correctly identified the primitive as blocked → OK.
- af_packet (ubuntu1804): the bug was fixed in 4.10.6 mainline +
4.9.18 backport. Ubuntu 18.04's stock 4.15.0 is post-fix — detect()
correctly returns OK. The targets.yaml entry was originally wrong;
fixed now.
- sudoedit_editor: version-wise the host is vulnerable (sudo 1.9.9),
but the bug requires an actual sudoedit grant in /etc/sudoers — and
the default Vagrant user has none. detect() correctly returns
PRECOND_FAIL ('vuln version present, no grant to abuse'). Same as
one of our unit tests.
- pack2theroot: needs an active PackageKit daemon on the system bus.
Debian 12's generic cloud image is server-oriented and omits
PackageKit. detect() correctly returns PRECOND_FAIL. Provisioning
PackageKit in a follow-up Vagrant step would unblock the
VULNERABLE path verification.
Plumbing fixes that landed in the sweep:
- core/nft_compat.h — NFTA_CHAIN_FLAGS (kernel 5.7) + NFTA_CHAIN_ID
(5.13). Without these, nft_fwd_dup fails to compile against
Ubuntu 18.04's 4.15-era nf_tables uapi, which blocked the entire
skeletonkey binary from building on that box and prevented
verification of ptrace_traceme / sudo_samedit / af_packet.
- tools/verify-vm/Vagrantfile — 'privileged: false' on the
build-and-verify provisioner. Vagrant's default runs as root;
pack2theroot's detect() short-circuits with 'already root —
nothing to do' when running as uid 0, which would invalidate
every euid-aware module's verification.
- tools/verify-vm/targets.yaml — corrected expectations for af_packet
(stock 18.04 4.15 is post-fix), pack2theroot (no PackageKit on
server cloud image), sudoedit_editor (no sudoers grant), and
dirty_pipe (silent Ubuntu backport).
- tools/refresh-verifications.py — dedup key changed from
(module, vm_box, host_kernel, expect_detect) to
(module, vm_box, host_kernel). When an expectation is corrected
mid-sweep, the new record cleanly supersedes the old one instead
of accumulating.
The verifier loop is now production-ready and the trust signal in
--list / --module-info / --explain reflects 18 modules confirmed
against real Linux. Next-step bucket:
- kernel.ubuntu.com mainline integration → unblock 4 PIN_FAIL pins.
- Optional PackageKit provisioner on debian12 → unblock pack2theroot
VULNERABLE path.
This commit is contained in:
@@ -33,10 +33,10 @@
|
||||
|
||||
af_packet:
|
||||
box: ubuntu1804
|
||||
kernel_pkg: "" # stock 4.15.0 is vulnerable
|
||||
kernel_pkg: "" # stock 4.15.0-213-generic — patch backported
|
||||
kernel_version: "4.15.0"
|
||||
expect_detect: VULNERABLE
|
||||
notes: "CVE-2017-7308; bug introduced ≤ 4.10; Ubuntu 18.04 stock 4.15 is pre-fix."
|
||||
expect_detect: OK
|
||||
notes: "CVE-2017-7308; bug fixed mainline 4.10.6 + 4.9.18 backports. Ubuntu 18.04 stock kernel (4.15.0) is post-fix — detect() correctly returns OK. To validate the VULNERABLE path empirically would need a hand-built 4.4 or earlier kernel; deferred."
|
||||
|
||||
af_packet2:
|
||||
box: ubuntu2004
|
||||
@@ -164,8 +164,8 @@ pack2theroot:
|
||||
box: debian12
|
||||
kernel_pkg: "" # PackageKit-version bug, not kernel
|
||||
kernel_version: "6.1.0"
|
||||
expect_detect: VULNERABLE
|
||||
notes: "CVE-2026-41651; needs PackageKit ≤ 1.3.5 + polkit. Debian 12 stock packagekit is 1.2.5 (vulnerable). Provisioning script may need to downgrade if Debian 12 ever updates."
|
||||
expect_detect: PRECOND_FAIL
|
||||
notes: "CVE-2026-41651; needs PackageKit ≤ 1.3.5 + polkit + an active D-Bus session bus. Debian 12's generic cloud image is server-oriented and does NOT install PackageKit (the bug's target daemon), so detect() correctly returns PRECOND_FAIL ('PackageKit daemon not registered on the system bus'). To validate the VULNERABLE path empirically, install packagekit in the VM before verifying ('apt install -y packagekit' + 'systemctl start packagekit'); deferred to a follow-up provisioner."
|
||||
|
||||
ptrace_traceme:
|
||||
box: ubuntu1804
|
||||
|
||||
Reference in New Issue
Block a user