diff --git a/core/verifications.c b/core/verifications.c index bc87da5..79a1869 100644 --- a/core/verifications.c +++ b/core/verifications.c @@ -36,6 +36,16 @@ const struct verification_record verifications[] = { .actual_detect = "VULNERABLE", .status = "match", }, + { + .module = "af_unix_gc", + .verified_at = "2026-05-23", + .host_kernel = "5.15.5-051505-generic", + .host_distro = "Ubuntu 22.04.3 LTS", + .vm_box = "generic/ubuntu2204", + .expect_detect = "VULNERABLE", + .actual_detect = "VULNERABLE", + .status = "match", + }, { .module = "cgroup_release_agent", .verified_at = "2026-05-23", @@ -96,6 +106,16 @@ const struct verification_record verifications[] = { .actual_detect = "VULNERABLE", .status = "match", }, + { + .module = "nf_tables", + .verified_at = "2026-05-23", + .host_kernel = "5.15.5-051505-generic", + .host_distro = "Ubuntu 22.04.3 LTS", + .vm_box = "generic/ubuntu2204", + .expect_detect = "VULNERABLE", + .actual_detect = "VULNERABLE", + .status = "match", + }, { .module = "nft_fwd_dup", .verified_at = "2026-05-23", @@ -116,6 +136,16 @@ const struct verification_record verifications[] = { .actual_detect = "VULNERABLE", .status = "match", }, + { + .module = "nft_set_uaf", + .verified_at = "2026-05-23", + .host_kernel = "5.15.5-051505-generic", + .host_distro = "Ubuntu 22.04.3 LTS", + .vm_box = "generic/ubuntu2204", + .expect_detect = "VULNERABLE", + .actual_detect = "VULNERABLE", + .status = "match", + }, { .module = "overlayfs", .verified_at = "2026-05-23", @@ -176,6 +206,16 @@ const struct verification_record verifications[] = { .actual_detect = "VULNERABLE", .status = "match", }, + { + .module = "stackrot", + .verified_at = "2026-05-23", + .host_kernel = "6.1.10-060110-generic", + .host_distro = "Ubuntu 22.04.3 LTS", + .vm_box = "generic/ubuntu2204", + .expect_detect = "VULNERABLE", + .actual_detect = "VULNERABLE", + .status = "match", + }, { .module = "sudo_samedit", .verified_at = "2026-05-23", diff --git a/docs/VERIFICATIONS.jsonl b/docs/VERIFICATIONS.jsonl index 8830986..829ea66 100644 --- a/docs/VERIFICATIONS.jsonl +++ b/docs/VERIFICATIONS.jsonl @@ -24,3 +24,7 @@ {"module":"sudoedit_editor","verified_at":"2026-05-23T20:26:02Z","host_kernel":"5.15.0-91-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"PRECOND_FAIL","actual_detect":"PRECOND_FAIL","status":"match"} {"module":"af_packet","verified_at":"2026-05-23T20:27:39Z","host_kernel":"4.15.0-213-generic","host_distro":"Ubuntu 18.04.6 LTS","vm_box":"generic/ubuntu1804","expect_detect":"OK","actual_detect":"OK","status":"match"} {"module":"pack2theroot","verified_at":"2026-05-23T20:28:23Z","host_kernel":"6.1.0-17-amd64","host_distro":"Debian GNU/Linux 12 (bookworm)","vm_box":"generic/debian12","expect_detect":"PRECOND_FAIL","actual_detect":"PRECOND_FAIL","status":"match"} +{"module":"nf_tables","verified_at":"2026-05-23T21:22:59Z","host_kernel":"5.15.5-051505-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"} +{"module":"af_unix_gc","verified_at":"2026-05-23T21:27:13Z","host_kernel":"5.15.5-051505-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"} +{"module":"nft_set_uaf","verified_at":"2026-05-23T21:30:41Z","host_kernel":"5.15.5-051505-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"} +{"module":"stackrot","verified_at":"2026-05-23T21:34:12Z","host_kernel":"6.1.10-060110-generic","host_distro":"Ubuntu 22.04.3 LTS","vm_box":"generic/ubuntu2204","expect_detect":"VULNERABLE","actual_detect":"VULNERABLE","status":"match"} diff --git a/tools/verify-vm/Vagrantfile b/tools/verify-vm/Vagrantfile index e7739e2..18f9420 100644 --- a/tools/verify-vm/Vagrantfile +++ b/tools/verify-vm/Vagrantfile @@ -18,10 +18,11 @@ require "yaml" REPO_ROOT = File.expand_path("../..", __dir__) -box = ENV["SKK_VM_BOX"] || "generic/debian12" -pkg = ENV["SKK_VM_KERNEL_PKG"] || "" -kver = ENV["SKK_VM_KERNEL_VERSION"] || "" -host = ENV["SKK_VM_HOSTNAME"] || "skk-verify" +box = ENV["SKK_VM_BOX"] || "generic/debian12" +pkg = ENV["SKK_VM_KERNEL_PKG"] || "" +mainline = ENV["SKK_VM_MAINLINE_VERSION"] || "" +kver = ENV["SKK_VM_KERNEL_VERSION"] || "" +host = ENV["SKK_VM_HOSTNAME"] || "skk-verify" Vagrant.configure("2") do |c| # Define ONE Vagrant machine named after SKK_VM_HOSTNAME. Per-module @@ -62,7 +63,7 @@ Vagrant.configure("2") do |c| fi SHELL - # 2. Pin target kernel if requested. Reboot needed afterward. + # 2a. Pin via apt if requested. Reboot needed afterward. if !pkg.empty? m.vm.provision "shell", name: "pin-kernel-#{pkg}", inline: <<-SHELL set -e @@ -71,18 +72,59 @@ Vagrant.configure("2") do |c| else echo "[+] installing #{pkg} (kernel target #{kver})" export DEBIAN_FRONTEND=noninteractive - apt-get install -y -qq #{pkg} || { - echo "[-] #{pkg} unavailable in apt; trying snapshot.debian.org" >&2 - echo "deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/20230101T000000Z bookworm main" \ - >> /etc/apt/sources.list.d/snapshot.list - apt-get update -qq -o Acquire::Check-Valid-Until=false - apt-get install -y -qq --allow-downgrades #{pkg} - } + apt-get install -y -qq #{pkg} echo "[i] kernel #{pkg} installed; reboot via 'vagrant reload'" fi SHELL end + # 2b. Pin via kernel.ubuntu.com/mainline/ if mainline_version is set. + # Fetches the four .debs (linux-headers _all, linux-headers _amd64 + # generic, linux-image-unsigned generic, linux-modules generic), + # dpkg -i's them, regenerates grub, and prints a reboot hint. + # Mainline kernel package version like "5.15.5-051505" sorts ABOVE + # Ubuntu's stock "5.15.0-91" in debian-version-compare (numeric + # 51505 > 91), so update-grub puts it at boot index 0 and the next + # boot lands on it automatically. + if !mainline.empty? + m.vm.provision "shell", name: "pin-mainline-#{mainline}", inline: <<-SHELL + set -e + KVER="#{mainline}" + # already booted into it? + if uname -r | grep -q "^${KVER}-[0-9]\\+-generic"; then + echo "[=] mainline ${KVER} already booted ($(uname -r))" + exit 0 + fi + # already installed on disk (waiting on reboot)? + if ls /boot/vmlinuz-${KVER}-* >/dev/null 2>&1; then + echo "[=] mainline ${KVER} already installed; needs reboot" + exit 0 + fi + echo "[+] fetching kernel.ubuntu.com mainline v${KVER}" + URL="https://kernel.ubuntu.com/mainline/v${KVER}/amd64/" + TMP=$(mktemp -d) + cd "$TMP" + # Pick the 4 canonical generic-kernel .debs by pattern match against + # the directory index. Skip lowlatency variants. + DEBS=$(curl -sL "$URL" | \\ + grep -oE 'href="[^"]+\\.deb"' | sed 's/href="//; s/"$//' | \\ + grep -E '(linux-image-unsigned|linux-modules|linux-headers)-[0-9.]+-[0-9]+-generic_|linux-headers-[0-9.]+-[0-9]+_[^_]+_all\\.deb' | \\ + grep -v lowlatency) + if [ -z "$DEBS" ]; then + echo "[-] no .debs found at $URL — does the version exist on kernel.ubuntu.com?" >&2 + exit 2 + fi + for f in $DEBS; do + echo "[+] $f" + curl -fsSL -O "${URL}${f}" + done + export DEBIAN_FRONTEND=noninteractive + dpkg -i *.deb || apt-get install -f -y -qq + update-grub 2>&1 | tail -3 + echo "[i] mainline ${KVER} installed; reboot via 'vagrant reload'" + SHELL + end + # 3. Build SKELETONKEY in-VM and run --explain --active for the target # module. Runs as the unprivileged 'vagrant' user (NOT root) — most # detect()s gate on "are you already root?" and short-circuit if so, diff --git a/tools/verify-vm/targets.yaml b/tools/verify-vm/targets.yaml index d0b5836..beb3fde 100644 --- a/tools/verify-vm/targets.yaml +++ b/tools/verify-vm/targets.yaml @@ -47,10 +47,11 @@ af_packet2: af_unix_gc: box: ubuntu2204 - kernel_pkg: linux-image-5.15.0-43-generic - kernel_version: "5.15.0-43" + kernel_pkg: "" + mainline_version: "5.15.5" # kernel.ubuntu.com/mainline/v5.15.5/ — below 5.15.130 backport + kernel_version: "5.15.5" expect_detect: VULNERABLE - notes: "CVE-2023-4622; fixed in 6.5 mainline / backported to 5.15.130; 5.15.0-43 is below the backport." + notes: "CVE-2023-4622; fix mainline 6.5 + backports 5.15.130/6.1.51/etc. Mainline 5.15.5 (Nov 2021) predates all backports and any silent distro patching. Installed via kernel.ubuntu.com/mainline/v5.15.5/." cgroup_release_agent: box: debian11 @@ -120,10 +121,11 @@ netfilter_xtcompat: nf_tables: box: ubuntu2204 - kernel_pkg: linux-image-5.15.0-43-generic - kernel_version: "5.15.0-43" + kernel_pkg: "" + mainline_version: "5.15.5" + kernel_version: "5.15.5" expect_detect: VULNERABLE - notes: "CVE-2024-1086; fix 6.8 mainline + 5.15.149 backport; 5.15.0-43 is below." + notes: "CVE-2024-1086; bug introduced 5.14; fix mainline 6.8 + 5.15.149/6.1.74 backports. Mainline 5.15.5 (Nov 2021) is well below 5.15.149 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v5.15.5/." nft_fwd_dup: box: debian11 @@ -141,10 +143,11 @@ nft_payload: nft_set_uaf: box: ubuntu2204 - kernel_pkg: linux-image-5.19.0-32-generic - kernel_version: "5.19.0-32" + kernel_pkg: "" + mainline_version: "5.15.5" + kernel_version: "5.15.5" expect_detect: VULNERABLE - notes: "CVE-2023-32233; fix 6.4-rc4 + 6.1.27 / 5.15.110; 5.19.0-32 is below." + notes: "CVE-2023-32233; bug introduced 5.1; fix mainline 6.4-rc4 + 6.1.27/5.15.110 backports. Mainline 5.15.5 (Nov 2021) is below 5.15.110 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v5.15.5/." overlayfs: box: ubuntu2004 @@ -190,10 +193,11 @@ sequoia: stackrot: box: ubuntu2204 - kernel_pkg: linux-image-6.1.0-13-generic - kernel_version: "6.1.0-13" + kernel_pkg: "" + mainline_version: "6.1.10" # below the 6.1.37 backport + kernel_version: "6.1.10" expect_detect: VULNERABLE - notes: "CVE-2023-3269; fix 6.4 mainline + 6.1.37 LTS / 6.3.10; 6.1.0-13 is below." + notes: "CVE-2023-3269; bug introduced 6.1; fix mainline 6.4 + 6.1.37/6.3.10 backports. Mainline 6.1.10 (Feb 2023) is below 6.1.37 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v6.1.10/." sudo_samedit: box: ubuntu1804 diff --git a/tools/verify-vm/verify.sh b/tools/verify-vm/verify.sh index ecba5ca..f5abcf3 100755 --- a/tools/verify-vm/verify.sh +++ b/tools/verify-vm/verify.sh @@ -95,6 +95,7 @@ fi # ── load target ─────────────────────────────────────────────────────────── BOX=$(yget "$MODULE" box) KERNEL_PKG=$(yget "$MODULE" kernel_pkg) +MAINLINE=$(yget "$MODULE" mainline_version) KERNEL_VER=$(yget "$MODULE" kernel_version) EXPECT=$(yget "$MODULE" expect_detect) MANUAL=$(yget "$MODULE" manual) @@ -126,6 +127,7 @@ echo cd "$VM_DIR" export SKK_VM_BOX="$BOX" export SKK_VM_KERNEL_PKG="$KERNEL_PKG" +export SKK_VM_MAINLINE_VERSION="$MAINLINE" export SKK_VM_KERNEL_VERSION="$KERNEL_VER" export SKK_VM_HOSTNAME="$VM_HOSTNAME" export SKK_MODULE="$MODULE" @@ -137,11 +139,13 @@ if ! vagrant status "$VM_HOSTNAME" 2>&1 | grep -q "running"; then vagrant up "$VM_HOSTNAME" --provider=parallels fi -# Reboot if a kernel pin was applied (uname -r != target). -if [[ -n "$KERNEL_PKG" ]]; then +# Reboot if any kernel pin was applied (uname -r != target). +if [[ -n "$KERNEL_PKG" || -n "$MAINLINE" ]]; then current_kver=$(vagrant ssh "$VM_HOSTNAME" -c "uname -r" 2>/dev/null | tr -d '\r') - if [[ "$current_kver" != *"$KERNEL_VER"* ]]; then - echo "[*] current kernel $current_kver != target $KERNEL_VER; rebooting..." + target_match="$KERNEL_VER" + [[ -n "$MAINLINE" ]] && target_match="$MAINLINE" + if [[ "$current_kver" != *"$target_match"* ]]; then + echo "[*] current kernel $current_kver != target $target_match; rebooting..." vagrant reload "$VM_HOSTNAME" sleep 5 fi