leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

verify-vm: kernel.ubuntu.com mainline integration — 22 modules verified

Browse Source 
Unblocks the 4 previously-PIN_FAIL modules by adding a fallback path to
kernel.ubuntu.com/mainline/ for any kernel no longer in apt. Adds 4 more
matches to the verified_on table for a total of 22 modules confirmed
against real Linux VMs:

  af_unix_gc     ubuntu2204 + mainline 5.15.5  match
  nf_tables      ubuntu2204 + mainline 5.15.5  match
  nft_set_uaf    ubuntu2204 + mainline 5.15.5  match
  stackrot       ubuntu2204 + mainline 6.1.10  match

Mechanism:

  tools/verify-vm/Vagrantfile — new 'pin-mainline-<X.Y.Z>' shell
  provisioner. Fetches the directory index at
  https://kernel.ubuntu.com/mainline/v<X.Y.Z>/amd64/, parses out the 4
  canonical .deb filenames (linux-headers _all, linux-headers
  -generic _amd64, linux-image-unsigned -generic _amd64, linux-modules
  -generic _amd64; skips lowlatency), downloads them, runs 'dpkg -i' +
  'update-grub', and prints a reboot hint.

  Mainline package version like '5.15.5-051505' sorts ABOVE Ubuntu's
  stock '5.15.0-91' in debian-version-compare (numeric 51505 > 91), so
  update-grub puts it at the top of the boot menu and the next
  'vagrant reload' lands on it automatically. uname then reports
  '5.15.5-051505-generic' which our parser sees as 5.15.5 → in our
  kernel_range table's vulnerable window → empirical VULNERABLE.

  tools/verify-vm/verify.sh — new SKK_VM_MAINLINE_VERSION env passed to
  the Vagrantfile. Reload trigger now also fires when uname doesn't
  match the mainline target.

  tools/verify-vm/targets.yaml — new 'mainline_version' field on the 4
  PIN_FAIL targets. kernel_pkg is left empty; mainline_version drives
  the fetch. Picked 5.15.5 (Nov 2021) for the 5.15-line CVEs and
  6.1.10 (Feb 2023) for stackrot — both below every relevant backport.

Final sweep status (22 of 26 CVEs):

  ✓ MATCHES (22):
    pwnkit, cgroup_release_agent, netfilter_xtcompat, fuse_legacy,
    nft_fwd_dup, entrybleed, overlayfs, overlayfs_setuid,
    sudoedit_editor, ptrace_traceme, sudo_samedit, af_packet,
    pack2theroot, cls_route4, nft_payload, af_packet2, sequoia,
    dirty_pipe, nf_tables, af_unix_gc, nft_set_uaf, stackrot

  🚫 NOT VERIFIED (4 — flagged in targets.yaml with rationale):
    vmwgfx        — VMware-guest only; no public Vagrant box covers it
    dirtydecrypt  — needs Linux 7.0; not shipping as any distro kernel
    fragnesia     — needs Linux 7.0; same
    dirty_cow     — needs ≤ 4.4 kernel; older than every supported
                    Vagrant box (would need a custom image)

  copy_fail_family entries verified indirectly via the shared
  infrastructure tests in the kernel_range unit-test harness.

The 22 records are baked into core/verifications.c and surface in
--list (VFY ✓ column), --module-info (--- verified on --- section),
--explain (VERIFIED ON section), and JSON output (verified_on array).
22/26 CVEs is the new trust signal; with the mainline fetch path
production-ready, additional pin targets can be added to targets.yaml
without code changes.
This commit is contained in:
KaraZajac
2026-05-23 17:35:13 -04:00
parent 2c131df1bf
commit 312e7d89b5
5 changed files with 122 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tools/verify-vm/targets.yaml
+16 -12
View File
@@ -47,10 +47,11 @@ af_packet2:
af_unix_gc:
box: ubuntu2204
kernel_pkg: linux-image-5.15.0-43-generic
kernel_version: "5.15.0-43"
kernel_pkg: ""
mainline_version: "5.15.5" # kernel.ubuntu.com/mainline/v5.15.5/ — below 5.15.130 backport
kernel_version: "5.15.5"
expect_detect: VULNERABLE
notes: "CVE-2023-4622; fixed in 6.5 mainline / backported to 5.15.130; 5.15.0-43 is below the backport."
notes: "CVE-2023-4622; fix mainline 6.5 + backports 5.15.130/6.1.51/etc. Mainline 5.15.5 (Nov 2021) predates all backports and any silent distro patching. Installed via kernel.ubuntu.com/mainline/v5.15.5/."
cgroup_release_agent:
box: debian11
@@ -120,10 +121,11 @@ netfilter_xtcompat:
nf_tables:
box: ubuntu2204
kernel_pkg: linux-image-5.15.0-43-generic
kernel_version: "5.15.0-43"
kernel_pkg: ""
mainline_version: "5.15.5"
kernel_version: "5.15.5"
expect_detect: VULNERABLE
notes: "CVE-2024-1086; fix 6.8 mainline + 5.15.149 backport; 5.15.0-43 is below."
notes: "CVE-2024-1086; bug introduced 5.14; fix mainline 6.8 + 5.15.149/6.1.74 backports. Mainline 5.15.5 (Nov 2021) is well below 5.15.149 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v5.15.5/."
nft_fwd_dup:
box: debian11
@@ -141,10 +143,11 @@ nft_payload:
nft_set_uaf:
box: ubuntu2204
kernel_pkg: linux-image-5.19.0-32-generic
kernel_version: "5.19.0-32"
kernel_pkg: ""
mainline_version: "5.15.5"
kernel_version: "5.15.5"
expect_detect: VULNERABLE
notes: "CVE-2023-32233; fix 6.4-rc4 + 6.1.27 / 5.15.110; 5.19.0-32 is below."
notes: "CVE-2023-32233; bug introduced 5.1; fix mainline 6.4-rc4 + 6.1.27/5.15.110 backports. Mainline 5.15.5 (Nov 2021) is below 5.15.110 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v5.15.5/."
overlayfs:
box: ubuntu2004
@@ -190,10 +193,11 @@ sequoia:
stackrot:
box: ubuntu2204
kernel_pkg: linux-image-6.1.0-13-generic
kernel_version: "6.1.0-13"
kernel_pkg: ""
mainline_version: "6.1.10" # below the 6.1.37 backport
kernel_version: "6.1.10"
expect_detect: VULNERABLE
notes: "CVE-2023-3269; fix 6.4 mainline + 6.1.37 LTS / 6.3.10; 6.1.0-13 is below."
notes: "CVE-2023-3269; bug introduced 6.1; fix mainline 6.4 + 6.1.37/6.3.10 backports. Mainline 6.1.10 (Feb 2023) is below 6.1.37 — empirically vulnerable. Installed via kernel.ubuntu.com/mainline/v6.1.10/."
sudo_samedit:
box: ubuntu1804