leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

pintheft: drop --full-chain stub (calls undefined finisher symbol)
release / build (arm64) (push) Waiting to run
Details
release / build (x86_64) (push) Waiting to run
Details
release / build (x86_64-static / musl) (push) Waiting to run
Details
release / build (arm64-static / musl) (push) Waiting to run
Details
release / release (push) Blocked by required conditions
Details

Browse Source 
The x86_64 path called finisher_modprobe_path_overwrite() which doesn't
exist — the real API is skeletonkey_finisher_modprobe_path() with a
callback signature. arm64 builds dodged it via the #if guard; x86_64
linker rightly choked. Same fix as tioscpgrp/vsock_uaf/nft_pipapo:
primitive-only modules return EXPLOIT_FAIL honestly per verified-vs-
claimed.
This commit is contained in:
KaraZajac
2026-05-23 22:22:31 -04:00
parent f41eed834e
commit 7f4a6e1c7c
1 changed files with 6 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/pintheft_cve_2026_43494/skeletonkey_modules.c
+6 -22
View File
@@ -344,31 +344,15 @@ static skeletonkey_result_t pintheft_exploit(const struct skeletonkey_ctx *ctx)
fprintf(stderr, "[+] pintheft: primitive fired %d/256 — page refcount delta witnessed\n", leaked); fprintf(stderr, "[+] pintheft: primitive fired %d/256 — page refcount delta witnessed\n", leaked);
/* The cred-overwrite step requires the V12 PoC's io_uring chain. /* The cred-overwrite step requires the V12 PoC's io_uring chain
* We don't ship the full chain here yet. If --full-chain is set * (fixed buffer + page-cache write into the SUID carrier). We don't
* AND we're on x86_64 AND the finisher table has resolved kernel * ship that chain — primitive only. Return EXPLOIT_FAIL honestly per
* offsets, fall through to the shared modprobe_path finisher; * the verified-vs-claimed bar. See V12's PoC for the full payload:
* otherwise return EXPLOIT_FAIL honestly. */ * https://github.com/v12-security/pocs/tree/main/pintheft */
if (!ctx->full_chain) { (void)ctx;
fprintf(stderr,
"[i] pintheft: primitive complete. The cred-overwrite step\n"
" (io_uring fixed buffer + page-cache write into the SUID\n"
" carrier) is x86_64-only and needs the V12 chain. Re-run\n"
" with --full-chain to invoke the shared modprobe_path\n"
" finisher. See V12's PoC for the full payload:\n"
" https://github.com/v12-security/pocs/tree/main/pintheft\n");
return SKELETONKEY_EXPLOIT_FAIL; return SKELETONKEY_EXPLOIT_FAIL;
} }
#if defined(__x86_64__)
fprintf(stderr, "[+] pintheft: --full-chain on x86_64 → invoking modprobe_path finisher\n");
return finisher_modprobe_path_overwrite(ctx);
#else
fprintf(stderr, "[-] pintheft: --full-chain unsupported on non-x86_64 (V12 PoC is x86-only)\n");
return SKELETONKEY_EXPLOIT_FAIL;
#endif
}
#else /* !__linux__ */ #else /* !__linux__ */
static skeletonkey_result_t pintheft_exploit(const struct skeletonkey_ctx *ctx) static skeletonkey_result_t pintheft_exploit(const struct skeletonkey_ctx *ctx)