Phase 7: Dirty COW (CVE-2016-5195) FULL module — old-systems coverage

The iconic 2016 LPE. Fills the 10-year coverage gap (now spanning
2016 → 2026): RHEL 6/7, Ubuntu 14.04, Ubuntu 16.04, embedded boxes,
IoT — many still in production with kernels predating the 4.9 fix.

- modules/dirty_cow_cve_2016_5195/iamroot_modules.{c,h}:
  - kernel_range: backport thresholds for 2.6 / 3.2 / 3.10 / 3.12 /
    3.16 / 3.18 / 4.4 / 4.7 / 4.8 / mainline 4.9
  - dirty_cow_write(): Phil-Oester-style two-thread race
    - mmap /etc/passwd MAP_PRIVATE (writes go COW)
    - writer thread: pwrite to /proc/self/mem at COW page offset
    - madviser thread: madvise(MADV_DONTNEED) to drop COW copy
    - poll-read /etc/passwd via separate fd to check if payload landed
    - 3-second timeout (race usually wins in ms on vulnerable kernels)
  - dirty_cow_exploit(): getpwuid → find_passwd_uid_field → race
    → execlp(su)
  - dirty_cow_cleanup(): POSIX_FADV_DONTNEED + drop_caches
  - Auditd rule: /proc/self/mem writes + madvise MADV_DONTNEED
  - Sigma rule: non-root /proc/self/mem open → high
- Makefile: -lpthread added to LDFLAGS for the binary link.
- iamroot.c + core/registry.h wired.
- CVES.md row added with detailed status; legend updated.

Verified end-to-end on kctf-mgr (6.12.86 — patched):
  iamroot --scan       → 'dirty_cow: kernel is patched' (OK)
  iamroot --exploit dirty_cow --i-know
                       → 'detect() says not vulnerable; refusing'
Module count = 12.

Makefile

@@ -61,17 +61,22 @@ CR4_DIR  := modules/cls_route4_cve_2022_2588
 CR4_SRCS := $(CR4_DIR)/iamroot_modules.c
 CR4_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(CR4_SRCS))
 
+# Family: dirty_cow (CVE-2016-5195) — requires -pthread
+DCOW_DIR  := modules/dirty_cow_cve_2016_5195
+DCOW_SRCS := $(DCOW_DIR)/iamroot_modules.c
+DCOW_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(DCOW_SRCS))
+
 # Top-level dispatcher
 TOP_OBJ  := $(BUILD)/iamroot.o
 
-ALL_OBJS := $(TOP_OBJ) $(CORE_OBJS) $(CFF_OBJS) $(DP_OBJS) $(EB_OBJS) $(PK_OBJS) $(NFT_OBJS) $(OVL_OBJS) $(CR4_OBJS)
+ALL_OBJS := $(TOP_OBJ) $(CORE_OBJS) $(CFF_OBJS) $(DP_OBJS) $(EB_OBJS) $(PK_OBJS) $(NFT_OBJS) $(OVL_OBJS) $(CR4_OBJS) $(DCOW_OBJS)
 
 .PHONY: all clean debug static help
 
 all: $(BIN)
 
 $(BIN): $(ALL_OBJS)
-	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ -lpthread
 
 # Generic compile: any .c → corresponding .o under build/
 $(BUILD)/%.o: %.c