Phase 3: EntryBleed module — working stage-1 kbase leak brick
- modules/entrybleed_cve_2023_0458/ (promoted out of _stubs):
- iamroot_modules.{c,h}: full EntryBleed primitive (rdtsc_start/end
+ prefetchnta + KASLR-slot timing sweep) wired into the standard
iamroot_module interface. x86_64 only; ARM/other gracefully
return IAMROOT_PRECOND_FAIL.
- detect(): reads /sys/.../vulnerabilities/meltdown to decide
KPTI status. Mitigation: PTI → VULNERABLE. Not affected → OK.
- exploit(): sweeps the 16MiB KASLR range, prints leaked kbase
(and KASLR slide). JSON-mode emits {"kbase":"0x..."} to stdout.
- entrybleed_leak_kbase_lib(off) declared as a public library
helper so future LPE chains needing a stage-1 leak can just
#include the module's header and call it.
- entry_SYSCALL_64 slot offset overridable via
IAMROOT_ENTRYBLEED_OFFSET (default 0x5600000 for lts-6.12.x).
- __always_inline fallback added since glibc/Linux-kernel macro
isn't universal; module now builds clean under macOS clangd lint
and on musl.
- iamroot.c registers entrybleed alongside the other families;
Makefile gains it as a separate object set.
Verified end-to-end on kctf-mgr (Debian 6.12.86):
iamroot --exploit entrybleed --i-know
→ [+] entrybleed: leaked kbase = 0xffffffff8d800000
This is the FIRST WORKING-EXPLOIT module in IAMROOT (5
copy_fail_family modules wrap existing code from DIRTYFAIL;
dirty_pipe is detect-only). EntryBleed is x86_64 stage-1 brick
that future chains can compose.
This commit is contained in:
+12
-6
@@ -59,20 +59,26 @@ these).
|
||||
Debian 11 with 5.10.0-8 (vulnerable), Debian 13 with 6.12.x
|
||||
(patched — should detect as OK)
|
||||
|
||||
## Phase 3 — Add EntryBleed (CVE-2023-0458) as stage-1 leak brick
|
||||
## Phase 3 — EntryBleed (CVE-2023-0458) as stage-1 leak brick (DONE 2026-05-16)
|
||||
|
||||
EntryBleed is **not a standalone LPE**. It's a **kbase leak
|
||||
primitive** that other modules can chain. Bundle it because:
|
||||
primitive** that other modules can chain. Bundled because:
|
||||
|
||||
- Stage-1 of any future "build-your-own LPE" workflow
|
||||
- Detection rules for KPTI side-channel attempts are useful for
|
||||
defenders
|
||||
- Already works empirically on lts-6.12.88 (verified 2026-05-16)
|
||||
|
||||
- [ ] `modules/entrybleed_cve_2023_0458/` — leak primitive +
|
||||
detect-mitigations
|
||||
- [ ] Exposed as a library helper: other modules can call
|
||||
`entrybleed_leak_kbase()` when they need a kbase
|
||||
- [x] `modules/entrybleed_cve_2023_0458/` — leak primitive + detect
|
||||
- [x] Exposed as a library helper: other modules can call
|
||||
`entrybleed_leak_kbase_lib()` (declared in iamroot_modules.h)
|
||||
- [x] Wired into iamroot.c registry; `iamroot --exploit entrybleed
|
||||
--i-know` produces a kbase leak. Verified on kctf-mgr:
|
||||
leaked `0xffffffff8d800000` with KASLR slide `0xc800000`.
|
||||
- [x] `entry_SYSCALL_64` slot offset configurable via
|
||||
`IAMROOT_ENTRYBLEED_OFFSET` env var (default matches lts-6.12.x).
|
||||
Future enhancement: auto-detect via /boot/System.map or
|
||||
/proc/kallsyms if accessible.
|
||||
|
||||
## Phase 4 — CI matrix
|
||||
|
||||
|
||||
Reference in New Issue
Block a user