diff --git a/core/nft_compat.h b/core/nft_compat.h
new file mode 100644
index 0000000..a8bbe09
--- /dev/null
+++ b/core/nft_compat.h
@@ -0,0 +1,84 @@
+/*
+ * SKELETONKEY — nf_tables uapi compat shims.
+ *
+ * Older distro kernel headers (e.g. Ubuntu 20.04's linux-libc-dev ships
+ * the 5.4 uapi; Debian 11 ships 5.10) don't define every nft attribute
+ * or chain flag the exploits use. The numeric values are stable kernel
+ * ABI — the target kernel understands them at runtime regardless of
+ * what was present in the build host's uapi headers. Conditionally
+ * define them here so modules compile against any reasonable header set.
+ *
+ * Sources for the numeric values:
+ * include/uapi/linux/netfilter/nf_tables.h in mainline at the kernel
+ * version that introduced each enum.
+ *
+ * Include AFTER .
+ */
+
+#ifndef SKELETONKEY_NFT_COMPAT_H
+#define SKELETONKEY_NFT_COMPAT_H
+
+#include
+
+/* ── chain flags ─────────────────────────────────────────────────── */
+
+/* NFT_CHAIN_HW_OFFLOAD: kernel 5.5 (commit be0b86e0594d). Needed by
+ * nft_fwd_dup_cve_2022_25636. */
+#ifndef NFT_CHAIN_HW_OFFLOAD
+#define NFT_CHAIN_HW_OFFLOAD 0x2
+#endif
+
+/* NFT_CHAIN_BINDING: kernel 5.9 (commit d164385ec572). */
+#ifndef NFT_CHAIN_BINDING
+#define NFT_CHAIN_BINDING 0x4
+#endif
+
+/* ── verdict attrs ──────────────────────────────────────────────── */
+
+/* NFTA_VERDICT_CHAIN_ID: kernel 5.14 (commit 4ed8eb6570a4). Needed by
+ * nf_tables_cve_2024_1086. */
+#ifndef NFTA_VERDICT_CHAIN_ID
+#define NFTA_VERDICT_CHAIN_ID 3 /* CODE=1, CHAIN=2, CHAIN_ID=3 */
+#endif
+
+/* ── set attrs ──────────────────────────────────────────────────── */
+
+/* NFTA_SET_DESC_CONCAT: kernel 5.6 (commit 8aeff38e08d2 — concat sets). */
+#ifndef NFTA_SET_DESC_CONCAT
+#define NFTA_SET_DESC_CONCAT 2 /* DESC_SIZE=1, DESC_CONCAT=2 */
+#endif
+
+/* NFTA_SET_EXPR: kernel 5.12 (commit 65038428b2c6 — anon expr on sets). */
+#ifndef NFTA_SET_EXPR
+#define NFTA_SET_EXPR 13
+#endif
+
+/* NFTA_SET_EXPRESSIONS: kernel 5.16 (commit 48b0ae046ed4). */
+#ifndef NFTA_SET_EXPRESSIONS
+#define NFTA_SET_EXPRESSIONS 14
+#endif
+
+/* ── set-element attrs ──────────────────────────────────────────── */
+
+/* NFTA_SET_ELEM_KEY_END: kernel 5.6 (commit 7b225d0b5c5b). */
+#ifndef NFTA_SET_ELEM_KEY_END
+#define NFTA_SET_ELEM_KEY_END 7
+#endif
+
+/* NFTA_SET_ELEM_EXPRESSIONS: kernel 5.16 (commit 48b0ae046ed4). */
+#ifndef NFTA_SET_ELEM_EXPRESSIONS
+#define NFTA_SET_ELEM_EXPRESSIONS 11
+#endif
+
+/* ── data attrs (newer additions tend to be backported uneven) ──── */
+
+/* Make sure NFTA_DATA_VERDICT and friends exist — present since 3.13;
+ * here only as a tripwire if a very old header somehow lacks them. */
+#ifndef NFTA_DATA_VERDICT
+#define NFTA_DATA_VERDICT 2
+#endif
+#ifndef NFTA_DATA_VALUE
+#define NFTA_DATA_VALUE 1
+#endif
+
+#endif /* SKELETONKEY_NFT_COMPAT_H */
diff --git a/modules/nf_tables_cve_2024_1086/skeletonkey_modules.c b/modules/nf_tables_cve_2024_1086/skeletonkey_modules.c
index a90c36d..839d0ae 100644
--- a/modules/nf_tables_cve_2024_1086/skeletonkey_modules.c
+++ b/modules/nf_tables_cve_2024_1086/skeletonkey_modules.c
@@ -88,6 +88,7 @@
 #include
 #include
 #include
+#include "../../core/nft_compat.h" /* shims for newer-kernel uapi constants */
 
 /* ------------------------------------------------------------------
  * Kernel-range table
diff --git a/modules/nft_fwd_dup_cve_2022_25636/skeletonkey_modules.c b/modules/nft_fwd_dup_cve_2022_25636/skeletonkey_modules.c
index 0119ed7..7baea84 100644
--- a/modules/nft_fwd_dup_cve_2022_25636/skeletonkey_modules.c
+++ b/modules/nft_fwd_dup_cve_2022_25636/skeletonkey_modules.c
@@ -77,6 +77,7 @@
 #include
 #include
 #include
+#include "../../core/nft_compat.h"
 
 /* ------------------------------------------------------------------
  * Kernel range table — fixes per branch.
diff --git a/modules/nft_payload_cve_2023_0179/skeletonkey_modules.c b/modules/nft_payload_cve_2023_0179/skeletonkey_modules.c
index 8992894..4f49caf 100644
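Review bot: The `#ifndef` guards in this header never take the "already defined" branch, because the uapi nf_tables.h declares NFT_CHAIN_HW_OFFLOAD, NFTA_SET_EXPR and the rest as enumerators rather than macros, so every `#define` here is unconditional and shadows the enumerator from the point of inclusion on, even on a build host whose headers already have it. That contradicts the header comment's "Conditionally define them here", and it means a wrong value in this file silently wins over the system header instead of being caught at compile time; at least one entry looks off against mainline's enum ordering (NFTA_SET_EXPR follows NFTA_SET_HANDLE in enum nft_set_attributes, which places it above 13), so each constant should be re-checked against the uapi header of the kernel version named in its comment. A guard that actually tracks header age is the build-host kernel version: `#include <linux/version.h>` once, then wrap each entry in `#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 12, 0)` (using the version already noted on that entry) instead of `#ifndef`. The `#include` directive after the include guard and the "Include AFTER" sentence have lost their header names in this rendering, so the required include order cannot be checked from here.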
--- a/modules/nft_payload_cve_2023_0179/skeletonkey_modules.c
+++ b/modules/nft_payload_cve_2023_0179/skeletonkey_modules.c
@@ -80,6 +80,7 @@
 #include
 #include
 #include
+#include "../../core/nft_compat.h"
 
 /* ------------------------------------------------------------------
  * Kernel-range table
diff --git a/modules/nft_set_uaf_cve_2023_32233/skeletonkey_modules.c b/modules/nft_set_uaf_cve_2023_32233/skeletonkey_modules.c
index 2123fce..f7dce47 100644
--- a/modules/nft_set_uaf_cve_2023_32233/skeletonkey_modules.c
+++ b/modules/nft_set_uaf_cve_2023_32233/skeletonkey_modules.c
@@ -79,6 +79,7 @@
 #include
 #include
 #include
+#include "../../core/nft_compat.h"
 
 /* NFT_SET_EVAL was added in 5.6; older UAPI headers may not define it.
  * Anonymous-set + lookup exploit shape works on builds with this flag,
diff --git a/tools/verify-vm/verify.sh b/tools/verify-vm/verify.sh
index 1aeaa5d..9fa57db 100755
--- a/tools/verify-vm/verify.sh
+++ b/tools/verify-vm/verify.sh
@@ -149,11 +149,20 @@ fi
 
 # Run the explain probe.
 LOG="$LOG_DIR/verify-${MODULE}-$(date +%Y%m%d-%H%M%S).log"
+
+# Force rsync the source tree in. vagrant up runs rsync automatically on
+# first up but NOT on a resume/already-running VM, so we always rsync here
+# to guarantee /vagrant/ inside the guest matches the host's source tree.
+echo "[*] syncing source into VM..."
+vagrant rsync "$VM_HOSTNAME" 2>&1 | tail -5
+
 echo "[*] running verifier..."
 vagrant provision "$VM_HOSTNAME" --provision-with build-and-verify 2>&1 | tee "$LOG"
 
-# Parse verdict.
-VERDICT=$(grep -E "^VERDICT: " "$LOG" | tail -1 | awk '{print $2}')
+# Parse verdict. Vagrant prefixes provisioner output with the VM name
+# (e.g. " skk-pwnkit: VERDICT: VULNERABLE"), so anchor on the VERDICT
+# keyword itself. `|| true` keeps pipefail+set-e from killing us on miss.
+VERDICT=$(grep -E "VERDICT:" "$LOG" | tail -1 | awk '{print $NF}' || true)
 [[ -z "$VERDICT" ]] && VERDICT="?"
 
 # Compare.
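Review bot: `grep -E "VERDICT:"` on the new `VERDICT=` line matches any log line that merely contains the token, not only the verifier's own verdict line, and `awk '{print $NF}'` then returns whatever that line's last word is, so a provisioner that echoes its commands or a build message mentioning VERDICT: can yield a bogus verdict that the later comparison treats as real. Anchoring on the keyword while still extracting the word right after it fits on one line: `VERDICT=$(grep -oE 'VERDICT: [^[:space:]]+' "$LOG" | tail -1 | awk '{print $2}' || true)`. On the new `vagrant rsync "$VM_HOSTNAME" 2>&1 | tail -5` line, note that with pipefail a failed sync aborts the script before the verifier runs, which is arguably the right outcome given the comment's stated goal, but a short comment saying the abort is intended would stop someone adding `|| true` there later.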