SKELETONKEY

leviathan/SKELETONKEY

Fork 0

Commit Graph

Author	SHA1	Message	Date
leviathan	5a808e3583	modules: 4 new CVE modules — nft_set_uaf + af_unix_gc + nft_fwd_dup + nft_payload Each module: detect with branch-backport ranges + userns reach + hand-rolled trigger + msg_msg cross-cache groom + slabinfo witness + /tmp/iamroot-<name>.log breadcrumb + auditd rules + --full-chain finisher (FALLBACK depth, sentinel-arbitrated). nft_set_uaf (CVE-2023-32233, +1033): anonymous-set UAF (Sondej+Krysiuk). 5.1 → 6.4. nfnetlink batch: NEWTABLE → NEWCHAIN → NEWSET(ANON\|EVAL) → NEWRULE(lookup) → DELSET → DELRULE; cg-512 spray. af_unix_gc (CVE-2023-4622, +813): GC race UAF (Lin Ma). ~2.0 → 6.5 — widest range of any module. Two-thread race driver (SCM_RIGHTS cycle vs unix_gc trigger) + kmalloc-512 spray. No userns needed. nft_fwd_dup (CVE-2022-25636, +1024): nft_fwd_dup_netdev_offload heap OOB (Aaron Adams). 5.4 → 5.17. NFT_CHAIN_HW_OFFLOAD chain + 16 immediates + fwd to overrun action.entries[]. nft_payload (CVE-2023-0179, +1136): set-id memory corruption (Davide Ornaghi). 5.4 → 6.2. NFTA_SET_DESC variable element + NFTA_SET_ELEM_EXPRESSIONS with payload-set whose verdict.code drives the regs->data[] OOB. All 4 honor verified-vs-claimed: trigger fires, primitive grooms, no fabricated offsets. EXPLOIT_OK only via empirical setuid-bash sentinel. Build clean on Debian 6.12.86; all 4 refuse cleanly on both default and --full-chain paths via the existing patched-kernel detect gate.	2026-05-16 22:24:15 -04:00
leviathan	6a0a7d8718	scaffold: 4 new module dirs + registry/Makefile wiring (stubs) Pre-scaffolding for the next batch (CVE-2023-32233, CVE-2023-4622, CVE-2022-25636, CVE-2023-0179). Each module ships as a 21-line stub returning PRECOND_FAIL; parallel agents fill in the real detect/exploit/--full-chain implementations. This commit keeps registry.h / iamroot.c / Makefile in one place so the 4 parallel agents don't collide on shared-file edits — they each own a single iamroot_modules.c. Build clean on Debian 6.12.86; --list shows all 24 modules including the 4 new stubs.	2026-05-16 22:17:47 -04:00

Author

SHA1

Message

Date

leviathan

5a808e3583

modules: 4 new CVE modules — nft_set_uaf + af_unix_gc + nft_fwd_dup + nft_payload

Each module: detect with branch-backport ranges + userns reach +
hand-rolled trigger + msg_msg cross-cache groom + slabinfo witness
+ /tmp/iamroot-<name>.log breadcrumb + auditd rules + --full-chain
finisher (FALLBACK depth, sentinel-arbitrated).

  nft_set_uaf (CVE-2023-32233, +1033): anonymous-set UAF
                (Sondej+Krysiuk). 5.1 → 6.4. nfnetlink batch:
                NEWTABLE → NEWCHAIN → NEWSET(ANON|EVAL) →
                NEWRULE(lookup) → DELSET → DELRULE; cg-512 spray.

  af_unix_gc (CVE-2023-4622, +813): GC race UAF (Lin Ma). ~2.0 → 6.5
                — widest range of any module. Two-thread race driver
                (SCM_RIGHTS cycle vs unix_gc trigger) + kmalloc-512
                spray. No userns needed.

  nft_fwd_dup (CVE-2022-25636, +1024): nft_fwd_dup_netdev_offload
                heap OOB (Aaron Adams). 5.4 → 5.17. NFT_CHAIN_HW_OFFLOAD
                chain + 16 immediates + fwd to overrun action.entries[].

  nft_payload (CVE-2023-0179, +1136): set-id memory corruption
                (Davide Ornaghi). 5.4 → 6.2. NFTA_SET_DESC variable
                element + NFTA_SET_ELEM_EXPRESSIONS with payload-set
                whose verdict.code drives the regs->data[] OOB.

All 4 honor verified-vs-claimed: trigger fires, primitive grooms, no
fabricated offsets. EXPLOIT_OK only via empirical setuid-bash sentinel.

Build clean on Debian 6.12.86; all 4 refuse cleanly on both default
and --full-chain paths via the existing patched-kernel detect gate.

2026-05-16 22:24:15 -04:00

leviathan

6a0a7d8718

scaffold: 4 new module dirs + registry/Makefile wiring (stubs)

Pre-scaffolding for the next batch (CVE-2023-32233, CVE-2023-4622,
CVE-2022-25636, CVE-2023-0179). Each module ships as a 21-line
stub returning PRECOND_FAIL; parallel agents fill in the real
detect/exploit/--full-chain implementations.

This commit keeps registry.h / iamroot.c / Makefile in one place
so the 4 parallel agents don't collide on shared-file edits — they
each own a single iamroot_modules.c.

Build clean on Debian 6.12.86; --list shows all 24 modules
including the 4 new stubs.

2026-05-16 22:17:47 -04:00

2 Commits