SKELETONKEY

leviathan/SKELETONKEY

Fork 0

Commit Graph

Author	SHA1	Message	Date
leviathan	9d88b475c1	v0.3.1: --dump-offsets tool + NOTICE.md per module release / build (arm64) (push) Waiting to run Details release / build (x86_64) (push) Waiting to run Details release / release (push) Blocked by required conditions Details The README has been claiming "each module credits the original CVE reporter and PoC author in its NOTICE.md" since v0.1.0, but only copy_fail_family actually shipped one. Fixed. modules/<name>/NOTICE.md (×19 new + 1 existing): per-module research credit covering CVE ID, discoverer, original advisory URL where public, upstream fix commit, IAMROOT's role. iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets via the existing core/offsets.c four-source chain (env → /proc/kallsyms → /boot/System.map → embedded table), then emits a ready-to-paste C struct entry for kernel_table[]. Run once as root on a target kernel build; upstream via PR. Eliminates fabricating offsets — every shipped entry traces back to a `iamroot --dump-offsets` invocation on a real kernel. docs/OFFSETS.md: documents the --dump-offsets workflow. CVES.md: notes the NOTICE.md convention + offset dump tool. iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.	2026-05-16 22:33:43 -04:00
leviathan	5a808e3583	modules: 4 new CVE modules — nft_set_uaf + af_unix_gc + nft_fwd_dup + nft_payload Each module: detect with branch-backport ranges + userns reach + hand-rolled trigger + msg_msg cross-cache groom + slabinfo witness + /tmp/iamroot-<name>.log breadcrumb + auditd rules + --full-chain finisher (FALLBACK depth, sentinel-arbitrated). nft_set_uaf (CVE-2023-32233, +1033): anonymous-set UAF (Sondej+Krysiuk). 5.1 → 6.4. nfnetlink batch: NEWTABLE → NEWCHAIN → NEWSET(ANON\|EVAL) → NEWRULE(lookup) → DELSET → DELRULE; cg-512 spray. af_unix_gc (CVE-2023-4622, +813): GC race UAF (Lin Ma). ~2.0 → 6.5 — widest range of any module. Two-thread race driver (SCM_RIGHTS cycle vs unix_gc trigger) + kmalloc-512 spray. No userns needed. nft_fwd_dup (CVE-2022-25636, +1024): nft_fwd_dup_netdev_offload heap OOB (Aaron Adams). 5.4 → 5.17. NFT_CHAIN_HW_OFFLOAD chain + 16 immediates + fwd to overrun action.entries[]. nft_payload (CVE-2023-0179, +1136): set-id memory corruption (Davide Ornaghi). 5.4 → 6.2. NFTA_SET_DESC variable element + NFTA_SET_ELEM_EXPRESSIONS with payload-set whose verdict.code drives the regs->data[] OOB. All 4 honor verified-vs-claimed: trigger fires, primitive grooms, no fabricated offsets. EXPLOIT_OK only via empirical setuid-bash sentinel. Build clean on Debian 6.12.86; all 4 refuse cleanly on both default and --full-chain paths via the existing patched-kernel detect gate.	2026-05-16 22:24:15 -04:00
leviathan	6a0a7d8718	scaffold: 4 new module dirs + registry/Makefile wiring (stubs) Pre-scaffolding for the next batch (CVE-2023-32233, CVE-2023-4622, CVE-2022-25636, CVE-2023-0179). Each module ships as a 21-line stub returning PRECOND_FAIL; parallel agents fill in the real detect/exploit/--full-chain implementations. This commit keeps registry.h / iamroot.c / Makefile in one place so the 4 parallel agents don't collide on shared-file edits — they each own a single iamroot_modules.c. Build clean on Debian 6.12.86; --list shows all 24 modules including the 4 new stubs.	2026-05-16 22:17:47 -04:00

Author

SHA1

Message

Date

leviathan

9d88b475c1

v0.3.1: --dump-offsets tool + NOTICE.md per module

release / build (arm64) (push) Waiting to run

Details

release / build (x86_64) (push) Waiting to run

Details

release / release (push) Blocked by required conditions

Details

The README has been claiming "each module credits the original CVE
reporter and PoC author in its NOTICE.md" since v0.1.0, but only
copy_fail_family actually shipped one. Fixed.

  modules/<name>/NOTICE.md (×19 new + 1 existing): per-module
    research credit covering CVE ID, discoverer, original advisory
    URL where public, upstream fix commit, IAMROOT's role.

  iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets
    via the existing core/offsets.c four-source chain (env →
    /proc/kallsyms → /boot/System.map → embedded table), then emits
    a ready-to-paste C struct entry for kernel_table[]. Run once
    as root on a target kernel build; upstream via PR. Eliminates
    fabricating offsets — every shipped entry traces back to a
    `iamroot --dump-offsets` invocation on a real kernel.

  docs/OFFSETS.md: documents the --dump-offsets workflow.
  CVES.md: notes the NOTICE.md convention + offset dump tool.

  iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.

2026-05-16 22:33:43 -04:00

leviathan

5a808e3583

modules: 4 new CVE modules — nft_set_uaf + af_unix_gc + nft_fwd_dup + nft_payload

Each module: detect with branch-backport ranges + userns reach +
hand-rolled trigger + msg_msg cross-cache groom + slabinfo witness
+ /tmp/iamroot-<name>.log breadcrumb + auditd rules + --full-chain
finisher (FALLBACK depth, sentinel-arbitrated).

  nft_set_uaf (CVE-2023-32233, +1033): anonymous-set UAF
                (Sondej+Krysiuk). 5.1 → 6.4. nfnetlink batch:
                NEWTABLE → NEWCHAIN → NEWSET(ANON|EVAL) →
                NEWRULE(lookup) → DELSET → DELRULE; cg-512 spray.

  af_unix_gc (CVE-2023-4622, +813): GC race UAF (Lin Ma). ~2.0 → 6.5
                — widest range of any module. Two-thread race driver
                (SCM_RIGHTS cycle vs unix_gc trigger) + kmalloc-512
                spray. No userns needed.

  nft_fwd_dup (CVE-2022-25636, +1024): nft_fwd_dup_netdev_offload
                heap OOB (Aaron Adams). 5.4 → 5.17. NFT_CHAIN_HW_OFFLOAD
                chain + 16 immediates + fwd to overrun action.entries[].

  nft_payload (CVE-2023-0179, +1136): set-id memory corruption
                (Davide Ornaghi). 5.4 → 6.2. NFTA_SET_DESC variable
                element + NFTA_SET_ELEM_EXPRESSIONS with payload-set
                whose verdict.code drives the regs->data[] OOB.

All 4 honor verified-vs-claimed: trigger fires, primitive grooms, no
fabricated offsets. EXPLOIT_OK only via empirical setuid-bash sentinel.

Build clean on Debian 6.12.86; all 4 refuse cleanly on both default
and --full-chain paths via the existing patched-kernel detect gate.

2026-05-16 22:24:15 -04:00

leviathan

6a0a7d8718

scaffold: 4 new module dirs + registry/Makefile wiring (stubs)

Pre-scaffolding for the next batch (CVE-2023-32233, CVE-2023-4622,
CVE-2022-25636, CVE-2023-0179). Each module ships as a 21-line
stub returning PRECOND_FAIL; parallel agents fill in the real
detect/exploit/--full-chain implementations.

This commit keeps registry.h / iamroot.c / Makefile in one place
so the 4 parallel agents don't collide on shared-file edits — they
each own a single iamroot_modules.c.

Build clean on Debian 6.12.86; --list shows all 24 modules
including the 4 new stubs.

2026-05-16 22:17:47 -04:00

3 Commits