Every kernel-LPE module that uses Linux-only headers (splice, posix_fadvise,
linux/netlink.h, sys/ptrace.h, etc.) now follows the same #ifdef __linux__
pattern the new modules already used: Linux body in the ifdef, stub
detect/exploit/cleanup returning SKELETONKEY_PRECOND_FAIL on non-Linux,
platform-neutral rule strings + module struct + register fn left outside.
14 modules wrapped:
dirty_pipe (already done above), af_packet, af_packet2,
cgroup_release_agent, cls_route4, dirty_cow, fuse_legacy,
netfilter_xtcompat, nf_tables, nft_fwd_dup, nft_payload,
overlayfs, overlayfs_setuid, ptrace_traceme.
Several modules previously had ad-hoc partial stubs (af_packet2 faked
SIOCSIFFLAGS/MAP_LOCKED, netfilter_xtcompat faked sysv-msg syscalls,
the nft_* modules had 3 partial __linux__ islands each, fuse_legacy /
nf_tables had inner-only ifdef blocks) — all replaced with the uniform
outer-wrap shape from dirty_pipe / dirtydecrypt / fragnesia / pack2theroot.
Where a module includes core/kernel_range.h, core/finisher.h, or
core/offsets.h, those are now inside the ifdef block as well — silences
clangd's "unused-includes" LSP warning on macOS while keeping them
present for the real Linux build.
No exploit logic, constant, struct, shellcode byte, or rule string was
modified — only include placement and ifdef markers.
Build verification:
macOS (local): make clean && make → Mach-O x86_64, 31 modules
registered, --scan reports each Linux-only module as
"Linux-only module — not applicable here".
Linux (docker gcc:latest + libglib2.0-dev): make clean && make →
ELF 64-bit, 31 modules. Exploit code paths unchanged.
The README has been claiming "each module credits the original CVE
reporter and PoC author in its NOTICE.md" since v0.1.0, but only
copy_fail_family actually shipped one. Fixed.
modules/<name>/NOTICE.md (×19 new + 1 existing): per-module
research credit covering CVE ID, discoverer, original advisory
URL where public, upstream fix commit, IAMROOT's role.
iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets
via the existing core/offsets.c four-source chain (env →
/proc/kallsyms → /boot/System.map → embedded table), then emits
a ready-to-paste C struct entry for kernel_table[]. Run once
as root on a target kernel build; upstream via PR. Eliminates
fabricating offsets — every shipped entry traces back to a
`iamroot --dump-offsets` invocation on a real kernel.
docs/OFFSETS.md: documents the --dump-offsets workflow.
CVES.md: notes the NOTICE.md convention + offset dump tool.
iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.
dirty_pipe detect: active sentinel probe (Phase 1.5-ish improvement)
- New dirty_pipe_active_probe(): creates a /tmp probe file with known
sentinel bytes, fires the Dirty Pipe primitive against it, re-reads
via the page cache, returns true if the poisoning landed.
- detect() gated on ctx->active_probe: --scan does version-only check
(fast, no side effects); --scan --active fires the empirical probe
and overrides version inference with the empirical verdict. Catches
silent distro backports that don't bump uname() version.
- Three verdicts now distinguishable:
(a) version says patched, no active probe → 'patched (version-only)'
(b) version says vulnerable, --active fires + probe lands → CONFIRMED
(c) version says vulnerable, --active fires + probe blocked → 'likely
patched via distro backport'
- Probe is safe: only /tmp, no /etc/passwd.
nf_tables CVE-2024-1086 (detect-only, new module):
- Famous Notselwyn UAF in nft_verdict_init. Affects 5.14 ≤ K, fixed
mainline 6.8 with backports landing in 5.4.269 / 5.10.210 / 5.15.149
/ 6.1.74 / 6.6.13 / 6.7.2.
- detect() checks: kernel version range, AND unprivileged user_ns clone
availability (the exploit's reachability gate — kernel-vulnerable
but userns-locked-down hosts report PRECOND_FAIL, signalling that
the kernel still needs patching but unprivileged path is closed).
- Ships auditd + sigma detection rules: unshare(CLONE_NEWUSER) chained
with setresuid(0,0,0) on a previously-non-root process is the
exploit's canonical telltale.
- Full Notselwyn-style exploit (cross-cache UAF → arbitrary R/W → cred
overwrite or modprobe_path hijack) is the next commit.
9 modules total now. CVES.md and ROADMAP.md updated.
- Implements the Dirty Pipe primitive: prepare_pipe() fills+drains a
pipe to plant the stale PIPE_BUF_FLAG_CAN_MERGE flag in every
pipe_buffer slot; dirty_pipe_write() splices 1 byte from the target
file at offset-1 (seeding the slot with the file's page) then write()s
the payload, which the buggy kernel merges back into the page cache.
- find_passwd_uid_field() + revert_passwd_page_cache() inlined in the
module. Two-of-two duplication acceptable; extraction into core/host
triggers when a third module needs the same helpers (Phase 1.5).
- dirty_pipe_exploit() resolves current euid via getpwuid, locates the
user's UID field in /etc/passwd, replaces it with same-length zeros
('0000' for a 4-digit UID), then execlp's su <user> -c /bin/sh.
Auto-refuses if detect() reports patched. --no-shell mode plants the
write and returns. Cleanup mode evicts /etc/passwd from page cache.
- _GNU_SOURCE redefine warning fixed: cmdline -D already passes it.
Verified end-to-end on kernel 6.12.86 (patched):
iamroot --scan → dirty_pipe reports OK (patched)
iamroot --exploit dirty_pipe --i-know → refuses cleanly
CI-validation against vulnerable kernel (Ubuntu 20.04 / 5.13) is Phase 4.
CVES.md: dirty_pipe 🔵 → 🟢. ROADMAP.md: Phase 2 marked complete.
- core/kernel_range.{c,h}: branch-aware patched-version comparison.
Every future module needs 'is the host kernel in the affected
range?'; centralized here. Models stable-branch backports
(e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports
VULNERABLE while a 5.15.50 host reports OK.
- modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs):
- iamroot_modules.{c,h}: dirty_pipe module exposing detect() that
parses /proc/version and compares against the four known patched
branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns
IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr
hints in human-readable scan mode.
- exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
implemented' message; landing the actual exploit needs Phase 1.5
extraction of passwd/su helpers into core/.
- detect/auditd.rules: splice() syscall + passwd/shadow file watches
- detect/sigma.yml: non-root modification of /etc/passwd|shadow|sudoers
- iamroot.c main() calls iamroot_register_dirty_pipe() alongside
the copy_fail_family registration.
- Makefile gains the dirty_pipe family as a separate object set.
Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6
modules in --list, --scan correctly reports dirty_pipe as patched,
JSON output ingest-ready.
leviathan