The kpti_enabled bool in struct skeletonkey_host flattens three
distinct sysfs states into one bit:
/sys/devices/system/cpu/vulnerabilities/meltdown content:
- 'Not affected' → CPU is Meltdown-immune; KPTI off; EntryBleed
doesn't apply (verdict: OK)
- 'Mitigation: PTI' → KPTI on (verdict: VULNERABLE)
- 'Vulnerable' → KPTI off but CPU not hardened (rare;
verdict: VULNERABLE conservatively)
- file unreadable → unknown (verdict: VULNERABLE conservatively)
kpti_enabled=true only captures 'Mitigation: PTI'; kpti_enabled=false
collapses 'Not affected', 'Vulnerable', and 'unreadable' into one
indistinguishable case. That meant entrybleed_detect() had to
re-open the sysfs file to recover the raw string.
Fix by also stashing the raw first line in
ctx->host->meltdown_mitigation[64]. kpti_enabled stays for callers
that only need the simple bool; new code that needs the nuance reads
the string. populate happens once at startup, like every other host
field.
entrybleed migration:
- reads ctx->host->meltdown_mitigation instead of opening sysfs
- removes the file-local read_first_line() helper (now dead code)
- same three-way verdict logic, but driven by a const char *
instead of a fresh fopen() each detect()
Test coverage:
- 3 new test rows on x86_64 fingerprints:
empty mitigation → VULNERABLE (conservative)
'Not affected' → OK
'Mitigation: PTI' → VULNERABLE
- 1 stub-path test row on non-x86_64 fingerprints (PRECOND_FAIL)
- registry coverage report: 30/31 modules now have direct tests
(up from 29/31; copy_fail is the only remaining untested module)
Verification:
- macOS: 33 kernel_range + 1 entrybleed-stub = 34 passes, 0 fails
- Linux (docker gcc:latest): 33 kernel_range + 54 detect = 87
passes, 0 fails. Up from 83 last commit.
The README has been claiming "each module credits the original CVE
reporter and PoC author in its NOTICE.md" since v0.1.0, but only
copy_fail_family actually shipped one. Fixed.
modules/<name>/NOTICE.md (×19 new + 1 existing): per-module
research credit covering CVE ID, discoverer, original advisory
URL where public, upstream fix commit, IAMROOT's role.
iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets
via the existing core/offsets.c four-source chain (env →
/proc/kallsyms → /boot/System.map → embedded table), then emits
a ready-to-paste C struct entry for kernel_table[]. Run once
as root on a target kernel build; upstream via PR. Eliminates
fabricating offsets — every shipped entry traces back to a
`iamroot --dump-offsets` invocation on a real kernel.
docs/OFFSETS.md: documents the --dump-offsets workflow.
CVES.md: notes the NOTICE.md convention + offset dump tool.
iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.
- modules/entrybleed_cve_2023_0458/ (promoted out of _stubs):
- iamroot_modules.{c,h}: full EntryBleed primitive (rdtsc_start/end
+ prefetchnta + KASLR-slot timing sweep) wired into the standard
iamroot_module interface. x86_64 only; ARM/other gracefully
return IAMROOT_PRECOND_FAIL.
- detect(): reads /sys/.../vulnerabilities/meltdown to decide
KPTI status. Mitigation: PTI → VULNERABLE. Not affected → OK.
- exploit(): sweeps the 16MiB KASLR range, prints leaked kbase
(and KASLR slide). JSON-mode emits {"kbase":"0x..."} to stdout.
- entrybleed_leak_kbase_lib(off) declared as a public library
helper so future LPE chains needing a stage-1 leak can just
#include the module's header and call it.
- entry_SYSCALL_64 slot offset overridable via
IAMROOT_ENTRYBLEED_OFFSET (default 0x5600000 for lts-6.12.x).
- __always_inline fallback added since glibc/Linux-kernel macro
isn't universal; module now builds clean under macOS clangd lint
and on musl.
- iamroot.c registers entrybleed alongside the other families;
Makefile gains it as a separate object set.
Verified end-to-end on kctf-mgr (Debian 6.12.86):
iamroot --exploit entrybleed --i-know
→ [+] entrybleed: leaked kbase = 0xffffffff8d800000
This is the FIRST WORKING-EXPLOIT module in IAMROOT (5
copy_fail_family modules wrap existing code from DIRTYFAIL;
dirty_pipe is detect-only). EntryBleed is x86_64 stage-1 brick
that future chains can compose.
leviathan