leviathan
1552a3bfcb
- core/kernel_range.{c,h}: branch-aware patched-version comparison.
Every future module needs 'is the host kernel in the affected
range?'; centralized here. Models stable-branch backports
(e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports
VULNERABLE while a 5.15.50 host reports OK.
- modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs):
- iamroot_modules.{c,h}: dirty_pipe module exposing detect() that
parses /proc/version and compares against the four known patched
branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns
IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr
hints in human-readable scan mode.
- exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
implemented' message; landing the actual exploit needs Phase 1.5
extraction of passwd/su helpers into core/.
- detect/auditd.rules: splice() syscall + passwd/shadow file watches
- detect/sigma.yml: non-root modification of /etc/passwd|shadow|sudoers
- iamroot.c main() calls iamroot_register_dirty_pipe() alongside
the copy_fail_family registration.
- Makefile gains the dirty_pipe family as a separate object set.
Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6
modules in --list, --scan correctly reports dirty_pipe as patched,
JSON output ingest-ready.
72 lines
2.5 KiB
C
72 lines
2.5 KiB
C
/*
|
|
* IAMROOT — kernel_range implementation
|
|
*/
|
|
|
|
#include "kernel_range.h"
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
#include <sys/utsname.h>
|
|
|
|
static char g_release_buf[128];
|
|
|
|
bool kernel_version_current(struct kernel_version *out)
|
|
{
|
|
if (out == NULL) return false;
|
|
|
|
struct utsname u;
|
|
if (uname(&u) < 0) return false;
|
|
|
|
/* Stash release string for callers that want to print it. We hold
|
|
* a single static buffer; not threadsafe but iamroot is single-
|
|
* threaded today. */
|
|
snprintf(g_release_buf, sizeof(g_release_buf), "%s", u.release);
|
|
out->release = g_release_buf;
|
|
|
|
out->major = 0; out->minor = 0; out->patch = 0;
|
|
if (sscanf(u.release, "%d.%d.%d", &out->major, &out->minor, &out->patch) < 2)
|
|
return false;
|
|
return true;
|
|
}
|
|
|
|
bool kernel_range_is_patched(const struct kernel_range *r,
|
|
const struct kernel_version *v)
|
|
{
|
|
if (r == NULL || v == NULL) return false;
|
|
|
|
/* If the host's (major, minor) matches an entry AND its patch
|
|
* level is at or above the entry's patch, host is patched. */
|
|
for (size_t i = 0; i < r->n_patched_from; i++) {
|
|
const struct kernel_patched_from *pf = &r->patched_from[i];
|
|
if (v->major == pf->major && v->minor == pf->minor) {
|
|
return v->patch >= pf->patch;
|
|
}
|
|
}
|
|
|
|
/* If the host's (major, minor) is GREATER than every entry's
|
|
* (major, minor), it's on a newer branch that has the fix
|
|
* inherited from mainline — patched. */
|
|
for (size_t i = 0; i < r->n_patched_from; i++) {
|
|
const struct kernel_patched_from *pf = &r->patched_from[i];
|
|
/* host strictly newer than this entry's branch */
|
|
if (v->major > pf->major ||
|
|
(v->major == pf->major && v->minor > pf->minor)) {
|
|
/* keep checking — we want to be patched on ALL applicable
|
|
* branches; if any entry is on the host's branch, that's
|
|
* handled above. If we get here for every entry, host
|
|
* is on a branch strictly newer than each — meaning the
|
|
* mainline fix flowed in. */
|
|
continue;
|
|
} else {
|
|
/* host is on a branch strictly older than this entry —
|
|
* not patched via this entry, and no exact-branch match
|
|
* applied above either → vulnerable. */
|
|
return false;
|
|
}
|
|
}
|
|
/* All entries are on branches at or below the host's — host has
|
|
* the fix inherited via mainline progression. */
|
|
return true;
|
|
}
|