leviathan
1552a3bfcb
- core/kernel_range.{c,h}: branch-aware patched-version comparison.
Every future module needs 'is the host kernel in the affected
range?'; centralized here. Models stable-branch backports
(e.g. 5.10.102, 5.15.25) so a 5.15.20 host correctly reports
VULNERABLE while a 5.15.50 host reports OK.
- modules/dirty_pipe_cve_2022_0847/ (promoted out of _stubs):
- iamroot_modules.{c,h}: dirty_pipe module exposing detect() that
parses /proc/version and compares against the four known patched
branches (5.10.102, 5.15.25, 5.16.11, 5.17+ inherited). Returns
IAMROOT_OK / IAMROOT_VULNERABLE / IAMROOT_TEST_ERROR with stderr
hints in human-readable scan mode.
- exploit() returns IAMROOT_PRECOND_FAIL with a 'not yet
implemented' message; landing the actual exploit needs Phase 1.5
extraction of passwd/su helpers into core/.
- detect/auditd.rules: splice() syscall + passwd/shadow file watches
- detect/sigma.yml: non-root modification of /etc/passwd|shadow|sudoers
- iamroot.c main() calls iamroot_register_dirty_pipe() alongside
the copy_fail_family registration.
- Makefile gains the dirty_pipe family as a separate object set.
Verified end-to-end on kctf-mgr (kernel 6.12.86): build clean, 6
modules in --list, --scan correctly reports dirty_pipe as patched,
JSON output ingest-ready.
60 lines
2.0 KiB
C
60 lines
2.0 KiB
C
/*
|
|
* IAMROOT — kernel version range matching
|
|
*
|
|
* Every CVE module needs to answer "is the host kernel in the affected
|
|
* range?". This file centralizes that.
|
|
*
|
|
* The kernel version space is a tree of stable branches: 5.10.x,
|
|
* 5.15.x, 5.16.x, ..., 6.6.x, 6.12.x, etc. A CVE is typically fixed
|
|
* in mainline at some version, then backported into one or more
|
|
* stable branches at branch-specific minor versions. A host with
|
|
* 5.15.50 is patched if the fix was backported to 5.15.42, but a
|
|
* host with 5.15.10 is still vulnerable.
|
|
*
|
|
* We model this with a list of "patched-from" entries per CVE: each
|
|
* entry says "on branch X.Y, the fix is in versions >= X.Y.Z". The
|
|
* host is patched if its branch matches one of these entries AND its
|
|
* patch version is at or above the threshold.
|
|
*/
|
|
|
|
#ifndef IAMROOT_KERNEL_RANGE_H
|
|
#define IAMROOT_KERNEL_RANGE_H
|
|
|
|
#include <stdbool.h>
|
|
#include <stddef.h>
|
|
|
|
struct kernel_version {
|
|
int major;
|
|
int minor;
|
|
int patch;
|
|
/* Original /proc/version-style release string (e.g. "6.12.88-generic")
|
|
* — for reporting; the comparison logic uses the parsed numerics. */
|
|
const char *release;
|
|
};
|
|
|
|
/* Per-branch "patched-from" entry. To say "fix is in mainline 5.17",
|
|
* use {5, 17, 0}. To say "fix backported to 5.15.25", use {5, 15, 25}. */
|
|
struct kernel_patched_from {
|
|
int major;
|
|
int minor;
|
|
int patch;
|
|
};
|
|
|
|
struct kernel_range {
|
|
/* List of branches that have the fix backported. If the host's
|
|
* (major, minor) matches a branch AND host.patch >= branch.patch,
|
|
* the host is patched. */
|
|
const struct kernel_patched_from *patched_from;
|
|
size_t n_patched_from;
|
|
};
|
|
|
|
/* Parse uname(2)->release / /proc/version into a kernel_version.
|
|
* Returns true on success. Stores nothing in `out` on failure. */
|
|
bool kernel_version_current(struct kernel_version *out);
|
|
|
|
/* Returns true if a host running `v` is PATCHED according to `r`. */
|
|
bool kernel_range_is_patched(const struct kernel_range *r,
|
|
const struct kernel_version *v);
|
|
|
|
#endif /* IAMROOT_KERNEL_RANGE_H */
|