leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
Files
264759832a66fe438df4e198bbc2e0144f642731
SKELETONKEY/modules/nft_fwd_dup_cve_2022_25636
T
History
leviathan f792a3c4a6 verify-vm: close the loop — first successful end-to-end VM verification 
Five fixes that landed us at a working 'verify.sh <module> -> JSON
verification record' loop. Tested with pwnkit on
generic/ubuntu2004 / Ubuntu 20.04.6 LTS / 5.4.0-169-generic.

1. core/nft_compat.h — shim header that conditionally defines newer-
   kernel nft uapi constants that aren't in older distro headers:
     NFT_CHAIN_HW_OFFLOAD     kernel 5.5
     NFT_CHAIN_BINDING        kernel 5.9
     NFTA_VERDICT_CHAIN_ID    kernel 5.14
     NFTA_SET_DESC_CONCAT     kernel 5.6
     NFTA_SET_EXPR            kernel 5.12
     NFTA_SET_EXPRESSIONS     kernel 5.16
     NFTA_SET_ELEM_KEY_END    kernel 5.6
     NFTA_SET_ELEM_EXPRESSIONS kernel 5.16
   Numeric values are stable kernel ABI; the target vulnerable kernel
   understands them at runtime regardless of the build host's headers.
   Without this, nf_tables / nft_fwd_dup / nft_payload / nft_set_uaf
   modules fail to compile on Ubuntu 20.04's libc-dev (5.4 uapi).

2. modules/{nf_tables, nft_fwd_dup, nft_payload, nft_set_uaf}/
   skeletonkey_modules.c — each #includes the new compat shim after
   <linux/netfilter/nf_tables.h>.

3. tools/verify-vm/Vagrantfile — wrap config in 'c.vm.define host do
   |m| ... end' block so 'vagrant up <skk-MODULE>' finds the machine.
   (Earlier without define block, vagrant always treated the Vagrantfile
   as a single anonymous machine.) Also disable Parallels Tools auto-
   install — it fails on Ubuntu 20.04's 5.4 kernel ('current Linux
   kernel version is outdated and not supported by latest tools'); we
   use rsync sync_folder over plain SSH which doesn't need the tools.

4. tools/verify-vm/verify.sh — explicit 'vagrant rsync' before
   'vagrant provision build-and-verify' so the source tree gets synced
   even on already-running VMs (vagrant up runs rsync automatically;
   vagrant provision does not).

5. tools/verify-vm/verify.sh — fix verdict parser. Vagrant prefixes
   provisioner stdout with the VM name ('    skk-pwnkit: VERDICT:
   VULNERABLE'), so the previous '^VERDICT: ' regex never matched.
   New grep allows the prefix; added '|| true' so a grep miss doesn't
   trigger set-e+pipefail and silently exit the script before the JSON
   verification record gets emitted.

First successful verification record:
  {
    "module": "pwnkit",
    "verified_at": "2026-05-23T19:26:02Z",
    "host_kernel": "5.4.0-169-generic",
    "host_distro": "Ubuntu 20.04.6 LTS",
    "vm_box": "generic/ubuntu2004",
    "expect_detect": "VULNERABLE",
    "actual_detect": "VULNERABLE",
    "status": "match"
  }

SKELETONKEY correctly identifies polkit 0.105 on Ubuntu 20.04 as
vulnerable to CVE-2021-4034. The verifier pipeline is now ready for
sweep across the rest of the corpus.
2026-05-23 15:26:51 -04:00
..
NOTICE.md
rename: IAMROOT → SKELETONKEY across the entire project
2026-05-16 22:43:49 -04:00
skeletonkey_modules.c
verify-vm: close the loop — first successful end-to-end VM verification
2026-05-23 15:26:51 -04:00
skeletonkey_modules.h
rename: IAMROOT → SKELETONKEY across the entire project
2026-05-16 22:43:49 -04:00