Unblocks the 4 previously-PIN_FAIL modules by adding a fallback path to
kernel.ubuntu.com/mainline/ for any kernel no longer in apt. Adds 4 more
matches to the verified_on table for a total of 22 modules confirmed
against real Linux VMs:
af_unix_gc ubuntu2204 + mainline 5.15.5 match
nf_tables ubuntu2204 + mainline 5.15.5 match
nft_set_uaf ubuntu2204 + mainline 5.15.5 match
stackrot ubuntu2204 + mainline 6.1.10 match
Mechanism:
tools/verify-vm/Vagrantfile — new 'pin-mainline-<X.Y.Z>' shell
provisioner. Fetches the directory index at
https://kernel.ubuntu.com/mainline/v<X.Y.Z>/amd64/, parses out the 4
canonical .deb filenames (linux-headers _all, linux-headers
-generic _amd64, linux-image-unsigned -generic _amd64, linux-modules
-generic _amd64; skips lowlatency), downloads them, runs 'dpkg -i' +
'update-grub', and prints a reboot hint.
Mainline package version like '5.15.5-051505' sorts ABOVE Ubuntu's
stock '5.15.0-91' in debian-version-compare (numeric 51505 > 91), so
update-grub puts it at the top of the boot menu and the next
'vagrant reload' lands on it automatically. uname then reports
'5.15.5-051505-generic' which our parser sees as 5.15.5 → in our
kernel_range table's vulnerable window → empirical VULNERABLE.
tools/verify-vm/verify.sh — new SKK_VM_MAINLINE_VERSION env passed to
the Vagrantfile. Reload trigger now also fires when uname doesn't
match the mainline target.
tools/verify-vm/targets.yaml — new 'mainline_version' field on the 4
PIN_FAIL targets. kernel_pkg is left empty; mainline_version drives
the fetch. Picked 5.15.5 (Nov 2021) for the 5.15-line CVEs and
6.1.10 (Feb 2023) for stackrot — both below every relevant backport.
Final sweep status (22 of 26 CVEs):
✓ MATCHES (22):
pwnkit, cgroup_release_agent, netfilter_xtcompat, fuse_legacy,
nft_fwd_dup, entrybleed, overlayfs, overlayfs_setuid,
sudoedit_editor, ptrace_traceme, sudo_samedit, af_packet,
pack2theroot, cls_route4, nft_payload, af_packet2, sequoia,
dirty_pipe, nf_tables, af_unix_gc, nft_set_uaf, stackrot
🚫 NOT VERIFIED (4 — flagged in targets.yaml with rationale):
vmwgfx — VMware-guest only; no public Vagrant box covers it
dirtydecrypt — needs Linux 7.0; not shipping as any distro kernel
fragnesia — needs Linux 7.0; same
dirty_cow — needs ≤ 4.4 kernel; older than every supported
Vagrant box (would need a custom image)
copy_fail_family entries verified indirectly via the shared
infrastructure tests in the kernel_range unit-test harness.
The 22 records are baked into core/verifications.c and surface in
--list (VFY ✓ column), --module-info (--- verified on --- section),
--explain (VERIFIED ON section), and JSON output (verified_on array).
22/26 CVEs is the new trust signal; with the mainline fetch path
production-ready, additional pin targets can be added to targets.yaml
without code changes.
leviathan
312e7d89b5
