leviathan
312e7d89b5
Unblocks the 4 previously-PIN_FAIL modules by adding a fallback path to kernel.ubuntu.com/mainline/ for any kernel no longer in apt. Adds 4 more matches to the verified_on table for a total of 22 modules confirmed against real Linux VMs: af_unix_gc ubuntu2204 + mainline 5.15.5 match nf_tables ubuntu2204 + mainline 5.15.5 match nft_set_uaf ubuntu2204 + mainline 5.15.5 match stackrot ubuntu2204 + mainline 6.1.10 match Mechanism: tools/verify-vm/Vagrantfile — new 'pin-mainline-<X.Y.Z>' shell provisioner. Fetches the directory index at https://kernel.ubuntu.com/mainline/v<X.Y.Z>/amd64/, parses out the 4 canonical .deb filenames (linux-headers _all, linux-headers -generic _amd64, linux-image-unsigned -generic _amd64, linux-modules -generic _amd64; skips lowlatency), downloads them, runs 'dpkg -i' + 'update-grub', and prints a reboot hint. Mainline package version like '5.15.5-051505' sorts ABOVE Ubuntu's stock '5.15.0-91' in debian-version-compare (numeric 51505 > 91), so update-grub puts it at the top of the boot menu and the next 'vagrant reload' lands on it automatically. uname then reports '5.15.5-051505-generic' which our parser sees as 5.15.5 → in our kernel_range table's vulnerable window → empirical VULNERABLE. tools/verify-vm/verify.sh — new SKK_VM_MAINLINE_VERSION env passed to the Vagrantfile. Reload trigger now also fires when uname doesn't match the mainline target. tools/verify-vm/targets.yaml — new 'mainline_version' field on the 4 PIN_FAIL targets. kernel_pkg is left empty; mainline_version drives the fetch. Picked 5.15.5 (Nov 2021) for the 5.15-line CVEs and 6.1.10 (Feb 2023) for stackrot — both below every relevant backport. Final sweep status (22 of 26 CVEs): ✓ MATCHES (22): pwnkit, cgroup_release_agent, netfilter_xtcompat, fuse_legacy, nft_fwd_dup, entrybleed, overlayfs, overlayfs_setuid, sudoedit_editor, ptrace_traceme, sudo_samedit, af_packet, pack2theroot, cls_route4, nft_payload, af_packet2, sequoia, dirty_pipe, nf_tables, af_unix_gc, nft_set_uaf, stackrot 🚫 NOT VERIFIED (4 — flagged in targets.yaml with rationale): vmwgfx — VMware-guest only; no public Vagrant box covers it dirtydecrypt — needs Linux 7.0; not shipping as any distro kernel fragnesia — needs Linux 7.0; same dirty_cow — needs ≤ 4.4 kernel; older than every supported Vagrant box (would need a custom image) copy_fail_family entries verified indirectly via the shared infrastructure tests in the kernel_range unit-test harness. The 22 records are baked into core/verifications.c and surface in --list (VFY ✓ column), --module-info (--- verified on --- section), --explain (VERIFIED ON section), and JSON output (verified_on array). 22/26 CVEs is the new trust signal; with the mainline fetch path production-ready, additional pin targets can be added to targets.yaml without code changes.
216 lines
8.6 KiB
Bash
Executable File
216 lines
8.6 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
# tools/verify-vm/verify.sh — verify ONE module in the right pre-built VM.
|
|
#
|
|
# Usage:
|
|
# verify.sh <module> # provision, run --explain --active, suspend VM
|
|
# verify.sh <module> --keep # keep VM running after for inspection
|
|
# verify.sh <module> --destroy # destroy VM after (full reset; slow next run)
|
|
# verify.sh --list # show every module + the box it's mapped to
|
|
#
|
|
# What it does:
|
|
# 1. Reads tools/verify-vm/targets.yaml: <module> -> (box, kernel_pkg, kver,
|
|
# expect_detect).
|
|
# 2. Sets SKK_VM_* env vars + spins up the right Vagrant VM.
|
|
# 3. If a kernel pin is needed, installs it + reboots the VM.
|
|
# 4. Runs `skeletonkey --explain <module> --active` inside the VM via
|
|
# `vagrant provision --provision-with build-and-verify`.
|
|
# 5. Captures stdout, parses the VERDICT line, compares against expect_detect.
|
|
# 6. Emits a JSON verification record on stdout (timestamped) suitable for
|
|
# piping into the per-module verified-on table (separate follow-up).
|
|
#
|
|
# Requirements:
|
|
# - tools/verify-vm/setup.sh has been run successfully (Vagrant +
|
|
# vagrant-parallels + boxes cached).
|
|
# - Module name matches a key in targets.yaml.
|
|
|
|
set -euo pipefail
|
|
|
|
REPO_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
|
|
VM_DIR="$REPO_ROOT/tools/verify-vm"
|
|
TARGETS="$VM_DIR/targets.yaml"
|
|
LOG_DIR="$VM_DIR/logs"
|
|
mkdir -p "$LOG_DIR"
|
|
|
|
# Minimal YAML field reader for targets.yaml's flat 2-level structure.
|
|
# Usage: yget <module> <field>
|
|
# yget af_packet box -> "ubuntu1804"
|
|
# Strips surrounding quotes and trailing whitespace; empty fields -> "".
|
|
yget() {
|
|
local module="$1"
|
|
local field="$2"
|
|
awk -v m="${module}:" -v f=" ${field}:" '
|
|
$0 ~ "^"m"[[:space:]]*$" { inmod=1; next }
|
|
inmod && /^[a-zA-Z]/ { inmod=0 } # next top-level key
|
|
inmod && $0 ~ "^"f {
|
|
sub("^[^:]+:[[:space:]]*", "")
|
|
sub("[[:space:]]+#.*$", "") # trim trailing comment
|
|
sub("^\"", ""); sub("\"$", "")
|
|
print; exit
|
|
}
|
|
' "$TARGETS"
|
|
}
|
|
|
|
# ── arg parsing ───────────────────────────────────────────────────────────
|
|
KEEP=0; DESTROY=0; LIST=0; MODULE=""
|
|
while [[ $# -gt 0 ]]; do
|
|
case "$1" in
|
|
--keep) KEEP=1 ;;
|
|
--destroy) DESTROY=1 ;;
|
|
--list) LIST=1 ;;
|
|
-h|--help)
|
|
sed -n '1,30p' "$0"; exit 0 ;;
|
|
--*)
|
|
echo "[-] unknown flag: $1" >&2; exit 2 ;;
|
|
*)
|
|
MODULE="$1" ;;
|
|
esac
|
|
shift
|
|
done
|
|
|
|
# ── --list mode ───────────────────────────────────────────────────────────
|
|
if [[ $LIST -eq 1 ]]; then
|
|
printf "%-22s %-14s %-18s %-14s %s\n" "MODULE" "BOX" "KERNEL" "EXPECT" "NOTES"
|
|
printf "%-22s %-14s %-18s %-14s %s\n" "------" "---" "------" "------" "-----"
|
|
# Iterate top-level keys (lines starting in column 0 with `something:`).
|
|
awk '/^[a-z_][a-zA-Z0-9_]*:[[:space:]]*$/ { sub(":", ""); print }' "$TARGETS" | \
|
|
while read -r mod; do
|
|
box=$(yget "$mod" box)
|
|
kv=$(yget "$mod" kernel_version)
|
|
exp=$(yget "$mod" expect_detect)
|
|
notes=$(yget "$mod" notes | head -c 60)
|
|
[[ -z "$box" ]] && box="(manual)"
|
|
[[ -z "$kv" ]] && kv="stock"
|
|
[[ -z "$exp" ]] && exp="?"
|
|
printf "%-22s %-14s %-18s %-14s %s\n" "$mod" "$box" "$kv" "$exp" "$notes"
|
|
done
|
|
exit 0
|
|
fi
|
|
|
|
if [[ -z "$MODULE" ]]; then
|
|
echo "[-] usage: verify.sh <module> [--keep|--destroy]"
|
|
echo " verify.sh --list # show all targets"
|
|
exit 2
|
|
fi
|
|
|
|
# ── load target ───────────────────────────────────────────────────────────
|
|
BOX=$(yget "$MODULE" box)
|
|
KERNEL_PKG=$(yget "$MODULE" kernel_pkg)
|
|
MAINLINE=$(yget "$MODULE" mainline_version)
|
|
KERNEL_VER=$(yget "$MODULE" kernel_version)
|
|
EXPECT=$(yget "$MODULE" expect_detect)
|
|
MANUAL=$(yget "$MODULE" manual)
|
|
NOTES=$(yget "$MODULE" notes)
|
|
|
|
if ! grep -q "^${MODULE}:" "$TARGETS"; then
|
|
echo "[-] module not in targets.yaml: $MODULE" >&2
|
|
exit 3
|
|
fi
|
|
if [[ "$MANUAL" == "true" || -z "$BOX" ]]; then
|
|
echo "[-] $MODULE is marked manual: true (${NOTES:0:80})" >&2
|
|
exit 4
|
|
fi
|
|
BOX="generic/$BOX"
|
|
VM_HOSTNAME="skk-${MODULE}"
|
|
SHORT_NOTES="${NOTES:0:80}"
|
|
|
|
# ── kick off provisioning ─────────────────────────────────────────────────
|
|
echo
|
|
echo "════════════════════════════════════════════════════"
|
|
echo " SKELETONKEY VM verifier: $MODULE"
|
|
echo "════════════════════════════════════════════════════"
|
|
echo " box: $BOX"
|
|
echo " kernel: ${KERNEL_PKG:-(stock)} → $KERNEL_VER"
|
|
echo " expect: $EXPECT"
|
|
echo " notes: $SHORT_NOTES"
|
|
echo
|
|
|
|
cd "$VM_DIR"
|
|
export SKK_VM_BOX="$BOX"
|
|
export SKK_VM_KERNEL_PKG="$KERNEL_PKG"
|
|
export SKK_VM_MAINLINE_VERSION="$MAINLINE"
|
|
export SKK_VM_KERNEL_VERSION="$KERNEL_VER"
|
|
export SKK_VM_HOSTNAME="$VM_HOSTNAME"
|
|
export SKK_MODULE="$MODULE"
|
|
export VAGRANT_VAGRANTFILE="$VM_DIR/Vagrantfile"
|
|
|
|
# Spin up if not running.
|
|
if ! vagrant status "$VM_HOSTNAME" 2>&1 | grep -q "running"; then
|
|
echo "[*] vagrant up..."
|
|
vagrant up "$VM_HOSTNAME" --provider=parallels
|
|
fi
|
|
|
|
# Reboot if any kernel pin was applied (uname -r != target).
|
|
if [[ -n "$KERNEL_PKG" || -n "$MAINLINE" ]]; then
|
|
current_kver=$(vagrant ssh "$VM_HOSTNAME" -c "uname -r" 2>/dev/null | tr -d '\r')
|
|
target_match="$KERNEL_VER"
|
|
[[ -n "$MAINLINE" ]] && target_match="$MAINLINE"
|
|
if [[ "$current_kver" != *"$target_match"* ]]; then
|
|
echo "[*] current kernel $current_kver != target $target_match; rebooting..."
|
|
vagrant reload "$VM_HOSTNAME"
|
|
sleep 5
|
|
fi
|
|
fi
|
|
|
|
# Run the explain probe.
|
|
LOG="$LOG_DIR/verify-${MODULE}-$(date +%Y%m%d-%H%M%S).log"
|
|
|
|
# Force rsync the source tree in. vagrant up runs rsync automatically on
|
|
# first up but NOT on a resume/already-running VM, so we always rsync here
|
|
# to guarantee /vagrant/ inside the guest matches the host's source tree.
|
|
echo "[*] syncing source into VM..."
|
|
vagrant rsync "$VM_HOSTNAME" 2>&1 | tail -5
|
|
|
|
echo "[*] running verifier..."
|
|
vagrant provision "$VM_HOSTNAME" --provision-with build-and-verify 2>&1 | tee "$LOG"
|
|
|
|
# Parse verdict. Vagrant prefixes provisioner output with the VM name
|
|
# (e.g. " skk-pwnkit: VERDICT: VULNERABLE"), so anchor on the VERDICT
|
|
# keyword itself. `|| true` keeps pipefail+set-e from killing us on miss.
|
|
VERDICT=$(grep -E "VERDICT:" "$LOG" | tail -1 | awk '{print $NF}' || true)
|
|
[[ -z "$VERDICT" ]] && VERDICT="?"
|
|
|
|
# Compare.
|
|
if [[ "$VERDICT" == "$EXPECT" ]]; then
|
|
STATUS=match
|
|
else
|
|
STATUS=MISMATCH
|
|
fi
|
|
|
|
# Verification record (JSON).
|
|
NOW=$(date -u +%Y-%m-%dT%H:%M:%SZ)
|
|
HOST_KVER=$(vagrant ssh "$VM_HOSTNAME" -c "uname -r" 2>/dev/null | tr -d '\r')
|
|
HOST_DISTRO=$(vagrant ssh "$VM_HOSTNAME" -c \
|
|
"(. /etc/os-release && echo \"\$PRETTY_NAME\")" 2>/dev/null | tr -d '\r')
|
|
|
|
echo
|
|
echo "════════════════════════════════════════════════════"
|
|
echo " Verification record"
|
|
echo "════════════════════════════════════════════════════"
|
|
RECORD=$(cat <<JSON
|
|
{"module":"$MODULE","verified_at":"$NOW","host_kernel":"$HOST_KVER","host_distro":"$HOST_DISTRO","vm_box":"$BOX","expect_detect":"$EXPECT","actual_detect":"$VERDICT","status":"$STATUS"}
|
|
JSON
|
|
)
|
|
printf '%s\n' "$RECORD" | python3 -m json.tool 2>/dev/null || printf '%s\n' "$RECORD"
|
|
|
|
# Append to the permanent JSONL store (one record per line, dedup happens
|
|
# at refresh time in tools/refresh-verifications.py).
|
|
echo "$RECORD" >> "$REPO_ROOT/docs/VERIFICATIONS.jsonl"
|
|
echo
|
|
echo "[i] appended to docs/VERIFICATIONS.jsonl"
|
|
echo "[i] run 'tools/refresh-verifications.py' to regenerate core/verifications.c"
|
|
echo
|
|
|
|
# Lifecycle.
|
|
if [[ $DESTROY -eq 1 ]]; then
|
|
echo "[*] --destroy: tearing down VM..."
|
|
vagrant destroy -f "$VM_HOSTNAME"
|
|
elif [[ $KEEP -eq 1 ]]; then
|
|
echo "[i] --keep: VM left running. Reconnect with:"
|
|
echo " cd tools/verify-vm && vagrant ssh $VM_HOSTNAME"
|
|
else
|
|
echo "[*] suspending VM (resume next time)..."
|
|
vagrant suspend "$VM_HOSTNAME"
|
|
fi
|
|
|
|
[[ "$STATUS" == "match" ]] && exit 0 || exit 5
|