SKELETONKEY/modules/entrybleed_cve_2023_0458
leviathan b206610a8e entrybleed: active probe (--active runs reduced sweep + sanity-checks kbase)
When --active is set, detect() runs a quick KASLR sweep and verifies
the leaked address looks plausible (kernel high half, 2MiB-aligned,
nonzero). This catches CPUs / mitigations / build-time changes that
neutralize prefetchnta timing in ways the meltdown sysfs node doesn't
reflect. Same pattern as dirty_pipe's active probe.

Three verdicts now distinguishable for entrybleed:
  --scan: 'KPTI active → VULNERABLE' (version/config inference)
  --scan --active + sane kbase: 'ACTIVE PROBE CONFIRMED — leak yields
                                  plausible kbase 0x...'
  --scan --active + implausible kbase: 'leak technique not reliable
                                        here' → IAMROOT_TEST_ERROR

Verified end-to-end on kctf-mgr: --scan --active reports
'ACTIVE PROBE CONFIRMED — leak yields plausible kbase
0xffffffff8d800000' (matches the full --exploit output).
2026-05-16 20:20:41 -04:00