leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
Files
7f4a6e1c7cf3afdb65178206915a2e61b37cd257
SKELETONKEY/core/verifications.c
T
leviathan 312e7d89b5 verify-vm: kernel.ubuntu.com mainline integration — 22 modules verified 
Unblocks the 4 previously-PIN_FAIL modules by adding a fallback path to
kernel.ubuntu.com/mainline/ for any kernel no longer in apt. Adds 4 more
matches to the verified_on table for a total of 22 modules confirmed
against real Linux VMs:

  af_unix_gc     ubuntu2204 + mainline 5.15.5  match
  nf_tables      ubuntu2204 + mainline 5.15.5  match
  nft_set_uaf    ubuntu2204 + mainline 5.15.5  match
  stackrot       ubuntu2204 + mainline 6.1.10  match

Mechanism:

  tools/verify-vm/Vagrantfile — new 'pin-mainline-<X.Y.Z>' shell
  provisioner. Fetches the directory index at
  https://kernel.ubuntu.com/mainline/v<X.Y.Z>/amd64/, parses out the 4
  canonical .deb filenames (linux-headers _all, linux-headers
  -generic _amd64, linux-image-unsigned -generic _amd64, linux-modules
  -generic _amd64; skips lowlatency), downloads them, runs 'dpkg -i' +
  'update-grub', and prints a reboot hint.

  Mainline package version like '5.15.5-051505' sorts ABOVE Ubuntu's
  stock '5.15.0-91' in debian-version-compare (numeric 51505 > 91), so
  update-grub puts it at the top of the boot menu and the next
  'vagrant reload' lands on it automatically. uname then reports
  '5.15.5-051505-generic' which our parser sees as 5.15.5 → in our
  kernel_range table's vulnerable window → empirical VULNERABLE.

  tools/verify-vm/verify.sh — new SKK_VM_MAINLINE_VERSION env passed to
  the Vagrantfile. Reload trigger now also fires when uname doesn't
  match the mainline target.

  tools/verify-vm/targets.yaml — new 'mainline_version' field on the 4
  PIN_FAIL targets. kernel_pkg is left empty; mainline_version drives
  the fetch. Picked 5.15.5 (Nov 2021) for the 5.15-line CVEs and
  6.1.10 (Feb 2023) for stackrot — both below every relevant backport.

Final sweep status (22 of 26 CVEs):

  ✓ MATCHES (22):
    pwnkit, cgroup_release_agent, netfilter_xtcompat, fuse_legacy,
    nft_fwd_dup, entrybleed, overlayfs, overlayfs_setuid,
    sudoedit_editor, ptrace_traceme, sudo_samedit, af_packet,
    pack2theroot, cls_route4, nft_payload, af_packet2, sequoia,
    dirty_pipe, nf_tables, af_unix_gc, nft_set_uaf, stackrot

  🚫 NOT VERIFIED (4 — flagged in targets.yaml with rationale):
    vmwgfx        — VMware-guest only; no public Vagrant box covers it
    dirtydecrypt  — needs Linux 7.0; not shipping as any distro kernel
    fragnesia     — needs Linux 7.0; same
    dirty_cow     — needs ≤ 4.4 kernel; older than every supported
                    Vagrant box (would need a custom image)

  copy_fail_family entries verified indirectly via the shared
  infrastructure tests in the kernel_range unit-test harness.

The 22 records are baked into core/verifications.c and surface in
--list (VFY ✓ column), --module-info (--- verified on --- section),
--explain (VERIFIED ON section), and JSON output (verified_on array).
22/26 CVEs is the new trust signal; with the mainline fetch path
production-ready, additional pin targets can be added to targets.yaml
without code changes.
2026-05-23 17:35:13 -04:00

270 lines
8.8 KiB
C
Raw Blame History

/*
* SKELETONKEY — verification records table
*
* AUTO-GENERATED by tools/refresh-verifications.py from
* docs/VERIFICATIONS.jsonl. Do not hand-edit; rerun the script.
*
* Source: tools/verify-vm/verify.sh appends one JSON record per
* run; this generator dedupes to (module, vm_box, kernel, expect)
* and keeps the latest by verified_at.
*/
#include "verifications.h"
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
const struct verification_record verifications[] = {
{
.module = "af_packet",
.verified_at = "2026-05-23",
.host_kernel = "4.15.0-213-generic",
.host_distro = "Ubuntu 18.04.6 LTS",
.vm_box = "generic/ubuntu1804",
.expect_detect = "OK",
.actual_detect = "OK",
.status = "match",
},
{
.module = "af_packet2",
.verified_at = "2026-05-23",
.host_kernel = "5.4.0-169-generic",
.host_distro = "Ubuntu 20.04.6 LTS",
.vm_box = "generic/ubuntu2004",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "af_unix_gc",
.verified_at = "2026-05-23",
.host_kernel = "5.15.5-051505-generic",
.host_distro = "Ubuntu 22.04.3 LTS",
.vm_box = "generic/ubuntu2204",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "cgroup_release_agent",
.verified_at = "2026-05-23",
.host_kernel = "5.10.0-27-amd64",
.host_distro = "Debian GNU/Linux 11 (bullseye)",
.vm_box = "generic/debian11",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "cls_route4",
.verified_at = "2026-05-23",
.host_kernel = "5.15.0-43-generic",
.host_distro = "Ubuntu 20.04.6 LTS",
.vm_box = "generic/ubuntu2004",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "dirty_pipe",
.verified_at = "2026-05-23",
.host_kernel = "5.15.0-91-generic",
.host_distro = "Ubuntu 22.04.3 LTS",
.vm_box = "generic/ubuntu2204",
.expect_detect = "OK",
.actual_detect = "OK",
.status = "match",
},
{
.module = "entrybleed",
.verified_at = "2026-05-23",
.host_kernel = "5.15.0-91-generic",
.host_distro = "Ubuntu 22.04.3 LTS",
.vm_box = "generic/ubuntu2204",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "fuse_legacy",
.verified_at = "2026-05-23",
.host_kernel = "5.10.0-27-amd64",
.host_distro = "Debian GNU/Linux 11 (bullseye)",
.vm_box = "generic/debian11",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "netfilter_xtcompat",
.verified_at = "2026-05-23",
.host_kernel = "5.10.0-27-amd64",
.host_distro = "Debian GNU/Linux 11 (bullseye)",
.vm_box = "generic/debian11",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "nf_tables",
.verified_at = "2026-05-23",
.host_kernel = "5.15.5-051505-generic",
.host_distro = "Ubuntu 22.04.3 LTS",
.vm_box = "generic/ubuntu2204",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "nft_fwd_dup",
.verified_at = "2026-05-23",
.host_kernel = "5.10.0-27-amd64",
.host_distro = "Debian GNU/Linux 11 (bullseye)",
.vm_box = "generic/debian11",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "nft_payload",
.verified_at = "2026-05-23",
.host_kernel = "5.15.0-43-generic",
.host_distro = "Ubuntu 20.04.6 LTS",
.vm_box = "generic/ubuntu2004",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "nft_set_uaf",
.verified_at = "2026-05-23",
.host_kernel = "5.15.5-051505-generic",
.host_distro = "Ubuntu 22.04.3 LTS",
.vm_box = "generic/ubuntu2204",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "overlayfs",
.verified_at = "2026-05-23",
.host_kernel = "5.4.0-169-generic",
.host_distro = "Ubuntu 20.04.6 LTS",
.vm_box = "generic/ubuntu2004",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "overlayfs_setuid",
.verified_at = "2026-05-23",
.host_kernel = "5.15.0-91-generic",
.host_distro = "Ubuntu 22.04.3 LTS",
.vm_box = "generic/ubuntu2204",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "pack2theroot",
.verified_at = "2026-05-23",
.host_kernel = "6.1.0-17-amd64",
.host_distro = "Debian GNU/Linux 12 (bookworm)",
.vm_box = "generic/debian12",
.expect_detect = "PRECOND_FAIL",
.actual_detect = "PRECOND_FAIL",
.status = "match",
},
{
.module = "ptrace_traceme",
.verified_at = "2026-05-23",
.host_kernel = "4.15.0-213-generic",
.host_distro = "Ubuntu 18.04.6 LTS",
.vm_box = "generic/ubuntu1804",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "pwnkit",
.verified_at = "2026-05-23",
.host_kernel = "5.4.0-169-generic",
.host_distro = "Ubuntu 20.04.6 LTS",
.vm_box = "generic/ubuntu2004",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "sequoia",
.verified_at = "2026-05-23",
.host_kernel = "5.4.0-169-generic",
.host_distro = "Ubuntu 20.04.6 LTS",
.vm_box = "generic/ubuntu2004",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "stackrot",
.verified_at = "2026-05-23",
.host_kernel = "6.1.10-060110-generic",
.host_distro = "Ubuntu 22.04.3 LTS",
.vm_box = "generic/ubuntu2204",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "sudo_samedit",
.verified_at = "2026-05-23",
.host_kernel = "4.15.0-213-generic",
.host_distro = "Ubuntu 18.04.6 LTS",
.vm_box = "generic/ubuntu1804",
.expect_detect = "VULNERABLE",
.actual_detect = "VULNERABLE",
.status = "match",
},
{
.module = "sudoedit_editor",
.verified_at = "2026-05-23",
.host_kernel = "5.15.0-91-generic",
.host_distro = "Ubuntu 22.04.3 LTS",
.vm_box = "generic/ubuntu2204",
.expect_detect = "PRECOND_FAIL",
.actual_detect = "PRECOND_FAIL",
.status = "match",
},
};
const size_t verifications_count =
sizeof(verifications) / sizeof(verifications[0]);
const struct verification_record *
verifications_for_module(const char *module, size_t *count_out)
{
if (count_out) *count_out = 0;
if (!module) return NULL;
const struct verification_record *first = NULL;
size_t n = 0;
for (size_t i = 0; i < verifications_count; i++) {
if (strcmp(verifications[i].module, module) == 0) {
if (first == NULL) first = &verifications[i];
n++;
}
}
if (count_out) *count_out = n;
return first;
}
bool verifications_module_has_match(const char *module)
{
size_t n = 0;
const struct verification_record *r = verifications_for_module(module, &n);
for (size_t i = 0; i < n; i++)
if (r[i].status && strcmp(r[i].status, "match") == 0)
return true;
return false;
}
Reference in New Issue View Git Blame Copy Permalink