leviathan
9d88b475c1
The README has been claiming "each module credits the original CVE
reporter and PoC author in its NOTICE.md" since v0.1.0, but only
copy_fail_family actually shipped one. Fixed.
modules/<name>/NOTICE.md (×19 new + 1 existing): per-module
research credit covering CVE ID, discoverer, original advisory
URL where public, upstream fix commit, IAMROOT's role.
iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets
via the existing core/offsets.c four-source chain (env →
/proc/kallsyms → /boot/System.map → embedded table), then emits
a ready-to-paste C struct entry for kernel_table[]. Run once
as root on a target kernel build; upstream via PR. Eliminates
fabricating offsets — every shipped entry traces back to a
`iamroot --dump-offsets` invocation on a real kernel.
docs/OFFSETS.md: documents the --dump-offsets workflow.
CVES.md: notes the NOTICE.md convention + offset dump tool.
iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.
1.0 KiB
1.0 KiB
NOTICE — af_packet (CVE-2017-7308)
Vulnerability
CVE-2017-7308 — AF_PACKET TPACKET_V3 integer overflow in
tp_block_size * tp_block_nr → heap write-where via sendmmsg spray.
Research credit
Discovered by Andrey Konovalov (Google), March 2017. A research-era classic — Konovalov found multiple AF_PACKET bugs in this campaign.
Original advisory + writeup: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
Upstream fix: mainline 4.11 / stable 4.10.6 (March 2017). Branch backports: 4.10.6 / 4.9.18 / 4.4.57 / 3.18.49.
IAMROOT role
x86_64-only. Userns gives CAP_NET_RAW; socket(AF_PACKET, SOCK_RAW)
- TPACKET_V3 with overflowing tp_block_size triggers the integer
overflow + heap spray via 200 raw skbs on lo. Best-effort cred-race
finisher (64 child workers polling geteuid). Offset table covers
Ubuntu 16.04/4.4 and 18.04/4.15; other kernels via the
IAMROOT_AFPACKET_OFFSETSenv var.
--full-chain engages the shared modprobe_path finisher with
stride-seeded sk_buff data-pointer overwrite.