leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity
Files
9d88b475c12b5e3019f773502d6fe7d4d019f255
SKELETONKEY/modules/af_unix_gc_cve_2023_4622/NOTICE.md
T
leviathan 9d88b475c1
release / build (arm64) (push) Waiting to run
Details
release / build (x86_64) (push) Waiting to run
Details
release / release (push) Blocked by required conditions
Details
v0.3.1: --dump-offsets tool + NOTICE.md per module 
The README has been claiming "each module credits the original CVE
reporter and PoC author in its NOTICE.md" since v0.1.0, but only
copy_fail_family actually shipped one. Fixed.

  modules/<name>/NOTICE.md (×19 new + 1 existing): per-module
    research credit covering CVE ID, discoverer, original advisory
    URL where public, upstream fix commit, IAMROOT's role.

  iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets
    via the existing core/offsets.c four-source chain (env →
    /proc/kallsyms → /boot/System.map → embedded table), then emits
    a ready-to-paste C struct entry for kernel_table[]. Run once
    as root on a target kernel build; upstream via PR. Eliminates
    fabricating offsets — every shipped entry traces back to a
    `iamroot --dump-offsets` invocation on a real kernel.

  docs/OFFSETS.md: documents the --dump-offsets workflow.
  CVES.md: notes the NOTICE.md convention + offset dump tool.

  iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.
2026-05-16 22:33:43 -04:00

1.3 KiB
Raw Blame History

NOTICE — af_unix_gc (CVE-2023-4622)

Vulnerability

CVE-2023-4622 — AF_UNIX garbage-collector race against SCM_RIGHTS fd-passing → struct unix_sock freed while still reachable → slab UAF in SLAB_TYPESAFE_BY_RCU kmalloc-512 bucket.

Research credit

Discovered and disclosed by Lin Ma (Zhejiang University), August 2023.

Writeup: https://github.com/google/security-research/security/advisories/GHSA-7p7m-3xv8-2pq2 (disclosure record), plus Lin Ma's public PoC repo.

Upstream fix: mainline 6.6-rc1 (commit 0cabe18a8b80c, Aug 2023). Branch backports: 4.14.326 / 4.19.295 / 5.4.257 / 5.10.197 / 5.15.130 / 6.1.51 / 6.5.0.

IAMROOT role

Widest deployment of any module in the corpus — bug present in every Linux kernel below the fix (back to ~2.0 era).

Two-thread race driver: Thread A cycles SCM_RIGHTS fd-passing through a socketpair; Thread B triggers unix_gc by closing a socket in a reference cycle. msg_msg spray refills the freed slot. CPU-pinned. Bounded budget: 5 s default, 30 s with --full-chain.

Bug is reachable as a plain unprivileged user — no userns required, no CAP_* needed. Race-win rate per run is iteration- dependent; Lin Ma's PoC reports thousands of iterations to first reclaim. The shared finisher's sentinel timeout handles no-land outcomes gracefully.

Reference in New Issue View Git Blame Copy Permalink