leviathan
9d88b475c1
The README has been claiming "each module credits the original CVE
reporter and PoC author in its NOTICE.md" since v0.1.0, but only
copy_fail_family actually shipped one. Fixed.
modules/<name>/NOTICE.md (×19 new + 1 existing): per-module
research credit covering CVE ID, discoverer, original advisory
URL where public, upstream fix commit, IAMROOT's role.
iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets
via the existing core/offsets.c four-source chain (env →
/proc/kallsyms → /boot/System.map → embedded table), then emits
a ready-to-paste C struct entry for kernel_table[]. Run once
as root on a target kernel build; upstream via PR. Eliminates
fabricating offsets — every shipped entry traces back to a
`iamroot --dump-offsets` invocation on a real kernel.
docs/OFFSETS.md: documents the --dump-offsets workflow.
CVES.md: notes the NOTICE.md convention + offset dump tool.
iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.
761 B
761 B
NOTICE — entrybleed
Vulnerability
CVE-2023-0458 — KPTI prefetchnta timing side-channel leaks the
kernel base address (KASLR bypass).
Research credit
Discovered by Will Findlay. Formally presented at USENIX Security '23:
"EntryBleed: A Universal KASLR Bypass against KPTI on Linux" Bert Jan Schijf, Cristiano Giuffrida — USENIX Security 2023
Mainline status: no canonical patch — partial mitigations only.
IAMROOT role
This is a stage-1 leak primitive, not a standalone LPE. Other
modules can call entrybleed_leak_kbase_lib() to obtain a KASLR
slide and feed it to the offset resolver in core/offsets.c. x86_64
only; the entry_SYSCALL_64 slot offset is configurable via the
IAMROOT_ENTRYBLEED_OFFSET env var.