leviathan
9d88b475c1
The README has been claiming "each module credits the original CVE
reporter and PoC author in its NOTICE.md" since v0.1.0, but only
copy_fail_family actually shipped one. Fixed.
modules/<name>/NOTICE.md (×19 new + 1 existing): per-module
research credit covering CVE ID, discoverer, original advisory
URL where public, upstream fix commit, IAMROOT's role.
iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets
via the existing core/offsets.c four-source chain (env →
/proc/kallsyms → /boot/System.map → embedded table), then emits
a ready-to-paste C struct entry for kernel_table[]. Run once
as root on a target kernel build; upstream via PR. Eliminates
fabricating offsets — every shipped entry traces back to a
`iamroot --dump-offsets` invocation on a real kernel.
docs/OFFSETS.md: documents the --dump-offsets workflow.
CVES.md: notes the NOTICE.md convention + offset dump tool.
iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.
24 lines
761 B
Markdown
24 lines
761 B
Markdown
# NOTICE — entrybleed
|
|
|
|
## Vulnerability
|
|
|
|
**CVE-2023-0458** — KPTI `prefetchnta` timing side-channel leaks the
|
|
kernel base address (KASLR bypass).
|
|
|
|
## Research credit
|
|
|
|
Discovered by **Will Findlay**. Formally presented at USENIX Security '23:
|
|
|
|
> "EntryBleed: A Universal KASLR Bypass against KPTI on Linux"
|
|
> Bert Jan Schijf, Cristiano Giuffrida — USENIX Security 2023
|
|
|
|
Mainline status: no canonical patch — partial mitigations only.
|
|
|
|
## IAMROOT role
|
|
|
|
This is a **stage-1 leak primitive**, not a standalone LPE. Other
|
|
modules can call `entrybleed_leak_kbase_lib()` to obtain a KASLR
|
|
slide and feed it to the offset resolver in `core/offsets.c`. x86_64
|
|
only; the `entry_SYSCALL_64` slot offset is configurable via the
|
|
`IAMROOT_ENTRYBLEED_OFFSET` env var.
|