leviathan
9d88b475c1
The README has been claiming "each module credits the original CVE
reporter and PoC author in its NOTICE.md" since v0.1.0, but only
copy_fail_family actually shipped one. Fixed.
modules/<name>/NOTICE.md (×19 new + 1 existing): per-module
research credit covering CVE ID, discoverer, original advisory
URL where public, upstream fix commit, IAMROOT's role.
iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets
via the existing core/offsets.c four-source chain (env →
/proc/kallsyms → /boot/System.map → embedded table), then emits
a ready-to-paste C struct entry for kernel_table[]. Run once
as root on a target kernel build; upstream via PR. Eliminates
fabricating offsets — every shipped entry traces back to a
`iamroot --dump-offsets` invocation on a real kernel.
docs/OFFSETS.md: documents the --dump-offsets workflow.
CVES.md: notes the NOTICE.md convention + offset dump tool.
iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.
1.1 KiB
NOTICE — fuse_legacy (CVE-2022-0185)
Vulnerability
CVE-2022-0185 — legacy_parse_param in fsconfig() doesn't validate
PAGE_SIZE against the running fs_context's key/value length →
4 KB heap OOB write → cross-cache UAF → cred overwrite from a
rootless container.
Research credit
Discovered and disclosed by William Liu + Jamie Hill-Daniel (Crusaders of Rust), January 2022.
Original writeup: https://www.willsroot.io/2022/01/cve-2022-0185.html Public PoC: https://github.com/Crusaders-of-Rust/CVE-2022-0185
Upstream fix: mainline 5.16.2 (Jan 2022). Branch backports: 5.16.2 / 5.15.14 / 5.10.91 / 5.4.171.
IAMROOT role
userns+mountns reach, fsopen("cgroup2") + double
fsconfig(FSCONFIG_SET_STRING, "source", ...) fires the 4k OOB,
msg_msg cross-cache groom in kmalloc-4k. MSG_COPY read-back detects
whether the OOB landed in an adjacent neighbour — the sanity gate
that prevents fake-success claims.
--full-chain extends with forged m_list/m_ts overflow toward
modprobe_path via the shared finisher.
Container-escape angle — relevant to rootless docker/podman/snap.