leviathan
9d88b475c1
The README has been claiming "each module credits the original CVE
reporter and PoC author in its NOTICE.md" since v0.1.0, but only
copy_fail_family actually shipped one. Fixed.
modules/<name>/NOTICE.md (×19 new + 1 existing): per-module
research credit covering CVE ID, discoverer, original advisory
URL where public, upstream fix commit, IAMROOT's role.
iamroot.c: new --dump-offsets subcommand. Resolves kernel offsets
via the existing core/offsets.c four-source chain (env →
/proc/kallsyms → /boot/System.map → embedded table), then emits
a ready-to-paste C struct entry for kernel_table[]. Run once
as root on a target kernel build; upstream via PR. Eliminates
fabricating offsets — every shipped entry traces back to a
`iamroot --dump-offsets` invocation on a real kernel.
docs/OFFSETS.md: documents the --dump-offsets workflow.
CVES.md: notes the NOTICE.md convention + offset dump tool.
iamroot.c: bump IAMROOT_VERSION 0.3.0 → 0.3.1.
960 B
960 B
NOTICE — nft_fwd_dup (CVE-2022-25636)
Vulnerability
CVE-2022-25636 — nft_fwd_dup_netdev_offload writes
flow->rule->action.entries[ctx->num_actions] without bounds-checking
against the allocated array size → heap OOB write in kmalloc-512.
Research credit
Discovered and disclosed by Aaron Adams (NCC Group), February 2022.
Original writeup: https://research.nccgroup.com/2022/03/02/exploit-engineering-attacking-the-linux-kernel/
Upstream fix: mainline 5.17 (commit fa54fee62954, Feb 2022).
Branch backports: 5.16.11 / 5.15.25 / 5.10.102 / 5.4.181.
IAMROOT role
userns+netns reach. Hand-rolled nfnetlink batch: NEWTABLE →
NEWCHAIN with NFT_CHAIN_HW_OFFLOAD → NEWRULE with 16 immediates
- fwd, overruning
action.entries[1]. msg_msg cross-cache groom into kmalloc-512 withIAMROOT_FWDtags.
--full-chain extends with stride-seeded forged action_entry
overwrite aimed at modprobe_path via the shared finisher.