/*
|
|
* DIRTYFAIL — dirtyfrag_esp6.h
|
|
*
|
|
* IPv6 dual of the xfrm-ESP page-cache write (CVE-2026-43284).
|
|
*
|
|
* `esp6_input()` carries the same `if (!skb_has_frag_list(skb)) goto
|
|
* skip_cow` branch as `esp_input()`. The mainline patch
|
|
* f4c50a4034e62ab75f1d5cdd191dd5f9c77fdff4 covers BOTH v4 and v6,
|
|
 * but a distro backport may have shipped only the v4 half of it —
|
|
 * particularly where the ipv4 change was cherry-picked in isolation. Do not
 * infer the v6 state from a changelog entry naming the CVE; check
 * `esp_input()` and `esp6_input()` separately.
|
|
*
|
|
* A vulnerable system in the wild may therefore be:
|
|
* - patched on v4, vulnerable on v6
|
|
* - patched on v6, vulnerable on v4
|
|
* - vulnerable on both
|
|
*
|
|
* This module is the v6 detector + exploit. Differences from the v4
|
|
* path:
|
|
* - AF_INET6 sockets, ::1 source/dest, sockaddr_in6
|
|
* - XFRM SA registered with family=AF_INET6 and 16-byte addresses
|
|
* - ESP packet padded to >= 48 bytes total to clear the
|
|
* `xfrm6_input.c` size gate (which v4 does not have)
|
|
*/
|
|
|
|
#ifndef DIRTYFAIL_DIRTYFRAG_ESP6_H
|
|
#define DIRTYFAIL_DIRTYFRAG_ESP6_H
|
|
|
|
#include "common.h"
|
|
|
|
/**
 * Detector half of the v6 module (see the header comment above for the
 * v4/v6 backport split it exists to catch).
 *
 * @return df_result_t — presumably DF_VULNERABLE / DF_OK / DF_PRECOND_FAIL
 *         as used by the other entry points in this header; the exact set
 *         of values is defined in common.h — confirm there.
 */
df_result_t dirtyfrag_esp6_detect(void);
|
|
|
|
/* OUTER (init ns): prompts the operator, forks the inner half, waits for
 * it, verifies that the write landed, then su.
|
|
 * INNER (runs in the bypass user namespace): registers the XFRM SA and
 * fires the trigger, nothing else. */
|
|
/**
 * OUTER half of the v6 exploit; runs in the init namespace.
 *
 * @param do_shell  presumably controls whether the final `su` step is
 *                  taken after verification — confirm against the .c.
 * @return df_result_t describing the outcome (values defined in common.h).
 */
df_result_t dirtyfrag_esp6_exploit(bool do_shell);
|
|
/**
 * INNER half of the v6 exploit; intended to run inside the bypass user
 * namespace. Per the comment above it only registers the SA and fires the
 * trigger — it does not prompt, verify, or spawn a shell.
 *
 * @return df_result_t (values defined in common.h).
 */
df_result_t dirtyfrag_esp6_exploit_inner(void);
|
|
|
|
/* Active probe: fires the v6 ESP-in-UDP trigger against a /tmp sentinel
|
|
* file (never /etc/passwd) and reports whether the marker landed.
|
|
* Used by `--scan --active`. Returns DF_VULNERABLE on marker hit, DF_OK
|
|
 * if no STORE landed — read that as "no write observed", not as proof
 * that the kernel is patched — and DF_PRECOND_FAIL if AA (presumably
 * AppArmor) blocked the probe.
|
|
* The inner half runs in the bypass userns and reads
|
|
 * DIRTYFAIL_PROBE_SENTINEL for the target path. Because that path receives
 * a page-cache write, the caller should create the sentinel itself (a fresh
 * file it owns, not a pre-existing /tmp entry or a symlink) before
 * exporting the variable. */
|
|
/**
 * OUTER half of the active probe (`--scan --active`): fires the v6
 * ESP-in-UDP trigger at a /tmp sentinel and reports whether the marker
 * landed.
 *
 * NOTE(review): this is not a passive check — it exercises the vulnerable
 * kernel path and performs a real page-cache write to the sentinel. Treat
 * it as an exploitation attempt for logging/authorisation purposes.
 *
 * @return DF_VULNERABLE on marker hit, DF_OK when no STORE was observed,
 *         DF_PRECOND_FAIL when the probe was blocked (see comment above).
 */
df_result_t dirtyfrag_esp6_active_probe(void);
|
|
/**
 * INNER half of the active probe; runs in the bypass user namespace and
 * takes the target path from the DIRTYFAIL_PROBE_SENTINEL environment
 * variable (see comment above).
 *
 * NOTE(review): the path is taken from the environment and then written to
 * via the kernel bug; the .c should reject anything that is not the
 * regular file the outer half created (symlinks, /etc paths) — confirm.
 *
 * @return df_result_t (values defined in common.h).
 */
df_result_t dirtyfrag_esp6_active_probe_inner(void);
|
|
|
|
#endif
|