Add kernelCTF CVE-2025-37798_lts_cos_mitigation

[phlaie]

No description provided.

[koczkatamas]

LTS only had 70% stability, which would make it ineligible for the stability bonus. I am running the tests again to see if stability will be better this time.

[phlaie]

Thanks for the catch. I think there might be some issues with the prefetch sidechannel (used to get KASLR leak) when on Github Actions runner. I'll check again.

[koczkatamas]

Hey!

If I compile the 6.6 stable version of the patch commit (https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=829c49b6b2ff45b043739168fd1245e4e1a91a30) with KASAN and run the exploit, it still crashes the kernel just earlier at a different place: list_del corruption, ffff88810380d050->next is LIST_POISON1 (dead000000000100).

Can you help us understand why is that? Is this patch commit complete and fixes the vulnerability properly?

(This blocks the payout of the first half of the reward.)

Logs after the patch:

[>] kernel base address: 0xffffffff81000000
[+] prepping UAF
[+] create hfsc (grandparent)
[+] allocate victim class
[    2.261292] drr_dequeue: plug qdisc 4: is non-work-conserving?
[    2.263442] HFSC: drr qdisc 2: is non-work-conserving?
[~] sending 7 reqs to fq_codel
[~] resetting interface[    2.268011] list_del corruption, ffff88810380d050->next is LIST_POISON1 (dead000000000100)
[    2.270904] ------------[ cut here ]------------
[    2.272588] kernel BUG at lib/list_debug.c:56!
[    2.274233] invalid opcode: 0000 [#1] PREEMPT SMP KASAN NOPTI
[    2.276258] CPU: 0 PID: 119 Comm: exp Not tainted 6.6.87+ #179
[    2.278273] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[    2.281503] RIP: 0010:__list_del_entry_valid_or_report+0xb0/0x100
[    2.283708] Code: e8 a5 3e 40 ff 0f 0b 48 89 de 48 c7 c7 e0 d7 b1 83 e8 94 3e 40 ff 0f 0b 48 89 ea 48 89 de 48 c7 c7 40 d8 b1 83 e8 80 3e 40 ff <0f> 0b 4c 89 e2 48 89 de 48 c7 c7 a0 d8 b1 83 e8 6c 3e 40 ff 0f 0b
[    2.289998] RSP: 0018:ffff888152209d98 EFLAGS: 00010246
[    2.291838] RAX: 000000000000004e RBX: ffff88810380d050 RCX: 0000000000000000
[    2.294284] RDX: 0000000000000000 RSI: ffffffff812ec704 RDI: ffffffff86a5f580
[    2.296741] RBP: dead000000000100 R08: 0000000000000001 R09: ffffed102a44135a
[    2.299211] R10: ffff888152209ad7 R11: 6c65645f7473696c R12: dead000000000122
[    2.301688] R13: ffff88810380d058 R14: ffff8881050d88e8 R15: ffff8881039d9800
[    2.304153] FS:  0000000008a7e380(0000) GS:ffff888152200000(0000) knlGS:0000000000000000
[    2.306914] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    2.308928] CR2: 0000785645c93008 CR3: 000000010517a004 CR4: 0000000000370ef0
[    2.311408] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[    2.313860] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[    2.316364] Call Trace:
[    2.317266]  <IRQ>
[    2.318031]  drr_dequeue+0x41b/0x490
[    2.319331]  qdisc_peek_dequeued+0x49/0xf0
[    2.320766]  hfsc_dequeue+0x2f5/0x630
[    2.322075]  __qdisc_run+0xf0/0xa20
[    2.323343]  net_tx_action+0x287/0x460
[    2.324677]  handle_softirqs+0x16c/0x460
[    2.326074]  ? hrtimer_interrupt+0x31f/0x360
[    2.327685]  ? __pfx_handle_softirqs+0x10/0x10
[    2.329470]  __irq_exit_rcu+0x91/0xe0
[    2.330919]  sysvec_apic_timer_interrupt+0x9e/0xc0
[    2.332645]  </IRQ>
[    2.333448]  <TASK>
[    2.334242]  asm_sysvec_apic_timer_interrupt+0x16/0x20
[    2.336042] RIP: 0010:_raw_spin_unlock_irqrestore+0x19/0x40
[    2.337989] Code: ff 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 0f 1f 44 00 00 e8 f6 10 00 00 90 f7 c6 00 02 00 00 74 06 fb 0f 1f 44 00 00 <bf> 01 00 00 00 e8 5d 3e 28 fe 65 8b 05 2e 9d fd 7c 85 c0 74 05 c3
[    2.344310] RSP: 0018:ffff88810507f960 EFLAGS: 00000206
[    2.346121] RAX: 0000000000000001 RBX: ffffffff86b00200 RCX: 0000000000000000
[    2.348607] RDX: 0000000000000002 RSI: 0000000000000246 RDI: ffffffff86b00200
[    2.351358] RBP: ffffffff86b002d0 R08: 0000000000000001 R09: ffffed10204ea836
[    2.353852] R10: ffff8881027541b7 R11: 0000000000000000 R12: 0000000000000eee
[    2.356340] R13: 0000000000000000 R14: 0000000000000111 R15: ffff888103029000
[    2.358792]  uart_write+0x17f/0x2e0
[    2.360063]  n_tty_write+0x295/0x7e0
[    2.361350]  ? __pfx_n_tty_write+0x10/0x10
[    2.362810]  ? __pfx_woken_wake_function+0x10/0x10
[    2.364526]  ? preempt_count_sub+0x14/0xc0
[    2.365959]  ? __virt_addr_valid+0x128/0x1a0
[    2.367500]  ? __check_object_size+0x269/0x400
[    2.369061]  ? __pfx_n_tty_write+0x10/0x10
[    2.370509]  file_tty_write.isra.0+0x284/0x4c0
[    2.372095]  ? __pfx_redirected_tty_write+0x10/0x10
[    2.373821]  vfs_write+0x3d0/0x6a0
[    2.375040]  ? __pfx_vfs_write+0x10/0x10
[    2.376456]  ? __pfx____sys_sendmsg+0x10/0x10
[    2.378014]  ? __fget_light+0x1b0/0x200
[    2.379389]  ksys_write+0xc6/0x160
[    2.380603]  ? __pfx_ksys_write+0x10/0x10
[    2.382038]  do_syscall_64+0x5e/0x90
[    2.383332]  ? __fget_light+0x1b0/0x200
[    2.384708]  ? __sys_sendmsg+0x163/0x1b0
[    2.386107]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.387795]  ? __pfx___sys_sendmsg+0x10/0x10
[    2.389317]  ? __call_rcu_common.constprop.0+0x223/0x390
[    2.391176]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.392899]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.394585]  ? do_syscall_64+0x6a/0x90
[    2.395922]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.397601]  ? do_syscall_64+0x6a/0x90
[    2.398940]  ? clear_bhb_loop+0x45/0xa0
[    2.400361]  ? clear_bhb_loop+0x45/0xa0
[    2.401730]  ? clear_bhb_loop+0x45/0xa0
[    2.403098]  ? clear_bhb_loop+0x45/0xa0
[    2.404495]  ? clear_bhb_loop+0x45/0xa0
[    2.405856]  entry_SYSCALL_64_after_hwframe+0x78/0xe2
[    2.407651] RIP: 0033:0x432474
[    2.408799] Code: 89 02 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 80 3d ed 1b 09 00 00 74 13 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 55 48 89 e5 48 83 ec 20 48 89
[    2.415052] RSP: 002b:00007ffe7218a598 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[    2.417662] RAX: ffffffffffffffda RBX: 0000000000000017 RCX: 0000000000432474
[    2.420128] RDX: 0000000000000017 RSI: 0000000000494839 RDI: 0000000000000001
[    2.422585] RBP: 00007ffe7218a5c0 R08: 0000000000000000 R09: 0000000000000000
[    2.425069] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000017
[    2.427537] R13: 0000000000494839 R14: 00000000004c3320 R15: 0000000000000017
[    2.429992]  </TASK>
[    2.430819] Modules linked in:
[    2.431998] ---[ end trace 0000000000000000 ]---
[    2.433674] RIP: 0010:__list_del_entry_valid_or_report+0xb0/0x100
[    2.435831] Code: e8 a5 3e 40 ff 0f 0b 48 89 de 48 c7 c7 e0 d7 b1 83 e8 94 3e 40 ff 0f 0b 48 89 ea 48 89 de 48 c7 c7 40 d8 b1 83 e8 80 3e 40 ff <0f> 0b 4c 89 e2 48 89 de 48 c7 c7 a0 d8 b1 83 e8 6c 3e 40 ff 0f 0b
[    2.442172] RSP: 0018:ffff888152209d98 EFLAGS: 00010246
[    2.444078] RAX: 000000000000004e RBX: ffff88810380d050 RCX: 0000000000000000
[    2.446584] RDX: 0000000000000000 RSI: ffffffff812ec704 RDI: ffffffff86a5f580
[    2.449081] RBP: dead000000000100 R08: 0000000000000001 R09: ffffed102a44135a
[    2.451607] R10: ffff888152209ad7 R11: 6c65645f7473696c R12: dead000000000122
[    2.454103] R13: ffff88810380d058 R14: ffff8881050d88e8 R15: ffff8881039d9800
[    2.456611] FS:  0000000008a7e380(0000) GS:ffff888152200000(0000) knlGS:0000000000000000
[    2.459414] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    2.461448] CR2: 0000785645c93008 CR3: 000000010517a004 CR4: 0000000000370ef0
[    2.463951] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[    2.466481] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[    2.468977] Kernel panic - not syncing: Fatal exception in interrupt
[    2.471917] Kernel Offset: disabled

Compared with before the patch (parent commit of 829c49b - https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=24e6280cdd7f8d01fc6b9b365fb800c2fb7ea9bb):

[>] kernel base address: 0xffffffff81000000
[+] prepping UAF
[+] create hfsc (grandparent)
[+] allocate victim class
[    2.267575] drr_dequeue: plug qdisc 4: is non-work-conserving?
[    2.269694] HFSC: drr qdisc 2: is non-work-conserving?
[~] sending 7 reqs to fq_codel
[~] resetting interface
[+] enqueueing packet to sibling
[+] deleting drr parent class
[+] spraying slab to reclaim with key_desc
[+] sending request, will trigger hfsc dequeue
[    2.282803] ==================================================================
[    2.285339] BUG: KASAN: slab-use-after-free in rb_first+0x1a/0x40
[    2.287516] Read of size 8 at addr ffff8881047f70b0 by task exp/119
[    2.289706] 
[    2.290315] CPU: 0 PID: 119 Comm: exp Not tainted 6.6.87+ #178
[    2.292385] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[    2.295674] Call Trace:
[    2.296591]  <TASK>
[    2.297384]  dump_stack_lvl+0x49/0x60
[    2.298736]  print_report+0xc5/0x650
[    2.300021]  ? preempt_count_add+0x1c/0xc0
[    2.301477]  ? preempt_count_sub+0x14/0xc0
[    2.302962]  ? __virt_addr_valid+0x128/0x1a0
[    2.304517]  ? rb_first+0x1a/0x40
[    2.305727]  kasan_report+0xb9/0xf0
[    2.307004]  ? rb_first+0x1a/0x40
[    2.308228]  rb_first+0x1a/0x40
[    2.309397]  hfsc_dequeue+0x5d/0x630
[    2.310691]  ? __pfx_hfsc_enqueue+0x10/0x10
[    2.312192]  __qdisc_run+0xf0/0xa20
[    2.313496]  __dev_queue_xmit+0xdc0/0x16f0
[    2.314985]  ? __pfx___dev_queue_xmit+0x10/0x10
[    2.316604]  ? __orc_find+0x6c/0xd0
[    2.317869]  ? __orc_find+0x6c/0xd0
[    2.319177]  ? ftrace_graph_ret_addr+0x1f/0xa0
[    2.320773]  ? __orc_find+0x6c/0xd0
[    2.322032]  ? ftrace_graph_ret_addr+0x1f/0xa0
[    2.323669]  ? stack_access_ok+0x35/0xd0
[    2.325084]  ? preempt_count_sub+0x14/0xc0
[    2.326545]  ? skb_put+0x6e/0xb0
[    2.327720]  ? get_random_u32+0x131/0x1b0
[    2.329136]  ? __pfx_get_random_u32+0x10/0x10
[    2.330710]  ip_finish_output2+0x55e/0xac0
[    2.332161]  ? __pfx_ip_skb_dst_mtu+0x10/0x10
[    2.333729]  ? __pfx_ip_finish_output2+0x10/0x10
[    2.335367]  ip_output+0xe0/0x1b0
[    2.336570]  ? __pfx_ip_output+0x10/0x10
[    2.337961]  ? __pfx_ip_finish_output+0x10/0x10
[    2.339585]  ? __pfx_ip_generic_getfrag+0x10/0x10
[    2.341234]  ? __pfx_ip_make_skb+0x10/0x10
[    2.342704]  ip_send_skb+0xbd/0xd0
[    2.343954]  udp_send_skb+0x2db/0x690
[    2.345278]  udp_sendmsg+0xc85/0x12c0
[    2.346633]  ? __pfx_ip_generic_getfrag+0x10/0x10
[    2.348305]  ? __pfx_udp_sendmsg+0x10/0x10
[    2.349776]  ? preempt_count_sub+0x14/0xc0
[    2.351241]  ? __local_bh_enable_ip+0x37/0x90
[    2.352824]  ? __rcu_read_unlock+0x48/0x70
[    2.354312]  ? ip4_datagram_release_cb+0xfb/0x440
[    2.355984]  ? __pfx_ip4_datagram_release_cb+0x10/0x10
[    2.357818]  ? __pfx_udp_lib_get_port+0x10/0x10
[    2.359467]  ? __pfx__raw_spin_lock_bh+0x10/0x10
[    2.361114]  ? preempt_count_sub+0x14/0xc0
[    2.362593]  ? __local_bh_enable_ip+0x37/0x90
[    2.364151]  ? inet_autobind+0x81/0xa0
[    2.365493]  ? inet_send_prepare+0x6f/0x120
[    2.366972]  ? __sys_sendto+0x338/0x380
[    2.368359]  __sys_sendto+0x338/0x380
[    2.369685]  ? __pfx___sys_sendto+0x10/0x10
[    2.371168]  ? _raw_spin_lock_bh+0x85/0xe0
[    2.372656]  ? release_sock+0xa0/0xd0
[    2.373977]  ? preempt_count_sub+0x14/0xc0
[    2.375436]  ? __local_bh_enable_ip+0x37/0x90
[    2.377001]  ? alloc_file_pseudo+0x126/0x1b0
[    2.378566]  ? __pfx_alloc_file_pseudo+0x10/0x10
[    2.380202]  __x64_sys_sendto+0x72/0x90
[    2.381603]  do_syscall_64+0x5e/0x90
[    2.382918]  ? fd_install+0xa1/0x150
[    2.384203]  ? udp_lib_setsockopt+0x4a1/0x750
[    2.385770]  ? __pfx_udp_push_pending_frames+0x10/0x10
[    2.387606]  ? __pfx_udp_lib_setsockopt+0x10/0x10
[    2.389300]  ? __pfx_aa_sk_perm+0x10/0x10
[    2.390734]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.392457]  ? _raw_spin_lock+0x85/0xe0
[    2.393841]  ? __pfx__raw_spin_lock+0x10/0x10
[    2.395404]  ? udp_setsockopt+0x2c/0x40
[    2.396793]  ? __pfx_udp_push_pending_frames+0x10/0x10
[    2.398607]  ? do_sock_setsockopt+0x17b/0x2c0
[    2.400174]  ? preempt_count_sub+0x14/0xc0
[    2.401652]  ? _raw_spin_unlock+0x15/0x30
[    2.403105]  ? do_fcntl+0x434/0x870
[    2.404368]  ? __pfx_do_fcntl+0x10/0x10
[    2.405773]  ? __fget_light+0x1b0/0x200
[    2.407161]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.408885]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.410610]  ? do_syscall_64+0x6a/0x90
[    2.411947]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.413674]  ? do_syscall_64+0x6a/0x90
[    2.415029]  ? __fget_light+0x1b0/0x200
[    2.416397]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.418121]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.419825]  ? do_syscall_64+0x6a/0x90
[    2.421163]  ? clear_bhb_loop+0x45/0xa0
[    2.422561]  ? clear_bhb_loop+0x45/0xa0
[    2.423939]  ? clear_bhb_loop+0x45/0xa0
[    2.425315]  ? clear_bhb_loop+0x45/0xa0
[    2.426707]  ? clear_bhb_loop+0x45/0xa0
[    2.428090]  entry_SYSCALL_64_after_hwframe+0x78/0xe2
[    2.429855] RIP: 0033:0x4340e7
[    2.430991] Code: c7 c0 ff ff ff ff eb be 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d 7d ff 08 00 00 41 89 ca 74 10 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 69 c3 55 48 89 e5 53 48 83 ec 38 44 89 4d d0
[    2.437301] RSP: 002b:00007ffcb8cbbeb8 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
[    2.439925] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004340e7
[    2.442408] RDX: 0000000000000000 RSI: 0000000000494286 RDI: 0000000000000006
[    2.444934] RBP: 00007ffcb8cbbf10 R08: 00007ffcb8cbbef0 R09: 0000000000000010
[    2.447458] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffcb8cbc1a8
[    2.449946] R13: 00007ffcb8cbc1b8 R14: 00000000004be828 R15: 0000000000000001
[    2.452449]  </TASK>
[    2.453273] 
[    2.453891] Allocated by task 119:
[    2.455133]  kasan_save_stack+0x2c/0x50
[    2.456512]  kasan_set_track+0x21/0x30
[    2.457861]  __kasan_kmalloc+0x8b/0x90
[    2.459221]  hfsc_change_class+0x2c1/0x16c0
[    2.460733]  tc_ctl_tclass+0x28d/0x770
[    2.462079]  rtnetlink_rcv_msg+0x206/0x580
[    2.463541]  netlink_rcv_skb+0xdd/0x210
[    2.464915]  netlink_unicast+0x392/0x4e0
[    2.466351]  netlink_sendmsg+0x3ce/0x6f0
[    2.467765]  ____sys_sendmsg+0x594/0x5d0
[    2.469165]  ___sys_sendmsg+0xfd/0x170
[    2.470550]  __sys_sendmsg+0x163/0x1b0
[    2.471904]  do_syscall_64+0x5e/0x90
[    2.473182]  entry_SYSCALL_64_after_hwframe+0x78/0xe2
[    2.474989] 
[    2.475616] Freed by task 119:
[    2.476760]  kasan_save_stack+0x2c/0x50
[    2.478141]  kasan_set_track+0x21/0x30
[    2.479512]  kasan_save_free_info+0x27/0x50
[    2.480999]  ____kasan_slab_free+0x11f/0x1a0
[    2.482569]  __kmem_cache_free+0x164/0x300
[    2.484044]  hfsc_delete_class+0x2e3/0x410
[    2.485511]  tc_ctl_tclass+0x619/0x770
[    2.486890]  rtnetlink_rcv_msg+0x206/0x580
[    2.488340]  netlink_rcv_skb+0xdd/0x210
[    2.489721]  netlink_unicast+0x392/0x4e0
[    2.491150]  netlink_sendmsg+0x3ce/0x6f0
[    2.492577]  ____sys_sendmsg+0x594/0x5d0
[    2.493964]  ___sys_sendmsg+0xfd/0x170
[    2.495375]  __sys_sendmsg+0x163/0x1b0
[    2.496740]  do_syscall_64+0x5e/0x90
[    2.498034]  entry_SYSCALL_64_after_hwframe+0x78/0xe2
[    2.499815] 
[    2.500422] The buggy address belongs to the object at ffff8881047f7000
[    2.500422]  which belongs to the cache kmalloc-1k of size 1024
[    2.504693] The buggy address is located 176 bytes inside of
[    2.504693]  freed 1024-byte region [ffff8881047f7000, ffff8881047f7400)
[    2.508861] 
[    2.509471] The buggy address belongs to the physical page:
[    2.511466] page:00000000fffc8cad refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1047f0
[    2.514697] head:00000000fffc8cad order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[    2.517475] flags: 0x100000000000840(slab|head|node=0|zone=2)
[    2.519517] page_type: 0xffffffff()
[    2.520773] raw: 0100000000000840 ffff888100041dc0 dead000000000122 0000000000000000
[    2.523472] raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
[    2.526162] page dumped because: kasan: bad access detected
[    2.528127] 
[    2.528743] Memory state around the buggy address:
[    2.530458]  ffff8881047f6f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    2.532954]  ffff8881047f7000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    2.535450] >ffff8881047f7080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    2.537961]                                      ^
[    2.539664]  ffff8881047f7100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    2.542182]  ffff8881047f7180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    2.544702] ==================================================================
[    2.547270] Kernel panic - not syncing: kasan.fault=panic set ...
[    2.549434] CPU: 0 PID: 119 Comm: exp Not tainted 6.6.87+ #178
[    2.551493] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[    2.554779] Call Trace:
[    2.555686]  <TASK>
[    2.556485]  dump_stack_lvl+0x49/0x60
[    2.557801]  panic+0x216/0x410
[    2.558942]  ? __pfx_panic+0x10/0x10
[    2.560240]  ? rb_first+0x1a/0x40
[    2.561456]  ? check_panic_on_warn+0x2b/0x80
[    2.563011]  ? rb_first+0x1a/0x40
[    2.564223]  end_report+0xe3/0xf0
[    2.565429]  kasan_report+0xc9/0xf0
[    2.566698]  ? rb_first+0x1a/0x40
[    2.567932]  rb_first+0x1a/0x40
[    2.569099]  hfsc_dequeue+0x5d/0x630
[    2.570407]  ? __pfx_hfsc_enqueue+0x10/0x10
[    2.571916]  __qdisc_run+0xf0/0xa20
[    2.573193]  __dev_queue_xmit+0xdc0/0x16f0
[    2.574654]  ? __pfx___dev_queue_xmit+0x10/0x10
[    2.576255]  ? __orc_find+0x6c/0xd0
[    2.577522]  ? __orc_find+0x6c/0xd0
[    2.578791]  ? ftrace_graph_ret_addr+0x1f/0xa0
[    2.580373]  ? __orc_find+0x6c/0xd0
[    2.581656]  ? ftrace_graph_ret_addr+0x1f/0xa0
[    2.583260]  ? stack_access_ok+0x35/0xd0
[    2.584670]  ? preempt_count_sub+0x14/0xc0
[    2.586146]  ? skb_put+0x6e/0xb0
[    2.587338]  ? get_random_u32+0x131/0x1b0
[    2.588791]  ? __pfx_get_random_u32+0x10/0x10
[    2.590369]  ip_finish_output2+0x55e/0xac0
[    2.591842]  ? __pfx_ip_skb_dst_mtu+0x10/0x10
[    2.593405]  ? __pfx_ip_finish_output2+0x10/0x10
[    2.595043]  ip_output+0xe0/0x1b0
[    2.596242]  ? __pfx_ip_output+0x10/0x10
[    2.597650]  ? __pfx_ip_finish_output+0x10/0x10
[    2.599272]  ? __pfx_ip_generic_getfrag+0x10/0x10
[    2.600962]  ? __pfx_ip_make_skb+0x10/0x10
[    2.602418]  ip_send_skb+0xbd/0xd0
[    2.603676]  udp_send_skb+0x2db/0x690
[    2.605002]  udp_sendmsg+0xc85/0x12c0
[    2.606322]  ? __pfx_ip_generic_getfrag+0x10/0x10
[    2.608017]  ? __pfx_udp_sendmsg+0x10/0x10
[    2.609504]  ? preempt_count_sub+0x14/0xc0
[    2.610964]  ? __local_bh_enable_ip+0x37/0x90
[    2.612536]  ? __rcu_read_unlock+0x48/0x70
[    2.613998]  ? ip4_datagram_release_cb+0xfb/0x440
[    2.615679]  ? __pfx_ip4_datagram_release_cb+0x10/0x10
[    2.617513]  ? __pfx_udp_lib_get_port+0x10/0x10
[    2.619174]  ? __pfx__raw_spin_lock_bh+0x10/0x10
[    2.620849]  ? preempt_count_sub+0x14/0xc0
[    2.622311]  ? __local_bh_enable_ip+0x37/0x90
[    2.623904]  ? inet_autobind+0x81/0xa0
[    2.625393]  ? inet_send_prepare+0x6f/0x120
[    2.626926]  ? __sys_sendto+0x338/0x380
[    2.628321]  __sys_sendto+0x338/0x380
[    2.629661]  ? __pfx___sys_sendto+0x10/0x10
[    2.631166]  ? _raw_spin_lock_bh+0x85/0xe0
[    2.632639]  ? release_sock+0xa0/0xd0
[    2.633947]  ? preempt_count_sub+0x14/0xc0
[    2.635408]  ? __local_bh_enable_ip+0x37/0x90
[    2.636968]  ? alloc_file_pseudo+0x126/0x1b0
[    2.638574]  ? __pfx_alloc_file_pseudo+0x10/0x10
[    2.640222]  __x64_sys_sendto+0x72/0x90
[    2.641602]  do_syscall_64+0x5e/0x90
[    2.642913]  ? fd_install+0xa1/0x150
[    2.644204]  ? udp_lib_setsockopt+0x4a1/0x750
[    2.645745]  ? __pfx_udp_push_pending_frames+0x10/0x10
[    2.647553]  ? __pfx_udp_lib_setsockopt+0x10/0x10
[    2.649208]  ? __pfx_aa_sk_perm+0x10/0x10
[    2.650647]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.652358]  ? _raw_spin_lock+0x85/0xe0
[    2.653729]  ? __pfx__raw_spin_lock+0x10/0x10
[    2.655303]  ? udp_setsockopt+0x2c/0x40
[    2.656676]  ? __pfx_udp_push_pending_frames+0x10/0x10
[    2.658475]  ? do_sock_setsockopt+0x17b/0x2c0
[    2.660024]  ? preempt_count_sub+0x14/0xc0
[    2.661479]  ? _raw_spin_unlock+0x15/0x30
[    2.662934]  ? do_fcntl+0x434/0x870
[    2.664195]  ? __pfx_do_fcntl+0x10/0x10
[    2.665604]  ? __fget_light+0x1b0/0x200
[    2.666978]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.668691]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.670406]  ? do_syscall_64+0x6a/0x90
[    2.671755]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.673476]  ? do_syscall_64+0x6a/0x90
[    2.674850]  ? __fget_light+0x1b0/0x200
[    2.676220]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.677941]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.679683]  ? do_syscall_64+0x6a/0x90
[    2.681021]  ? clear_bhb_loop+0x45/0xa0
[    2.682408]  ? clear_bhb_loop+0x45/0xa0
[    2.683779]  ? clear_bhb_loop+0x45/0xa0
[    2.685159]  ? clear_bhb_loop+0x45/0xa0
[    2.686554]  ? clear_bhb_loop+0x45/0xa0
[    2.687933]  entry_SYSCALL_64_after_hwframe+0x78/0xe2
[    2.689702] RIP: 0033:0x4340e7
[    2.690841] Code: c7 c0 ff ff ff ff eb be 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 80 3d 7d ff 08 00 00 41 89 ca 74 10 b8 2c 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 69 c3 55 48 89 e5 53 48 83 ec 38 44 89 4d d0
[    2.697140] RSP: 002b:00007ffcb8cbbeb8 EFLAGS: 00000202 ORIG_RAX: 000000000000002c
[    2.699780] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004340e7
[    2.702286] RDX: 0000000000000000 RSI: 0000000000494286 RDI: 0000000000000006
[    2.704800] RBP: 00007ffcb8cbbf10 R08: 00007ffcb8cbbef0 R09: 0000000000000010
[    2.707282] R10: 0000000000000000 R11: 0000000000000202 R12: 00007ffcb8cbc1a8
[    2.709753] R13: 00007ffcb8cbc1b8 R14: 00000000004be828 R15: 0000000000000001
[    2.712293]  </TASK>
[    2.713901] Kernel Offset: disabled

[phlaie]

@koczkatamas I've fixed the reliability issues stemming from the prefetch side-channel leak. Let me get back to you on the KASAN crash report.

[phlaie]

@koczkatamas Thanks for the report. To resolve the KASAN crash, you have to apply the rest of the patches in the patchset as well. The specified commit 829c49b6b2ff45b043739168fd1245e4e1a91a30 is part of this patchset, which I worked on together with Cong Wang to address the vulnerability. Crucially, the fix only works as the patchset, and not as a singular commit. For this particular PoC, the other relevant commits from the patchset are commits df008598b3a00be02a8051fde89ca0fbc416bd55 (drr) and 51eb3b65544c9efd6a1026889ee5fb5aa62da3bb (hfsc).

(I can reproduce the KASAN error when applying only the single commit)

[koczkatamas]

Thanks! I could verify using the upstream commit which contains all the patches.

[matrizzo]

Hi, thanks for your submission. Please have a look at our style guide and the comments and make sure that you adjust your exploits to follow them.

[matrizzo]

The header <arpa/inet.h> is already included at line 5 and can be removed.

https://google.github.io/security-research/kernelctf/style_guide#unused-code

[matrizzo]

The header <sys/socket.h> is already included at line 3 and can be removed.

https://google.github.io/security-research/kernelctf/style_guide#unused-code

[matrizzo]

The header <linux/keyctl.h> is already included at line 10 and can be removed.

https://google.github.io/security-research/kernelctf/style_guide#unused-code

[matrizzo]

The header <err.h> is already included at line 12 and can be removed.

https://google.github.io/security-research/kernelctf/style_guide#unused-code

[matrizzo]

Add a comment with the full ROP gadget instruction (e.g., // 0x... : pop rdi ; ret) next to the #define.

https://google.github.io/security-research/kernelctf/style_guide#rop-chains

[matrizzo]

The link seems to be missing here.

[matrizzo]

All sleeps need a comment explaining what they do.

[matrizzo]

All ROP gadgets should include the disassembly of the instructions at the gadget's address https://google.github.io/security-research/kernelctf/style_guide#rop-chains

[matrizzo]

This should be #defined to NUM_TRIALS like in the AMD code.

[matrizzo]

This whole section seems to be unused and should be removed.