Add kernelCTF CVE-2024-26581_lts_cos_mitigation #109

Merged: 33 commits, Aug 29, 2024

Conversation

lonialcon2 (Contributor):

No description provided.

@lonialcon2 lonialcon2 changed the title Add kernelCTF CVE-2024-1085_lts_cos_mitigation Add kernelCTF CVE-2024-26581_lts_cos_mitigation Jul 12, 2024
@chanijindal1 (Collaborator) left a comment:

Thanks! Exploit looks nicely written, left some comments where I'd like to see more details in the writeup

- msg[3]: Error message, which finally triggers `__nf_tables_abort`. All previous messages will be rolled back:
- The element created in msg[2] will be removed by `nft_rbtree_remove` and freed by `nft_set_elem_destroy`.
- The element `B` created in msg[1] will be removed and freed.
- The element `A` created in msg[0] will be removed by `nft_rbtree_remove` and freed by `nft_set_elem_destroy` again! `rb_erase` will again put element `B` in the left child slot of element `A`'s parent node! This means that we reinserted the element `B`, which was about to be freed, into the rbtree!
@chanijindal1 (Collaborator):

> The element A created in msg[0] will be removed by function nft_rbtree_remove and will be freed by function nft_set_elem_destroy again! rb_erase will replace element B to the left child node of element A's parent node again! This means that we reinserted the element B that was about to be freed into the rbtree!

This makes it sound like A is freed twice. I think what you meant is that A is freed by `nft_set_elem_destroy`, calling `rb_erase`. This means that we reinserted the element B that was about to be freed into the rbtree.
After this you have a UAF on B?

@lonialcon2 (Contributor, Author):

Yes, after that, I have a UAF on B.

@chanijindal1 (Collaborator):

Could you add a note that this gives a UAF on B? I think it helps readers a lot to have the victim object be clear.

@lonialcon2 (Contributor, Author):

> Thanks! Exploit looks nicely written, left some comments where I'd like to see more details in the writeup

Hi, I've added more details in the exploit.md. Thanks.

@chanijindal1 (Collaborator):

@lonialcon2 (Contributor, Author):

> Thanks! Added one last request here: https://github.com/google/security-research/pull/109/files/c0b2d52e922b5fa3499deade6c4b30cab8ca0193#r1731889215

Hi, I've updated the exploit.md. Thanks.

@chanijindal1 chanijindal1 merged commit 7f0fd3f into google:master Aug 29, 2024
9 checks passed