kernelCTF: added CVE-2024-1086 lts mitigation

[Notselwyn]

No description provided.

[Notselwyn]

Apparently docs/exploit.md got corrupted locally in between git commits. It seems like I'll need to rewrite a large part of docs/exploit.md again. I hope I can get it done before you're done evaluating the older entries 👍

[Notselwyn]

All documentation is completed now and the PR is ready for merge in my eyes. Force-push above was required to correct git email in a commit (required due to CLA).

The only thing left to fix is the attached files (due to static glibc compiles causing trouble), as spoken with KT, but they would look into it.

Feel free to give feedback :-)

[koczkatamas]

I've made a few suggestions, please take a look!

[koczkatamas]

Can you please add references like [1], [2], [3] into this text and the code below which lines do the followings:

• "we simply allocate an skb (remove from the freelist) [1] before"
• "the double-free [2]"
• "we free (append to the freelist) [3] in between the double-free."

[Notselwyn]

Fixed in af171cb 👍

I tried to prevent boilerplate in the write-up by just linking the other double-free code. Is this acceptable?

[koczkatamas]

Can you use relative paths, e.g. ../exploit/lts-6.1.72/src/exploit.c#L362 instead of https://github.com/Notselwyn/security-research/blob/a4da96327b8bd940e4d5ae0c565d060b11e54ce7/pocs/linux/kernelctf/CVE-2024-1086_lts_mitigation/exploit/lts-6.1.72/src/exploit.c#L362, GH should be able to handle this link format after we merge the change.

Thanks!

[Notselwyn]

Fixed in e79a21a 👍

[matrizzo]

It would be useful to link to your blog post in the writeup (https://pwning.tech/nftables/) because some techniques like dirty pagedirectory are explained in more detail there.
Also specifically regarding dirty PGD, I think the explanation (both here in the PR and on your website) is a bit hard to understand, maybe instead of this diagram you could have something where you show that the PUD points back to itself (that is, there is a cycle in the page tables)?
Sometimes OS developers set up the page tables like this intentionally (they call it "recursive page tables") so some of the diagrams from an article like this can help https://medium.com/@connorstack/recursive-page-tables-ad1e03b20a85

[Notselwyn]

Great feedback, thanks! I'll try to fix it before the end of the week

[Notselwyn]

Also specifically regarding dirty PGD, I think the explanation (both here in the PR and on your website) is a bit hard to understand, maybe instead of this diagram you could have something where you show that the PUD points back to itself (that is, there is a cycle in the page tables)? Sometimes OS developers set up the page tables like this intentionally (they call it "recursive page tables") so some of the diagrams from an article like this can help https://medium.com/@connorstack/recursive-page-tables-ad1e03b20a85

Thanks for the feedback. I believe my explanation may have accidentally misled you: it does not implement recursive pagetable-like mechanisms. It simply causes an arbitrary Page Upper Directory (PUD) and arbitrary Page Middle Directory (PMD) to be overlapped (called "PUD+PMD" in the writeups). Hence no recursion happens, as the overlapping PMD is not a child of the overlapped PUD, but is the child of a normal PUD.

Do you have ideas for I could clear this up in the write-ups? I tried to convey this in the original diagram by showing that the table index used differs between the PUDs

[matrizzo]

Ah I see, yes now the diagram makes more sense. Yeah I don't really know how to make that clearer, maybe you could add the note from your latest comment to the writeup.

[Notselwyn]

Done 👍 @koczkatamas can I resolve the changes you requested?

[koczkatamas]

Done 👍 @koczkatamas can I resolve the changes you requested?

Thanks! I've made one comment.

The review will be continued by @matrizzo, but he is out-of-office this week, so probably next week earliest.

[HerrSpace]

@matrizzo This seems to have fallen through the cracks. :^)

[Notselwyn]

Yeah, I think it would be great if we could continue with the review :-)

[koczkatamas]

Hey! Sorry for the long process...

Meanwhile you could please take a look at another nftables submissions (we got a ton) and how did they solve that they don't include the Linux kernel header files?

This also needs to be resolved before we can merge the commit.

I will ping @matrizzo to try to finish the review this week.

[matrizzo]

I see there is still a TODO here, do you want to make any changes before we merge this?

[Notselwyn]

Thanks for picking it up. If you believe the explanations are detailed enough, I'm fine with the way it currently is :-)

[koczkatamas]

Could you please still look into if you can exclude the header files?

There are several other nftables submissions in the repo and in the PRs. Is there anything different in your submission which does not make this possible?

[Notselwyn]

@koczkatamas @matrizzo it took a couple of tries but I got rid of the headers 👍

[matrizzo]

Looks good, thanks for the submission