-
Notifications
You must be signed in to change notification settings - Fork 417
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add kernelCTF CVE-2023-31436 #34
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We switched JSON schema version, please accept these changes to make the PR check succeed.
Hey! Sorry for the late response. We created a Github Actions job to verify the submission PRs. The current test run mostly failed because we switched the After you fix these issues the Github Action will run again, and it will test the exploit compilation and exploit reproduction too. The compilation failed for us with The exploit reproduction (10 tries) will also probably fail based on our internal tests, but maybe this happens because of the mentioned If the reproduction fails for some other reason, then please take a look why it fails. The reproduction system is a bit different than the live one (it runs the exploit directly from So feel free to modify the PR and the Github Action will run again and you will see the new verification results. Thank you for your submission and participating in kernelCTF! |
Co-authored-by: Tamás Koczka <[email protected]>
Co-authored-by: Tamás Koczka <[email protected]>
Co-authored-by: Tamás Koczka <[email protected]>
Hey. Thanks for the update. My Makefile was using a slightly different target, so I fixed that. The exploit is using side channels for KASLR bypass. This does not appear to be working on the runner, does however work on the real instances. (tbh I haven't checked in a while, where there any infra changes?). Any suggestions on how to proceed here? I can have a closer look in a week or so. |
So I checked again, the cache timing side channel works fine on the real instance. Both use QEMUs Would KASLR disabled be an option for the CI job? As far as the CTF is concerned KASLR bruteforce is a valid strategy anyway, so you probably do not want such submissions to spam your runner too. Also the CLA check is failing because apparently you (@koczkatamas) are not approved as a contributor and we shared some commits. (sorry for closing the PR, the buttons are pretty close ..) |
Hey!
Yeah, we will provide an option to disable KASLR. When it's ready (ETA:
next week), I will comment here.
…On Fri, Sep 1, 2023, 15:38 liona24 ***@***.***> wrote:
Reopened #34 <#34>.
—
Reply to this email directly, view it on GitHub
<#34 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAT4XUTUVAZVKQ5EL4DERJDXYHQN5ANCNFSM6AAAAAA2VGHKII>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
Implemented, KASLR base will be supplied as the first argument to You need to change to the v3 metadata schema and modify the exploits node to this: "exploits": {
"mitigation-6.1": {
"uses": ["userns"],
"stability_notes": "5% success rate",
"requires_separate_kaslr_leak": true
}
} See the full modified file here: https://github.com/koczkatamas2/security-research/pull/1/files#diff-a3e5b8f8744c0ae7ff2ed99f0c28cb0a940bf5b6964a86eeecc0fa42d19bdd6d |
Alright thank you very much. The only thing missing now is the CLA check because of the co-authored commits. |
No description provided.