
Add kernelCTF CVE-2023-31436 #34

Merged
merged 7 commits into from
Sep 20, 2023

Conversation

liona24
Contributor

@liona24 liona24 commented Jul 24, 2023

No description provided.

@koczkatamas koczkatamas added recheck Triggers kernelCTF PR verification again and removed recheck Triggers kernelCTF PR verification again labels Aug 24, 2023
Collaborator

@koczkatamas koczkatamas left a comment


We switched JSON schema version, please accept these changes to make the PR check succeed.

@koczkatamas
Collaborator

Hey!

Sorry for the late response. We created a Github Actions job to verify the submission PRs.

The current test run mostly failed because we switched the metadata.json schema version; I made a code change suggestion above on how to fix these issues. You can see the current test run results here: https://github.com/google/security-research/actions/runs/5964149526

After you fix these issues the Github Action will run again, and it will test the exploit compilation and exploit reproduction too.

The compilation failed for us with undefined reference to 'flush_cache'.

The exploit reproduction (10 tries) will also probably fail based on our internal tests, but maybe this happens because of the mentioned 5% success rate. In this case we will re-run the tests, as long as it repros at least once, you are good to go.

If the reproduction fails for some other reason, then please take a look at why it fails. The reproduction system is a bit different from the live one (it runs the exploit directly from /init and there is no nsjail). You can also give feedback on how we should modify our reproduction procedure.

So feel free to modify the PR and the Github Action will run again and you will see the new verification results.

Thank you for your submission and participating in kernelCTF!

@liona24
Contributor Author

liona24 commented Aug 25, 2023

Hey. Thanks for the update. My Makefile was using a slightly different target, so I fixed that. The exploit is using side channels for KASLR bypass. This does not appear to be working on the runner; it does, however, work on the real instances. (tbh I haven't checked in a while, were there any infra changes?) Any suggestions on how to proceed here? I can have a closer look in a week or so.

@liona24
Contributor Author

liona24 commented Sep 1, 2023

So I checked again, the cache timing side channel works fine on the real instance. Both use QEMU's -cpu host, not sure what is underneath here.

Would KASLR disabled be an option for the CI job? As far as the CTF is concerned KASLR bruteforce is a valid strategy anyway, so you probably do not want such submissions to spam your runner too.

Also the CLA check is failing because apparently you (@koczkatamas) are not approved as a contributor and we shared some commits.

(sorry for closing the PR, the buttons are pretty close ..)

@liona24 liona24 closed this Sep 1, 2023
@liona24 liona24 reopened this Sep 1, 2023
@koczkatamas
Collaborator

koczkatamas commented Sep 1, 2023 via email

@koczkatamas
Collaborator

Implemented, KASLR base will be supplied as the first argument to ./exploit. Example full command line: su user -c '/tmp/exp/exploit ffffffff8a000000'.

You need to change to the v3 metadata schema and modify the exploits node to this:

    "exploits": {
        "mitigation-6.1": {
            "uses": ["userns"],
            "stability_notes": "5% success rate",
            "requires_separate_kaslr_leak": true
        }
    }

See the full modified file here: https://github.com/koczkatamas2/security-research/pull/1/files#diff-a3e5b8f8744c0ae7ff2ed99f0c28cb0a940bf5b6964a86eeecc0fa42d19bdd6d

@liona24
Contributor Author

liona24 commented Sep 18, 2023

Alright thank you very much. The only thing missing now is the CLA check because of the co-authored commits.

@koczkatamas koczkatamas merged commit 7b14d11 into google:master Sep 20, 2023
1 check passed