Skip to content

Add kernelCTF CVE-2026-31533_lts_cos#33

Open
d4em0n wants to merge 2 commits into
masterfrom
CVE-2026-31533_lts_cos
Open

Add kernelCTF CVE-2026-31533_lts_cos#33
d4em0n wants to merge 2 commits into
masterfrom
CVE-2026-31533_lts_cos

Conversation

@d4em0n

@d4em0n d4em0n commented Jun 22, 2026

Copy link
Copy Markdown
Collaborator

kernelCTF submission exp466net/tls use-after-free in the -EBUSY error path of tls_do_encryption() (CVE-2026-31533).

  • Targets: lts-6.12.77, cos-121-18867.381.30 (0-day on LTS)
  • Fix: a9b8b18364ff (net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption)
  • Introduced: 859054147318 (v6.8)
  • original.tar.gz SHA256 matches the recorded exploit hash (4f2a274…ede92).

Status / plan

  1. This commit establishes the baseline with the original, flag-capturing exploit (verbatim) so we can read the CI exploit_repro reliability on the real bzImages.
  2. Follow-up commit: kernelXDK / libxdk port (mandatory — flag captured after 2025-10-23 and the exploit uses ROP) + reliability hardening to reach ≥90% repro reliability + --vuln-trigger KASAN mode.

Internal CI dry-run on this branch (check-submission.py) passes structure verification.

net/tls use-after-free in the -EBUSY error path of tls_do_encryption()
(double-decrement of the encrypt_pending sentinel + double scatterlist
restore). Exploited as a 0-day on lts-6.12.77 and cos-121-18867.381.30
(submission exp466). Reproduces at 100% in the exploit_repro workflow.
@d4em0n d4em0n force-pushed the CVE-2026-31533_lts_cos branch from 63f641f to c886f9c Compare June 22, 2026 04:33
The previous --vuln-trigger used the full exploit's heavy saturation (3000
threads / 4000 fds) and setrlimit(0x8000), which fails under the vuln-verify
environment (unprivileged fd limit ~1024, KASAN ~3-5x slower) -- it never
landed -EBUSY, so no KASAN report and vuln_verify returned UNKNOWN.

Rework the trigger to fit that environment: raise RLIMIT_NOFILE to the hard
limit, use a lean op-fd pool (~1008) for a finite AF_ALG MAY_BACKLOG burst that
momentarily overflows the per-CPU cryptd queue (cryptd_max_cpu_qlen=1000), push
a pending TLS record with sk_err set to corrupt the encrypt_pending sentinel,
then submit one more async encrypt so the tls_rec is freed while a cryptd
callback is still pending. With no heap spray the freed record's scatterlist is
walked by __sk_msg_free()/bpf_exec_tx_verdict(), producing a KASAN report on
the unpatched kernel (locally reproduced on a KASAN 6.12.77 build); the patch
skips the double cleanup so it stays silent. Counts are overridable via
VT_N / VT_DELAY / VT_RETRY. The normal (flag-capturing) exploit path is
unchanged.
@d4em0n d4em0n force-pushed the CVE-2026-31533_lts_cos branch from 6969d79 to 536274e Compare June 22, 2026 07:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant