Add kernelCTF CVE-2026-31533_lts_cos#33
Open
d4em0n wants to merge 2 commits into
Open
Conversation
cb8d4f4 to
f83c9ab
Compare
net/tls use-after-free in the -EBUSY error path of tls_do_encryption() (double-decrement of the encrypt_pending sentinel + double scatterlist restore). Exploited as a 0-day on lts-6.12.77 and cos-121-18867.381.30 (submission exp466). Reproduces at 100% in the exploit_repro workflow.
63f641f to
c886f9c
Compare
The previous --vuln-trigger used the full exploit's heavy saturation (3000 threads / 4000 fds) and setrlimit(0x8000), which fails under the vuln-verify environment (unprivileged fd limit ~1024, KASAN ~3-5x slower) -- it never landed -EBUSY, so no KASAN report and vuln_verify returned UNKNOWN. Rework the trigger to fit that environment: raise RLIMIT_NOFILE to the hard limit, use a lean op-fd pool (~1008) for a finite AF_ALG MAY_BACKLOG burst that momentarily overflows the per-CPU cryptd queue (cryptd_max_cpu_qlen=1000), push a pending TLS record with sk_err set to corrupt the encrypt_pending sentinel, then submit one more async encrypt so the tls_rec is freed while a cryptd callback is still pending. With no heap spray the freed record's scatterlist is walked by __sk_msg_free()/bpf_exec_tx_verdict(), producing a KASAN report on the unpatched kernel (locally reproduced on a KASAN 6.12.77 build); the patch skips the double cleanup so it stays silent. Counts are overridable via VT_N / VT_DELAY / VT_RETRY. The normal (flag-capturing) exploit path is unchanged.
6969d79 to
536274e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
kernelCTF submission exp466 —
net/tlsuse-after-free in the-EBUSYerror path oftls_do_encryption()(CVE-2026-31533).lts-6.12.77,cos-121-18867.381.30(0-day on LTS)a9b8b18364ff(net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption)859054147318(v6.8)original.tar.gzSHA256 matches the recorded exploit hash (4f2a274…ede92).Status / plan
exploit_reproreliability on the real bzImages.--vuln-triggerKASAN mode.Internal CI dry-run on this branch (
check-submission.py) passes structure verification.