Add kernelCTF CVE-2026-31419_cos (fix CI hang)#398
Closed
winmin wants to merge 8 commits into
Conversation
The exploit's infinite retry loops caused CI verification to hang:
- main() while(1) loop retried forever on patched kernels where the race can never succeed
- exploit() inner race loop also had no bound

Add MAX_EXPLOIT_RETRIES (50), EXPLOIT_TIMEOUT_SEC (120s), and MAX_RACE_ATTEMPTS (2000) so the exploit exits cleanly when it fails, allowing the CI to distinguish "exploit failed" from "VM hung".
The original prefetch side-channel KASLR leak fails in CI's QEMU/KVM environment, returning wrong kernel base addresses every time. Replace with the approach from CVE-2025-21700 (adapted from IAIK prefetch project) which uses:
- Asymmetric fences (mfence/lfence) for better timing precision
- prefetchnta + prefetcht2 combo instead of dual prefetcht0
- 16 iterations per probe (vs 12) for better noise averaging
- Boyer-Moore majority vote with 7 rounds and automatic retry
- Wider scan range (up to 0xffffffffD0000000)
CI runners use AMD EPYC 7763 where prefetch timing is inverted: mapped kernel pages show HIGHER latency (not lower like Intel). Switch to the AMD-compatible technique from CVE-2025-39946:
- 2MB scan steps instead of 16MB (finer granularity for AMD)
- Sliding window of 11 consecutive entries to find the largest contiguous high-latency region (= mapped kernel text)
- 9 voting rounds with Boyer-Moore majority vote
- Same rdtsc/prefetch primitives (prefetchnta + prefetcht2)
The core_pattern flag-reading mechanism failed in CI because crash(666, "/tmp/exp") couldn't find the binary at /tmp/exp. Use /proc/self/exe which always resolves to the current executable regardless of the deployment path.
Contributor
LLM saved my life

Contributor
It seems our exploit didn't work on the remote, but the CI is broken.
Summary
- Infinite retry loops caused vuln_verify to report "VM hanged before running exploit"
- Add MAX_RACE_ATTEMPTS (2000), MAX_EXPLOIT_RETRIES (50), and EXPLOIT_TIMEOUT_SEC (120s) to ensure clean exit on failure

Changes from original PR
- exploit.c: Inner race while(1) → bounded loop (2000 iterations)
- exploit.c: Outer retry while(1) → bounded loop (50 retries, 120s timeout)

Test plan
- vuln_verify should no longer hang on patched KASAN kernel (clean exit instead)
- vuln_verify should no longer hang on COS kernel (clean exit or successful exploit)
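The bounded-retry structure this PR describes (a retry budget plus a wall-clock deadline, with a distinct exit status for each outcome so a CI harness can tell "gave up" from "timed out" from "never exited"), as an added example that is not code from this PR or the kernelCTF repository. `run_bounded`, `fake_attempt` and the `run_result` codes are hypothetical names; the limit values are the ones quoted in the PR text.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <time.h>

/* Limits quoted in the PR description. */
#define MAX_EXPLOIT_RETRIES 50
#define EXPLOIT_TIMEOUT_SEC 120

/* Exit codes a harness can distinguish. A process that never exits with
 * any of these is then evidence that the VM itself hung. */
enum run_result { RUN_SUCCESS = 0, RUN_EXHAUSTED = 1, RUN_TIMEOUT = 2 };

typedef int (*attempt_fn)(void *ctx);   /* returns 1 on success, 0 on failure */

/* Call attempt() until it succeeds, the retry budget is spent, or the
 * monotonic deadline passes; never loops forever. */
enum run_result run_bounded(attempt_fn attempt, void *ctx, int max_retries,
                            double timeout_sec, int *attempts_made)
{
    struct timespec start, now;
    int n = 0;
    enum run_result res = RUN_EXHAUSTED;
    clock_gettime(CLOCK_MONOTONIC, &start);
    while (n < max_retries) {
        clock_gettime(CLOCK_MONOTONIC, &now);
        double elapsed = (double)(now.tv_sec - start.tv_sec)
                       + (double)(now.tv_nsec - start.tv_nsec) / 1e9;
        if (elapsed >= timeout_sec) { res = RUN_TIMEOUT; break; }
        n++;
        if (attempt(ctx)) { res = RUN_SUCCESS; break; }
    }
    if (attempts_made) *attempts_made = n;
    return res;
}

/* Constructed stand-in for the real attempt: succeeds on call number
 * succeed_on, or never when succeed_on is 0 (a patched kernel). */
struct counter { int calls; int succeed_on; };
static int fake_attempt(void *ctx)
{
    struct counter *c = ctx;
    c->calls++;
    return c->succeed_on > 0 && c->calls == c->succeed_on;
}

int main(void)
{
    struct counter c = { 0, 0 };   /* never succeeds: exits RUN_EXHAUSTED after 50 tries */
    int made = 0;
    enum run_result r = run_bounded(fake_attempt, &c, MAX_EXPLOIT_RETRIES,
                                    EXPLOIT_TIMEOUT_SEC, &made);
    printf("result=%d attempts=%d\n", r, made);
    return r;
}
```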