Add kernelCTF CVE-2026-31533_lts_cos#401
Open
d4em0n wants to merge 2 commits into
Conversation
net/tls use-after-free in the -EBUSY error path of tls_do_encryption() (double-decrement of the encrypt_pending sentinel + double scatterlist restore). Exploited as a 0-day on lts-6.12.77 and cos-121-18867.381.30 (submission exp466). Reproduces at 100% in the exploit_repro workflow.
The previous --vuln-trigger used the full exploit's heavy saturation (3000 threads / 4000 fds) and setrlimit(0x8000), which fails under the vuln-verify environment (unprivileged fd limit ~1024, KASAN ~3-5x slower) -- it never landed -EBUSY, so no KASAN report and vuln_verify returned UNKNOWN. Rework the trigger to fit that environment: raise RLIMIT_NOFILE to the hard limit, use a lean op-fd pool (~1008) for a finite AF_ALG MAY_BACKLOG burst that momentarily overflows the per-CPU cryptd queue (cryptd_max_cpu_qlen=1000), push a pending TLS record with sk_err set to corrupt the encrypt_pending sentinel, then submit one more async encrypt so the tls_rec is freed while a cryptd callback is still pending. With no heap spray the freed record's scatterlist is walked by __sk_msg_free()/bpf_exec_tx_verdict(), producing a KASAN report on the unpatched kernel (locally reproduced on a KASAN 6.12.77 build); the patch skips the double cleanup so it stays silent. Counts are overridable via VT_N / VT_DELAY / VT_RETRY. The normal (flag-capturing) exploit path is unchanged.
6969d79 to 536274e
Collaborator
Hey! We did not find a bughunters.google.com report for this submission, so the payment process is blocked. Please file a Bughunters report, so we can pay out the first half of the reward.
No description provided.