Add kernelCTF CVE-2026-31533_lts_cos#401

Open

d4em0n wants to merge 2 commits into google:master from star-sg:CVE-2026-31533_lts_cos

Conversation

@d4em0n d4em0n (Contributor) commented Jun 22, 2026

No description provided.

d4em0n added 2 commits June 22, 2026 12:33
net/tls use-after-free in the -EBUSY error path of tls_do_encryption()
(double-decrement of the encrypt_pending sentinel + double scatterlist
restore). Exploited as a 0-day on lts-6.12.77 and cos-121-18867.381.30
(submission exp466). Reproduces at 100% in the exploit_repro workflow.
The previous --vuln-trigger used the full exploit's heavy saturation (3000
threads / 4000 fds) and setrlimit(0x8000), which fails under the vuln-verify
environment (unprivileged fd limit ~1024, KASAN ~3-5x slower) -- it never
landed -EBUSY, so no KASAN report and vuln_verify returned UNKNOWN.

Rework the trigger to fit that environment: raise RLIMIT_NOFILE to the hard
limit, use a lean op-fd pool (~1008) for a finite AF_ALG MAY_BACKLOG burst that
momentarily overflows the per-CPU cryptd queue (cryptd_max_cpu_qlen=1000), push
a pending TLS record with sk_err set to corrupt the encrypt_pending sentinel,
then submit one more async encrypt so the tls_rec is freed while a cryptd
callback is still pending. With no heap spray the freed record's scatterlist is
walked by __sk_msg_free()/bpf_exec_tx_verdict(), producing a KASAN report on
the unpatched kernel (locally reproduced on a KASAN 6.12.77 build); the patch
skips the double cleanup so it stays silent. Counts are overridable via
VT_N / VT_DELAY / VT_RETRY. The normal (flag-capturing) exploit path is
unchanged.
@d4em0n d4em0n force-pushed the CVE-2026-31533_lts_cos branch from 6969d79 to 536274e on June 22, 2026 07:38
@koczkatamas koczkatamas added the kCTF: vuln OK The submission exploits the claims vulnerability (passed manual verification) label Jun 30, 2026
@koczkatamas koczkatamas (Collaborator) commented

Hey! We did not find a bughunters.google.com report for this submission, so the payment process is blocked. Please file a Bughunters report, so we can pay out the first half of the reward.
