kernelCTF: added CVE-2024-1086 lts mitigation
Apparently docs/exploit.md got corrupted locally in between git commits. It seems like I'll need to rewrite a large part of docs/exploit.md again. I hope I can get it done before you're done evaluating the older entries 👍
All documentation is completed now and the PR is ready for merge in my eyes. Force-push above was required to correct git email in a commit (required due to CLA).
The only thing left to fix is the attached files (due to static glibc compiles causing trouble), as discussed with KT, but they would look into it.
Feel free to give feedback :-)
It would be useful to link to your blog post in the writeup (https://pwning.tech/nftables/) because some techniques like dirty pagedirectory are explained in more detail there. Also, specifically regarding dirty PGD, I think the explanation (both here in the PR and on your website) is a bit hard to understand; maybe, instead of this diagram, you could have something where you show that the PUD points back to itself (that is, there is a cycle in the page tables)? Sometimes OS developers set up the page tables like this intentionally (they call it "recursive page tables"), so some of the diagrams from an article like this can help: https://medium.com/@connorstack/recursive-page-tables-ad1e03b20a85
Great feedback, thanks! I'll try to fix it before the end of the week
> Also specifically regarding dirty PGD, I think the explanation (both here in the PR and on your website) is a bit hard to understand, maybe instead of this diagram you could have something where you show that the PUD points back to itself (that is, there is a cycle in the page tables)? Sometimes OS developers set up the page tables like this intentionally (they call it "recursive page tables") so some of the diagrams from an article like this can help https://medium.com/@connorstack/recursive-page-tables-ad1e03b20a85
Thanks for the feedback. I believe my explanation may have accidentally misled you: it does not implement recursive pagetable-like mechanisms. It simply causes an arbitrary Page Upper Directory (PUD) and arbitrary Page Middle Directory (PMD) to be overlapped (called "PUD+PMD" in the writeups). Hence no recursion happens, as the overlapping PMD is not a child of the overlapped PUD, but is the child of a normal PUD.
Do you have ideas for how I could clear this up in the write-ups? I tried to convey this in the original diagram by showing that the table index used differs between the PUDs.
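The distinction drawn in this exchange (a recursive page table, where a directory entry points back at its own table and a walk visits the same frame twice, versus an overlapped PUD+PMD, where one frame is referenced as a PUD by one parent and as a PMD by a different, ordinary PUD, so no walk ever revisits a frame) can be modelled with a small x86-64 style 4-level page-table walker. The following is an added example and is not code from the kernelCTF PR, the exploit, or the linked blog post; the frame numbers, table contents and the `walk`/`has_cycle` helpers are constructed for illustration.

```python
"""Model of an x86-64 4-level page-table walk (PGD -> PUD -> PMD -> PTE).

Added example, not from the kernelCTF submission. Physical memory is a dict
mapping a frame number to its table entries (index -> next frame); frame
numbers such as 0x100 are constructed placeholders, not real addresses.
"""

PAGE_SHIFT = 12
LEVELS = ("PGD", "PUD", "PMD", "PTE")


def indices(va: int):
    """Split a 48-bit virtual address into its four 9-bit table indices."""
    return tuple((va >> (PAGE_SHIFT + 9 * (3 - lvl))) & 0x1FF for lvl in range(4))


def make_va(pgd: int, pud: int, pmd: int, pte: int, offset: int = 0) -> int:
    """Build a virtual address from explicit table indices (inverse of indices())."""
    assert all(0 <= i < 512 for i in (pgd, pud, pmd, pte)) and 0 <= offset < 4096
    return (pgd << 39) | (pud << 30) | (pmd << 21) | (pte << 12) | offset


def walk(tables: dict, root: int, va: int):
    """Translate `va` starting from the PGD frame `root`.

    Returns (path, cyclic): `path` lists (level, frame) pairs in the order the
    hardware would interpret them (ending in ("DATA", frame) if the walk
    completes); `cyclic` is True when the same frame is interpreted twice
    within this single walk, i.e. an entry led back to a table already used.
    """
    path, seen, frame, cyclic = [], set(), root, False
    for lvl, idx in enumerate(indices(va)):
        path.append((LEVELS[lvl], frame))
        if frame in seen:
            cyclic = True
        seen.add(frame)
        nxt = tables.get(frame, {}).get(idx)
        if nxt is None:                    # not-present entry: walk stops here
            return path, cyclic
        frame = nxt
    path.append(("DATA", frame))
    return path, cyclic


def reachable(tables: dict, frame: int) -> set:
    """Frames transitively referenced by `frame` (plain graph reachability)."""
    out, stack = set(), [frame]
    while stack:
        for nxt in tables.get(stack.pop(), {}).values():
            if nxt not in out:
                out.add(nxt)
                stack.append(nxt)
    return out


def has_cycle(tables: dict, frame: int) -> bool:
    """A table is part of a cycle iff it is among its own descendants."""
    return frame in reachable(tables, frame)


# Scenario A (constructed): a *recursive* layout. PUD frame 0x200 has entry
# 511 pointing back at itself, the pattern the linked article describes.
RECURSIVE = {
    0x100: {0: 0x200},            # PGD[0]  -> PUD
    0x200: {0: 0x300, 511: 0x200},  # PUD[0]  -> PMD, PUD[511] -> PUD itself
    0x300: {0: 0x400},            # PMD[0]  -> PTE table
    0x400: {0: 0x500},            # PTE[0]  -> data frame 0x500
}

# Scenario B (constructed): an *overlapped* PUD+PMD. Frame 0x300 is reached as
# a PMD from the ordinary PUD 0x200 and as a PUD directly from PGD[1]. None of
# 0x300's own entries lead back to 0x300, so there is no cycle.
OVERLAPPED = {
    0x100: {0: 0x200, 1: 0x300},  # PGD[0] -> normal PUD, PGD[1] -> 0x300 as PUD
    0x200: {0: 0x300},            # normal PUD[0] -> 0x300 as PMD
    0x300: {0: 0x400},            # entries of the shared frame
    0x400: {0: 0x500},
}


def levels_seen(tables: dict, root: int, vas, frame: int) -> set:
    """Set of levels at which `frame` is interpreted across several walks."""
    return {lvl for va in vas for lvl, f in walk(tables, root, va)[0] if f == frame}


if __name__ == "__main__":
    print("recursive:", walk(RECURSIVE, 0x100, make_va(0, 511, 0, 0)))
    print("recursive PUD in a cycle:", has_cycle(RECURSIVE, 0x200))
    for va in (make_va(0, 0, 0, 0), make_va(1, 0, 0, 0)):
        print("overlapped:", walk(OVERLAPPED, 0x100, va))
    print("overlapped frame in a cycle:", has_cycle(OVERLAPPED, 0x300))
    print("levels of 0x300:", levels_seen(OVERLAPPED, 0x100,
                                          [make_va(0, 0, 0, 0), make_va(1, 0, 0, 0)], 0x300))
```

In scenario A the self-referencing entry makes a single walk interpret frame 0x200 first as a PUD and then again as a PMD, and `has_cycle` reports that 0x200 is its own descendant. In scenario B no walk revisits a frame and `has_cycle` is false for 0x300; the frame merely shows up as a PUD in one walk and as a PMD in another, which is the "overlap without recursion" the comment above describes.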
Ah, I see, yes, now the diagram makes more sense. Yeah, I don't really know how to make that clearer; maybe you could add the note from your latest comment to the writeup.
Done 👍 @koczkatamas can I resolve the changes you requested?
Thanks! I've made one comment.
The review will be continued by @matrizzo, but he is out-of-office this week, so probably next week earliest.
@matrizzo This seems to have fallen through the cracks. :^)
Yeah, I think it would be great if we could continue with the review :-)
Hey! Sorry for the long process...
Meanwhile, could you please take a look at the other nftables submissions (we got a ton) and how they solved not including the Linux kernel header files?
This also needs to be resolved before we can merge the commit.
I will ping @matrizzo to try to finish the review this week.
@koczkatamas @matrizzo it took a couple of tries but I got rid of the headers 👍
Looks good, thanks for the submission