Add kernelCTF CVE-2025-38000_lts_cos_mitigation#296

Open
mingi wants to merge 5 commits intogoogle:masterfrom
mingi:CVE-2025-38000_lts_cos_mitigation
Conversation

@mingi (Contributor) commented Dec 10, 2025

No description provided.

@koczkatamas (Collaborator) commented:

Hey!

If I compile the stable version of the patch commit (https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=93c276942e75de0e5bc91576300d292e968f5a02) with KASAN and run the exploit, it still crashes the kernel.

Can you help us understand why that is? Is this the right patch commit?

(This blocks the payout of the first half of the reward.)

Logs:

[    2.294229] drr_dequeue: hfsc qdisc 2: is non-work-conserving?
[    2.347588] ==================================================================
[    2.350135] BUG: KASAN: slab-use-after-free in drr_dequeue+0x53/0x470
[    2.352384] Read of size 8 at addr ffff88810476e260 by task exp/119
[    2.354556] 
[    2.355170] CPU: 0 PID: 119 Comm: exp Not tainted 6.6.92+ #189
[    2.357206] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[    2.360498] Call Trace:
[    2.361411]  <TASK>
[    2.362215]  dump_stack_lvl+0x49/0x60
[    2.363532]  print_report+0xc5/0x650
[    2.364830]  ? preempt_count_add+0x1c/0xc0
[    2.366280]  ? preempt_count_sub+0x14/0xc0
[    2.367750]  ? __virt_addr_valid+0x128/0x1a0
[    2.369286]  ? drr_dequeue+0x53/0x470
[    2.370612]  kasan_report+0xb9/0xf0
[    2.371899]  ? drr_dequeue+0x53/0x470
[    2.373213]  drr_dequeue+0x53/0x470
[    2.374531]  __qdisc_run+0xf3/0xa20
[    2.375846]  __dev_queue_xmit+0xdc0/0x16f0
[    2.377305]  ? __check_object_size+0x269/0x400
[    2.378962]  ? __pfx___dev_queue_xmit+0x10/0x10
[    2.380595]  ? ip_generic_getfrag+0xb0/0x170
[    2.382133]  ? __pfx_ip_generic_getfrag+0x10/0x10
[    2.383842]  ? chacha_block_generic+0xde/0x140
[    2.385417]  ? __pfx_chacha_block_generic+0x10/0x10
[    2.387146]  ? __rmqueue_pcplist+0x1e6/0x1170
[    2.388699]  ? __ip_append_data+0x1313/0x1d40
[    2.390264]  ip_finish_output2+0x55e/0xac0
[    2.391758]  ? __pfx_ip_skb_dst_mtu+0x10/0x10
[    2.393371]  ? __pfx_ip_finish_output2+0x10/0x10
[    2.395037]  ip_output+0xe0/0x1b0
[    2.396248]  ? __pfx_ip_output+0x10/0x10
[    2.397657]  ? __pfx_ip_finish_output+0x10/0x10
[    2.399356]  ? __pfx_ip_generic_getfrag+0x10/0x10
[    2.401103]  ? __pfx_ip_make_skb+0x10/0x10
[    2.402552]  ip_send_skb+0xbd/0xd0
[    2.403802]  udp_send_skb+0x2db/0x690
[    2.405141]  udp_sendmsg+0xc85/0x12c0
[    2.406464]  ? __pfx_ip_generic_getfrag+0x10/0x10
[    2.408139]  ? __pfx_udp_sendmsg+0x10/0x10
[    2.409592]  ? __orc_find+0x6c/0xd0
[    2.410861]  ? ftrace_graph_ret_addr+0x1f/0xa0
[    2.412461]  ? unwind_next_frame+0x73b/0xd70
[    2.414002]  ? __orc_find+0x6c/0xd0
[    2.415262]  ? __pfx_stack_trace_consume_entry+0x10/0x10
[    2.417153]  ? is_bpf_text_address+0x1e/0x30
[    2.418738]  ? kernel_text_address+0x11f/0x130
[    2.420352]  ? arch_stack_walk+0xa8/0x100
[    2.421771]  ? inet_send_prepare+0x2f/0x120
[    2.423258]  ? sock_write_iter+0x296/0x2e0
[    2.424738]  sock_write_iter+0x296/0x2e0
[    2.426138]  ? __pfx_sock_write_iter+0x10/0x10
[    2.427743]  ? apparmor_file_permission+0xfe/0x180
[    2.429435]  ? __pfx_sock_write_iter+0x10/0x10
[    2.431030]  vfs_write+0x5da/0x6a0
[    2.432268]  ? __pfx_vfs_write+0x10/0x10
[    2.433675]  ? __fget_light+0x1b0/0x200
[    2.435067]  ? __rcu_read_unlock+0x2f/0x70
[    2.436524]  ksys_write+0x131/0x160
[    2.437840]  ? __pfx_ksys_write+0x10/0x10
[    2.439315]  ? __pfx_ip4_datagram_release_cb+0x10/0x10
[    2.441116]  do_syscall_64+0x5e/0x90
[    2.442400]  ? release_sock+0xa0/0xd0
[    2.443727]  ? preempt_count_sub+0x14/0xc0
[    2.445194]  ? __local_bh_enable_ip+0x37/0x90
[    2.446772]  ? ip4_datagram_connect+0x31/0x40
[    2.448340]  ? __sys_connect+0x10c/0x130
[    2.449745]  ? __pfx___sys_connect+0x10/0x10
[    2.451300]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.453046]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.454749]  ? do_syscall_64+0x6a/0x90
[    2.456136]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.457861]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.459560]  ? do_syscall_64+0x6a/0x90
[    2.460910]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.462633]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.464348]  ? do_syscall_64+0x6a/0x90
[    2.465701]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.467402]  ? do_syscall_64+0x6a/0x90
[    2.468737]  ? do_syscall_64+0x6a/0x90
[    2.470077]  ? clear_bhb_loop+0x60/0xb0
[    2.471451]  ? clear_bhb_loop+0x60/0xb0
[    2.472831]  ? clear_bhb_loop+0x60/0xb0
[    2.474484]  ? clear_bhb_loop+0x60/0xb0
[    2.476370]  ? clear_bhb_loop+0x60/0xb0
[    2.477957]  entry_SYSCALL_64_after_hwframe+0x78/0xe2
[    2.479767] RIP: 0033:0x466d37
[    2.480889] Code: 48 89 fa 4c 89 df e8 98 1d 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[    2.487236] RSP: 002b:00007fff9b4ab9f0 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[    2.489842] RAX: ffffffffffffffda RBX: 000000003bf8b3c0 RCX: 0000000000466d37
[    2.492320] RDX: 0000000000000001 RSI: 00007fff9b4aba50 RDI: 0000000000000013
[    2.494792] RBP: 00007fff9b4bba80 R08: 0000000000000000 R09: 0000000000000000
[    2.497302] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff9b4bbff8
[    2.499813] R13: 0000000000000002 R14: 00000000004cd760 R15: 0000000000000002
[    2.502291]  </TASK>
[    2.503132] 
[    2.503735] Allocated by task 119:
[    2.504973]  kasan_save_stack+0x2c/0x50
[    2.506352]  kasan_set_track+0x21/0x30
[    2.507719]  __kasan_kmalloc+0x8b/0x90
[    2.509066]  drr_change_class+0x24b/0x650
[    2.510484]  tc_ctl_tclass+0x28d/0x770
[    2.511841]  rtnetlink_rcv_msg+0x206/0x580
[    2.513285]  netlink_rcv_skb+0xdd/0x210
[    2.514658]  netlink_unicast+0x392/0x4e0
[    2.516063]  netlink_sendmsg+0x3ce/0x6f0
[    2.517464]  ____sys_sendmsg+0x594/0x5d0
[    2.518931]  ___sys_sendmsg+0xfd/0x170
[    2.520285]  __sys_sendmsg+0x163/0x1b0
[    2.521625]  do_syscall_64+0x5e/0x90
[    2.522936]  entry_SYSCALL_64_after_hwframe+0x78/0xe2
[    2.524708] 
[    2.525309] Freed by task 119:
[    2.526425]  kasan_save_stack+0x2c/0x50
[    2.527838]  kasan_set_track+0x21/0x30
[    2.529171]  kasan_save_free_info+0x27/0x50
[    2.530718]  ____kasan_slab_free+0x11f/0x1a0
[    2.532271]  __kmem_cache_free+0x164/0x300
[    2.533739]  drr_delete_class+0x1cb/0x2d0
[    2.535174]  tc_ctl_tclass+0x61c/0x770
[    2.536530]  rtnetlink_rcv_msg+0x206/0x580
[    2.537978]  netlink_rcv_skb+0xdd/0x210
[    2.539342]  netlink_unicast+0x392/0x4e0
[    2.540727]  netlink_sendmsg+0x3ce/0x6f0
[    2.542124]  ____sys_sendmsg+0x594/0x5d0
[    2.543540]  ___sys_sendmsg+0xfd/0x170
[    2.544918]  __sys_sendmsg+0x163/0x1b0
[    2.546257]  do_syscall_64+0x5e/0x90
[    2.547547]  entry_SYSCALL_64_after_hwframe+0x78/0xe2
[    2.549338] 
[    2.549949] The buggy address belongs to the object at ffff88810476e200
[    2.549949]  which belongs to the cache kmalloc-128 of size 128
[    2.554204] The buggy address is located 96 bytes inside of
[    2.554204]  freed 128-byte region [ffff88810476e200, ffff88810476e280)
[    2.558361] 
[    2.559064] The buggy address belongs to the physical page:
[    2.561032] page:00000000383a559e refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10476e
[    2.564278] flags: 0x100000000000800(slab|node=0|zone=2)
[    2.566121] page_type: 0xffffffff()
[    2.567400] raw: 0100000000000800 ffff8881000418c0 dead000000000122 0000000000000000
[    2.570086] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
[    2.572768] page dumped because: kasan: bad access detected
[    2.574726] 
[    2.575339] Memory state around the buggy address:
[    2.577028]  ffff88810476e100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    2.579537]  ffff88810476e180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    2.582063] >ffff88810476e200: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    2.584570]                                                        ^
[    2.586773]  ffff88810476e280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[    2.589286]  ffff88810476e300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[    2.591844] ==================================================================
[    2.594407] Kernel panic - not syncing: kasan.fault=panic set ...
[    2.596553] CPU: 0 PID: 119 Comm: exp Not tainted 6.6.92+ #189
[    2.598631] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[    2.601919] Call Trace:
[    2.602821]  <TASK>
[    2.603639]  dump_stack_lvl+0x49/0x60
[    2.604953]  panic+0x216/0x410
[    2.606072]  ? __pfx_panic+0x10/0x10
[    2.607379]  ? drr_dequeue+0x53/0x470
[    2.608685]  ? check_panic_on_warn+0x2b/0x80
[    2.610209]  ? drr_dequeue+0x53/0x470
[    2.611536]  end_report+0xe3/0xf0
[    2.612858]  kasan_report+0xc9/0xf0
[    2.614144]  ? drr_dequeue+0x53/0x470
[    2.615478]  drr_dequeue+0x53/0x470
[    2.616742]  __qdisc_run+0xf3/0xa20
[    2.618038]  __dev_queue_xmit+0xdc0/0x16f0
[    2.619509]  ? __check_object_size+0x269/0x400
[    2.621094]  ? __pfx___dev_queue_xmit+0x10/0x10
[    2.622730]  ? ip_generic_getfrag+0xb0/0x170
[    2.624278]  ? __pfx_ip_generic_getfrag+0x10/0x10
[    2.625943]  ? chacha_block_generic+0xde/0x140
[    2.627549]  ? __pfx_chacha_block_generic+0x10/0x10
[    2.629270]  ? __rmqueue_pcplist+0x1e6/0x1170
[    2.630843]  ? __ip_append_data+0x1313/0x1d40
[    2.632428]  ip_finish_output2+0x55e/0xac0
[    2.633900]  ? __pfx_ip_skb_dst_mtu+0x10/0x10
[    2.635474]  ? __pfx_ip_finish_output2+0x10/0x10
[    2.637111]  ip_output+0xe0/0x1b0
[    2.638317]  ? __pfx_ip_output+0x10/0x10
[    2.639739]  ? __pfx_ip_finish_output+0x10/0x10
[    2.641338]  ? __pfx_ip_generic_getfrag+0x10/0x10
[    2.643019]  ? __pfx_ip_make_skb+0x10/0x10
[    2.644461]  ip_send_skb+0xbd/0xd0
[    2.645683]  udp_send_skb+0x2db/0x690
[    2.647024]  udp_sendmsg+0xc85/0x12c0
[    2.648334]  ? __pfx_ip_generic_getfrag+0x10/0x10
[    2.649999]  ? __pfx_udp_sendmsg+0x10/0x10
[    2.651448]  ? __orc_find+0x6c/0xd0
[    2.652709]  ? ftrace_graph_ret_addr+0x1f/0xa0
[    2.654282]  ? unwind_next_frame+0x73b/0xd70
[    2.655866]  ? __orc_find+0x6c/0xd0
[    2.657141]  ? __pfx_stack_trace_consume_entry+0x10/0x10
[    2.659024]  ? is_bpf_text_address+0x1e/0x30
[    2.660546]  ? kernel_text_address+0x11f/0x130
[    2.662127]  ? arch_stack_walk+0xa8/0x100
[    2.663551]  ? inet_send_prepare+0x2f/0x120
[    2.665039]  ? sock_write_iter+0x296/0x2e0
[    2.666532]  sock_write_iter+0x296/0x2e0
[    2.667958]  ? __pfx_sock_write_iter+0x10/0x10
[    2.669527]  ? apparmor_file_permission+0xfe/0x180
[    2.671236]  ? __pfx_sock_write_iter+0x10/0x10
[    2.672815]  vfs_write+0x5da/0x6a0
[    2.674047]  ? __pfx_vfs_write+0x10/0x10
[    2.675445]  ? __fget_light+0x1b0/0x200
[    2.676825]  ? __rcu_read_unlock+0x2f/0x70
[    2.678273]  ksys_write+0x131/0x160
[    2.679547]  ? __pfx_ksys_write+0x10/0x10
[    2.680987]  ? __pfx_ip4_datagram_release_cb+0x10/0x10
[    2.682801]  do_syscall_64+0x5e/0x90
[    2.684095]  ? release_sock+0xa0/0xd0
[    2.685407]  ? preempt_count_sub+0x14/0xc0
[    2.686863]  ? __local_bh_enable_ip+0x37/0x90
[    2.688415]  ? ip4_datagram_connect+0x31/0x40
[    2.689965]  ? __sys_connect+0x10c/0x130
[    2.691356]  ? __pfx___sys_connect+0x10/0x10
[    2.692885]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.694591]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.696284]  ? do_syscall_64+0x6a/0x90
[    2.697626]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.699327]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.701018]  ? do_syscall_64+0x6a/0x90
[    2.702352]  ? exit_to_user_mode_prepare+0x1a/0x150
[    2.704067]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.705768]  ? do_syscall_64+0x6a/0x90
[    2.707117]  ? syscall_exit_to_user_mode+0x27/0x40
[    2.708810]  ? do_syscall_64+0x6a/0x90
[    2.710165]  ? do_syscall_64+0x6a/0x90
[    2.711520]  ? clear_bhb_loop+0x60/0xb0
[    2.712915]  ? clear_bhb_loop+0x60/0xb0
[    2.714284]  ? clear_bhb_loop+0x60/0xb0
[    2.715653]  ? clear_bhb_loop+0x60/0xb0
[    2.717012]  ? clear_bhb_loop+0x60/0xb0
[    2.718418]  entry_SYSCALL_64_after_hwframe+0x78/0xe2
[    2.720245] RIP: 0033:0x466d37
[    2.721359] Code: 48 89 fa 4c 89 df e8 98 1d 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 fa 08 75 de e8 23 ff ff ff
[    2.727663] RSP: 002b:00007fff9b4ab9f0 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
[    2.730266] RAX: ffffffffffffffda RBX: 000000003bf8b3c0 RCX: 0000000000466d37
[    2.732762] RDX: 0000000000000001 RSI: 00007fff9b4aba50 RDI: 0000000000000013
[    2.735217] RBP: 00007fff9b4bba80 R08: 0000000000000000 R09: 0000000000000000
[    2.737684] R10: 0000000000000000 R11: 0000000000000202 R12: 00007fff9b4bbff8
[    2.740166] R13: 0000000000000002 R14: 00000000004cd760 R15: 0000000000000002
[    2.742645]  </TASK>
[    2.744179] Kernel Offset: disabled

@mingi (Contributor, Author) commented Jan 21, 2026

Hi!

When the vulnerability was reported, the maintainer first created the patch 93c27694. After realizing this patch did not fix the vulnerability, they created another patch to prevent UAF (https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=103406b38c600fec1fe375a77b27d87e314aea09).

@koczkatamas (Collaborator) commented:

Hey!

Unfortunately, the kernelCTF panel determined that commit 103406b - rather than yours - was the official patch fixing the vulnerability. Since that commit had already been claimed by another researcher, we cannot attribute it to you.

We encourage all researchers to ensure that the vulnerabilities they report are correctly fixed by the kernel; the panel concluded that this requirement was not met in this instance.

@koczkatamas koczkatamas closed this Feb 5, 2026
@mingi (Contributor, Author) commented Feb 10, 2026

Hi!

I don't think it's fair to give all the credit to commit 103406b. This is because I reported this vulnerability first, and Lion created a new patch based on publicly available information during the vulnerability patching process. I identified that the initially applied commit 3f98113 was insufficient and notified the maintainer, as I mentioned in Discord. Meanwhile, Lion simultaneously reported the patch. Therefore, Lion was able to create the fix because I reported the vulnerability. It is unreasonable that the vulnerability founder receives no credit at all.

@koczkatamas (Collaborator) commented:

Hey! We will discuss this on our next panel meeting (next Tuesday).

@koczkatamas koczkatamas reopened this Mar 12, 2026
@koczkatamas (Collaborator) commented:

Good news! The panel decided that we are making an exception in this case and accept your submission.

But we won't accept this in the future, and we've added the following clause to the rules:

Make sure that the patch correctly fixes the vulnerability you reported. If it does not, report the issue to the kernel and wait for the correct patch commit, otherwise your submission will be ineligible.

@mingi (Contributor, Author) commented Mar 13, 2026

Thank you for sharing the good news! I’ll be more careful next time.

@artmetla artmetla added the kCTF: vuln OK The submission exploits the claims vulnerability (passed manual verification) label Mar 20, 2026