Minor QoL changes

ctf/misc/extract-vmlinux.sh

@@ -11,38 +11,44 @@
 # ----------------------------------------------------------------------
 
 check_vmlinux() {
-    # Use readelf to check if it's a valid ELF
-    readelf -h "$1" > /dev/null 2>&1 || return 1
-
-    cat "$1"
-    exit 0
+	# Use readelf to check if it's a valid ELF
+	readelf -h "$1" >/dev/null 2>&1 || return 1
+	res=$(readlink -fn "$2")
+	cat "$1" >"$res"
+	exit 0
 }
 
 try_decompress() {
-    # The obscure use of the "tr" filter is to work around older versions of
-    # "grep" that report the byte offset of the line instead of the pattern.
-
-    # Try to find the header ($1) and decompress from here
-    for pos in $(LC_CTYPE=C tr "$1\n$2" "\n$2=" < "$img" | grep -abo "^$2"); do
-        pos=${pos%%:*}
-        tail -c+"$pos" "$img" | $3 > "$tmp" 2> /dev/null
-        check_vmlinux "$tmp"
-    done
+	# The obscure use of the "tr" filter is to work around older versions of
+	# "grep" that report the byte offset of the line instead of the pattern.
+
+	# Try to find the header ($1) and decompress from here
+	for pos in $(LC_CTYPE=C tr "$1\n$2" "\n$2=" <"$img" | grep -abo "^$2"); do
+		pos=${pos%%:*}
+		tail -c+"$pos" "$img" | $3 >"$tmp" 2>/dev/null
+		check_vmlinux "$tmp" "$res"
+	done
 }
 
 # Check invocation:
 me=${0##*/}
 img=$1
-if [ $# -ne 1 ] || [ ! -s "$img" ]; then
-    echo "Usage: $me <kernel-image>" >&2
-    exit 2
+if [ $# -lt 1 ] || [ ! -s "$img" ]; then
+	echo "Usage: $me <kernel-image> <ouput_file>" >&2
+	exit 2
+fi
+
+res="vmlinux"
+if [ $# -eq 2 ]; then
+	res="$2"
 fi
 
 # Prepare temp files:
 tmp=$(mktemp /tmp/vmlinux-XXX)
 trap 'rm -f $tmp' 0
 
 # That didn't work, so retry after decompression.
+echo "[>] Attempting to write output into \"$res\""
 try_decompress '\037\213\010' xy gunzip
 try_decompress '\3757zXZ\000' abcde unxz
 try_decompress 'BZh' xy bunzip2
@@ -52,7 +58,7 @@ try_decompress '\002!L\030' xxx 'lz4 -d'
 try_decompress '(\265/\375' xxx unzstd
 
 # Finally check for uncompressed images or objects:
-check_vmlinux "$img"
+check_vmlinux "$img" "$res"
 
 # Bail out:
 echo "$me: Cannot find vmlinux." >&2

examples/c_kmod/ioctl_test_drv/Makefile

@@ -1,2 +1,3 @@
 obj-$(CONFIG_LIKEDBG_IOCTL_DEMO) := ioctldemo.o
+CFLAGS_ioctldemo.o := -O0
 

examples/c_kmod/ioctl_test_drv/expl.c

@@ -20,8 +20,8 @@ int open_driver(const char *driver_name) {
   printf("[>] Opening %s from user-land!\n", driver_name);
   int fd_driver = open(driver_name, O_RDWR);
   if (fd_driver == -1) {
-    printf("ERROR: could not open \"%s\".\n", driver_name);
-    printf("    errno = %s\n", strerror(errno));
+    printf("[ERROR]: could not open \"%s\" - %s.\n", driver_name,
+           (strerror(errno)));
     exit(EXIT_FAILURE);
   }
 
@@ -32,8 +32,8 @@ void close_driver(const char *driver_name, int fd_driver) {
   printf("[>] Closing %s from user-land!\n", driver_name);
   int result = close(fd_driver);
   if (result == -1) {
-    printf("ERROR: could not close \"%s\".\n", driver_name);
-    printf("    errno = %s\n", strerror(errno));
+    printf("[ERROR]: could not close \"%s\" - %s.\n", driver_name,
+           (strerror(errno)));
     exit(EXIT_FAILURE);
   }
 }
@@ -43,22 +43,22 @@ void do_ioctl(unsigned long cmd, int fd) {
   case (0xdead0): {
     uint32_t value = 0;
     if (ioctl(fd, cmd, &value) < 0) {
-      perror("Error ioctl PL_AXI_DMA_GET_NUM_DEVICES");
+      perror("[ERROR] ioctl: 0xdead0\n");
       exit(EXIT_FAILURE);
     }
     printf("Value is %#08x\n", value);
     break;
   }
   case (0xdead1): {
     if (ioctl(fd, cmd, NULL) < 0) {
-      perror("Error ioctl: 0xdead1\n");
+      perror("[ERROR] ioctl: 0xdead1\n");
       exit(EXIT_FAILURE);
     }
     break;
   }
   case (0xdead2): {
     if (ioctl(fd, cmd, NULL) < 0) {
-      perror("Error ioctl: 0xdead2\n");
+      perror("[ERROR] ioctl: 0xdead2\n");
       exit(EXIT_FAILURE);
     }
     break;
@@ -67,7 +67,7 @@ void do_ioctl(unsigned long cmd, int fd) {
     uint64_t sz = 0x400 / sizeof(uint64_t);
     uint64_t buf[sz];
     if (ioctl(fd, cmd, &buf) < 0) {
-      perror("Error ioctl: 0xdead3\n");
+      perror("[ERROR] ioctl: 0xdead3\n");
       exit(EXIT_FAILURE);
     }
     for (uint64_t i = 0; i <= sz; i++) {
@@ -81,7 +81,7 @@ void do_ioctl(unsigned long cmd, int fd) {
   case (0xdead4): {
     char *ptr = "Hello World Yo!\n";
     if (ioctl(fd, cmd, ptr) < 0) {
-      perror("Error ioctl: 0xdead4\n");
+      perror("[ERROR] ioctl: 0xdead4\n");
       exit(EXIT_FAILURE);
     }
   }

examples/c_kmod/ioctl_test_drv/ioctldemo.c

@@ -1,3 +1,4 @@
+#include "linux/gfp.h"
 #include <asm-generic/errno-base.h>
 #include <asm/atomic.h>
 #include <linux/cdev.h>
@@ -33,7 +34,7 @@ typedef struct {
   struct cdev cdev;
 } likedbg_ioctl_d_iface;
 
-char *gbuf;
+char *gbuf = NULL;
 
 likedbg_ioctl_d_iface ldbg_ioctl;
 
@@ -163,35 +164,45 @@ long do_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) {
   unsigned int val;
   pr_warn("<%s> ioctl: %08x\n", DEV_NAME, cmd);
   switch (cmd) {
-  case (0xdead0):
+  case (0xdead0): {
     val = 0x12345678;
     if (copy_to_user((uint32_t *)arg, &val, sizeof(val))) {
       return -EFAULT;
     }
     break;
-  case (0xdead1):
+  }
+  case (0xdead1): {
     gbuf = kmalloc(BUF_SZ, GFP_KERNEL);
+    if (!gbuf) {
+      pr_warn("gbuf kmalloc failed");
+      return -ENOMEM;
+    }
     break;
-  case (0xdead2):
+  }
+  case (0xdead2): {
     if (gbuf) {
       kfree(gbuf);
     }
     break;
-  case (0xdead3):
-    if (_copy_to_user((char __user *)arg, gbuf, BUF_SZ)) {
+  }
+  case (0xdead3): {
+    if (_copy_to_user((char __user *)arg, gbuf, BUF_SZ * 2)) {
       pr_warn("COPY_TO_USER FAILED\n");
       return -EFAULT;
     }
     break;
-  case (0xdead4):
-    if (_copy_from_user(gbuf, (char __user *)arg, BUF_SZ)) {
+  }
+  case (0xdead4): {
+    if (_copy_from_user(gbuf, (char __user *)arg, BUF_SZ + 0x100)) {
       pr_warn("COPY_from_USER FAILED\n");
       return -EFAULT;
     }
     break;
-  default:
+  }
+  default: {
     break;
   }
+  }
   return EXIT_SUCCESS;
 }
 

examples/like_dbg_confs/ioctl_module_x86.ini

@@ -4,3 +4,12 @@ custom_modules = examples/c_kmod/ioctl_test_drv/
 
 [kernel_dl]
 tag = 5.15
+
+[debuggee]
+memory = 1024
+smp = 1
+kaslr = no
+smep = no
+smap = no
+kpti = no
+panic = halt

examples/like_dbg_confs/pawnyable/LK01.ini

@@ -0,0 +1,8 @@
+[debuggee]
+memory = 1024
+smp = 1
+kaslr = no
+smep = no
+smap = no
+kpti = no
+panic = halt

examples/like_dbg_confs/pawnyable/LK01_all_miti.ini

@@ -0,0 +1,8 @@
+[debuggee]
+memory = 1024
+smp = 1
+kaslr = yes
+smep = yes
+smap = yes
+kpti = yes
+panic = halt

kb/README.md

@@ -46,6 +46,9 @@ Section to dump good write-ups that either feature an actual exploit, a new tech
 
 ### Public exploits
 
+* [[CVE-2022-101(5|6)] How The Tables Have Turned: An analysis of two new Linux vulnerabilities in nf_tables](https://blog.dbouman.nl/2022/04/02/How-The-Tables-Have-Turned-CVE-2022-1015-1016/)
+* [[CVE-2022-32250] SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables](https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/)
+* [[CVE-2022-2586] N-day exploit for CVE-2022-2586: Linux kernel nft_object UAF](https://www.openwall.com/lists/oss-security/2022/08/29/5)
 * [[CVE-2022-1786] A Journey To The Dawn](https://blog.kylebot.net/2022/10/16/CVE-2022-1786/)
 * [Writing a Linux Kernel Remote in 2022](https://blog.immunityinc.com/p/writing-a-linux-kernel-remote-in-2022/)
 * [Four Bytes of Power: Exploiting CVE-2021-26708 in the Linux kernel](https://a13xp0p0v.github.io/2021/02/09/CVE-2021-26708.html)

src/debugger.py

@@ -42,7 +42,7 @@ def _extract_vmlinux(self) -> int:
         vml_ext = Path(glob("**/extract-vmlinux.sh", recursive=True)[0]).resolve().absolute()
         pkernel = self.ctf_kernel.resolve().absolute()
         with new_context(self.ctf_dir):
-            cmd = f"{vml_ext} {pkernel} > vmlinux"
+            cmd = f"{vml_ext} {pkernel}"
             ret = sp.run(f"{cmd}", shell=True, capture_output=True)
             if ret.returncode == 0:
                 logger.info("Successfully extracted 'vmlinux' from compressed kernel")