Merge branch 'google:master' into CVE-2023-5717_mitigation

Author: msh1307

.github/workflows/kernelctf-submission-verification.yaml

@@ -3,16 +3,34 @@ on:
   pull_request_target:
     types: [opened, synchronize, reopened, labeled]
     paths: [pocs/linux/kernelctf/**]
+  workflow_call:
+    inputs:
+      prNumber:
+        description: 'PR number'
+        type: number
+      shaHash:
+        description: 'SHA hash'
+        type: string
+      skipRepro:
+        description: 'Skip reproduction'
+        type: boolean
+        required: false
+        default: false
   workflow_dispatch:
     inputs:
       prNumber:
         description: 'PR number'
         type: number
       shaHash:
         description: 'SHA hash'
+      skipRepro:
+        description: 'Skip reproduction'
+        type: boolean
+        required: false
+        default: false
 permissions: {}
 env:
-  PR_REF: ${{ github.event_name == 'workflow_dispatch' && (github.event.inputs.shaHash || format('refs/pull/{0}/merge', github.event.inputs.prNumber)) || github.event.pull_request.head.sha }}
+  PR_REF: ${{ contains(github.event_name, 'workflow_') && (inputs.shaHash || format('refs/pull/{0}/merge', inputs.prNumber)) || github.event.pull_request.head.sha }}
 jobs:
   structure_check:
     # if labeling triggered the job then only run in case of the "recheck" label
@@ -84,15 +102,15 @@ jobs:
         if: success()
         uses: actions/upload-artifact@v4
         with:
-          name: exploit_${{ env.RELEASE_ID }}
+          name: ${{ needs.structure_check.outputs.artifact_backup_dir }}_exploit_${{ env.RELEASE_ID }}
           path: ${{ env.EXPLOIT_DIR }}/exploit
           if-no-files-found: error
 
       - name: Upload exploit (original, build failed)
         if: failure() && steps.build_exploit.outcome == 'failure'
         uses: actions/upload-artifact@v4
         with:
-          name: exploit_${{ env.RELEASE_ID }}
+          name: ${{ needs.structure_check.outputs.artifact_backup_dir }}_exploit_${{ env.RELEASE_ID }}
           path: ./exploit
           if-no-files-found: error
 
@@ -104,16 +122,60 @@ jobs:
         if: failure() && steps.build_exploit.outcome == 'failure'
         run: printf '❌ The exploit compilation failed.\n\nPlease fix it.\n\nYou can see the build logs by clicking on `...` here and then on "View job logs". Or by selecting `exploit_build (${{ env.RELEASE_ID }})` under Jobs in the left menubar.\n' >> $GITHUB_STEP_SUMMARY
 
+  exploit_build_debug:
+    runs-on: ubuntu-latest
+    needs: structure_check
+    permissions: {}
+    strategy:
+      matrix:
+        target: ${{ fromJSON(needs.structure_check.outputs.targets) }}
+      fail-fast: false # do not cancel other targets
+    env:
+      RELEASE_ID: ${{ matrix.target }}
+      EXPLOIT_DIR: pr/pocs/linux/kernelctf/${{ needs.structure_check.outputs.submission_dir }}/exploit/${{ matrix.target }}
+    steps:
+      - name: Checkout PR content
+        uses: actions/checkout@v4
+        with:
+          path: pr
+          ref: ${{ env.PR_REF }}
+          fetch-depth: 0
+
+      - name: Convert exploit to debug build
+        working-directory: ${{ env.EXPLOIT_DIR }}
+        run: |
+          sed -i '/gcc -g/!s/gcc/gcc -g/g' Makefile
+          sed -i '/configure --enable-debug/!s/configure/configure --enable-debug/g' Makefile
+          sed -i 's/-o exploit /-o exploit_debug /g' Makefile
+          sed -i 's/ -s\b//g' Makefile
+          sed -i 's/exploit:/exploit_debug:/g' Makefile
+
+      - name: Build exploit
+        working-directory: ${{ env.EXPLOIT_DIR }}
+        run: |
+          if make -n prerequisites; then
+            make prerequisites
+          fi
+          make exploit_debug
+          file exploit_debug | grep debug_info
+
+      - name: Upload debug build
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ needs.structure_check.outputs.artifact_backup_dir }}_exploit_debug_${{ env.RELEASE_ID }}
+          path: ${{ env.EXPLOIT_DIR }}/exploit_debug
+          if-no-files-found: error
+
   exploit_repro:
-    runs-on: ubuntu-22.04-4core
+    runs-on: ubuntu-latest
     timeout-minutes: 300
     permissions: {}
     needs: [structure_check, exploit_build]
     strategy:
       matrix:
         target: ${{ fromJSON(needs.structure_check.outputs.targets) }}
       fail-fast: false
-    if: always() && needs.structure_check.result == 'success'
+    if: always() && needs.structure_check.result == 'success' && !inputs.skipRepro
     env:
       RELEASE_ID: ${{ matrix.target }}
       SUBMISSION_DIR: ${{ needs.structure_check.outputs.submission_dir }}
@@ -210,7 +272,7 @@ jobs:
       - name: Upload repro QEMU logs as an artifact
         uses: actions/upload-artifact@v4
         with:
-          name: repro_logs_${{ env.RELEASE_ID }}
+          name: ${{ needs.structure_check.outputs.artifact_backup_dir }}_repro_logs_${{ env.RELEASE_ID }}
           path: ./kernelctf/repro/repro_log_*.txt
 
       - name: Reproduction // Summary
@@ -223,13 +285,13 @@ jobs:
       - name: Upload repro summary as an artifact
         uses: actions/upload-artifact@v4
         with:
-          name: repro_summary_${{ env.RELEASE_ID }}
+          name: ${{ needs.structure_check.outputs.artifact_backup_dir }}_repro_summary_${{ env.RELEASE_ID }}
           path: ./kernelctf/repro/repro_summary.md
 
   backup_artifacts:
     runs-on: ubuntu-latest
-    needs: [structure_check, exploit_build, exploit_repro]
-    if: always() && needs.structure_check.result == 'success'
+    needs: [structure_check, exploit_build, exploit_build_debug, exploit_repro]
+    if: always() && needs.structure_check.result == 'success' && github.event_name != 'workflow_call'
     steps:
       - name: Download artifacts
         uses: actions/download-artifact@v4

.github/workflows/kernelctf-verify-all.yaml

@@ -0,0 +1,49 @@
+name: kernelCTF verify all PRs again
+on:
+  workflow_dispatch:
+    inputs:
+      prs:
+        description: 'PRs to verify'
+        type: string
+        required: true
+      skipRepro:
+        description: 'Skip reproduction'
+        type: boolean
+        required: false
+        default: false
+permissions: {}
+jobs:
+  verify:
+    strategy:
+      matrix:
+        pr: ${{ fromJSON(format('[{0}]', inputs.prs)) }}
+      fail-fast: false # do not cancel test of other targets
+    uses: ./.github/workflows/kernelctf-submission-verification.yaml
+    secrets: inherit
+    with:
+      prNumber: ${{ matrix.pr }}
+      skipRepro: ${{ inputs.skipRepro }}
+
+  backup_artifacts:
+    runs-on: ubuntu-latest
+    needs: [verify]
+    if: always()
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: ./artifacts
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: '${{secrets.KERNELCTF_GCS_SA_KEY}}'
+
+      - name: Upload artifacts to GCS
+        uses: 'google-github-actions/upload-cloud-storage@v2'
+        with:
+          path: ./artifacts
+          destination: kernelctf-build/artifacts/verify_all_${{ github.run_id }}_pr${{ join(fromJSON(format('[{0}]', inputs.prs)), '_') }}
+          parent: false
+          predefinedAcl: publicRead
+          process_gcloudignore: false # removes warnings that .gcloudignore file does not exist

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "pocs/cpus/entrysign/zentool/CPUMicrocodes"]
+	path = pocs/cpus/entrysign/zentool/data/CPUMicrocodes
+	url = https://github.com/platomav/CPUMicrocodes

README.md

@@ -20,28 +20,6 @@ advisories, which can be browsed in the [Security
 Advisories](https://github.com/google/security-research/security/advisories?state=published)
 page.
 
-## Proof of Concepts
-
-Accompanying proof-of-concept code will be used to demonstrate the
-security vulnerabilities.
-
-| Year | Title | Advisories | Links |
-| ---- | ----- | ---------- | ----- |
-| 2023 | Oracle VM VirtualBox 7.0.10 r158379 Escape | [CVE-2023-22098](https://github.com/google/security-research/security/advisories/GHSA-q7p4-pxjx-6h42) | [PoC](pocs/oracle/virtualbox/cve-2023-22098)
-| 2023 | Linux: eBPF Path Pruning gone wrong | [CVE-2023-2163](https://github.com/google/security-research/security/advisories/GHSA-j87x-j6mh-mv8v) | [PoC](pocs/linux/cve-2023-2163)
-| 2023 | XGETBV is non-deterministic on Intel CPUs | | [PoC](pocs/cpus/xgetbv)
-| 2023 | XSAVES Instruction May Fail to Save XMM Registers | | [PoC](pocs/cpus/errata/amd/1386)
-| 2022 | RET2ASLR - Leaking ASLR from return instructions | | [PoC](pocs/cpus/ret2aslr/src)
-| 2022 | Unexpected Speculation Control of RETs | | [PoC](pocs/cpus/top-of-stack)
-| 2022 | Bleve Library: Traversal Vulnerabilities in Create / Delete IndexHandler | [GHSA-gc7p-j7x8-h873](https://github.com/google/security-research/security/advisories/GHSA-gc7p-j7x8-h873) | [PoC](pocs/bleve)
-| 2022 | Microsoft: CBC Padding Oracle in Azure Blob Storage Encryption Library | [CVE-2022-30187](https://github.com/google/security-research/security/advisories/GHSA-6m8q-r22q-vfxh) | [PoC](pocs/azure/oracle/net/keymaterial/azure)
-| 2022 | Apple: Heap-based Buffer Overflow in libresolv | [GHSA-6cjw-q72j-mh57](https://github.com/google/security-research/security/advisories/GHSA-6cjw-q72j-mh57) | [PoC](pocs/apple/libresolv)
-| 2022 | Apache: Code execution in log4j2 | [CVE-2021-45046](https://github.com/google/security-research/security/advisories/GHSA-ggmf-hg75-88gg) | [PoC](pocs/log4j)
-| 2021 | Surface Pro 3: BIOS False Health Attestation (TPM Carte Blanche) | [CVE-2021-42299](https://github.com/google/security-research/security/advisories/GHSA-c4qg-jj77-rcc3) | [Write-up](https://google.github.io/security-research/pocs/bios/tpm-carte-blanche/writeup.html), [PoC](pocs/bios/tpm-carte-blanche)
-| 2021 | CVE-2021-22555: Turning \x00\x00 into 10000$ | [CVE-2021-22555](https://github.com/google/security-research/security/advisories/GHSA-xxx5-8mvq-3528) | [Write-up](https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html), [PoC](pocs/linux/cve-2021-22555)
-| 2021 | Linux: KVM VM_IO\|VM_PFNMAP vma mishandling | [CVE-2021-22543](https://github.com/google/security-research/security/advisories/GHSA-7wq5-phmq-m584) | [PoC](pocs/linux/kvm_vma)
-| 2021 | BleedingTooth: Linux Bluetooth Zero-Click Remote Code Execution | [CVE-2020-24490](https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649), [CVE-2020-12351](https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq), [CVE-2020-12352](https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq) | [Write-up](https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup.html), [PoC](pocs/linux/bleedingtooth)
-
 # License & Patents
 
 The advisories and patches posted here are free and open source.

kernelctf/server/qemu.sh

@@ -14,7 +14,7 @@ HARDENING=""
 if [[ "$RELEASE" == "mitigation-"* ]]; then
   HARDENING="sysctl.kernel.dmesg_restrict=1 sysctl.kernel.kptr_restrict=2 sysctl.kernel.unprivileged_bpf_disabled=2 sysctl.net.core.bpf_jit_harden=1 sysctl.kernel.yama.ptrace_scope=1 slab_virtual=1 slab_virtual_guards=1";
 elif [[ $(date +%Y-%m-%d) > "2025-02-28" ]]; then
-  HARDENING="net.core.bpf_jit_harden=2"
+  HARDENING="sysctl.net.core.bpf_jit_harden=2"
 fi
 
 IO_URING="sysctl.kernel.io_uring_disabled=2"

kernelctf/server/releases.yaml

@@ -1,3 +1,10 @@
+lts-6.6.80:
+  release-date: 2025-03-07T12:00:00Z
+cos-105-17412.535.61:
+  release-date: 2025-03-07T12:00:00Z
+cos-109-17800.436.42:
+  release-date: 2025-03-07T12:00:00Z
+
 lts-6.6.77:
   release-date: 2025-02-21T12:00:00Z
 cos-105-17412.535.55:

kernelctf/server/server.py

@@ -149,7 +149,7 @@ def main():
             print()
 
             # long random generated secret, not bruteforcable
-            root = hashlib.sha1(action.encode('utf-8')).hexdigest() == server_secrets.root_mode_hash
+            root = '--root' in sys.argv or hashlib.sha1(action.encode('utf-8')).hexdigest() == server_secrets.root_mode_hash
 
             if action == 'back':
                 break
@@ -182,8 +182,24 @@ def main():
 
                 flagPrefix = 'invalid:'
                 if release['status'] == 'future':
-                    flagPrefix = 'future:'
-                    if not are_you_sure('[!] Warning: this target is not released yet and not eligible! Use only for pre-testing.'):
+                    print('[!] Warning: this target is not released yet and not eligible! Use only for pre-testing.')
+                    answer = input('Do you want to run anyway (y/n) or wait until the slot opening (w) ')
+                    if answer == 'y':
+                        flagPrefix = 'future:'
+                    elif answer == 'w':
+                        prev_notification = 0
+                        while True:
+                            time_left = int((release['release-date'] - datetime.now(timezone.utc)).total_seconds())
+                            if time_left <= 0:
+                                flagPrefix = ''
+                                break
+
+                            if prev_notification != time_left:
+                                print(f'Only {time_left} seconds left...')
+                                prev_notification = time_left
+
+                            time.sleep(0.05) # check 20 times per second, start as soon as possible
+                    else:
                         continue
                 elif release['status'] == 'deprecated' and "io_uring" in capabilities and now >= datetime(2025, 1, 23, 12, 00, 00, tzinfo=timezone.utc):
                     # you can target deprecated releases during the io_uring promotion

kernelctf/server/service.sh

@@ -2,4 +2,4 @@
 echo running!
 
 cd /home/poprdi
-socat ssl-l:1337,reuseaddr,fork,cert=server_cert_and_key.pem,verify=0,openssl-min-proto-version=tls1.3 exec:"nsjail/nsjail --chroot / --user 99999 --group 99999 --disable_clone_newnet --rlimit_cpu 1800 -T /tmp/ -- /usr/bin/timeout 1800 /home/poprdi/server.py"
+socat -dd ssl-l:1337,reuseaddr,fork,cert=server_cert_and_key.pem,verify=0,openssl-min-proto-version=tls1.3 exec:"nsjail/nsjail --chroot / --user 99999 --group 99999 --disable_clone_newnet --disable_rlimits -T /tmp/ -- /usr/bin/timeout 1800 /home/poprdi/server.py"

pocs/cpus/entrysign/zentool/.gitignore

@@ -0,0 +1,13 @@
+*.sw?
+*.o
+data/*.bin.txt
+data/updates
+/*.bin
+mcas
+mcop
+zentool
+opcodes
+mtalk
+NOTES
+*_fields.h
+*.tar.gz

pocs/cpus/entrysign/zentool/.rsync-filter

@@ -0,0 +1,16 @@
++ data/*.json
++ data/*.bin
+- *.bin
+- *.o
+- *.a
+- .*.sw?
+- *.json
+- .git
+- .sw?
+- autoexec.sh
+- opcodes
+- mcas
+- mcop
+- zentool
+- mtalk
+- *.tar.gz