kernelCTF: add CVE-2024-26583_lts

[lambdasprocket]

No description provided.

[koczkatamas]

Hey!

If I compile the stable version of the patch commit (https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7a3ca06d04d589deec81f56229a9a9d62352ce01) with KASAN and run the exploit, it still crashes the kernel.

Can you help us understand why is that? Is this the right patch commit?

(This blocks the payout of the first half of the reward.)

Logs:

processor	: 0
vendor_id	: GenuineIntel
cpu family	: 6
model		: 106
model name	: Intel(R) Xeon(R) CPU @ 2.60GHz
stepping	: 6
microcode	: 0xffffffff
cpu MHz		: 2600.016
cache size	: 16384 KB
physical id	: 0
siblings	: 2
core id		: 0
cpu cores	: 2
apicid		: 0
initial apicid	: 0
fpu		: yes
fpu_exception	: yes
cpuid level	: 22
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm avx512f avx512dq rdseed adx smap avx512ifma clflushopt clwb avx512cd sha_ni avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves arat avx512vbmi umip avx512_vbmi2 gfni vaes vpclmulqdq avx512_vnni avx512_bitalg avx512_vpopcntdq rdpid fsrm md_clear arch_capabilities
vmx flags	: vnmi preemption_timer invvpid ept_x_only ept_ad ept_1gb flexpriority tsc_offset vtpr mtf vapic ept vpid unrestricted_guest vapic_reg vid shadow_vmcs pml
bugs		: spectre_v1 spectre_v2 spec_store_bypass swapgs eibrs_pbrsb
bogomips	: 5200.03
clflush size	: 64
cache_alignment	: 64
address sizes	: 46 bits physical, 48 bits virtual
power management:

processor	: 1
vendor_id	: GenuineIntel
cpu family	: 6
model		: 106
model name	: Intel(R) Xeon(R) CPU @ 2.60GHz
stepping	: 6
microcode	: 0xffffffff
cpu MHz		: 2600.016
cache size	: 16384 KB
physical id	: 0
siblings	: 2
core id		: 1
cpu cores	: 2
apicid		: 1
initial apicid	: 1
fpu		: yes
fpu_exception	: yes
cpuid level	: 22
wp		: yes
flags		: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid tsc_known_freq pni pclmulqdq vmx ssse3 fma cx16 pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand hypervisor lahf_lm abm 3dnowprefetch cpuid_fault invpcid_single ssbd ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid ept_ad fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm avx512f avx512dq rdseed adx smap avx512ifma clflushopt clwb avx512cd sha_ni avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves arat avx512vbmi umip avx512_vbmi2 gfni vaes vpclmulqdq avx512_vnni avx512_bitalg avx512_vpopcntdq rdpid fsrm md_clear arch_capabilities
vmx flags	: vnmi preemption_timer invvpid ept_x_only ept_ad ept_1gb flexpriority tsc_offset vtpr mtf vapic ept vpid unrestricted_guest vapic_reg vid shadow_vmcs pml
bugs		: spectre_v1 spectre_v2 spec_store_bypass swapgs eibrs_pbrsb
bogomips	: 5200.03
clflush size	: 64
cache_alignment	: 64
address sizes	: 46 bits physical, 48 bits virtual
power management:

parent pid: 174
xattrs 0/120000
xattrs 10000/120000
xattrs 20000/120000
xattrs 30000/120000
xattrs 40000/120000
xattrs 50000/120000
xattrs 60000/120000
xattrs 70000/120000
xattrs 80000/120000
xattrs 90000/120000
xattrs 100000/120000
xattrs 110000/120000
delay: 31 attempt: 1
[    8.080007] ==================================================================
[    8.082617] BUG: KASAN: use-after-free in _copy_to_iter+0x394/0x870
[    8.084807] Read of size 10 at addr ffff88800650200d by task exp/192
[    8.087134] 
[    8.087750] CPU: 1 PID: 192 Comm: exp Not tainted 6.1.78+ #130
[    8.089815] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[    8.093113] Call Trace:
[    8.094007]  <TASK>
[    8.094788]  dump_stack_lvl+0x49/0x60
[    8.096077]  print_report+0x181/0x495
[    8.097408]  ? __virt_addr_valid+0xef/0x190
[    8.098858]  ? _copy_to_iter+0x394/0x870
[    8.100244]  kasan_report+0xaf/0xe0
[    8.101541]  ? _copy_to_iter+0x394/0x870
[    8.102932]  kasan_check_range+0x103/0x1c0
[    8.104387]  _copy_to_iter+0x394/0x870
[    8.105735]  ? _copy_from_iter_nocache+0x700/0x700
[    8.107428]  ? tls_strp_msg_hold+0x218/0x250
[    8.108946]  ? preempt_count_add+0x6e/0xc0
[    8.110429]  ? preempt_count_sub+0x14/0xc0
[    8.111866]  ? __virt_addr_valid+0xef/0x190
[    8.113371]  ? __check_object_size+0x227/0x330
[    8.114922]  __skb_datagram_iter+0x296/0x3f0
[    8.116450]  ? skb_free_datagram+0x10/0x10
[    8.117875]  skb_copy_datagram_iter+0x4a/0xe0
[    8.119413]  process_rx_list+0x1d3/0x320
[    8.120821]  tls_sw_recvmsg+0xbfe/0xda0
[    8.122173]  ? decrypt_skb+0xb0/0xb0
[    8.123447]  ? update_load_avg+0x115/0xb40
[    8.124956]  ? aa_sk_perm+0x169/0x390
[    8.126269]  inet_recvmsg+0x22f/0x240
[    8.127576]  ? inet_sendpage+0xc0/0xc0
[    8.128918]  ? security_socket_recvmsg+0x2e/0x80
[    8.130535]  __sys_recvfrom+0x1c4/0x230
[    8.131915]  ? __ia32_sys_send+0x70/0x70
[    8.133354]  ? __x64_sys_timerfd_settime+0xe2/0x160
[    8.135042]  ? __rcu_read_unlock+0x48/0x70
[    8.136474]  ? cap_safe_nice+0x8e/0xd0
[    8.137792]  ? sched_setaffinity+0x89/0x210
[    8.139320]  __x64_sys_recvfrom+0x72/0x90
[    8.140774]  do_syscall_64+0x61/0x90
[    8.142049]  ? syscall_exit_to_user_mode+0x38/0x50
[    8.143745]  ? do_syscall_64+0x70/0x90
[    8.145087]  ? exit_to_user_mode_prepare+0x1a/0x150
[    8.146818]  ? syscall_exit_to_user_mode+0x38/0x50
[    8.148538]  ? do_syscall_64+0x70/0x90
[    8.149866]  entry_SYSCALL_64_after_hwframe+0x64/0xce
[    8.151641] RIP: 0033:0x40507c
[    8.152765] Code: 89 02 b8 ff ff ff ff eb b8 0f 1f 44 00 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 19 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 64 c3 0f 1f 00 55 48 83 ec 20 48 89 54 24 10
[    8.159158] RSP: 002b:0000799564782ea8 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
[    8.161769] RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000040507c
[    8.164237] RDX: 000000000000000a RSI: 0000799564782ec0 RDI: 0000000000000c1c
[    8.166708] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[    8.169183] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000406570
[    8.171642] R13: 0000000000000000 R14: 00000000004bc018 R15: 0000000000400488
[    8.174117]  </TASK>
[    8.174922] 
[    8.175533] The buggy address belongs to the physical page:
[    8.177489] page:000000006ae0864a refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x6502
[    8.180639] flags: 0x100000000000000(node=0|zone=1)
[    8.182340] raw: 0100000000000000 ffffea00001940c8 ffff888151147758 0000000000000000
[    8.185008] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
[    8.187700] page dumped because: kasan: bad access detected
[    8.189645] 
[    8.190232] Memory state around the buggy address:
[    8.191944]  ffff888006501f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    8.194455]  ffff888006501f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[    8.196968] >ffff888006502000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[    8.199452]                       ^
[    8.200697]  ffff888006502080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[    8.203366]  ffff888006502100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[    8.205907] ==================================================================
[    8.208532] Kernel panic - not syncing: kasan.fault=panic set ...
[    8.210727] CPU: 1 PID: 192 Comm: exp Not tainted 6.1.78+ #130
[    8.212818] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[    8.216130] Call Trace:
[    8.217039]  <TASK>
[    8.217846]  dump_stack_lvl+0x49/0x60
[    8.219273]  panic+0x197/0x366
[    8.220470]  ? panic_print_sys_info.part.0+0x52/0x52
[    8.222229]  ? _copy_to_iter+0x394/0x870
[    8.223654]  ? check_panic_on_warn+0x2f/0x60
[    8.225207]  ? _copy_to_iter+0x394/0x870
[    8.226632]  end_report.cold+0x47/0x5c
[    8.227993]  kasan_report+0xbc/0xe0
[    8.229282]  ? _copy_to_iter+0x394/0x870
[    8.230689]  kasan_check_range+0x103/0x1c0
[    8.232176]  _copy_to_iter+0x394/0x870
[    8.233542]  ? _copy_from_iter_nocache+0x700/0x700
[    8.235238]  ? tls_strp_msg_hold+0x218/0x250
[    8.236785]  ? preempt_count_add+0x6e/0xc0
[    8.238239]  ? preempt_count_sub+0x14/0xc0
[    8.239701]  ? __virt_addr_valid+0xef/0x190
[    8.241186]  ? __check_object_size+0x227/0x330
[    8.242763]  __skb_datagram_iter+0x296/0x3f0
[    8.244304]  ? skb_free_datagram+0x10/0x10
[    8.245764]  skb_copy_datagram_iter+0x4a/0xe0
[    8.247340]  process_rx_list+0x1d3/0x320
[    8.248750]  tls_sw_recvmsg+0xbfe/0xda0
[    8.250137]  ? decrypt_skb+0xb0/0xb0
[    8.251422]  ? update_load_avg+0x115/0xb40
[    8.252866]  ? aa_sk_perm+0x169/0x390
[    8.254208]  inet_recvmsg+0x22f/0x240
[    8.255508]  ? inet_sendpage+0xc0/0xc0
[    8.256853]  ? security_socket_recvmsg+0x2e/0x80
[    8.258529]  __sys_recvfrom+0x1c4/0x230
[    8.259890]  ? __ia32_sys_send+0x70/0x70
[    8.261312]  ? __x64_sys_timerfd_settime+0xe2/0x160
[    8.263018]  ? __rcu_read_unlock+0x48/0x70
[    8.264487]  ? cap_safe_nice+0x8e/0xd0
[    8.265819]  ? sched_setaffinity+0x89/0x210
[    8.267291]  __x64_sys_recvfrom+0x72/0x90
[    8.268739]  do_syscall_64+0x61/0x90
[    8.270014]  ? syscall_exit_to_user_mode+0x38/0x50
[    8.271715]  ? do_syscall_64+0x70/0x90
[    8.273043]  ? exit_to_user_mode_prepare+0x1a/0x150
[    8.274837]  ? syscall_exit_to_user_mode+0x38/0x50
[    8.276574]  ? do_syscall_64+0x70/0x90
[    8.277908]  entry_SYSCALL_64_after_hwframe+0x64/0xce
[    8.279673] RIP: 0033:0x40507c
[    8.280803] Code: 89 02 b8 ff ff ff ff eb b8 0f 1f 44 00 00 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 19 45 31 c9 45 31 c0 b8 2d 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 64 c3 0f 1f 00 55 48 83 ec 20 48 89 54 24 10
[    8.287193] RSP: 002b:0000799564782ea8 EFLAGS: 00000246 ORIG_RAX: 000000000000002d
[    8.289800] RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000040507c
[    8.292319] RDX: 000000000000000a RSI: 0000799564782ec0 RDI: 0000000000000c1c
[    8.294801] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
[    8.297308] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000406570
[    8.299759] R13: 0000000000000000 R14: 00000000004bc018 R15: 0000000000400488
[    8.302249]  </TASK>
[    8.303794] Kernel Offset: disabled

[lambdasprocket]

Hey!

If I compile the stable version of the patch commit (https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7a3ca06d04d589deec81f56229a9a9d62352ce01) with KASAN and run the exploit, it still crashes the kernel.

Can you help us understand why is that? Is this the right patch commit?

Hi!

I suspect that this exploit unintentionally triggers another vulnerability (CVE-2024-26582) because of the partial read (100 bytes sent, but only 10 received).

You can try making a following change to the exploit:

--- exploit.c	2026-01-22 13:35:33.279269890 +0100
+++ n.c	2026-01-22 13:35:31.103227419 +0100
@@ -445,7 +445,7 @@ int sender(void *a)
 
         char buf[256];
         memset(buf, 'B', sizeof(buf));
-        int ret = send(g_sender_sock, buf, 100, 0);
+        int ret = send(g_sender_sock, buf, 10, 0);
         sleep(10000);
         exit(0);
 }

This will get rid of the partial read (number of bytes sent/received do not affect the vulnerability targeted here) and should help avoid extra KASAN reports.

[koczkatamas]

Hmmm I made that change, but now the exploit does not repro in any environment: it shows a lot of delay / attempt message until it times out. (With the original buflen 100, it immediately crashes after the first attempt, just not at the right place.)

Do you have any idea why?

I will verify the exploit manually, but it would be good to understand why this is happening.

[artmetla]

Hey @lambdasprocket. Just a ping on the comment from @koczkatamas above. Could you have a look please?

[lambdasprocket]

Hmmm I made that change, but now the exploit does not repro in any environment: it shows a lot of delay / attempt message until it times out. (With the original buflen 100, it immediately crashes after the first attempt, just not at the right place.)

Do you have any idea why?

I will verify the exploit manually, but it would be good to understand why this is happening.

The change in the sender() function I suggested stops the exploit from triggering the wrong vulnerability - it doesn't change anything regarding the correct one, the exploit still works for me after the change on the LTS 6.1.74 image that was the original target.

I suspect that the reason you can't trigger this is KASAN - it slows execution a lot and this vulnerability is a race condition with a pretty tiny window.
The delay used in the exploit would need to be orders of magnitude higher, exact value depending on the CPU used.