
Conversation

@kungfulon
Contributor

No description provided.

@koczkatamas
Collaborator

koczkatamas commented Nov 17, 2025

Hey! This exp100 is a vulnerability dupe of exp99 and, based on the kernelCTF rules, it's ineligible for a reward.

Only the first submission for a vulnerability is eligible for a reward (per target). The COS instances are considered to be one target so there are 3 targets in total (LTS, mitigation, COS).

They both exploit the vulnerability fixed by the patch commit "netfilter: nf_tables: disallow rule removal from chain binding", but exp99 was submitted earlier (2023-09-06) than your exp100 (2023-09-13).

Let us know if there was some misunderstanding and this submission should be eligible.

See our public spreadsheet for the submission details.

@kungfulon
Contributor Author

kungfulon commented Nov 17, 2025

Hi @koczkatamas, per an email discussion we made before,

So exp97 was a 0-day LTS and exp99 extended that submission with a COS exploit, which we'd like to allow to the 0-day researchers in the future, but based on the current rules, exp99 was a COS slot dupe, and your exp100 submission took a free COS slot for CVE-2023-5197 (as exp101 was a minute late).

To be as fair as we can be, we are planning to pay the COS reward both for you and the 0-day finder researcher.

So I believe this should be eligible for a COS reward. I have emailed you as a reply to that email thread.

Sorry for submitting this so late and causing confusion.

- Create a new table, a victim chain, a spray chain, and a primitive chain.
- Add one rule to the primitive chain whose immediate expression jumps to the victim chain. This holds a reference to the victim.
- `vuln_trigger`:
- Create an “effect” chain with a rule that jumps to the victim; delete that rule in the same transaction; then create another chain with a rule referencing the effect chain and delete that, triggering deactivation traversal again.
Collaborator

Is the "another" chain called the "attacker" chain in the code? Is it deleted in a separate transaction or in the same one as the previous rule? Could you elaborate on this more?


- The exploit abuses `nf_tables` transaction semantics and chain/rule deactivation to cause a UAF on an `nft_chain`:
- A chain (“victim chain”) is referenced by an `immediate` jump expression in a rule of another chain (“primitive chain”), which increments its use count.
- Through a crafted sequence of creating and deleting rules/chains in the same transaction, the PoC causes deactivation to run against a chain twice in a way that decrements the victim chain’s use count back to zero while a stale reference still exists in the primitive chain.
Collaborator

Could you elaborate on which functions in the kernel code are triggered by this? Could you show which code parts (before the patch) allowed this behaviour, which resulted in the vulnerability?


Conceptually, it is a refcount/lifetime bug: insufficient synchronization between rule list traversal during deactivation and the generation/use-count model for chains across a transaction.
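The following is an added illustration, not code from the PR or from the kernel: a deliberately simplified C model of the chain use-count bookkeeping described above. The structs (`chain`, `rule`), the `binding` flag and the helper functions are assumptions that mirror nf_tables concepts in name only; the real kernel tracks rule lifetime with generation masks and netlink transactions, which this model does not reproduce. It shows why a use count can reach zero while a rule still references the chain, and how a check modelled on the fix commit's title ("disallow rule removal from chain binding") keeps the count consistent with the live references.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example: a toy model of chain use-count bookkeeping. All names and
 * structures here are assumptions for illustration, not kernel definitions. */

#define MAX_RULES 4

struct chain;

struct rule {
    struct chain *jump_to;   /* target of the rule's immediate jump verdict */
};

struct chain {
    const char *name;
    unsigned int use;        /* references held by jump rules in other chains */
    bool binding;            /* chain was created as bindable (assumption) */
    struct rule rules[MAX_RULES];
    int nrules;
};

/* Adding a rule with a jump verdict takes one reference on the target chain. */
static struct rule *add_jump_rule(struct chain *owner, struct chain *target)
{
    if (owner->nrules >= MAX_RULES)
        return NULL;
    struct rule *r = &owner->rules[owner->nrules++];
    r->jump_to = target;
    target->use++;
    return r;
}

/* Deactivating a rule drops the reference its jump holds. If the target is a
 * bindable chain, the deactivation also walks that chain's rules. Nothing here
 * remembers that a rule was already deactivated earlier in the same
 * transaction; that is the weakness being modelled. */
static void deactivate_rule(struct rule *r)
{
    struct chain *t = r->jump_to;
    if (!t)
        return;
    if (t->use > 0)
        t->use--;
    if (t->binding)
        for (int i = 0; i < t->nrules; i++)
            deactivate_rule(&t->rules[i]);
}

/* Rule deletion inside a transaction. The deleted rule stays on its owner's
 * list until commit, so a later traversal sees it again. With
 * disallow_bound_removal set, removing a rule from a bindable chain is refused,
 * modelling the behaviour named in the fix commit's title. */
static int del_rule(struct chain *owner, struct rule *r, bool disallow_bound_removal)
{
    if (disallow_bound_removal && owner->binding)
        return -EOPNOTSUPP;
    deactivate_rule(r);
    return 0;
}

/* Replays the sequence from the description and returns the victim's use
 * count at the end. The primitive chain's rule still references the victim,
 * so the consistent result is 1; 0 means a live reference outlives the count. */
static unsigned int run_sequence(bool hardened)
{
    struct chain victim    = { .name = "victim" };
    struct chain primitive = { .name = "primitive" };
    struct chain effect    = { .name = "effect", .binding = true };
    struct chain attacker  = { .name = "attacker" };

    add_jump_rule(&primitive, &victim);                   /* victim.use = 1 */
    struct rule *r1 = add_jump_rule(&effect, &victim);    /* victim.use = 2 */
    (void)del_rule(&effect, r1, hardened);                /* unhardened: victim.use = 1 */
    struct rule *r2 = add_jump_rule(&attacker, &effect);  /* effect.use = 1 */
    (void)del_rule(&attacker, r2, hardened);              /* walks effect's rules: victim.use-- */

    return victim.use;
}

int main(void)
{
    printf("unhardened model: victim.use = %u (primitive rule still references it)\n",
           run_sequence(false));
    printf("hardened model:   victim.use = %u\n", run_sequence(true));
    return 0;
}
```

In the unhardened run the early deletion of the effect chain's rule and the later traversal of the bound effect chain both decrement the victim's count, so it reaches 0 while the primitive chain's rule still points at it; in the hardened run the early deletion is refused, the count is decremented exactly once, and it ends at 1, matching the single remaining reference.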

Note: For LTS instance running on 6.1 kernel, `nf_tables` objects are allocated with `GFP_KERNEL_ACCOUNT`, so they will use `kmalloc-cg-*` caches instead.
Collaborator

What about COS? Is it the same?

## CVE-2023-5197

- The exploit abuses `nf_tables` transaction semantics and chain/rule deactivation to cause a UAF on an `nft_chain`:
- A chain (“victim chain”) is referenced by an `immediate` jump expression in a rule of another chain (“primitive chain”), which increments its use count.
Collaborator

Please add details on which refcount you're targeting and which kernel structure contains it.

1) Establish the UAF primitive
- `vuln_setup(..., victim="c_free", primitive_is_base_chain=false)`:
- Create a new table, a victim chain, a spray chain, and a primitive chain.
- Add one rule to the primitive chain whose immediate expression jumps to the victim chain. This holds a reference to the victim.
Collaborator

@artmetla artmetla Dec 5, 2025

Is this an immediate expression with a jump verdict? Could you elaborate a bit more on the structure of this object?

- This sequence decrements victim->use back to zero.
- Then delete the victim chain in a follow-up batch. The primitive chain still has a rule that jumps to the now-freed victim chain, creating the UAF.

2) Spray `kmalloc-128` with `nft_rule` objects
Collaborator

@artmetla artmetla Dec 5, 2025

Does the "chain" object fit into `kmalloc-128`? What is the size of the chain objects you create?

Collaborator

@artmetla artmetla left a comment

Hey @kungfulon,

Please review my comments and add the necessary information to the exploit description.
