
kernelCTF: add CVE-2026-23273_cos #373

Open
4ab48b3f1ded2472 wants to merge 8 commits into google:master from 4ab48b3f1ded2472:CVE-2026-23273_cos

Conversation

@4ab48b3f1ded2472 (Contributor)

No description provided.

@artmetla artmetla added the recheck Triggers kernelCTF PR verification again label May 17, 2026
@matrizzo (Collaborator)

It looks like vuln-verify is failing because there is no objcopy in the repro environment; we can see if it can be added. In the meantime, can you take a look at why the repro on COS is failing? It looks like the exploit is hanging the kernel.

@matrizzo matrizzo self-assigned this May 21, 2026
@4ab48b3f1ded2472 (Contributor, Author) commented Jun 3, 2026

> It looks like vuln-verify is failing because there is no objcopy in the repro environment, we can see if it can be added.

That's strange, objcopy is present in both v2 and v3 rootfs images.
Currently vuln-verify doesn't even run the exploit, so there are more issues with it.

> In the meantime can you take a look at why the repro on COS is failing? It looks like the exploit is hanging the kernel

I made some changes to improve reliability.

@artmetla artmetla added the labels recheck (Triggers kernelCTF PR verification again) and kCTF: vuln OK (The submission exploits the claimed vulnerability; passed manual verification) and removed the labels recheck and kCTF: vuln OK on Jun 5, 2026
*rop++ = 0x100;
*rop++ = kaddr(POP_RDI);
*rop++ = dst & (~0xfffff);
*rop++ = kaddr_offset(target.GetSymbolOffset("set_memory_rw"));

Collaborator, review comment on the lines above:

Have you checked if this symbol is present in kernelXDK DB?

https://github.com/google/kernel-research/blob/2a88f7fd4107b0991834b42bdbff79675b8e83fd/kxdb_tool/config.py#L52

If not, it should be added in the way like here: https://xdk.dev/libxdk/sample_exploit.html

*rop++ = src;
*rop++ = len;
*rop++ = 0xdeadbeef;
*rop++ = kaddr_offset(target.GetSymbolOffset("memcpy"));

Collaborator, review comment on the lines above:

Same situation as above

@artmetla artmetla (Collaborator) left a comment

Please have one more look at kernelXDK usage and fix or comment on it.
