Add kernelCTF CVE-2026-23274_cos#352

Open
pjwhatforlunch wants to merge 8 commits into google:master from pjwhatforlunch:master

Conversation

@pjwhatforlunch

No description provided.

@google-cla

google-cla bot commented Mar 22, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@koczkatamas
Collaborator

Hey! You are probably aware but the submission does not repro on GHA, please fix that, so we can proceed with the verification to pay out the first half of the reward.

@pjwhatforlunch
Author

> Hey! You are probably aware but the submission does not repro on GHA, please fix that, so we can proceed with the verification to pay out the first half of the reward.

Thanks for the reminder! We shall fix the KASLR issue later. However, we have one issue related to vuln_verify that we cannot address:
As CVE-2026-23274 is a UBI bug, KASAN is not able to detect it. KASAN also makes it hard to reclaim the freed slot to init the UBI data. If the data is uninitialized, the UBI will have no observable effects.
Thus, we currently have no idea how to satisfy the vuln_verify part.

In fact, we cannot bypass KASLR in CI right now either, but I think that is solvable eventually.

@koczkatamas
Collaborator

If the vulnerability cannot be detected by KASAN, then you don't have to satisfy vuln-verify, we will manually review the submission.

For the KASLR leak, we implemented it in kernelXDK, maybe that works better?

@pjwhatforlunch
Author

> If the vulnerability cannot be detected by KASAN, then you don't have to satisfy vuln-verify, we will manually review the submission.
>
> For the KASLR leak, we implemented it in kernelXDK, maybe that works better?

Hi KT,

Thanks a lot. We have left vuln-verify for manual verification.

As the KASLR leak from kernelXDK has not yet been put into a release, we added the git clone to the Makefile to use the latest kernelXDK, and it indeed works perfectly on my local Intel CPU and also on Google CI's AMD CPU. It is truly impressive!

However, our success rate on CI is only ~10% (for kctf and the local environment, we believe our success rate is around 20%~40%). Please let us know if we have to increase the success rate. Thanks!
