Add kernelCTF CVE-2025-40214_mitigation

pocs/linux/kernelctf/CVE-2025-40214_mitigation/docs/exploit.md

@@ -0,0 +1,21 @@
+# CVE-2025-40214
+
+Exploit documentation for `CVE-2025-40214` against `mitigation-v4-6.12`.
+
+As stated in `vulnerability.md`, the bug behind `CVE-2025-40214` causes
+a UAF on `struct sk_buff` (skb) by making the Unix Sockets GC incorrectly
+collect sockets that are still reachable from userspace.
+
+## Overview
+
+The exploit proceeds in four main stages:
+
+1. Build a GC cycle with a controlled `scc_index` spray to trigger the UAF on skb.
+2. Race `scm_fp_dup()` against `unix_detach_fds()` to convert the skb UAF into a
+   UAF on `struct file`.
+3. Convert the `struct file` UAF into a UAF on `pipe_inode_info->bufs` (pipe buffers).
+4. Use `F_SETPIPE_SZ` to allocate enough pipe buffers so that the
+   `pipe_inode_info->bufs` array exceeds 2 pages in size, forcing the
+   allocation outside the slab to bypass slab mitigations, then overwrite
+   `core_pattern` for privilege escalation.
+

pocs/linux/kernelctf/CVE-2025-40214_mitigation/docs/vulnerability.md

@@ -0,0 +1,52 @@
+# CVE-2025-40214
+
+- Requirements:
+    - Capabilities: not required
+    - Kernel configuration: `CONFIG_UNIX=y`
+    - User namespaces: not required
+- Introduced by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ad081928a8b0f57f269df999a28087fce6f2b6ce (af_unix: Avoid Tarjan's algorithm if unnecessary.)
+- Fixed by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=60e6489f8e3b086bd1130ad4450a2c112e863791 (af_unix: Initialise scc_index in unix_add_edge().)
+- Affected Versions: 6.10 - 6.17
+- Affected subsystem: net/unix (Unix Sockets)
+- Cause: Uninitialized memory leading to UAF
+- URL: https://www.cve.org/CVERecord?id=CVE-2025-40214
+
+## Description
+
+In the Linux kernel there was an uninitialized memory issue in the Unix
+Sockets Garbage Collector (`net/unix/garbage.c`).
+
+The GC uses the Tarjan algorithm on an internal graph to determine Strongly
+Connected Components (SCC) in this graph to find cycles not accessible from a user process.
+
+When a vertex for a newly sent socket is created in `unix_add_edge()`, the
+internal `scc_index` vertex field is not initialized:
+
+```c
+static void unix_add_edge(struct scm_fp_list *fpl, struct unix_edge *edge)
+{
+    struct unix_vertex *vertex = edge->predecessor->sk_vertex;
+
+    if (!vertex) {
+        vertex = list_first_entry(&fpl->vertices, typeof(*vertex), entry);
+        vertex->index = unix_vertex_unvisited_index;
+        /* BUG: vertex->scc_index is not initialized here */
+        vertex->out_degree = 0;
+        INIT_LIST_HEAD(&vertex->edges);
+        INIT_LIST_HEAD(&vertex->scc_entry);
+    }
+    /* ... */
+}
+```
+
+Therefore it is possible to spray the heap with controlled data and force the
+GC decision algorithm to see two vertices from different SCCs as a single SCC.
+
+In this case the GC can make an incorrect decision and purge receive queues of
+all sockets inside this SCC while the user process can still receive a
+descriptor to one of the sockets, resulting in a UAF on the socket's skb.
+
+## Syscall blocking
+
+Blocking `AF_UNIX` socket creation (`socket(AF_UNIX, ...)`) or disabling
+`CONFIG_UNIX` would prevent triggering this vulnerability.

pocs/linux/kernelctf/CVE-2025-40214_mitigation/exploit/mitigation-v4-6.12/Makefile

@@ -0,0 +1,10 @@
+exploit:
+	g++ -static -std=c++17 -Ofast exploit.cc -o exploit -lpthread -lkernelXDK
+
+exploit_debug:
+	g++ -static -std=c++17 -Ofast exploit.cc -o exploit_debug -lpthread -lkernelXDK
+
+prerequisites:
+
+run:
+	./exploit