kernelCTF: add CVE-2024-26923_lts_cos

[lambdasprocket]

No description provided.

[artmetla]

Suggested change

	2. Close the victim socket
	2. Close the victim socket, so that its standard file reference count drops to zero, leaving only the garbage collector's internal references.

[artmetla]

Suggested change

	3. Trigger garbage collection and run unix_gc() until the start of window 2.
	3. Trigger garbage collection and run `unix_gc()` until the start of window 2, by closing an unrelated socket, which forces `unix_gc()` to wake up and scan the inflight list.

[artmetla]

Suggested change

	1. Send the victim socket through this connecting socket.
	1. Send the victim socket through this connecting socket, using SCM_RIGHTS to make it an 'inflight' socket, which forces the garbage collector to track it.
	> Note: SCM_RIGHTS is a special message type that allows Unix sockets to send open file descriptors to each other. When a socket is sent this way but hasn't been read out of the queue yet, it is considered "inflight." The garbage collector specifically tracks inflight sockets to prevent cyclic memory leaks.

[artmetla]

Suggested change

	This function is triggered by executing connect on CPU 0. This CPU will do nothing else until the race conditions part of the exploit is over.
	This function is triggered by executing connect on CPU 0. To win the race, the exploit intentionally stalls this thread right inside Window 1. This CPU will do nothing else until the race conditions part of the exploit is over, leaving the newly created "embryo" socket (newsk) allocated but not yet linked to the receive queue.

[artmetla]

Please check all of my assumptions in form of "suggestions". If you have an idea how to explain it better, please do.

[artmetla]

Suggested change

	We have to use the other CPU available to perform 2 operations during this window:
	We have to use the other CPU available to perform 3 operations during this window:

[artmetla]

Suggested change

This causes a decrement/increment mismatch and the resulting use-after-free.

This causes a decrement/increment mismatch and the resulting use-after-free. Because the garbage collector does not expect an embryo to be enqueued mid-scan, it misses the embryo during the first pass (failing to decrement the victim's `u->inflight` counter). When the stalled thread unfreezes, the embryo is enqueued. The GC sees it during the second pass and increments the victim's count. The victim's `unix_sock` reference count is now artificially, leaving a dangling pointer in the gc_inflight_list when the socket is closed.

[artmetla]

Could you elaborate on the setup needed for the triggering race?

From what I see, the exploit sets up a listening server socket, a client socket to connect to it, and a separate "victim" socket that will eventually be corrupted. During the client's connect() call, the kernel dynamically allocates a new socket (the "embryo") to represent the server's side.

[artmetla]

Suggested change

	of epoll watches to this timerfd to make the time needed to handle the interrupt longer.
	of epoll watches to this timerfd. When the timer fires, the kernel is forced to slowly iterate over hundreds of these watchers inside the interrupt handler, artificially stretching the race window from nanoseconds to milliseconds.

[artmetla]

Suggested change

	At this point our victim socket is inflight, linked in the gc_inflight_list and has a inflight reference value of 2.
	At this point our victim socket is inflight, linked in the gc_inflight_list and has a inflight reference value of 2 (stored inside the struct unix_sock).

[artmetla]

Suggested change

	Next step is to receive this socket and close it. This will cause its struct sock object to be freed, but it will stay referenced in the gc_inflight_list.
	Next step is to receive this socket and close it. Receiving it drops the inflight count from 2 down to 1, and closing it drops its standard file descriptor reference count to 0. This will cause its struct sock object to be freed, but it will stay referenced in the gc_inflight_list.