
add kernelCTF CVE-2025-40019_lts_cos_mitigation#305

Merged
matrizzo merged 3 commits intogoogle:masterfrom
star-sg:CVE-2025-40019_lts_cos_mitigation
Mar 9, 2026

Conversation

d4em0n (Contributor) commented Dec 15, 2025

No description provided.

@koczkatamas koczkatamas added the kCTF: vuln OK The submission exploits the claims vulnerability (passed manual verification) label Jan 16, 2026
koczkatamas (Collaborator) commented:

Hey! The reward payout for this submission is blocked on not having a bughunters.google.com submission. Please create a new report there and then ping us so we can pay. Thanks!

@koczkatamas koczkatamas changed the title add CVE-2025-40019_lts_cos_mitigation add kernelCTF CVE-2025-40019_lts_cos_mitigation Jan 16, 2026
d4em0n (Contributor, Author) commented Jan 27, 2026

Hi, we have just made a submission to bughunters.google.com

koczkatamas (Collaborator) commented:

Thanks! I've issued the (first half of the) payment.

- Rewrite exploit.md with detailed vulnerability description, chained SGL
  technique (first_rsgl → second_rsgl → tsgl), outlen=0 trick, ctl_buf
  spray mechanism, and scatterwalk_ffwd traversal explanation
- Document 0x9c000 (trampoline_pgd) first-pass PTE with link to
  CVE-2023-6560 exploit documentation for reference
- Update exploit.c comments across all targets to match documentation
- Remove unused SO_RCVBUF setsockopt on authenc socket
@matrizzo matrizzo self-assigned this Feb 26, 2026
matrizzo (Collaborator) left a review comment:

Hi, thanks for your submission. In general it looks good but there are a few small style issues. Please take a look.

- Add PAGE_SIZE, SCATTERLIST_OFFS_*, PHYS_ADDR_ALIGN_MASK defines
- Extract create_aead_tfmfd() helper to deduplicate AEAD socket setup
- Make data_buf, unix_sockfd, authenc_opfd local instead of global
- Use named constants instead of magic numbers throughout
- Add clarifying comments for volatile, root_payload, slab ordering
- Remove dead code after while(1) sleep(1)
matrizzo (Collaborator) left a review comment:

Looks good, thanks!

@matrizzo matrizzo merged commit 4a3a573 into google:master Mar 9, 2026
12 checks passed

Labels

kCTF: vuln OK The submission exploits the claims vulnerability (passed manual verification)


3 participants