Add kernelCTF CVE-2025-38617_mitigation_cos

pocs/linux/kernelctf/CVE-2025-38617_mitigation_cos/docs/vulnerability.md

@@ -0,0 +1,24 @@
+# Vulnerability
+
+A race between packet_set_ring() and packet_notifier() allow the packet socket to hook to network interface and receive packet sent to that network interface while the ring buffer is configured. The received packet might found the old ring buffer that already be freed.
+
+## Requirements to trigger the vulnerability:
+- Capabilities: To trigger the vulnerability, `CAP_NET_RAW` capabilities are required.
+- Kernel configuration: `CONFIG_PACKET` is required to trigger this vulnerability.
+- Are user namespaces needed?: Yes. As this vulnerability requires `CAP_NET_RAW`, which are not usually given to the normal user, we used the unprivileged user namespace to achieve this capability.
+
+## Commit which introduced the vulnerability
+- This vulnerability was introduced in Linux-2.6.12-rc2, with commit [ce06b03e60fc1](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ce06b03e60fc1)
+- This commit add head drop fifo queue to the kernel.
+
+## Commit which fixed the vulnerability
+- This vulnerability was fixed with commit [01d3c8417b9c1b884a8a981a3b886da556512f36](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=01d3c8417b9c1b884a8a981a3b886da556512f36)
+
+## Affected kernel versions
+- Linux version 2.6.12 - 6.16 affects to this vulnerability
+
+## Affected component, subsystem
+- Packet socket
+
+## Cause (UAF, BoF, race condition, double free, refcount overflow, etc)
+- UAF

pocs/linux/kernelctf/CVE-2025-38617_mitigation_cos/exploit/cos-109-17800.519.41/Makefile

@@ -0,0 +1,32 @@
+# taken from: https://github.com/google/security-research/blob/1bb2f8c8d95a34cafe7861bc890cfba5d85ec141/pocs/linux/kernelctf/CVE-2024-0193_lts/exploit/lts-6.1.67/Makefile
+
+LIBMNL_DIR = $(realpath ./)/libmnl_build
+LIBNFTNL_DIR = $(realpath ./)/libnftnl_build
+
+LIBS = -L$(LIBMNL_DIR)/install/lib -lmnl
+INCLUDES = -I$(LIBMNL_DIR)/libmnl-1.0.5/include
+CFLAGS = -static -Ofast
+
+exploit: exploit.c
+	gcc -o exploit exploit.c $(LIBS) $(INCLUDES) $(CFLAGS)
+
+
+prerequisites: libmnl-build
+
+libmnl-build : libmnl-download
+	tar -C $(LIBMNL_DIR) -xvf $(LIBMNL_DIR)/libmnl-1.0.5.tar.bz2
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && ./configure --enable-static --prefix=`realpath ../install`
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && make -j`nproc`
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && make install
+
+
+libmnl-download :
+	mkdir $(LIBMNL_DIR)
+	wget -P $(LIBMNL_DIR) https://netfilter.org/projects/libmnl/files/libmnl-1.0.5.tar.bz2
+
+run:
+	./exploit
+
+clean:
+	rm -f exploit
+	rm -rf $(LIBMNL_DIR)