kernelCTF: enable bpf_jit_harden in repro

koczkatamas · koczkatamas · commit 24880bbeba48 · 2025-09-27T10:34:03.000Z
diff --git a/kernelctf/check-submission.py b/kernelctf/check-submission.py
@@ -94,6 +94,18 @@
 submissionIds = list(set(submissionIds).intersection(publicSheet.keys()))
 submissionIds.sort()
 
+# Regular expression to handle kernelCTF flag without signature
+flagRegex = r"kernelCTF\{(?:[^:]+:)?(?:v1:([^:]+)|v2:([^:]+):([^:]*)):\d+\}"
+def flagTarget(flag):
+    match = checkRegex(flag, flagRegex, f"The flag (`{flag}`) is invalid")
+    if match.group(1):
+        # v1 flag
+        return match.group(1)
+
+    # v2 flag
+    return match.group(2)
+
+targetFlagTimes = {}
 flags = []
 for submissionId in submissionIds:
     publicData = publicSheet[submissionId]
@@ -116,22 +128,13 @@
             else:
                 print(f"[+] The hash of the file `{archiveFn}` matches the expected `{exploitHash}` value.")
 
-    flags.extend(publicData["Flags"].strip().split('\n'))
+    for flag in publicData["Flags"].strip().split('\n'):
+        flags.append(flag)
+        targetFlagTimes[flagTarget(flag)] = publicData["Flag submission time"]
 
     if cve != publicData["CVE"]:
         error(f"The CVE on the public spreadsheet for submission `{submissionId}` is `{publicData['CVE']}` but the PR is for `{cve}`.")
 
-# Regular expression to handle kernelCTF flag without signature
-flagRegex = r"kernelCTF\{(?:[^:]+:)?(?:v1:([^:]+)|v2:([^:]+):([^:]*)):\d+\}"
-def flagTarget(flag):
-    match = checkRegex(flag, flagRegex, f"The flag (`{flag}`) is invalid")
-    if match.group(1):
-        # v1 flag
-        return match.group(1)
-
-    # v2 flag
-    return match.group(2)
-
 flagTargets = set([flagTarget(flag) for flag in flags])
 if "mitigation-6.1-v2" in flagTargets:
     flagTargets = flagTargets - {"mitigation-6.1-v2"} | {"mitigation-6.1"}
@@ -160,6 +163,7 @@ def summary(success, text):
         exploit_info = metadata["exploits"].get(target)
         if not exploit_info: continue
         exploits_info[target] = { key: exploit_info[key] for key in ["uses", "requires_separate_kaslr_leak"] if key in exploit_info }
+        exploits_info[target]["flag_time"] = targetFlagTimes[target]
 ghSet("OUTPUT", f"exploits_info={json.dumps(exploits_info)}")
 ghSet("OUTPUT", f"artifact_backup_dir={'_'.join(submissionIds)}")
 
diff --git a/kernelctf/repro/repro.sh b/kernelctf/repro/repro.sh
@@ -25,6 +25,8 @@ fi
 
 if [[ "$RELEASE_ID" == "mitigation-"* ]]; then
   CMDLINE="$CMDLINE sysctl.kernel.dmesg_restrict=1 sysctl.kernel.kptr_restrict=2 sysctl.kernel.unprivileged_bpf_disabled=2 sysctl.net.core.bpf_jit_harden=1 sysctl.kernel.yama.ptrace_scope=1 slab_virtual=1 slab_virtual_guards=1";
+elif [[ "$(echo $EXPLOIT_INFO | jq -re '.flag_time')" > "2025-02-28" ]]; then
+  CMDLINE="$CMDLINE sysctl.net.core.bpf_jit_harden=2"
 fi
 
 # Keep this as the last check as it contains "--", everything comes after this is not passed to the kernel
