Copy Fail What You Need to Know About the Most Severe Linux ...

src/SUMMARY.md

@@ -914,6 +914,7 @@
   - [Virtualbox Slirp Nat Packet Heap Exploitation](binary-exploitation/libc-heap/virtualbox-slirp-nat-packet-heap-exploitation.md)
 - [Common Exploiting Problems](binary-exploitation/common-exploiting-problems.md)
 - [Adreno A7xx Sds Rb Priv Bypass Gpu Smmu Kernel Rw](binary-exploitation/linux-kernel-exploitation/adreno-a7xx-sds-rb-priv-bypass-gpu-smmu-kernel-rw.md)
+- [Af Alg Aead Page Cache Overwrite](binary-exploitation/linux-kernel-exploitation/af-alg-aead-page-cache-overwrite.md)
 - [Af Unix Msg Oob Uaf Skb Primitives](binary-exploitation/linux-kernel-exploitation/af-unix-msg-oob-uaf-skb-primitives.md)
 - [Arm64 Static Linear Map Kaslr Bypass](binary-exploitation/linux-kernel-exploitation/arm64-static-linear-map-kaslr-bypass.md)
 - [Ksmbd Streams Xattr Oob Write Cve 2025 37947](binary-exploitation/linux-kernel-exploitation/ksmbd-streams_xattr-oob-write-cve-2025-37947.md)

src/binary-exploitation/linux-kernel-exploitation/af-alg-aead-page-cache-overwrite.md

@@ -0,0 +1,80 @@
+# AF_ALG AEAD Page-Cache Overwrite via authencesn
+
+{{#include ../../banners/hacktricks-training.md}}
+
+This technique abuses the Linux userspace crypto API (`AF_ALG`) when an AEAD request is built in-place and file-backed pages introduced with `splice()` become reachable through a writable destination scatterlist. The public "Copy Fail" bug (CVE-2026-31431) is a good example, but the interesting HackTricks primitive is more general: **turn a scratch write inside a crypto algorithm into a write to the page cache of a readable file**.
+
+- Reachable component: `algif_aead`
+- Interesting algorithm: `authencesn`
+- Primitive: controlled 4-byte page-cache overwrite
+- Common targets: readable `setuid-root` binaries such as `/usr/bin/su`, `sudo`, or `passwd`
+
+## Vulnerable pattern
+
+Look for this combination:
+
+1. A user reachable zero-copy path such as `AF_ALG` accepts file-backed pages via `splice()`.
+2. An "in-place" optimization makes `req->src` and `req->dst` share a combined scatterlist.
+3. The destination scatterlist becomes writable even though some pages originally came from a read-only file mapping or page cache.
+4. The algorithm uses the destination buffer as temporary scratch space or performs a small out-of-bounds write.
+
+In that situation, a short overwrite can cross the scatterlist boundary and land in cached file data instead of in a harmless heap buffer.
+
+## Why `authencesn` matters
+
+`authencesn` handles IPsec extended sequence number (ESN) data and uses the destination buffer as scratch space while rearranging AAD. In the vulnerable `algif_aead` path, this becomes dangerous because the algorithm writes **4 attacker-controlled bytes** past the legitimate output region and does not restore them.
+
+If the writable destination chain contains page-cache pages pulled in through `splice()`, those 4 bytes become a controlled write into the cached contents of the spliced file.
+
+## What the attacker controls
+
+- **Overwrite value:** AAD bytes `4-7` (`seqno_lo`) passed in `sendmsg()`
+- **Overwrite position:** `splice()` offset, `splice()` length, and `assoclen`
+
+This is enough to steer a deterministic 4-byte overwrite into the cached `.text` of a readable privileged executable.
+
+## Exploitation flow
+
+1. Open an `AF_ALG` AEAD socket using an algorithm that hits the vulnerable scratch-write path.
+2. `splice()` page-cache pages from a readable target binary into the crypto TX scatterlist.
+3. Send AAD where bytes `4-7` contain the wanted 4-byte patch.
+4. Tune `assoclen` plus the spliced offset and length so the overflow crosses from the legitimate output into the target cached page.
+5. Execute the modified cached binary before page-cache eviction or reboot.
+
+The disk file stays unchanged. Only the in-memory page cache is patched, so the binary runs attacker-influenced code with its normal privilege bits.
+
+## Why page-cache targets are useful
+
+- No on-disk write permission is needed.
+- World-readable `setuid-root` binaries are often enough.
+- File integrity monitoring may miss the compromise because the file on disk is clean.
+- The primitive can cross container boundaries because page cache and kernel crypto live at the host kernel layer.
+
+## Audit ideas
+
+When reviewing similar attack surfaces, prioritize:
+
+- zero-copy interfaces that can import `splice()` pages from readable files
+- optimizations that merge source and destination SG lists for "in-place" operation
+- algorithms that reuse destination buffers as scratch memory
+- tiny linear OOB writes that look harmless until page-cache pages appear in the writable path
+
+## Hardening and hunting
+
+- Patch to a version that restores out-of-place operation for the affected path.
+- If you do not need AEAD via `AF_ALG`, disabling `algif_aead` removes the reachable surface:
+
+```bash
+echo "install algif_aead /bin/false" > /etc/modprobe.d/disable-algif.conf
+rmmod algif_aead
+```
+
+- Do not rely only on on-disk file integrity checks. Hunt for the side effects of a patched cached helper, such as unexpected non-root launches of `su` or similar privileged helpers after suspicious local activity.
+
+## References
+
+- [Copy Fail: What You Need to Know About the Most Severe Linux Threat in Years](https://unit42.paloaltonetworks.com/cve-2026-31431-copy-fail/)
+- [Copy Fail: 732 Bytes to Root on Every Major Linux Distribution.](https://xint.io/blog/copy-fail-linux-distributions)
+- [crypto: algif_aead - Revert to operating out-of-place](https://github.com/torvalds/linux/commit/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5)
+
+{{#include ../../banners/hacktricks-training.md}}

src/linux-hardening/privilege-escalation/README.md

@@ -65,6 +65,9 @@ Additional kernel exploitation techniques:
 {{#ref}}
 ../../binary-exploitation/linux-kernel-exploitation/arm64-static-linear-map-kaslr-bypass.md
 {{#endref}}
+{{#ref}}
+../../binary-exploitation/linux-kernel-exploitation/af-alg-aead-page-cache-overwrite.md
+{{#endref}}
 
 ### CVE-2016-5195 (DirtyCow)