feat(ingest): kernel crash validator — KASAN/UBSAN/oops ingest + oracle #138

Merged: peaktwilight merged 1 commit into main from feat/kernel-crash-validator on Apr 12, 2026

@peaktwilight
Collaborator

Summary

  • Kernel crash ingest pipeline: parsers for KASAN (OOB, stack-OOB, UAF, double-free, null, wild), UBSAN, oops, panic, GP faults, RCU stalls, lockdep
  • Kernel oracle: QEMU-based crash reproduction + static analysis fallback with crash signature matching and consistency validation
  • 8 new AttackCategory values for memory corruption, kernel_oracle triage layer, 8 kernel-specific PoV judges
  • CLI: pwnkit ingest <path> command
  • Validated against 10 real syzbot crashes: 100% parse rate, 100% correct category classification, 0.89 avg consistency score

Closes #122, #123, #124.

Syzbot benchmark (10 real crashes)

| Bug | Crash | Type | Category | Subsystem | Correct |
|---|---|---|---|---|---|
| p9_req_put | UAF | kasan-uaf | use-after-free | p9 | |
| xfs_buf_rele | UAF | kasan-uaf | use-after-free | xfs | |
| copy_to_urb | OOB write | kasan-oob | heap-overflow | usb | |
| io_uring | null-deref | kasan-null | null-pointer-deref | io | |
| scarlett2 | GP fault | gp | null-pointer-deref | usb | |
| snd_pcm_stop | UAF | kasan-uaf | use-after-free | sound | |
| l2cap | stack-OOB | kasan-stack-oob | stack-buffer-overflow | bluetooth | |
| xfrm_state | UAF | kasan-uaf | use-after-free | net/ip | |
| hci_conn | UAF write | kasan-uaf | use-after-free | bluetooth | |
| hci_req | double-free | kasan-double-free | double-free | bluetooth | |

Test plan

  • 477 unit tests pass (43 new for kernel crash modules)
  • 10 real syzbot crash reports parsed correctly
  • CLI pwnkit ingest tested with file + directory input
  • Existing test suite unaffected


…r subsystem inference

Validated against 10 real syzbot crash reports — 100% category accuracy.

Fixes:
- kasanSubType now distinguishes stack-out-of-bounds → kasan-stack-oob
  (was lumped with heap kasan-oob)
- kasanSubType now recognizes double-free/invalid-free → kasan-double-free
  (was falling through to default kasan-oob)
- Added CrashType values: kasan-stack-oob, kasan-double-free
- crashTypeToCategory maps new types correctly
- Subsystem inference now scans all stack frames (not just top 10) and
  skips infrastructure functions (kasan, lock, rhashtable, slab, etc.)
  before falling back to prefix heuristic. Fixes xfs_buf_rele being
  classified as "rhashtable" instead of "xfs".

Syzbot benchmark (10 crashes):
  parse rate: 100%, category accuracy: 100%
  avg consistency score: 0.89
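
The rule ordering and frame-skipping described in the commit message above, as an added TypeScript example that is not pwnkit's own code. `classifyKasan`, `inferSubsystem`, the rule table, the infrastructure list and the sample report are assumptions constructed for illustration; only the `kasan-*` type names come from the page.

```typescript
// Added example: classifyKasan, inferSubsystem, RULES and INFRA are hypothetical names.
type KasanType = "kasan-uaf" | "kasan-oob" | "kasan-stack-oob"
  | "kasan-double-free" | "kasan-null";

// Order matters: specific bug classes first, generic out-of-bounds last, so
// stack-out-of-bounds and double-free never land in kasan-oob.
const RULES: Array<[RegExp, KasanType]> = [
  [/double-free|invalid-free/, "kasan-double-free"],
  [/use-after-free/, "kasan-uaf"], // also "slab-use-after-free"
  [/stack-out-of-bounds/, "kasan-stack-oob"],
  [/null-ptr-deref/, "kasan-null"],
  [/out-of-bounds/, "kasan-oob"], // slab-, global-, vmalloc-
];

function classifyKasan(report: string): KasanType | null {
  const m = /BUG: KASAN: (\S+)/.exec(report);
  if (!m) return null;
  for (const [re, kind] of RULES) {
    if (re.test(m[1])) return kind;
  }
  return null; // unknown class: surface it instead of defaulting to kasan-oob
}

// Frames present in many traces that say nothing about the faulting subsystem
// (assumed list, modelled on the "kasan, lock, rhashtable, slab" set above).
const INFRA = /^_*(kasan|lock|rhashtable|slab|kmem_cache|kfree|dump_stack|print_report)/;

function inferSubsystem(report: string): string | null {
  for (const line of report.split("\n")) {
    const f = /^\s*([A-Za-z_][\w.]*)\+0x[0-9a-f]+\/0x[0-9a-f]+/.exec(line);
    if (!f || INFRA.test(f[1])) continue; // scan every frame, skip infrastructure
    return f[1].replace(/^_+/, "").split("_")[0] || null; // prefix heuristic
  }
  return null;
}

// Constructed report (not a real syzbot log): the top frames are all infrastructure.
const SAMPLE = [
  "BUG: KASAN: slab-use-after-free in rhashtable_lookup+0x4c/0x120",
  "Read of size 4 at addr ffff888012345678 by task syz-executor/4242",
  "Call Trace:",
  " dump_stack_lvl+0x3d/0x60",
  " print_report+0xc4/0x620",
  " kasan_report+0xbd/0xf0",
  " rhashtable_lookup+0x4c/0x120",
  " xfs_buf_rele+0x2a/0x90",
].join("\n");

const sampleResult = { type: classifyKasan(SAMPLE), subsystem: inferSubsystem(SAMPLE) };
```

Taking only the top frame of the sample would yield an infrastructure prefix; skipping to the first non-infrastructure frame yields `xfs`, the misclassification the commit message says it fixed.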

@peaktwilight peaktwilight merged commit e32f26d into main Apr 12, 2026
1 check passed
@peaktwilight peaktwilight deleted the feat/kernel-crash-validator branch April 12, 2026 17:27
Development

Successfully merging this pull request may close these issues.

[feat] Kernel crash ingest adapter — parse KASAN/UBSAN/syzkaller into Finding