Linux内核AF_PACKET权限提升漏洞(CVE-2020-14386)分析报告<\/h1>

漏洞概述<\/h2>
CVE-2020-14386是Linux内核中AF_PACKET套接字实现的一个权限提升漏洞，存在于`tpacket_rcv<\/code>函数中。该漏洞允许本地攻击者通过构造特殊的网络包导致内核内存越界写入，可能实现权限提升。漏洞影响范围广泛，需要CAP_NET_RAW权限才能利用。<\/p>`

环境搭建<\/h2>
调试环境准备<\/h3>

下载调试镜像<\/strong>：<\/li>
<\/ol>
sudo apt-get install debootstrap
<\/span><\/span>wget https:\/\/raw.githubusercontent.com\/google\/syzkaller\/master\/tools\/create-image.sh -O create-image.sh
<\/span><\/span>chmod +x create-image.sh
<\/span><\/span>.\/create-image.sh
<\/span><\/span><\/code><\/pre>

编译内核<\/strong>：

参考：快速搭建一个Linux内核调试环境<\/a><\/p>
<\/li>

编译PoC<\/strong>：<\/p>
<\/li>
<\/ol>
wget https:\/\/raw.githubusercontent.com\/cgwalters\/cve-2020-14386\/master\/cve-cap-net-raw.c
<\/span><\/span>gcc cve-cap-net-raw.c -o poc -static
<\/span><\/span><\/code><\/pre>
设置CAP_NET_RAW权限<\/strong>：<\/li>
<\/ol>
# 设置cap_net_raw权限<\/span>
<\/span><\/span>setcap cap_net_raw+ep .\/poc
<\/span><\/span># 查看程序的cap权限<\/span>
<\/span><\/span>getcap .\/poc
<\/span><\/span># 删除cap_net_raw权限<\/span>
<\/span><\/span>setcap cap_net_raw-ep .\/poc
<\/span><\/span>
<\/span><\/span># 仅做调试使用可以直接运行：<\/span>
<\/span><\/span>sudo .\/poc skip-unshare
<\/span><\/span><\/code><\/pre>
调试设置<\/strong>：

设置断点：b tpacket_rcv<\/code><\/li>
<\/ol>
基础知识<\/h2>
Linux内核内存布局<\/h3>
0xffffffffffffffff  ---+-----------+-----------------------------------------------+-------------+
                       |           |                                               |+++++++++++++|
    8M                 |           | unused hole                                   |+++++++++++++|
                       |           |                                               |+++++++++++++|
0xffffffffff7ff000  ---|-----------+------------| FIXADDR_TOP |--------------------|+++++++++++++|
    1M                 |           |                                               |+++++++++++++|
0xffffffffff600000  ---+-----------+------------| VSYSCALL_ADDR |------------------|+++++++++++++|
    548K               |           | vsyscalls                                     |+++++++++++++|
0xffffffffff577000  ---+-----------+------------| FIXADDR_START |------------------|+++++++++++++|
    5M                 |           | hole                                          |+++++++++++++|
0xffffffffff000000  ---+-----------+------------| MODULES_END |--------------------|+++++++++++++|
                       |           |                                               |+++++++++++++|
    1520M              |           | module mapping space (MODULES_LEN)            |+++++++++++++|
                       |           |                                               |+++++++++++++|
0xffffffffa0000000  ---+-----------+------------| MODULES_VADDR |------------------|+++++++++++++|
                       |           |                                               |+++++++++++++|
    512M               |           | kernel text mapping, from phys 0              |+++++++++++++|
                       |           |                                               |+++++++++++++|
0xffffffff80000000  ---+-----------+------------| __START_KERNEL_map |-------------|+++++++++++++|
    2G                 |           | hole                                          |+++++++++++++|
0xffffffff00000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    64G                |           | EFI region mapping space                      |+++++++++++++|
0xffffffef00000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    444G               |           | hole                                          |+++++++++++++|
0xffffff8000000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    16T                |           | %esp fixup stacks                             |+++++++++++++|
0xffffff0000000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    3T                 |           | hole                                          |+++++++++++++|
0xfffffc0000000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    16T                |           | kasan shadow memory (16TB)                    |+++++++++++++|
0xffffec0000000000  ---+-----------+-----------------------------------------------|+++++++++++++|
    1T                 |           | hole                                          |+++++++++++++|
0xffffeb0000000000  ---+-----------+-----------------------------------------------| kernel space|
    1T                 |           | virtual memory map for all of struct pages    |+++++++++++++|
0xffffea0000000000  ---+-----------+------------| VMEMMAP_START |------------------|+++++++++++++|
    1T                 |           | hole                                          |+++++++++++++|
0xffffe90000000000  ---+-----------+------------| VMALLOC_END   |------------------|+++++++++++++|
    32T                |           | vmalloc\/ioremap (1 << VMALLOC_SIZE_TB)        |+++++++++++++|
0xffffc90000000000  ---+-----------+------------| VMALLOC_START |------------------|+++++++++++++|
    1T                 |           | hole                                          |+++++++++++++|
0xffffc80000000000  ---+-----------+-----------------------------------------------|+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
    64T                |           | direct mapping of all phys. memory            |+++++++++++++|
                       |           | (1 << MAX_PHYSMEM_BITS)                       |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
                       |           |                                               |+++++++++++++|
0xffff880000000000 ----+-----------+-----------| __PAGE_OFFSET_BASE | -------------|+++++++++++++|
                       |           |                                               |+++++++++++++|
    8T                 |           | guard hole, reserved for hypervisor           |+++++++++++++|
                       |           |                                               |+++++++++++++|
0xffff800000000000 ----+-----------+-----------------------------------------------+-------------+
                       |-----------|                                               |-------------|
                       |-----------| hole caused by [48:63] sign extension         |-------------|
                       |-----------|                                               |-------------|
0x0000800000000000 ----+-----------+-----------------------------------------------+-------------+
    PAGE_SIZE          |           | guard page                                    |xxxxxxxxxxxxx|
0x00007ffffffff000 ----+-----------+--------------| TASK_SIZE_MAX | ---------------|xxxxxxxxxxxxx|
                       |           |                                               |  user space |
<\/code><\/pre>
PACKET_MMAP机制<\/h3>
PACKET_MMAP是Linux内核中PF_PACKET套接口的一种高效数据包处理机制，允许用户空间通过mmap直接访问内核中的网络数据包缓冲区。<\/p>
TPACKET_HEADER版本<\/strong>：<\/p>
enum<\/span> tpacket_versions {
<\/span><\/span>    TPACKET_V1,
<\/span><\/span>    TPACKET_V2,
<\/span><\/span>    TPACKET_V3
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>环形缓冲区配置结构<\/strong>：<\/p>
struct<\/span> tpacket_req {
<\/span><\/span>    unsigned<\/span> int<\/span>    tp_block_size;  \/* 连续块的最小大小 *\/<\/span>
<\/span><\/span>    unsigned<\/span> int<\/span>    tp_block_nr;    \/* 块数量 *\/<\/span>
<\/span><\/span>    unsigned<\/span> int<\/span>    tp_frame_size;  \/* 帧大小 *\/<\/span>
<\/span><\/span>    unsigned<\/span> int<\/span>    tp_frame_nr;    \/* 帧总数 *\/<\/span>
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>缓冲区结构示例：<\/p>

tp_block_size= 4096<\/li>
tp_frame_size= 2048<\/li>
tp_block_nr = 4<\/li>
tp_frame_nr = 8<\/li>
<\/ul>
内存布局：<\/p>
block #1                 block #2         
+---------+---------+    +---------+---------+    
| frame 1 | frame 2 |    | frame 3 | frame 4 |    
+---------+---------+    +---------+---------+    

        block #3                 block #4
+---------+---------+    +---------+---------+
| frame 5 | frame 6 |    | frame 7 | frame 8 |
+---------+---------+    +---------+---------+
<\/code><\/pre>
漏洞分析<\/h2>
漏洞位于tpacket_rcv<\/code>函数中：<\/p>
static<\/span> int<\/span> tpacket_rcv<\/span>(struct<\/span> sk_buff *<\/span>skb, struct<\/span> net_device *<\/span>dev,
<\/span><\/span>               struct<\/span> packet_type *<\/span>pt, struct<\/span> net_device *<\/span>orig_dev)
<\/span><\/span>{
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    if<\/span> (sk-><\/span>sk_type ==<\/span> SOCK_DGRAM) {
<\/span><\/span>        macoff =<\/span> netoff =<\/span> TPACKET_ALIGN(po-><\/span>tp_hdrlen) +<\/span> 16<\/span> +<\/span>
<\/span><\/span>                  po-><\/span>tp_reserve;
<\/span><\/span>    } else<\/span> {
<\/span><\/span>        unsigned<\/span> int<\/span> maclen =<\/span> skb_network_offset(skb);
<\/span><\/span>        \/\/ tp_reserve是unsigned int，netoff是unsigned short。加法可能使netoff溢出
<\/span><\/span><\/span><\/span>        netoff =<\/span> TPACKET_ALIGN(po-><\/span>tp_hdrlen +<\/span>
<\/span><\/span>                       (maclen <<\/span> 16<\/span> ?<\/span> 16<\/span> :<\/span> maclen)) +<\/span>
<\/span><\/span>                       po-><\/span>tp_reserve; \/\/ [1]
<\/span><\/span><\/span><\/span>        if<\/span> (po-><\/span>has_vnet_hdr) {
<\/span><\/span>            netoff +=<\/span> sizeof<\/span>(struct<\/span> virtio_net_hdr);
<\/span><\/span>            do_vnet =<\/span> true;
<\/span><\/span>        }
<\/span><\/span>        \/\/ 攻击者可以控制netoff，使macoff小于sizeof(struct virtio_net_hdr)
<\/span><\/span><\/span><\/span>        macoff =<\/span> netoff -<\/span> maclen; \/\/ [2]
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    \/\/ "macoff - sizeof(struct virtio_net_hdr)"可能为负数，导致指针指向h.raw之前
<\/span><\/span><\/span><\/span>    if<\/span> (do_vnet &&<\/span>
<\/span><\/span>        virtio_net_hdr_from_skb(skb, h.raw +<\/span> macoff -<\/span>
<\/span><\/span>                    sizeof<\/span>(struct<\/span> virtio_net_hdr),
<\/span><\/span>                    vio_le(), true, 0<\/span>)) {  \/\/ [3]
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/code><\/pre>漏洞成因<\/h3>


[1]处<\/strong>：netoff<\/code>是unsigned short<\/code>类型(范围[0, 0xffff])，而po->tp_reserve<\/code>是unsigned int<\/code>类型(范围[0, 0xffffffff])。在赋值过程中进行类型转换，导致高两个字节被截断。<\/p>
<\/li>

[2]处<\/strong>：攻击者可以控制netoff<\/code>，使得计算得到的macoff<\/code>小于sizeof(struct virtio_net_hdr)<\/code>。<\/p>
<\/li>

[3]处<\/strong>：macoff - sizeof(struct virtio_net_hdr)<\/code>可能为负值，相当于往&h.raw<\/code>地址前面写入数据，造成向上越界写漏洞。<\/p>
<\/li>
<\/ol>
漏洞限制<\/h3>

需要CAP_NET_RAW权限<\/li>
只能向上越界写1~10个字节<\/li>
因为virtio_net_hdr<\/code>结构大小为0xa，所以最多能覆盖前10个字节<\/li>
<\/ol>
漏洞利用<\/h2>
利用思路<\/h3>
作者提出的利用方法是在ring buffer前放置一个包含refcount的结构，通过上溢减少refcount的值。由于packet_socket_send<\/code>中的memset会赋零，refcount减少可能导致对象被错误地认为已释放，从而造成UAF漏洞。<\/p>
目标结构<\/strong>：<\/p>
struct<\/span> sctp_shared_key {
<\/span><\/span>    struct<\/span> list_head key_list;
<\/span><\/span>    struct<\/span> sctp_auth_bytes *<\/span>key;
<\/span><\/span>    refcount_t refcnt;
<\/span><\/span>    __u16 key_id;
<\/span><\/span>    __u8 deactivated;
<\/span><\/span>};
<\/span><\/span><\/code><\/pre>利用步骤：<\/p>

在ring buffer前分配sctp_shared_key<\/code>结构(通过kmalloc-32)<\/li>
利用漏洞覆盖refcount字段<\/li>
由于refcount减少，对象被提前释放<\/li>
利用UAF条件实现权限提升<\/li>
<\/ol>
利用限制<\/h3>

由于结构对齐，key_id<\/code>和deactivated<\/code>字段各占4字节<\/li>
最多只能上溢refcount的1~2个字节<\/li>
需要精确的内存布局控制<\/li>
<\/ol>
补丁分析<\/h2>
补丁将netoff<\/code>类型改为unsigned int<\/code>，确保赋值两边类型相同，避免整数溢出。同时增加了对netoff<\/code>大小的检查：<\/p>
netoff =<\/span> TPACKET_ALIGN(po-><\/span>tp_hdrlen +<\/span> (maclen <<\/span> 16<\/span> ?<\/span> 16<\/span> :<\/span> maclen)) +<\/span> po-><\/span>tp_reserve;
<\/span><\/span>+<\/span>       if<\/span> (netoff ><\/span> USHRT_MAX) {
<\/span><\/span>+<\/span>               atomic_inc(&<\/span>po-><\/span>tp_drops);
<\/span><\/span>+<\/span>               goto<\/span> drop_n_restore;
<\/span><\/span>+<\/span>       }
<\/span><\/span><\/code><\/pre>参考链接<\/h2>

Containing a Real Vulnerability<\/a><\/li>
OSS-Security邮件列表讨论<\/a><\/li>
360 CERT公告<\/a><\/li>
PACKET_MMAP官方文档<\/a><\/li>
补丁提交<\/a><\/li>
Palo Alto Networks分析<\/a><\/li>
<\/ol>
Linux内核AF_PACKET权限提升漏洞(CVE-2020-14386)分析报告<\/h1>

基础知识<\/h2>

漏洞利用<\/h2>

参考链接<\/h2> Containing a Real Vulnerability<\/a><\/li> OSS-Security邮件列表讨论<\/a><\/li> 360 CERT公告<\/a><\/li> PACKET_MMAP官方文档<\/a><\/li> 补丁提交<\/a><\/li> Palo Alto Networks分析<\/a><\/li> <\/ol>

参考链接<\/h2>

Containing a Real Vulnerability<\/a><\/li>
OSS-Security邮件列表讨论<\/a><\/li>
360 CERT公告<\/a><\/li>
PACKET_MMAP官方文档<\/a><\/li>
补丁提交<\/a><\/li>
Palo Alto Networks分析<\/a><\/li> <\/ol>
