

How the Linux kernel's user-space virtual address 0 mapping vulnerability works and how it was fixed

2025-01-19 Update. From: SLTechnology News&Howtos (shulou)


Shulou (Shulou.com) 06/01 Report

This article explains the Linux kernel vulnerability that allows user-space virtual address 0 to be mapped, and how it was fixed. The analysis is short and practical; follow along with the kernel source.

0x00 Vulnerability principle

Some time ago, Jann Horn of Google Project Zero disclosed a Linux kernel vulnerability that lets a user-space mapping be extended down to virtual address 0, bypassing the mmap_min_addr limit. Combined with a NULL pointer dereference in the kernel, this could in principle be used for privilege escalation. The bug is interesting, so here is my analysis.

The PoC is very short. The line that triggers the bug is the one that runs `LD_DEBUG=help su 1>&%d`, which writes data into /proc/self/mem. `LD_DEBUG=help su` itself is not important: `su` is setuid root, and with LD_DEBUG=help the dynamic loader prints its help text to stdout and exits, so what matters is that the write() on the inherited /proc/self/mem descriptor (the `%d`) is performed by another, privileged process. Let's follow the path from this write to the vulnerable point step by step.

The kernel dispatches file system calls through `struct file_operations`; the operations for files under /proc, including /proc/<pid>/mem, are defined in fs/proc/base.c.

`LD_DEBUG=help su 1>&%d` ends up calling the write operation, which for /proc/<pid>/mem is the mem_write function. mem_write is a thin wrapper around mem_rw.

In mem_rw's while loop, the contents of the user buffer buf are first copied with copy_from_user into a page allocated for the transfer, and then access_remote_vm is called to write that page into the target process's address space at the current file offset, which is the target virtual address. Reading goes the other way.
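To make the write path concrete, here is a small Linux program (an added example, not the article's PoC and not kernel code) that routes a write through /proc/self/mem into its own address space and then tries the same thing one page below a MAP_GROWSDOWN mapping, which is what drives the kernel from mem_rw into find_extend_vma and expand_downwards. Assumed: a Linux host, a writable /proc/self/mem (the process writes to itself, so no ptrace permission is needed) and a default mmap_min_addr; the function names `write_via_proc_mem`, `self_write_works` and `probe_growsdown_via_proc_mem` are this example's own.

```c
/* Added example: drive mem_write -> mem_rw -> access_remote_vm from user space.
 * Not the article's PoC. Build: gcc -Wall -o procmem procmem.c */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

/* Write n bytes from src to virtual address dst of the calling process by going
 * through /proc/self/mem instead of a plain store. The file offset is the target
 * virtual address. Returns the byte count or -1 with errno set. mem_rw passes
 * FOLL_FORCE, so this also reaches pages mapped read-only, like a ptrace poke. */
ssize_t write_via_proc_mem(void *dst, const void *src, size_t n)
{
    int fd = open("/proc/self/mem", O_RDWR);
    if (fd < 0)
        return -1;
    ssize_t r = pwrite(fd, src, n, (off_t)(uintptr_t)dst);
    int saved = errno;
    close(fd);
    errno = saved;
    return r;
}

static char target_buf[16] = "xxxxxxxxxxxxxxx";   /* constructed target in .data */

/* Returns 1 if a write routed through /proc/self/mem landed in target_buf. */
int self_write_works(void)
{
    memset(target_buf, 'x', sizeof target_buf - 1);
    if (write_via_proc_mem(target_buf, "hello", 5) != 5)
        return 0;
    return memcmp(target_buf, "helloxxxxxxxxxx", 15) == 0;
}

/* Map a single VM_GROWSDOWN page with a page-sized hole directly below it and
 * write into the hole through /proc/self/mem. That write takes the path the
 * article traces: __get_user_pages -> find_extend_vma -> expand_stack ->
 * expand_downwards. Returns 0 if the kernel grew the mapping, else the errno
 * of the failed write (mem_rw reports EIO when the address cannot be reached). */
int probe_growsdown_via_proc_mem(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    char *base = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS | MAP_GROWSDOWN, -1, 0);
    if (base == MAP_FAILED)
        return errno;
    /* Unmap the lower page ourselves so the hole below the vma is known to be
     * free: the write can only extend our vma or fail, never hit a neighbour. */
    if (munmap(base, pg) != 0)
        return errno;
    char *hole = base;                       /* unmapped; the vma now starts at base + pg */
    const char pattern[4] = { 'G', 'R', 'O', 'W' };
    if (write_via_proc_mem(hole, pattern, sizeof pattern) != (ssize_t)sizeof pattern) {
        int e = errno;
        munmap(base + pg, pg);
        return e;
    }
    int grown = memcmp(hole, pattern, sizeof pattern) == 0;   /* hole is mapped now */
    munmap(base, 2 * pg);
    return grown ? 0 : EIO;
}

int main(void)
{
    printf("write through /proc/self/mem: %s\n", self_write_works() ? "ok" : "failed");
    int r = probe_growsdown_via_proc_mem();
    if (r == 0)
        printf("MAP_GROWSDOWN vma grew by one page via /proc/self/mem (expand_downwards ran)\n");
    else
        printf("write below the MAP_GROWSDOWN vma failed: %s\n", strerror(r));
    return 0;
}
```

Run it unprivileged. The probe stays above mmap_min_addr, so it is the legitimate stack-growth case: on kernels of the article's era the vma grows by one page, while kernels with the mid-2023 stack-expansion rework (6.5 and its stable backports) no longer let get_user_pages grow a stack and the write fails with EIO. Reproducing the bypass itself additionally needs a writer holding CAP_SYS_RAWIO and an unpatched kernel.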

access_remote_vm is a wrapper around __access_remote_vm (analyze the version in mm/memory.c; the one in mm/nommu.c is used on CPUs without an MMU).

Inside the while loop of __access_remote_vm, get_user_pages_remote is called. Both get_user_pages_remote and get_user_pages wrap __get_user_pages_locked, which looks up and pins the pages backing a range of virtual addresses. Each pinned page is then mapped into kernel address space with kmap. For a write, copy_to_user_page is called and set_page_dirty_lock marks the page dirty; for a read, copy_from_user_page is called. kunmap then drops the temporary mapping.

The difference between get_user_pages_remote and get_user_pages is whether the access crosses a process boundary: get_user_pages_remote sets the FOLL_REMOTE flag when it calls __get_user_pages_locked.

__get_user_pages_locked calls __get_user_pages in a for loop to pin nr_pages pages starting at start into the pages array; __get_user_pages returns the number of pages it managed to pin.

__get_user_pages first looks up the vma, then calls follow_page_mask to walk the page tables for the physical page behind the virtual address; if that returns NULL, faultin_page is called to fault the page in and the lookup is retried. The resulting page pointer is stored in the pages array.

If __get_user_pages returns a value greater than 0 the call succeeded: nr_pages is decreased and pages_done increased by that count, and when nr_pages reaches 0 the loop exits.

If the loop has not exited at that point there are two cases. If the mmap lock is still held (the fault did not need to retry), the loop ends. Otherwise VM_FAULT_RETRY fired: the lock is re-taken and __get_user_pages is called for the single page that faulted; if it pins exactly one page, nr_pages is decremented, pages_done incremented, start advanced by PAGE_SIZE, and pinning continues.

__get_user_pages finds the vma by calling find_extend_vma. If the address lies below vma->vm_start and the vma is VM_GROWSDOWN (a stack-like mapping, such as one created with MAP_GROWSDOWN), find_extend_vma calls expand_stack -> expand_downwards to grow the mapping down to that address. expand_downwards checked the new start address with security_mmap_addr, whose default implementation cap_mmap_addr permits an address below mmap_min_addr when current has CAP_SYS_RAWIO. current is the task performing the write, and here that is the setuid-root su started by the `LD_DEBUG=help su 1>&%d` command, not the unprivileged process that owns the mapping: of course it is another process. So the writer's capability is used to grow a mapping in the victim's address space page by page, all the way down to address 0.

Complete call chain: mem_write -> mem_rw -> access_remote_vm -> __access_remote_vm -> get_user_pages_remote -> __get_user_pages_locked -> __get_user_pages -> find_extend_vma -> expand_stack -> expand_downwards -> security_mmap_addr -> cap_mmap_addr

The effect of running the PoC is shown below.

0x01 Patch status

The patch was also written by Jann Horn (the commit is titled "mm: enforce min addr even if capable() in expand_downwards()", merged for Linux 5.0 and backported to stable kernels). expand_downwards no longer calls security_mmap_addr; it compares the new start address directly against mmap_min_addr and returns -EPERM if it is below. Whether the writer holds CAP_SYS_RAWIO no longer matters for stack expansion, so a privileged process can no longer be tricked into growing another process's mapping below mmap_min_addr.
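The following user-space model (an added example, not kernel code) reduces the tail of the call chain, find_extend_vma -> expand_stack -> expand_downwards -> security_mmap_addr -> cap_mmap_addr, to the checks that matter and runs the article's scenario through both the pre-patch and the patched form of expand_downwards. The structs are simplified stand-ins for the kernel's, mmap_min_addr is assumed to be 65536 (the usual default), and `mem_write_at` and `run_scenario` are this example's own names.

```c
/* Added example: user-space model of the mmap_min_addr check before and after
 * Jann Horn's patch. Not kernel code; structs and values are stand-ins. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SIZE     4096UL
#define PAGE_MASK     (~(PAGE_SIZE - 1))
#define CAP_SYS_RAWIO (1u << 17)     /* capability bit 17, as in the kernel */
#define MMAP_MIN_ADDR 65536UL        /* assumed: the common vm.mmap_min_addr default */

struct task { const char *comm; unsigned caps; };                 /* stand-in for task_struct */
struct vma  { unsigned long vm_start, vm_end; bool growsdown; };  /* stand-in for vm_area_struct */

/* security/commoncap.c cap_mmap_addr(): an address below mmap_min_addr is allowed
 * only if "current" holds CAP_SYS_RAWIO. The check is about the caller, not
 * about the mm being modified. */
static int cap_mmap_addr(const struct task *current, unsigned long addr)
{
    if (addr < MMAP_MIN_ADDR && !(current->caps & CAP_SYS_RAWIO))
        return -EPERM;
    return 0;
}

/* mm/mmap.c expand_downwards(), reduced to the address check plus the growth.
 * fixed=false is the pre-patch form (security_mmap_addr -> cap_mmap_addr);
 * fixed=true is the patch: compare the address itself, whoever is asking. */
static int expand_downwards(const struct task *current, struct vma *vma,
                            unsigned long address, bool fixed)
{
    address &= PAGE_MASK;
    if (fixed) {
        if (address < MMAP_MIN_ADDR)
            return -EPERM;
    } else {
        int err = cap_mmap_addr(current, address);   /* security_mmap_addr() */
        if (err)
            return err;
    }
    if (address < vma->vm_start)
        vma->vm_start = address;                     /* the vma now covers the new page */
    return 0;
}

/* find_extend_vma(): a miss just below a VM_GROWSDOWN vma grows the vma via
 * expand_stack (-> expand_downwards) instead of reporting "no mapping". */
static struct vma *find_extend_vma(const struct task *current, struct vma *vma,
                                   unsigned long addr, bool fixed)
{
    if (addr >= vma->vm_start && addr < vma->vm_end)
        return vma;
    if (addr < vma->vm_start && vma->growsdown &&
        expand_downwards(current, vma, addr, fixed) == 0)
        return vma;
    return NULL;
}

/* A write() on /proc/<pid>/mem at offset addr: writer is current, target is the
 * (only) vma of the process whose mm the descriptor refers to. mem_rw reports
 * -EIO when access_remote_vm could not reach the address. */
int mem_write_at(const struct task *writer, struct vma *target,
                 unsigned long addr, bool fixed)
{
    return find_extend_vma(writer, target, addr, fixed) ? 0 : -EIO;
}

/* The article's scenario: the victim owns a MAP_GROWSDOWN page two pages above
 * mmap_min_addr and a writer pokes page after page below it through the victim's
 * /proc/self/mem descriptor. Returns the victim's vm_start when the writes stop
 * succeeding: 0 means page zero is now mapped in the victim's address space. */
unsigned long run_scenario(bool writer_is_root, bool fixed)
{
    struct vma  victim = { MMAP_MIN_ADDR + 2 * PAGE_SIZE, MMAP_MIN_ADDR + 3 * PAGE_SIZE, true };
    struct task writer = { writer_is_root ? "su" : "poc", writer_is_root ? CAP_SYS_RAWIO : 0 };
    unsigned long addr = victim.vm_start;
    while (addr != 0) {
        addr -= PAGE_SIZE;
        if (mem_write_at(&writer, &victim, addr, fixed) != 0)
            break;
    }
    return victim.vm_start;
}

int main(void)
{
    printf("unprivileged writer, unpatched: vm_start=0x%lx\n", run_scenario(false, false));
    printf("root writer (su),    unpatched: vm_start=0x%lx\n", run_scenario(true, false));
    printf("root writer (su),    patched:   vm_start=0x%lx\n", run_scenario(true, true));
    printf("unprivileged writer, patched:   vm_start=0x%lx\n", run_scenario(false, true));
    return 0;
}
```

In every case the vma first grows legitimately down to mmap_min_addr (0x10000), because the first two pokes are at addresses at or above it. The next page is where the versions diverge: before the patch, a writer with CAP_SYS_RAWIO walks the victim's mapping down to page 0, while after the patch the address comparison stops it at mmap_min_addr regardless of the writer's capabilities, and normal stack growth above the limit is unaffected.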

That is the analysis of the Linux kernel vulnerability that maps user-space virtual address 0 and of its fix; the best way to understand it is to walk the call chain above in the kernel source yourself.
