
A disaster caused by an integer + 1

2025-03-28 Update, from: SLTechnology News&Howtos

Shulou(Shulou.com)11/24 Report--

This article comes from the WeChat official account Programming Technology Universe (ID: xuanyuancoding), author: Xuanyuan Wind.

This story is adapted from a real Linux kernel vulnerability.

As night fell over the imperial capital, the noise faded and the busy Linux empire gradually quieted down. No one imagined that a storm that would change the fate of the empire was quietly approaching.

"Knock, knock!" A knock at the door of the Imperial Minister of Security's office broke the stillness of the night.

"Minister, I just found a thread modifying the passwd file." It turned out to be Xiao Hei from the file system department.

"What's all the fuss about? As long as it has root permission, that's allowed!" The Minister of Security did not look up and kept reading the daily system log.

"Minister, the point is that this thread did not enter the kernel through a system call, but through the interrupt entry."

The Minister of Security was stunned for a moment. After about 0.2 ms he put down the log and stood up.

"You mean he came in through the interrupt descriptor table (IDT)?"

Xiao Hei nodded.

"Xiao Wang, hurry over to the IDT with him and report to me as soon as the investigation is clear," the minister said to the assistant at his side.

Xiao Wang nodded and got ready to go. Just as he reached the door, the minister stopped him again.

"Wait! This is a big deal. I'd better go there myself."

The mystery of the IDT modification

The Minister of Security set out at once and arrived at the place where the IDT was kept. Everything there looked the same as always; nothing seemed out of place.

The minister pointed at the wall and asked, "Which door did he come in through?"

"No. 4," replied the white-haired old man who guarded the IDT gate, having hurried over when he heard the news.

"Strange. The function entries in the IDT table are all arranged by the empire, so by rights none of them should be modifying the passwd file," the minister muttered to himself, looking over the entries.

"Minister, I have to report: before that fellow came in, he changed the high 32 bits of the entry address of item 4 from 0xFFFFFFFF to 0x00000000, and only after he was in did he restore them to 0xFFFFFFFF," the old man said, then took out the structure diagram of the IDT entry and unfolded it.

After hearing this, the minister looked up sharply. "The high 32 bits became 0x00000000? Then doesn't the whole function entry address point into the user-mode address space?"

Neither Xiao Hei nor Xiao Wang dared to speak. Everyone knew how serious the consequences were. Heaven knows what code that guy ran in user space with kernel privileges.

"No. How could a user-space thread change the contents of the IDT before coming in? It has no permission to access it. I don't believe it!"

"I did notice that. When he made the change I paid special attention to his call stack. It was not in user space; it came from a kernel-space function: perf_swevent_init," the old man said.

The tragedy of integer + 1

The minister said nothing more and led everyone straight to the perf_swevent_init function.

"Old man, do you remember exactly where it came from?" the minister asked.

"It came from the static_key_slow_inc call on line 19."

"Let me have a look." Xiao Wang squeezed to the front, eager to show off in front of the minister.

"Well, all static_key_slow_inc does is an atomic +1 on an integer. But it operates on the perf_swevent_enabled array, which has nothing to do with the IDT, so how could it modify the IDT?" Xiao Wang scratched his head and took two steps back. He saw nothing wrong.

"Not necessarily!" The minister, still frowning, said, "Look, it accesses the array element using the number event_id as the subscript. If this event_id goes out of bounds and points at the IDT, that is not impossible!"

Xiao Wang quickly glanced at event_id and then looked disappointed. "No, there is a check on line 9. Look, anything greater than 8 fails the check."

The clue was cut off here. Everyone had hoped to find the answer to the IDT mystery in the perf_swevent_init function, but it seemed they had come in vain.

Before they knew it, it was already very late, and the minister and his party decided to go back first and take the long view.

The minister took a few steps and saw that Xiao Wang had not kept up, so he turned around and called him.

"Minister, please wait. I don't think something is right." Xiao Wang was frowning now.

"What did you find?" The minister and Xiao Hei walked back.

"Minister, if you look at line 3, this event_id is an int variable, which means it's a signed number," Xiao Wang said.

"What's wrong with a signed number?" Xiao Hei couldn't help asking.

"If..."

"If event_id becomes negative, it can cross the array bounds and still pass the size check on line 9!" Before Xiao Wang could finish, the minister had revealed the mystery!

Once again everyone turned their attention to event_id, intending to trace the origin of the event->attr.config assigned to it on line 3.

First, the attr member of perf_event:

    struct perf_event {
        /* ... */
        struct perf_event_attr attr;
        /* ... */
    };

Then the config member of perf_event_attr:

    struct perf_event_attr {
        /* ... */
        __u64 config;
        /* ... */
    };

At this point both the minister and Xiao Wang gasped. config turned out to be a 64-bit unsigned integer. Assigning that to an int variable was bound to cause trouble.

Seeing everyone silent, Xiao Hei scratched his head and asked timidly, "What's the matter? Why isn't anyone talking? Is there a problem?"

Xiao Wang pulled Xiao Hei aside. "The problem is big. If you assign a config with the value 0xFFFFFFFF to event_id, what do you think event_id becomes?"

"Negative... negative... negative 1?"

"Yes. The highest bit of a signed number marks positive or negative. If the highest bit of config is 1, the remaining bits can be carefully designed not only to fool the check on line 9, but also to perform an atomic +1 on a number at a chosen location," Xiao Wang continued.

"Not bad, Xiao Wang, you're making progress!" The minister had come over at some point, and Xiao Wang was a little embarrassed to be praised by him.

"I've been listening all this time, and all he did was go out of bounds and add 1 to a number somewhere. What's the big deal?" Xiao Hei looked disdainful.

Hearing this, Xiao Wang shook his head repeatedly. "Don't underestimate this plus-one. If it is added in certain sensitive places, it is a very big deal!"

Xiao Hei wondered, "Like what?"

"For example, the IDT that records interrupt and exception handlers, or the sys_call_table that records system calls. The function addresses in these tables are all in the empire's kernel space. If this plus 1 lands not somewhere harmless but on a function address in one of these tables, there will be trouble," Xiao Wang went on.

"I understand, but even so, adding one shouldn't be a big problem, should it?"

Xiao Wang sighed. "It seems you still don't understand. Let me take the modified IDT table as an example and show you the format of an entry in the table, the interrupt descriptor."

"The address of the interrupt/exception handler in the IDT is not stored as one complete 64-bit value; it is split into several parts, of which the high 32 bits are marked in red. In the 64-bit Linux empire, the high 32 bits of every kernel-space address are 0xFFFFFFFF."

"So if you use the out-of-bounds event_id subscript to do an atomic +1 right there, it becomes 0. Is that right?" Xiao Hei had finally got it.

The truth comes out

The Minister of Security applauded Xiao Wang's brilliant analysis. "Yes, everyone is very smart! Now let's review what happened!"

Step 1: Carefully craft a config value in user space and pass it into the kernel-space perf_swevent_init function.

Step 2: Take advantage of the bug in the imperial kernel that assigns a 64-bit unsigned value to an int variable, so that the variable is truncated to a negative number.

Step 3: Use the negative event_id to index perf_swevent_enabled out of bounds so that it points at an IDT entry, and atomically add 1 to the high 32 bits of the handler address for interrupt No. 4, turning 0xFFFFFFFF into 0x00000000.

Step 4: The modified interrupt handler now points into user space, where malicious code has been placed in advance.

Step 5: The application executes the int 4 assembly instruction, triggering interrupt No. 4. The thread enters the kernel through that entry and executes the pre-placed malicious code with kernel privileges.

The matter was finally clear. When the Minister of Security went back he reported it to imperial headquarters, which fixed the bug by changing the type of event_id from int to u64.
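The whole chain from step 1 to step 5, together with the one-line fix, as an added example that is not part of the original article and not the kernel's own code. This is a constructed C model (the real bug is the perf_swevent_init truncation fixed in mainline by changing event_id to u64, tracked as CVE-2013-2094): a slice of "kernel memory" is laid out with an IDT directly below a perf_swevent_enabled array, the counters are modelled as plain 4-byte slots rather than the kernel's real static_key structure (so the exact index computed here is an assumption of this layout, not a real kernel offset), and the vulnerable and fixed versions of the check sit side by side. craft_config plays the attacker, choosing a config whose low 32 bits are the negative index that lands the +1 on idt[4].offset_high; the names kmem, attempt and craft_config are this example's own.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Software event ids run from 0 to 8, so the limit is 9 (the 3.x-era value). */
#define PERF_COUNT_SW_MAX 9

/* x86-64 IDT gate descriptor: the handler address is split across three fields. */
struct gate_desc {
    uint16_t offset_low;
    uint16_t selector;
    uint16_t ist_flags;
    uint16_t offset_middle;
    uint32_t offset_high;   /* bits 63..32 of the handler address */
    uint32_t reserved;
};

/*
 * Constructed model of a slice of kernel memory (assumption of this example):
 * the IDT is placed below perf_swevent_enabled so that a negative index reaches
 * back into it. Counters are plain 4-byte slots, a simplification of static_key.
 */
struct kmem {
    struct gate_desc idt[256];
    uint32_t perf_swevent_enabled[PERF_COUNT_SW_MAX];
};

#define KERNEL_HIGH_BITS 0xFFFFFFFFu   /* high 32 bits of a kernel-space address */
#define TARGET_VECTOR 4                /* the story's "door No. 4": int $4 */

static void kmem_init(struct kmem *km)
{
    memset(km, 0, sizeof *km);
    for (int i = 0; i < 256; i++)
        km->idt[i].offset_high = KERNEL_HIGH_BITS;  /* every handler lives in kernel space */
}

/* Vulnerable version: the u64 config is silently truncated into a signed int. */
int perf_swevent_init_vuln(struct kmem *km, uint64_t config)
{
    int event_id = config;                    /* e.g. 0xFFFFFC12 becomes -1006 */
    if (event_id >= PERF_COUNT_SW_MAX)        /* a negative value passes this check */
        return -ENOENT;
    /* static_key_slow_inc(&perf_swevent_enabled[event_id]) modelled as a 4-byte
       increment at the computed byte offset, which may lie far below the array. */
    ptrdiff_t off = (ptrdiff_t)offsetof(struct kmem, perf_swevent_enabled)
                  + (ptrdiff_t)event_id * (ptrdiff_t)sizeof(uint32_t);
    uint32_t *slot = (uint32_t *)((char *)km + off);
    (*slot)++;
    return 0;
}

/* Fixed version: event_id keeps the full unsigned width, so the compare is unsigned. */
int perf_swevent_init_fixed(struct kmem *km, uint64_t config)
{
    uint64_t event_id = config;
    if (event_id >= PERF_COUNT_SW_MAX)        /* 0xFFFFFC12 >= 9: rejected */
        return -ENOENT;
    km->perf_swevent_enabled[event_id]++;
    return 0;
}

/* Attacker side: choose config so that (int)config indexes idt[TARGET_VECTOR].offset_high. */
uint64_t craft_config(void)
{
    ptrdiff_t target = (ptrdiff_t)offsetof(struct kmem, idt)
                     + TARGET_VECTOR * (ptrdiff_t)sizeof(struct gate_desc)
                     + (ptrdiff_t)offsetof(struct gate_desc, offset_high);
    ptrdiff_t base = (ptrdiff_t)offsetof(struct kmem, perf_swevent_enabled);
    int32_t index = (int32_t)((target - base) / (ptrdiff_t)sizeof(uint32_t)); /* negative */
    /* Only the low 32 bits survive the truncation to int; the high 32 bits are free. */
    return (uint64_t)(uint32_t)index;
}

/* Run one attempt against a fresh memory image; returns the syscall-style result. */
int attempt(int (*init)(struct kmem *, uint64_t), uint32_t *offset_high_after)
{
    struct kmem km;
    kmem_init(&km);
    int rc = init(&km, craft_config());
    *offset_high_after = km.idt[TARGET_VECTOR].offset_high;
    return rc;
}

/* Convenience wrappers so each result can be inspected on its own. */
int attempt_rc(int (*init)(struct kmem *, uint64_t)) { uint32_t hi; return attempt(init, &hi); }
uint32_t attempt_gate_high(int (*init)(struct kmem *, uint64_t)) { uint32_t hi; attempt(init, &hi); return hi; }

int main(void)
{
    uint32_t hi;
    int rc = attempt(perf_swevent_init_vuln, &hi);
    printf("vulnerable: rc=%d idt[%d].offset_high=0x%08x\n", rc, TARGET_VECTOR, hi);
    rc = attempt(perf_swevent_init_fixed, &hi);
    printf("fixed:      rc=%d idt[%d].offset_high=0x%08x\n", rc, TARGET_VECTOR, hi);
    return 0;
}
```

With the vulnerable check the call succeeds and gate 4's high 32 bits wrap from 0xFFFFFFFF to 0x00000000, exactly the "+1" of the story; with the fixed check the same config is rejected with -ENOENT and the gate is untouched. In a real exploit the index is derived from the running kernel's actual addresses of the IDT and the array, and the kernel's real counter type is wider than the 4-byte slot used here; the model only shows why a signed int cannot be trusted as an index after being filled from an unsigned 64-bit field.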

Even so, the minister's mood was not much lighter. Unknown enemies had broken into the empire. Who were they? What had they done? Where were they hiding now? One question after another kept flashing through his mind.

To be continued.
