Linux eBPF JIT Privilege Escalation Vulnerability (CVE-2020-27194): Analysis and Verification

Published 2020-11-03

Vulnerability Background


Recently, foreign security researchers disclosed an incorrect-validation vulnerability in the Linux eBPF verifier component. The vulnerability stems from the bpf verification subsystem in the Linux kernel failing to correctly compute register bounds tracking for certain operations, allowing a local attacker to use it for kernel information disclosure or privilege escalation. The vulnerability is tracked as CVE-2020-27194.


Affected Scope and Mitigations


1. Affected versions
  • Linux-5.7 ~ Linux-5.8.14

  • Ubuntu 20.10

2. Mitigations

  • Update and upgrade the kernel promptly;

  • Set the kernel.unprivileged_bpf_disabled sysctl to 1 to temporarily restrict unprivileged users from loading BPF programs.

Vulnerability Principle and Debugging Analysis


1. Vulnerability principle


This vulnerability has the same root cause as CVE-2020-8835, which was used in the Pwn2Own 2020 competition: in both cases register bounds tracking is computed incorrectly, so the verifier's checks can be bypassed and out-of-bounds reads and writes become possible. The flawed code is in the scalar32_min_max_or() function in kernel/bpf/verifier.c, introduced in commit 3f50f132d840. That commit implemented explicit bounds tracking for ALU32 (32-bit arithmetic) operations; when an OR operation is handled, scalar32_min_max_or() is called to track the 32-bit register bounds. The function is implemented as follows:

[Image: scalar32_min_max_or() source in kernel/bpf/verifier.c]


Lines 5365 and 5366 assign the 64-bit unsigned values of dst_reg directly to its 32-bit signed fields, which is clearly wrong. For example, with dst_reg->umin_value = 1 and dst_reg->umax_value = 0x600000001, after this operation dst_reg->s32_min_value is 1, but dst_reg->s32_max_value is also 1, because the high bits of 0x600000001 are truncated. The range of dst_reg thus changes from [1, 0x600000001] to [1, 1], which the verifier treats as the constant 1, and its checks are bypassed. The patch performs the 32-bit signed assignment correctly, as shown below:

[Image: patched assignment in scalar32_min_max_or()]
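As an added illustration (not code from this page or from the kernel), the following C model reproduces the s32 assignment of the buggy and the patched scalar32_min_max_or() branch on the page's values, and adds the run-time containment check that the debugging section below walks through. The struct, the function names and the 32-bit unsigned bounds [1, 0x7fffffff] are constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the bpf_reg_state bounds fields (not the kernel's code). */
struct reg_bounds {
    uint64_t umin_value, umax_value;       /* 64-bit unsigned bounds */
    uint32_t u32_min_value, u32_max_value; /* 32-bit unsigned bounds */
    int32_t  s32_min_value, s32_max_value; /* 32-bit signed bounds */
};

/* Non-negative branch of scalar32_min_max_or() from commit 3f50f132d840: the
 * 64-bit unsigned bounds are stored into the s32 fields, keeping only their
 * low 32 bits, so umax_value = 0x600000001 collapses to 1. */
static void or_s32_bounds_buggy(struct reg_bounds *dst)
{
    dst->s32_min_value = (int32_t)(uint32_t)dst->umin_value;
    dst->s32_max_value = (int32_t)(uint32_t)dst->umax_value;
}

/* Same branch after the fix in commit 5b9fbeb75b6a: the signed 32-bit bounds
 * are derived from the 32-bit unsigned bounds, which cannot be truncated. */
static void or_s32_bounds_fixed(struct reg_bounds *dst)
{
    dst->s32_min_value = (int32_t)dst->u32_min_value;
    dst->s32_max_value = (int32_t)dst->u32_max_value;
}

/* The verifier treats a register whose bounds coincide as a known constant. */
static bool s32_is_const(const struct reg_bounds *r)
{
    return r->s32_min_value == r->s32_max_value;
}

/* Soundness check: the low 32 bits of any value the register can really hold
 * must lie inside the tracked s32 bounds; otherwise the verifier reasons about
 * a range the program escapes at run time (the page's "R7 is actually 2"). */
static bool s32_bounds_contain(const struct reg_bounds *r, uint64_t runtime_val)
{
    int32_t v = (int32_t)(uint32_t)runtime_val;
    return v >= r->s32_min_value && v <= r->s32_max_value;
}

/* The page's numbers: R6 in [1, 0x600000001]; the 32-bit unsigned bounds
 * [1, 0x7fffffff] are a constructed non-negative example. */
static struct reg_bounds page_example(bool apply_fix)
{
    struct reg_bounds r = { 1, 0x600000001ULL, 1, 0x7fffffffU, 0, 0 };
    if (apply_fix) or_s32_bounds_fixed(&r); else or_s32_bounds_buggy(&r);
    return r;
}
```

With the buggy branch the model reports R6 as the constant 1 although the run-time value 2 is inside its true range; with the fixed branch the bounds stay a range and contain 2.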


2. Debugging analysis


First, set the register's umin_value to 0x1, which can be done with the following BPF instructions:

[Image: BPF instructions setting umin_value]


At this point the register state is as follows:

[Image: register state after setting umin_value]


After umin_value is set, set umax_value to 0x600000001, which can be done with the following BPF instructions:

[Image: BPF instructions setting umax_value]


When the breakpoint is hit, the call stack is as follows:

[Image: call stack at the breakpoint]


After executing the BPF_JMP_REG(BPF_JLT, BPF_REG_6, BPF_REG_5, 1) instruction, the range of register R6 is set to 0x1 through 0x600000001. The state of R6 is as follows:

[Image: R6 register state after the JLT]


Next, set the 32-bit unsigned minimum and maximum values of register R6:

[Image: BPF instructions setting the 32-bit unsigned bounds of R6]


After they are set, the state of R6 is as follows:

[Image: R6 register state after setting the 32-bit unsigned bounds]


The values in the red box must be guaranteed; they have to be set in advance so that the if check is not taken later and execution enters the flawed code block. Next, set the 32-bit signed minimum and maximum values of R6; the code is as follows:

[Image: BPF instructions setting the 32-bit signed bounds of R6]


At line 5355 the if condition is false, so execution goes to the branch at line 5362; the debugger shows:

[Image: debugger at line 5362 of scalar32_min_max_or()]


After the vulnerability is triggered, the state of R6 is:

[Image: R6 register state after the vulnerable assignment]


Now both s32_min_value and s32_max_value are 0x1, so in the verifier the 32-bit signed value of R6 is the constant 1, while the actual value of R6 is a range. Next, a 32-bit MOV copies R6 into R7, and execution reaches the following code:

[Image: verifier code handling the 32-bit MOV]


At this point src_reg is as follows:

[Image: src_reg state before the MOV]


Before the MOV, the state of R7 is as follows:

[Image: R7 register state before the MOV]


After the MOV, the state of R7 is as follows:

[Image: R7 register state after the MOV]


The verifier sees R7 as the constant 1, but at run time it is a range and can be set to 2. After executing BPF_ALU64_IMM(BPF_RSH, BPF_REG_7, 1), i.e. R7 >>= 1, R7 is as follows:

[Image: R7 register state after the right shift]


Now umin_value and umax_value are both 0: after the right shift, the verifier identifies R7 as the constant 0, so in its view adding or subtracting R7 can never go out of bounds, and its bounds check is bypassed. But if R7 is actually 2 at run time, 2 >> 1 is 1, so R7 is 1, and arithmetic with R7 then produces out-of-bounds reads and writes.


Vulnerability Reproduction


The vulnerability was exploited on Linux 5.7.7 and privilege escalation succeeded.

[Image: screenshot of the successful privilege escalation]


References:


[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27194

[2] https://github.com/torvalds/linux/commit/5b9fbeb75b6a98955f628e205ac26689bcb1383e

[3] https://github.com/torvalds/linux/commit/3f50f132d8400e129fc9eb68b5020167ef80a244

[4] https://scannell.me/fuzzing-for-ebpf-jit-bugs-in-the-linux-kernel/


Active Defense Lab (ADLab)


ADLab was founded in 1999 and is one of the earliest offensive and defensive security research labs established in China's security industry, a core member of the Microsoft MAPP program, and the first to propose the concept of the "black cuckoo attack". To date, ADLab has published nearly 1,100 security vulnerabilities through CVE and more than 900 through CNVD/CNNVD, maintaining a first-class standing in international cybersecurity. The lab's research covers operating system and application security, mobile smart terminal security, IoT smart device security, web security, industrial control system security, and cloud security. Its research results are applied to core product technology research, national key science and technology projects, and professional security services.

