//Weibo:@少仲
0x0 漏洞信息
影響所有Nexus手機和部分Android手機的漏洞,Google於2016/03/18發佈了公告修復,具體請看鏈接.
http://www.cvedetails.com/cve-details.php?t=1&cve_id=cve-2015-1805X
http://source.android.com/security/advisory/2016-03-18.html
0x1 漏洞描述
在linux 內核3.16版本之前的fs/pipe.c當中,由於pipe_read和pipe_write沒有考慮到拷貝過程中數據沒有同步的一些臨界情況,造成了拷貝越界的問題,因此有可能導致系統crash以及系統權限提升.這種漏洞又稱之爲” I/O vector array overrun”
0x2 代碼分析
//摘自fs/pipe.c:
static ssize_t
pipe_read(struct kiocb *iocb, const struct iovec *_iov,
unsigned long nr_segs, loff_t pos)
{
struct file *filp = iocb->ki_filp;
struct pipe_inode_info *pipe = filp->private_data;
int do_wakeup;
ssize_t ret;
struct iovec *iov = (struct iovec *)_iov;
size_t total_len;
total_len = iov_length(iov, nr_segs);
/* Null read succeeds. */
if (unlikely(total_len == 0))
return 0;
do_wakeup = 0;
ret = 0;
__pipe_lock(pipe);
for (;;) {
int bufs = pipe->nrbufs;
if (bufs) {
int curbuf = pipe->curbuf;
struct pipe_buffer *buf = pipe->bufs + curbuf;
const struct pipe_buf_operations *ops = buf->ops;
void *addr;
size_t chars = buf->len;
int error, atomic;
if (chars > total_len)
chars = total_len;
error = ops->confirm(pipe, buf);
if (error) {
if (!ret)
ret = error;
break;
}
//(1)
atomic = !iov_fault_in_pages_write(iov, chars);
redo:
addr = ops->map(pipe, buf, atomic);
//(2)
error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic);
ops->unmap(pipe, buf, addr);
if (unlikely(error)) {
/*
* Just retry with the slow path if we failed.
*/
//(3)
if (atomic) {
atomic = 0;
goto redo;
}
if (!ret)
ret = error;
break;
}
ret += chars;
buf->offset += chars;
buf->len -= chars;
/* Was it a packet buffer? Clean up and exit */
if (buf->flags & PIPE_BUF_FLAG_PACKET) {
total_len = chars;
buf->len = 0;
}
if (!buf->len) {
buf->ops = NULL;
ops->release(pipe, buf);
curbuf = (curbuf + 1) & (pipe->buffers - 1);
pipe->curbuf = curbuf;
pipe->nrbufs = --bufs;
do_wakeup = 1;
}
(5)//在這裏更新total_len
total_len -= chars;
if (!total_len)
break; /* common path: read succeeded */
}
if (bufs) /* More to do? */
continue;
if (!pipe->writers)
break;
if (!pipe->waiting_writers) {
/* syscall merging: Usually we must not sleep
* if O_NONBLOCK is set, or if we got some data.
* But if a writer sleeps in kernel space, then
* we can wait for that data without violating POSIX.
*/
if (ret)
break;
if (filp->f_flags & O_NONBLOCK) {
ret = -EAGAIN;
break;
}
}
if (signal_pending(current)) {
if (!ret)
ret = -ERESTARTSYS;
break;
}
if (do_wakeup) {
wake_up_interruptible_sync_poll(&pipe->wait, POLLOUT | POLLWRNORM);
kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
}
pipe_wait(pipe);
}
__pipe_unlock(pipe);
/* Signal writers asynchronously that there is more room. */
if (do_wakeup) {
wake_up_interruptible_sync_poll(&pipe->wait, POLLOUT | POLLWRNORM);
kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
}
if (ret > 0)
file_accessed(filp);
return ret;
}
(1).首先pipe_read()函數會先循環讀取iovec結構,並且通過iov_fault_in_pages_write()函數判斷iov->len是否大於0,且iov->base指向的地址是否可寫且處於用戶態,之後返回atomic.
(2)如果atomic=1,則pipe_iov_copy_to_user ->__copy_to_user_inatomic ->
__copy_to_user_nocheck;如果atomic=0,則pipe_iov_copy_to_user -> copy_to_user -> access_ok.
(3).如果atomic爲1,pipe_iov_copy_to_user拷貝出現錯誤,會進入redo的邏輯,將再次調用pipe_iov_copy_to_user函數進行拷貝,且將atomic置爲0.但是pipe_iov_copy_to_user的第三個參數chars並沒有更新,還是會拷貝total_len大小的數據
static int
pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
int atomic)
{
unsigned long copy;
while (len > 0)
{
while (!iov->iov_len)
iov++;
copy = min_t(unsigned long, len, iov->iov_len);
if (atomic)
{
if (__copy_to_user_inatomic(iov->iov_base, from, copy))
//(4)
return -EFAULT;
}
else
{
if (copy_to_user(iov->iov_base, from, copy))
//(4)
return -EFAULT;
}
from += copy;
len -= copy;
iov->iov_base += copy;
//每次對iov->iov_len進行更新
iov->iov_len -= copy;
}
return 0;
}
4. 如果copy到某種情況出錯返回,已經copy成功的iov->len會被減去但總長度total_len並不會同步減去.也就是說如果total_len是0x100,第一次消耗掉了x;再次進入redo邏輯後還是0x100,然而實際已經被消耗掉了x.
0x3 具體探究
假設有一個iov結構,total_len爲0x40,len爲0x20.
iov[0]:iov_base = 0xdead0000 iov_len = 0x10
iov[1]:iov_base = 0xdead1000 iov_len = 0x10
iov[2]:iov_base = 0xdead2000 iov_len = 0x10
iov[3]:iov_base = 0xdead3000 iov_len = 0x10
如果iov[1].iov_base的地址被設置成不可寫入.那麼第一次pipe_iov_copy_to_user()會返回失敗.而iov->iov_base += copy,iov->iov_len -= copy.
iov[0]:iov_base = 0xdead0010 iov_len = 0
iov[1]:iov_base = 0xdead1000 iov_len = 0x10
iov[2]:iov_base = 0xdead2000 iov_len = 0x10
iov[3]:iov_base = 0xdead3000 iov_len = 0x10
現在,redo的邏輯發生在0xdead0010,它以某種方式被設置成可寫,並且len仍未0x20.那麼iov[1]和iov[2]都將被用掉.
iov[0]:iov_base = 0xdead0010 iov_len = 0
iov[1]:iov_base = 0xdead1010 iov_len = 0
iov[2]:iov_base = 0xdead2010 iov_len = 0
iov[3]:iov_base = 0xdead3000 iov_len = 0x10
在註釋(5)中,根據total_len -= chars;那麼total_len的大小就被設置爲0x20(0x40-0x20).如果total_len變爲了0x20,可我們iov[3]的大小隻有0x10.這就會導致pipe_iov_copy_to_user()函數有可能讀取到一個未知的iov[4].具體來查看下代碼
static int iov_fault_in_pages_write(struct iovec *iov, unsigned long len)
{
//(6)
while (!iov->iov_len)
iov++;
while (len > 0) {
unsigned long this_len;
this_len = min_t(unsigned long, len, iov->iov_len);
if (fault_in_pages_writeable(iov->iov_base, this_len))
break;
len -= this_len;
iov++;
}
return len;
}
static inline int fault_in_pages_writeable(char __user *uaddr, int size)
{
int ret;
if (unlikely(size == 0))
return 0;
/*
* Writing zeroes into userspace here is OK, because we know that if
* the zero gets there, we'll be overwriting it.
*/
ret = __put_user(0, uaddr);
if (ret == 0) {
char __user *end = uaddr + size - 1;
/*
* If the page was already mapped, this will get a cache miss
* for sure, so try to avoid doing it.
*/
if (((unsigned long)uaddr & PAGE_MASK) !=
((unsigned long)end & PAGE_MASK))
ret = __put_user(0, end);
}
return ret;
}
在iov_fault_in_pages_write()函數中的註釋(6),也就意味着iov[0],iov[1],iov[2]都會被跳過,iov[3]被用掉.之後len -= this_len;len被設置爲0x10.iov的指針將指向一塊未知的內存區域.iov[4].iov_base將被__put_user使用.
0x4 如何利用
核心的思路就是想辦法觸發redo的邏輯,之後精心構造一個readv()調用.把payload結構定義在已經被校驗過的iov數組後,讓它成爲__put_user()等函數調用的目標地址.如果我們再以某種方式讓構造的slab結構在iov數組後包含一個函數指針,讓它指向要寫的內核地址.
1. 第一次循環要保證pipe_iov_copy_to_user()函數失敗,這樣會進入redo邏輯
2. 第二次要保證pipe_iov_copy_to_user()成功,但是不能在這裏overrun,否則會走向copy_to_user,要校驗地址,所以還是無法寫內核地址
3. 當iov->len走完之後,total_len還有剩餘,所以第三次循環的時候,atomic=1.可以overrun觸發
4. 第一次要保證失敗,也就是說需要把iov_base的地址設置成不可寫,第二次要成功,就要保證iov_base的地址有效.所以這裏可以通過創建競爭關係的線程,調用mmap/munmap等函數來實現.
0x5 POC
我測試的Nexus 6p 6.0.1系統會crash掉.
Talk is cheap,show me the code…
Github:
https://github.com/panyu6325/CVE-2015-1805.git