文章来源: SecTr安全团队
概述
漏洞详情
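/*
 * io_grab_files - record the submitting task's file table on an io_uring request
 * @req: the request being prepared for deferred/async execution
 *
 * Excerpt: the prefix that initialises @ret and @ctx is elided ("// ...").
 *
 * Under rcu_read_lock() and ctx->inflight_lock it checks that ctx->ring_fd
 * still resolves to ctx->ring_file. If so, @req is linked into
 * ctx->inflight_list, marked REQ_F_INFLIGHT, its work.files is set to
 * current->files and 0 is returned. Otherwise @ret is returned as left by
 * the elided prefix (presumably an error code; not visible here).
 *
 * Point (1): the visible lines store a raw pointer to current->files; nothing
 * shown here takes a reference on that files_struct, so its lifetime relative
 * to the request is not established by this excerpt.
 */
static int io_grab_files(struct io_kiocb *req)
{
	// ...
	rcu_read_lock();
	/* Taken exactly once: the spinlock is not recursive, a repeated
	 * spin_lock_irq() on the same lock would self-deadlock. */
	spin_lock_irq(&ctx->inflight_lock);
	/* Re-validate the ring fd under the lock before publishing the request
	 * on the inflight list. */
	if (fcheck(ctx->ring_fd) == ctx->ring_file) {
		list_add(&req->inflight_entry, &ctx->inflight_list);
		req->flags |= REQ_F_INFLIGHT;
		req->work.files = current->files; // <-- (1)
		ret = 0;
	}
	spin_unlock_irq(&ctx->inflight_lock);
	rcu_read_unlock();
	return ret;
}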
漏洞利用(Exp)
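/*
 * map_lookup_elem - copy one BPF map element's value back to user space
 * @attr: user-supplied bpf attributes (map_fd, key, flags are read here)
 *
 * Excerpt: the declarations of f, map, key, value, value_size, err and
 * uvalue, the err_put/free_key/free_value cleanup labels and the success
 * path are in the elided parts ("// ...").
 *
 * Visible flow: (2) resolve attr->map_fd with fdget() and look up the map;
 * (3) copy map->key_size bytes of key from user memory, failing with
 * PTR_ERR on error; (4) size the value buffer from the map and allocate it;
 * (5) read the element into the kernel buffer, passing attr->flags through;
 * (6) copy the buffer to user space, returning -EFAULT on failure.
 *
 * Note: no check of the __bpf_map_get() result is visible before
 * map->key_size is dereferenced; if one exists it sits in the elided
 * section after (2).
 */
static int map_lookup_elem(union bpf_attr *attr)
{
	void __user *ukey = u64_to_user_ptr(attr->key);
	int ufd = attr->map_fd;
	// ...
	f = fdget(ufd); // <-- (2)
	map = __bpf_map_get(f);
	// ...
	/* Copied exactly once; the free_key path below suggests the result is
	 * an allocation owned by this function, so a repeated call here would
	 * overwrite and leak the first buffer. */
	key = __bpf_copy_key(ukey, map->key_size); // <-- (3)
	if (IS_ERR(key)) {
		err = PTR_ERR(key);
		goto err_put;
	}
	/* value_size comes from the map, not from the user attributes. */
	value_size = bpf_map_value_size(map); // <-- (4)
	err = -ENOMEM;
	value = kmalloc(value_size, GFP_USER | __GFP_NOWARN);
	if (!value)
		goto free_key;
	err = bpf_map_copy_value(map, key, value, attr->flags); // <-- (5)
	if (err)
		goto free_value;
	err = -EFAULT;
	if (copy_to_user(uvalue, value, value_size) != 0) // <-- (6)
		goto free_value;
	// ...
}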
如侵权请私聊公众号删文