Linux sock_sendpage空指针漏洞分析

转载:http://hi.baidu.com/wzt85/blog/item/a11e013e3384f2f3838b13e6.html

2009-08-19 12:00

Linux sock_sendpage空指针漏洞分析 >> linux-2.6.18/net/socket.c static ssize_t sock_sendpage(struct file *file, struct page *page, int offset, size_t size, loff_t *ppos, int more) { struct socket *sock; int flags; sock = file->private_data; flags = !(file->f_flags & O_NONBLOCK) ? 0 : MSG_DONTWAIT; if (more) flags |= MSG_MORE; return sock->ops->sendpage(sock, page, offset, size, flags); } sock_sendpage函数没有判断sock->ops->sendpage函数指针是否为空，就进行了引用。空指针的存在是由于某些协议的驱动程序 没有正确的初始化函数指针造成的。 exp作者给出的协议驱动程序包括pppox, bluetooth, appletalk, ipx, sctp等。下面以ipx协议 为例， 说明这个漏洞是如何形成的以及如何来触发. exp代码： const int domains[][3] = { { PF_APPLETALK, SOCK_DGRAM, 0 }, {PF_IPX, SOCK_DGRAM, 0 }, { PF_IRDA, SOCK_DGRAM, 0 }, {PF_X25, SOCK_DGRAM, 0 }, { PF_AX25, SOCK_DGRAM, 0 }, {PF_BLUETOOTH, SOCK_DGRAM, 0 }, { PF_IUCV, SOCK_STREAM, 0 }, {PF_INET6, SOCK_SEQPACKET, IPPROTO_SCTP }, {PF_PPPOX, SOCK_DGRAM, 0 }, {PF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP }, {DOMAINS_STOP, 0, 0 } }; for (; domains[d][0] != DOMAINS_STOP; d++) { if ((out = socket(domains[d][0], domains[d][1], domains[d][2])) >= 0) break; } 替换成ipx协议就是： out = socket(PF_IPX,  SOCK_DGRAM, 0); 建立以个PF_IPX协议的套接字接口。 看下这个在内核中是如何实现的： socket的中断服务程序是sys_socketcall， 在linux-2.6.18/net/socket.c中: >> sys_socketcall将会调用sys_socket asmlinkage long sys_socketcall(int call, unsigned long __user *args) { ... switch(call) { case SYS_SOCKET: err = sys_socket(a0,a1,a[2]); break; ... } >> sys_socket调用sock_create进行初始化， 然后调用sock_map_fd与sockfs文件系统进行挂接。 asmlinkage long sys_socket(int family, int type, int protocol) { int retval; struct socket *sock; retval = sock_create(family, type, protocol, &sock); if (retval < 0) goto out; retval = sock_map_fd(sock); if (retval < 0) goto out_release; out: /* It may be already another descriptor 8) Not kernel problem. */ return retval; out_release: sock_release(sock); return retval; } >> sock_create int sock_create(int family, int type, int protocol, struct socket **res) { return __sock_create(family, type, protocol, res, 0); } >> __sock_create static int __sock_create(int family, int type, int protocol, struct socket **res, int kern) { // 分配sock结构并进行填充 if (!(sock = sock_alloc())) { if (net_ratelimit()) printk(KERN_WARNING "socket: no more sockets\n"); err = -ENFILE;          /* Not exactly a match, but its the closest posix thing */ goto out; } ... // 这里进行具体协议的初始化操作， 执行ipx驱动的create函数， 这个指针是在ipx驱动加载到 内核时初始化的 if ((err = net_families[family]->create(sock, protocol)) < 0) { sock->ops = NULL; goto out_module_put; } ... } 继续跟踪ipx驱动的初始化过程， /linux-2.6.18/net/ipx/af_ipx.c： static int __init ipx_init(void) { // 注册ipx协议 int rc = proto_register(&ipx_proto, 1); if (rc != 0) goto out; // 注册协议的操作函数， bug由此开始生成 sock_register(&ipx_family_ops); ... } >> sock_register int sock_register(struct net_proto_family *ops) { ... net_family_write_lock(); err = -EEXIST; if (net_families[ops->family] == NULL) { 将ops指针赋值给net_families[ops->family] net_families[ops->family]=ops; err = 0; } } // 从这里可以看出__sock_create中的net_families[family]->create函数是在这里进行初始化的。 static struct net_proto_family ipx_family_ops = { .family         = PF_IPX, .create         = ipx_create, .owner          = THIS_MODULE, }; 继续跟踪ipx_create函数： static int ipx_create(struct socket *sock, int protocol) { ... 这个对sock的ops结构进行赋值 sock->ops = &ipx_dgram_ops; ... } static const struct proto_ops SOCKOPS_WRAPPED(ipx_dgram_ops) = { .family         = PF_IPX, .owner          = THIS_MODULE, .release        = ipx_release, .bind           = ipx_bind, .connect        = ipx_connect, .socketpair     = sock_no_socketpair, .accept         = sock_no_accept, .getname        = ipx_getname, .poll           = datagram_poll, .ioctl          = ipx_ioctl, #ifdef CONFIG_COMPAT .compat_ioctl   = ipx_compat_ioctl, #endif .listen         = sock_no_listen, .shutdown       = sock_no_shutdown, /* FIXME: support shutdown */ .setsockopt     = ipx_setsockopt, .getsockopt     = ipx_getsockopt, .sendmsg        = ipx_sendmsg, .recvmsg        = ipx_recvmsg, .mmap           = sock_no_mmap, .sendpage       = sock_no_sendpage, }; 我们在这里看到.sendpage结构本以为是被sock_no_sendpage给赋值了， 但是SOCKOPS_WRAPPED这个宏出现了个严重的bug， 实际上是没有对.sendpage进行初始化的， 直接导致了sendpage没被赋值， 这个漏洞由此生成。 #define SOCKOPS_WRAP(name, fam)                                 \ SOCKCALL_WRAP(name, release, (struct socket *sock), (sock))     \ SOCKCALL_WRAP(name, bind, (struct socket *sock, struct sockaddr *uaddr, int addr_len), \ (sock, uaddr, addr_len))                          \ SOCKCALL_WRAP(name, connect, (struct socket *sock, struct sockaddr * uaddr, \ int addr_len, int flags),         \ (sock, uaddr, addr_len, flags))                   \ SOCKCALL_WRAP(name, socketpair, (struct socket *sock1, struct socket *sock2), \ (sock1, sock2))                                   \ SOCKCALL_WRAP(name, accept, (struct socket *sock, struct socket *newsock, \ int flags), (sock, newsock, flags)) \ SOCKCALL_WRAP(name, getname, (struct socket *sock, struct sockaddr *uaddr, \ int *addr_len, int peer), (sock, uaddr, addr_len, peer)) \ SOCKCALL_UWRAP(name, poll, (struct file *file, struct socket *sock, struct poll_table_struct *wait), \ (file, sock, wait)) \ SOCKCALL_WRAP(name, ioctl, (struct socket *sock, unsigned int cmd, \ unsigned long arg), (sock, cmd, arg)) \ SOCKCALL_WRAP(name, compat_ioctl, (struct socket *sock, unsigned int cmd, \ unsigned long arg), (sock, cmd, arg)) \ SOCKCALL_WRAP(name, listen, (struct socket *sock, int len), (sock, len)) \ SOCKCALL_WRAP(name, shutdown, (struct socket *sock, int flags), (sock, flags)) \ SOCKCALL_WRAP(name, setsockopt, (struct socket *sock, int level, int optname, \ char __user *optval, int optlen), (sock, level, optname, optval, optlen)) \ SOCKCALL_WRAP(name, getsockopt, (struct socket *sock, int level, int optname, \ char __user *optval, int __user *optlen), (sock, level, optname, optval, optlen)) \ SOCKCALL_WRAP(name, sendmsg, (struct kiocb *iocb, struct socket *sock, struct msghdr *m, size_t len), \ (iocb, sock, m, len)) \ SOCKCALL_WRAP(name, recvmsg, (struct kiocb *iocb, struct socket *sock, struct msghdr *m, size_t len, int flags), \ (iocb, sock, m, len, flags)) \ SOCKCALL_WRAP(name, mmap, (struct file *file, struct socket *sock, struct vm_area_struct *vma), \ (file, sock, vma)) \ \ static const struct proto_ops name##_ops = {                    \ .family         = fam,                          \ .owner          = THIS_MODULE,                  \ .release        = __lock_##name##_release,      \ .bind           = __lock_##name##_bind,         \ .connect        = __lock_##name##_connect,      \ .socketpair     = __lock_##name##_socketpair,   \ .accept         = __lock_##name##_accept,       \ .getname        = __lock_##name##_getname,      \ .poll           = __lock_##name##_poll,         \ .ioctl          = __lock_##name##_ioctl,        \ .compat_ioctl   = __lock_##name##_compat_ioctl, \ .listen         = __lock_##name##_listen,       \ .shutdown       = __lock_##name##_shutdown,     \ .setsockopt     = __lock_##name##_setsockopt,   \ .getsockopt     = __lock_##name##_getsockopt,   \ .sendmsg        = __lock_##name##_sendmsg,      \ .recvmsg        = __lock_##name##_recvmsg,      \ .mmap           = __lock_##name##_mmap,         \ }; 下面继续跟踪这个bug是怎么被触发的： 回到sys_socket中, 看看前面分配的socket结构是否挂接到sockfs文件系统上的： int sock_map_fd(struct socket *sock) { struct file *newfile; // 分配一个没用的fd和file结构 int fd = sock_alloc_fd(&newfile); if (likely(fd >= 0)) { // sock与newfile挂接 int err = sock_attach_fd(sock, newfile); if (unlikely(err < 0)) { put_filp(newfile); put_unused_fd(fd); return err; } fd_install(fd, newfile); } return fd; } >> sock_attach_fd static int sock_attach_fd(struct socket *sock, struct file *file) { struct qstr this; char name[32]; this.len = sprintf(name, "[%lu]", SOCK_INODE(sock)->i_ino); this.name = name; this.hash = SOCK_INODE(sock)->i_ino; file->f_dentry = d_alloc(sock_mnt->mnt_sb->s_root, &this); if (unlikely(!file->f_dentry)) return -ENOMEM; file->f_dentry->d_op = &sockfs_dentry_operations; d_add(file->f_dentry, SOCK_INODE(sock)); file->f_vfsmnt = mntget(sock_mnt); file->f_mapping = file->f_dentry->d_inode->i_mapping; sock->file = file; // 将file的函数操作指针被socket_file_ops赋值。 file->f_op = SOCK_INODE(sock)->i_fop = &socket_file_ops; file->f_mode = FMODE_READ | FMODE_WRITE; file->f_flags = O_RDWR; file->f_pos = 0; // private_data域存放的就是socket结构， 一会会在sys_sendfile中看到。 file->private_data = sock; return 0; } static struct file_operations socket_file_ops = { .owner =        THIS_MODULE, .llseek =       no_llseek, .aio_read =     sock_aio_read, .aio_write =    sock_aio_write, .poll =         sock_poll, .unlocked_ioctl = sock_ioctl, #ifdef CONFIG_COMPAT .compat_ioctl = compat_sock_ioctl, #endif .mmap =         sock_mmap, .open =         sock_no_open,   /* special open code to disallow open via /proc */ .release =      sock_close, .fasync =       sock_fasync, .readv =        sock_readv, .writev =       sock_writev, .sendpage =     sock_sendpage,  // 将sock_sendpage函数赋值给了.sendpage, sock_sendpage实际上是没有检查空指针， 导致sys_senfile被执行的时候引发了漏洞 .splice_write = generic_splice_sendpage, }; 看exp中，是如何触发漏洞的： sendfile(fdout, fdin, NULL, PAGE_SIZE); sendfile->sys_sendfile, linux-2.6.18/fs/read_write.c: asmlinkage ssize_t sys_sendfile(int out_fd, int in_fd, off_t __user *offset, size_t count) { ... return do_sendfile(out_fd, in_fd, NULL, count, 0); } static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos, size_t count, loff_t max) { ... retval = in_file->f_op->sendfile(in_file, ppos, count, file_send_actor, out_file); ... } 漏洞由此触发。