转载:http://hi.baidu.com/wzt85/blog/item/a11e013e3384f2f3838b13e6.html
2009-08-19 12:00
Linux sock_sendpage空指针漏洞分析
>> linux-2.6.18/net/socket.c static ssize_t sock_sendpage(struct file *file, struct page *page, int offset, size_t size, loff_t *ppos, int more) { struct socket *sock; int flags; sock = file->private_data; flags = !(file->f_flags & O_NONBLOCK) ? 0 : MSG_DONTWAIT; if (more) flags |= MSG_MORE; return sock->ops->sendpage(sock, page, offset, size, flags); } sock_sendpage函数没有判断sock->ops->sendpage函数指针是否为空,就进行了引用。空指针的存在是由于某些协议的驱动程序 没有正确的初始化函数指针造成的。 exp作者给出的协议驱动程序包括pppox, bluetooth, appletalk, ipx, sctp等。下面以ipx协议 为例, 说明这个漏洞是如何形成的以及如何来触发. exp代码: const int domains[][3] = { { PF_APPLETALK, SOCK_DGRAM, 0 }, {PF_IPX, SOCK_DGRAM, 0 }, { PF_IRDA, SOCK_DGRAM, 0 }, {PF_X25, SOCK_DGRAM, 0 }, { PF_AX25, SOCK_DGRAM, 0 }, {PF_BLUETOOTH, SOCK_DGRAM, 0 }, { PF_IUCV, SOCK_STREAM, 0 }, {PF_INET6, SOCK_SEQPACKET, IPPROTO_SCTP }, {PF_PPPOX, SOCK_DGRAM, 0 }, {PF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP }, {DOMAINS_STOP, 0, 0 } }; for (; domains[d][0] != DOMAINS_STOP; d++) { if ((out = socket(domains[d][0], domains[d][1], domains[d][2])) >= 0) break; } 替换成ipx协议就是: out = socket(PF_IPX, SOCK_DGRAM, 0); 建立以个PF_IPX协议的套接字接口。 看下这个在内核中是如何实现的: socket的中断服务程序是sys_socketcall, 在linux-2.6.18/net/socket.c中: >> sys_socketcall将会调用sys_socket asmlinkage long sys_socketcall(int call, unsigned long __user *args) { ... switch(call) { case SYS_SOCKET: err = sys_socket(a0,a1,a[2]); break; ... } >> sys_socket调用sock_create进行初始化, 然后调用sock_map_fd与sockfs文件系统进行挂接。 asmlinkage long sys_socket(int family, int type, int protocol) { int retval; struct socket *sock; retval = sock_create(family, type, protocol, &sock); if (retval < 0) goto out; retval = sock_map_fd(sock); if (retval < 0) goto out_release; out: /* It may be already another descriptor 8) Not kernel problem. */ return retval; out_release: sock_release(sock); return retval; } >> sock_create int sock_create(int family, int type, int protocol, struct socket **res) { return __sock_create(family, type, protocol, res, 0); } >> __sock_create static int __sock_create(int family, int type, int protocol, struct socket **res, int kern) { // 分配sock结构并进行填充 if (!(sock = sock_alloc())) { if (net_ratelimit()) printk(KERN_WARNING "socket: no more sockets\n"); err = -ENFILE; /* Not exactly a match, but its the closest posix thing */ goto out; } ... // 这里进行具体协议的初始化操作, 执行ipx驱动的create函数, 这个指针是在ipx驱动加载到 内核时初始化的 if ((err = net_families[family]->create(sock, protocol)) < 0) { sock->ops = NULL; goto out_module_put; } ... } 继续跟踪ipx驱动的初始化过程, /linux-2.6.18/net/ipx/af_ipx.c: static int __init ipx_init(void) { // 注册ipx协议 int rc = proto_register(&ipx_proto, 1); if (rc != 0) goto out; // 注册协议的操作函数, bug由此开始生成 sock_register(&ipx_family_ops); ... } >> sock_register int sock_register(struct net_proto_family *ops) { ... net_family_write_lock(); err = -EEXIST; if (net_families[ops->family] == NULL) { 将ops指针赋值给net_families[ops->family] net_families[ops->family]=ops; err = 0; } } // 从这里可以看出__sock_create中的net_families[family]->create函数是在这里进行初始化的。 static struct net_proto_family ipx_family_ops = { .family = PF_IPX, .create = ipx_create, .owner = THIS_MODULE, }; 继续跟踪ipx_create函数: static int ipx_create(struct socket *sock, int protocol) { ... 这个对sock的ops结构进行赋值 sock->ops = &ipx_dgram_ops; ... } static const struct proto_ops SOCKOPS_WRAPPED(ipx_dgram_ops) = { .family = PF_IPX, .owner = THIS_MODULE, .release = ipx_release, .bind = ipx_bind, .connect = ipx_connect, .socketpair = sock_no_socketpair, .accept = sock_no_accept, .getname = ipx_getname, .poll = datagram_poll, .ioctl = ipx_ioctl, #ifdef CONFIG_COMPAT .compat_ioctl = ipx_compat_ioctl, #endif .listen = sock_no_listen, .shutdown = sock_no_shutdown, /* FIXME: support shutdown */ .setsockopt = ipx_setsockopt, .getsockopt = ipx_getsockopt, .sendmsg = ipx_sendmsg, .recvmsg = ipx_recvmsg, .mmap = sock_no_mmap, .sendpage = sock_no_sendpage, }; 我们在这里看到.sendpage结构本以为是被sock_no_sendpage给赋值了, 但是SOCKOPS_WRAPPED这个宏出现了个严重的bug, 实际上是没有对.sendpage进行初始化的, 直接导致了sendpage没被赋值, 这个漏洞由此生成。 #define SOCKOPS_WRAP(name, fam) \ SOCKCALL_WRAP(name, release, (struct socket *sock), (sock)) \ SOCKCALL_WRAP(name, bind, (struct socket *sock, struct sockaddr *uaddr, int addr_len), \ (sock, uaddr, addr_len)) \ SOCKCALL_WRAP(name, connect, (struct socket *sock, struct sockaddr * uaddr, \ int addr_len, int flags), \ (sock, uaddr, addr_len, flags)) \ SOCKCALL_WRAP(name, socketpair, (struct socket *sock1, struct socket *sock2), \ (sock1, sock2)) \ SOCKCALL_WRAP(name, accept, (struct socket *sock, struct socket *newsock, \ int flags), (sock, newsock, flags)) \ SOCKCALL_WRAP(name, getname, (struct socket *sock, struct sockaddr *uaddr, \ int *addr_len, int peer), (sock, uaddr, addr_len, peer)) \ SOCKCALL_UWRAP(name, poll, (struct file *file, struct socket *sock, struct poll_table_struct *wait), \ (file, sock, wait)) \ SOCKCALL_WRAP(name, ioctl, (struct socket *sock, unsigned int cmd, \ unsigned long arg), (sock, cmd, arg)) \ SOCKCALL_WRAP(name, compat_ioctl, (struct socket *sock, unsigned int cmd, \ unsigned long arg), (sock, cmd, arg)) \ SOCKCALL_WRAP(name, listen, (struct socket *sock, int len), (sock, len)) \ SOCKCALL_WRAP(name, shutdown, (struct socket *sock, int flags), (sock, flags)) \ SOCKCALL_WRAP(name, setsockopt, (struct socket *sock, int level, int optname, \ char __user *optval, int optlen), (sock, level, optname, optval, optlen)) \ SOCKCALL_WRAP(name, getsockopt, (struct socket *sock, int level, int optname, \ char __user *optval, int __user *optlen), (sock, level, optname, optval, optlen)) \ SOCKCALL_WRAP(name, sendmsg, (struct kiocb *iocb, struct socket *sock, struct msghdr *m, size_t len), \ (iocb, sock, m, len)) \ SOCKCALL_WRAP(name, recvmsg, (struct kiocb *iocb, struct socket *sock, struct msghdr *m, size_t len, int flags), \ (iocb, sock, m, len, flags)) \ SOCKCALL_WRAP(name, mmap, (struct file *file, struct socket *sock, struct vm_area_struct *vma), \ (file, sock, vma)) \ \ static const struct proto_ops name##_ops = { \ .family = fam, \ .owner = THIS_MODULE, \ .release = __lock_##name##_release, \ .bind = __lock_##name##_bind, \ .connect = __lock_##name##_connect, \ .socketpair = __lock_##name##_socketpair, \ .accept = __lock_##name##_accept, \ .getname = __lock_##name##_getname, \ .poll = __lock_##name##_poll, \ .ioctl = __lock_##name##_ioctl, \ .compat_ioctl = __lock_##name##_compat_ioctl, \ .listen = __lock_##name##_listen, \ .shutdown = __lock_##name##_shutdown, \ .setsockopt = __lock_##name##_setsockopt, \ .getsockopt = __lock_##name##_getsockopt, \ .sendmsg = __lock_##name##_sendmsg, \ .recvmsg = __lock_##name##_recvmsg, \ .mmap = __lock_##name##_mmap, \ }; 下面继续跟踪这个bug是怎么被触发的: 回到sys_socket中, 看看前面分配的socket结构是否挂接到sockfs文件系统上的: int sock_map_fd(struct socket *sock) { struct file *newfile; // 分配一个没用的fd和file结构 int fd = sock_alloc_fd(&newfile); if (likely(fd >= 0)) { // sock与newfile挂接 int err = sock_attach_fd(sock, newfile); if (unlikely(err < 0)) { put_filp(newfile); put_unused_fd(fd); return err; } fd_install(fd, newfile); } return fd; } >> sock_attach_fd static int sock_attach_fd(struct socket *sock, struct file *file) { struct qstr this; char name[32]; this.len = sprintf(name, "[%lu]", SOCK_INODE(sock)->i_ino); this.name = name; this.hash = SOCK_INODE(sock)->i_ino; file->f_dentry = d_alloc(sock_mnt->mnt_sb->s_root, &this); if (unlikely(!file->f_dentry)) return -ENOMEM; file->f_dentry->d_op = &sockfs_dentry_operations; d_add(file->f_dentry, SOCK_INODE(sock)); file->f_vfsmnt = mntget(sock_mnt); file->f_mapping = file->f_dentry->d_inode->i_mapping; sock->file = file; // 将file的函数操作指针被socket_file_ops赋值。 file->f_op = SOCK_INODE(sock)->i_fop = &socket_file_ops; file->f_mode = FMODE_READ | FMODE_WRITE; file->f_flags = O_RDWR; file->f_pos = 0; // private_data域存放的就是socket结构, 一会会在sys_sendfile中看到。 file->private_data = sock; return 0; } static struct file_operations socket_file_ops = { .owner = THIS_MODULE, .llseek = no_llseek, .aio_read = sock_aio_read, .aio_write = sock_aio_write, .poll = sock_poll, .unlocked_ioctl = sock_ioctl, #ifdef CONFIG_COMPAT .compat_ioctl = compat_sock_ioctl, #endif .mmap = sock_mmap, .open = sock_no_open, /* special open code to disallow open via /proc */ .release = sock_close, .fasync = sock_fasync, .readv = sock_readv, .writev = sock_writev, .sendpage = sock_sendpage, // 将sock_sendpage函数赋值给了.sendpage, sock_sendpage实际上是没有检查空指针, 导致sys_senfile被执行的时候引发了漏洞 .splice_write = generic_splice_sendpage, }; 看exp中,是如何触发漏洞的: sendfile(fdout, fdin, NULL, PAGE_SIZE); sendfile->sys_sendfile, linux-2.6.18/fs/read_write.c: asmlinkage ssize_t sys_sendfile(int out_fd, int in_fd, off_t __user *offset, size_t count) { ... return do_sendfile(out_fd, in_fd, NULL, count, 0); } static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos, size_t count, loff_t max) { ... retval = in_file->f_op->sendfile(in_file, ppos, count, file_send_actor, out_file); ... } 漏洞由此触发。 |