myhack58 佚名 MYHACK58:62201787108
History: Jun 17, 2017 - 12:00 a.m.

“Phoenix Talon” in the Linux Kernel: a kernel vulnerability lurking for over 11 years - Vulnerability Warning - Black Bar Safety Net

2017-06-17 00:00:00
佚名
www.myhack58.com

7.8 High

CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

CVSS2
Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS
Percentile: 31.0%

![](/Article/UploadPic/2017-6/201761725251949.png?www.myhack58.com)
About “Phoenix Talon”
On May 9, 2017, Qimingxingchen ADLab (Venustech) found that the Linux kernel contains a remote vulnerability named “Phoenix Talon” (after the fourth toe of the phoenix's claw), covering CVE-2017-8890, CVE-2017-9075, CVE-2017-9076 and CVE-2017-9077. It affects almost every kernel version from Linux 2.5.69 through Linux 4.11, the corresponding distribution releases, and the related domestic (Chinese) systems. It can cause a remote DoS and, under certain exploitation conditions, RCE; the transport-layer TCP, DCCP and SCTP protocols and the network-layer IPv4 and IPv6 protocols are all affected. ADLab actually discovered the vulnerability in Linux 4.11-rc8, and the later Linux 4.11 stable release has the same problem. Research shows these vulnerabilities have been lurking in the Linux kernel for at least 11 years, so the impact is extremely far-reaching.
Qimingxingchen ADLab promptly reported the “Phoenix Talon” vulnerabilities to the Linux kernel community; after the report, the community merged the patches fixing the issue in Linux 4.12-rc1.
Of these vulnerabilities, CVE-2017-8890 is the most serious: it received the highest scores in the history of Linux kernel vulnerabilities on both scales, a CVSS v2 score of 10.0 (the maximum) and a CVSS v3 score of 9.8, also the highest in history. A search of NVD history shows no more than 20 Linux kernel vulnerabilities rated this high. The following analysis takes this vulnerability as an example; for reference, the official description reads as follows:
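The article gives an affected range (Linux 2.5.69 through 4.11, fix merged in 4.12-rc1). The following shell script is an added example, not part of the original article or of ADLab's tooling: it classifies a kernel release string against that range so a host inventory can flag candidates for patch verification. The function names are assumptions of this example, and a pure version check cannot see distribution backports, so a "yes" means "check vendor errata", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not from the article): classify a kernel release string
# against the Phoenix Talon range the article states: 2.5.69 <= v < 4.12,
# where 4.12-rc1 and later carry the fix. Distro kernels often backport the
# fix without changing the version, so treat a hit as "verify with vendor errata".

# version_key VERSION -> prints major*1000000 + minor*1000 + patch as one integer
version_key() {
    v=${1%%-*}                       # drop "-rc8", "-754.el7", "-generic" suffixes
    v=${v%%+*}                       # drop "+" local-version markers
    oldifs=$IFS; IFS=.; set -- $v; IFS=$oldifs
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    # keep only leading digits of each field (e.g. "0foo" -> "0")
    maj=${maj%%[!0-9]*}; min=${min%%[!0-9]*}; pat=${pat%%[!0-9]*}
    echo $(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
}

# phoenix_talon_affected VERSION -> exit 0 if the version lies in the affected range
phoenix_talon_affected() {
    k=$(version_key "$1")
    first=$(version_key 2.5.69)      # earliest affected release per the article
    fixed=$(version_key 4.12)        # 4.12-rc1 merged the fix; 4.12 keys as 4.12.0
    [ "$k" -ge "$first" ] && [ "$k" -lt "$fixed" ]
}

# report_host: one inventory line for the running kernel
report_host() {
    r=$(uname -r)
    if phoenix_talon_affected "$r"; then
        echo "$r: in the Phoenix Talon range (2.5.69 .. 4.11); check vendor errata for CVE-2017-8890 backports"
    else
        echo "$r: outside the affected range (no backport check needed for this CVE)"
    fi
}

report_host
```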
“The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15 allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging the use of the accept system call.”
The Vulnerability
CVE-2017-8890 is itself a double-free problem: the vulnerability is triggered by using the MCAST_JOIN_GROUP option of setsockopt() and then calling accept().
First, let's take a look at a couple of multicast-related data structures:
![](/Article/UploadPic/2017-6/201761725251355.png?www.myhack58.com)
The two members of this structure specify, respectively, the IP address of the multicast group and the IP address of the local interface used to join the group.
ip_setsockopt() implements this by calling ip_mc_join_group(), which adds the socket to the multicast group.
![](/Article/UploadPic/2017-6/201761725251898.png?www.myhack58.com)
Here sk.__sk_common.skc_rcv_saddr, for multicast, means that only data sent to that multicast address is received (for unicast, only data arriving on the network interface with that address is received); mc_ttl is the multicast TTL; mc_loop indicates whether multicast sent by this socket is looped back; mc_index is the index of the local device interface used for multicast; mc_addr is the multicast source address; mc_list is the multicast list.
![](/Article/UploadPic/2017-6/201761725251956.png?www.myhack58.com)
next_rcu points to the next node of the list; multi holds the group information, i.e. which multicast group was joined on which local interface; sfmode is the filter mode, either MCAST_INCLUDE or MCAST_EXCLUDE, meaning respectively that only multicast packets from the sources listed in sflist are received, or that multicast packets from the sources listed in sflist are dropped; sflist is the source list.
The following analyzes the key code for the memory allocation in the vulnerability and the key code for the second free.
1. The allocation
![](/Article/UploadPic/2017-6/201761725251411.png?www.myhack58.com)
![](/Article/UploadPic/2017-6/201761725251181.png?www.myhack58.com)
Entering the kernel, SyS_setsockopt() is called; because the level is not SOL_SOCKET (it is usually SOL_IP), line 1798 calls sock_common_setsockopt().
net/ipv4/ip_sockglue.c
![](/Article/UploadPic/2017-6/201761725251262.png?www.myhack58.com)
Then ip_setsockopt() is entered, which calls do_ip_setsockopt() at line 1264.
net/ipv4/ip_sockglue.c
![](/Article/UploadPic/2017-6/201761725251214.png?www.myhack58.com)
Lines 1019 to 1021 call copy_from_user() to copy the user-space data into kernel space. With the option set to MCAST_JOIN_GROUP beforehand, ip_mc_join_group() is then called:
net/ipv4/igmp.c
![](/Article/UploadPic/2017-6/201761725251967.png?www.myhack58.com)
Line 2128 calls sock_kmalloc() to allocate the memory.
2. The first free
Soft interrupts are raised in the kernel all the time. The soft interrupt involved in this vulnerability is not raised by the accept() system call itself, because that function runs in process context and does not raise a soft interrupt. Calling accept() does, however, induce some kind of soft interrupt in the kernel, and that soft interrupt invokes the rcu_process_callbacks() function:
kernel/rcu/tree.c
![](/Article/UploadPic/2017-6/201761725252608.png?www.myhack58.com)
__rcu_process_callbacks() calls rcu_do_batch(), as follows:
kernel/rcu/tree.c
![](/Article/UploadPic/2017-6/201761725252909.png?www.myhack58.com)

