SSV:93207
Jun 16, 2017

"Phoenix Talon" in Linux Kernel

2017-06-16 00:00:00
Root
www.seebug.org

EPSS: 0.001 (Low), percentile 31.0%

About “Phoenix Talon”

On May 9, 2017, Venustech ADLab (Qimingxingchen ADLab) found that the Linux kernel contains a family of remotely triggerable vulnerabilities, named "Phoenix Talon" (the name refers to the fourth toe of a phoenix's claw) and tracked as CVE-2017-8890, CVE-2017-9075, CVE-2017-9076 and CVE-2017-9077. They affect nearly every kernel from Linux 2.5.69 through Linux 4.11, the distribution releases built on those kernels, and the related domestic (Chinese) systems. They can cause a remote denial of service and, when certain usage conditions are met, remote code execution; the transport-layer TCP, DCCP and SCTP protocols and the network-layer IPv4 and IPv6 protocols are all affected. ADLab had in fact already found the vulnerability in Linux 4.11-rc8, and the later Linux 4.11 stable release has the same problem. According to the study, these vulnerabilities had been lurking in the Linux kernel for at least 11 years, so their impact is extremely far-reaching.

ADLab reported the "Phoenix Talon" vulnerabilities to the Linux kernel community as soon as they were found; after the report, the community merged patches fixing the issue into Linux 4.12-rc1.

Of these vulnerabilities, CVE-2017-8890 is the most serious: both of its CVSS scores are the highest in the history of Linux kernel vulnerabilities, a CVSS v2 score of 10.0 (the maximum) and a CVSS v3 score of 9.8. A search of NVD's history shows no more than 20 Linux kernel vulnerabilities rated this highly. The analysis below uses this vulnerability as its example. The official description reads as follows: "The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the Linux kernel through 4.10.15 allows attackers to cause a denial of service (double free) or possibly have unspecified other impact by leveraging the use of the accept system call."

The Vulnerability

CVE-2017-8890 is a double free. It is reached by using the MCAST_JOIN_GROUP option of the setsockopt() function and then calling the accept() function. First, a look at a few multicast-related data structures:

The two members of the first structure specify, respectively, the multicast group IP address and the IP address of the local interface that is to join the group. ip_setsockopt() implements this option by calling ip_mc_join_group(), which adds the socket to the multicast group.

In the second structure (the inet socket), sk.__sk_common.skc_rcv_saddr is the receive address: for multicast, only data sent to that multicast address is received; for unicast, only data arriving at the network card that owns that address is received. mc_ttl is the multicast TTL; mc_loop indicates whether multicast sends are looped back; mc_index is the interface index of the local device used for multicast; mc_addr is the multicast source address; mc_list is the list of multicast memberships.

In the third structure (one entry of the membership list), next_rcu points to the next node of the list; multi holds the group information, that is, which multicast group was joined on which local interface; sfmode is the filter mode, either MCAST_INCLUDE or MCAST_EXCLUDE, meaning respectively that only multicast datagrams from the sources listed in sflist are received, or that multicast datagrams from the sources listed in sflist are not received; sflist is the source list. The following is an analysis of the key code on the vulnerability's memory allocation path and on its two free paths.

1. The allocation

Memory allocation call chain:

The user program calls setsockopt() with the MCAST_JOIN_GROUP option (source file: net/socket.c).

Entering the kernel, SyS_setsockopt() is called. When the level is not SOL_SOCKET (for this option it is normally SOL_IP), line 1798 calls sock_common_setsockopt(), which in turn calls the protocol handler (source file: net/ipv4/ip_sockglue.c).

This enters ip_setsockopt(), which calls do_ip_setsockopt() at line 1264 (source file: net/ipv4/ip_sockglue.c).

Lines 1019 to 1021 call copy_from_user() to copy the user-space data into kernel space. With the option set to MCAST_JOIN_GROUP, ip_mc_join_group() is then called (source file: net/ipv4/igmp.c).

Line 2128 calls sock_kmalloc() to allocate the memory.

2. The first free

The kernel raises soft interrupts all the time. The soft interrupt relevant to this vulnerability is caused by the accept() system call: accept() itself runs in process context and does not raise a soft interrupt directly, but calling it causes the kernel to raise one, and that soft interrupt invokes rcu_process_callbacks() (source file: kernel/rcu/tree.c).

__rcu_process_callbacks() calls rcu_do_batch(), as follows (source file: kernel/rcu/tree.c):

Note line 2879, which calls __rcu_reclaim(); its implementation is as follows (source file: kernel/rcu/rcu.h):

Line 113 calls kfree(), which is the first free.

3. The second free

When the TCP connection is closed, the kernel's sock_close() calls sock_release() directly to disconnect. That function clears ops, updates the global socket count and updates the inode reference count, then enters inet_release(), which calls tcp_close() to shut the sock down (source file: net/ipv4/af_inet.c).

When the user application closes the TCP connection, the kernel reclaims the memory in ip_mc_drop_socket() (source file: net/ipv4/igmp.c).

Line 2612 calls kfree_rcu(), which is the second free.
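The root cause behind the two frees above can be seen in a small user-space model. This is an added example written for this page, not kernel code and not ADLab's code: it imitates the listening socket's membership list being carried over into the accepted child socket by the shallow copy made when the child sock is cloned, so that closing both sockets releases the same list twice. The names sock_model, mc_socklist, join_group, clone_for_accept, drop_socket and run_scenario are my own, the group 224.0.0.1 is a constructed sample value, the RCU deferral is collapsed into direct calls, and releases are recorded in a ledger instead of being performed, so the program is safe to run. The fixed flag models the behaviour of the 4.12-rc1 fix, under which the child socket no longer inherits the parent's mc_list.

```c
/* Added example: user-space model of the CVE-2017-8890 double free.
 * Not kernel code. Frees are logged, not performed, so this is safe to run. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for one multicast membership (struct ip_mc_socklist in the kernel). */
struct mc_socklist {
    unsigned int group_addr;   /* multicast group joined */
    struct mc_socklist *next;  /* next_rcu in the kernel */
};

/* Stand-in for the inet socket fields that matter here. */
struct sock_model {
    int is_listener;
    struct mc_socklist *mc_list;  /* membership list this socket believes it owns */
};

/* Ledger: how many times each list node has been "released". */
#define LEDGER_SIZE 16
static struct { void *ptr; int frees; } ledger[LEDGER_SIZE];
static int ledger_len;

static void ledger_reset(void) { ledger_len = 0; memset(ledger, 0, sizeof ledger); }

/* Record a release of p and return how many times p has now been released. */
static int ledger_record(void *p) {
    for (int i = 0; i < ledger_len; i++)
        if (ledger[i].ptr == p) return ++ledger[i].frees;
    if (ledger_len < LEDGER_SIZE) { ledger[ledger_len].ptr = p; ledger[ledger_len].frees = 1; ledger_len++; }
    return 1;
}

/* Model of ip_mc_join_group(): allocate a membership and link it into mc_list. */
static void join_group(struct sock_model *sk, unsigned int group) {
    struct mc_socklist *m = calloc(1, sizeof *m);
    m->group_addr = group;
    m->next = sk->mc_list;
    sk->mc_list = m;
}

/* Model of cloning the listener for accept(): the child is a shallow copy, so the
 * mc_list pointer comes along. fixed != 0 models the 4.12-rc1 fix. */
static struct sock_model clone_for_accept(const struct sock_model *parent, int fixed) {
    struct sock_model child = *parent;   /* struct copy, pointer included */
    child.is_listener = 0;
    if (fixed)
        child.mc_list = NULL;            /* child starts with no memberships */
    return child;
}

/* Model of ip_mc_drop_socket(): release every membership this socket holds.
 * Returns how many nodes had already been released before (in the real kernel
 * this second walk touches memory that kfree() has already taken back). */
static int drop_socket(struct sock_model *sk) {
    int doubles = 0;
    for (struct mc_socklist *m = sk->mc_list; m; m = m->next)
        if (ledger_record(m) > 1) doubles++;
    sk->mc_list = NULL;
    return doubles;
}

/* The sequence the advisory describes: join a group, accept (clone), close both.
 * Returns the number of membership nodes released twice: 1 unfixed, 0 fixed. */
int run_scenario(int fixed) {
    ledger_reset();
    struct sock_model listener = { .is_listener = 1, .mc_list = NULL };
    join_group(&listener, 0xe0000001u);          /* constructed sample: 224.0.0.1 */
    struct mc_socklist *head = listener.mc_list; /* kept only to free the nodes below */
    struct sock_model child = clone_for_accept(&listener, fixed);
    int doubles = 0;
    doubles += drop_socket(&child);     /* first release, child socket closed */
    doubles += drop_socket(&listener);  /* second release, listener closed */
    for (struct mc_socklist *m = head, *n; m; m = n) { n = m->next; free(m); }
    return doubles;
}

int main(void) {
    printf("unfixed: %d node(s) released twice\n", run_scenario(0));
    printf("fixed:   %d node(s) released twice\n", run_scenario(1));
    return 0;
}
```

The model collapses which socket releases first; what matters is that two sock structures end up holding the same mc_list pointer after the clone, and each one's teardown path believes it owns the list.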

Affected

1. Affected kernel versions

According to the study, in theory every Linux kernel from 2.5.69 through 4.11 is affected by "Phoenix Talon". The open-source community's verification of which kernel versions the "Phoenix Talon" vulnerability affects gives the partial list below:

Testing by ADLab shows that Linux kernel 4.11 is also affected.
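A triage check for the version window above, as an added example (my own code, not ADLab's): it parses a uname -r style string and reports whether the mainline version lies in the advisory's affected range, 2.5.69 up to but not including 4.12, since the fix is in 4.12-rc1. parse_kver and kver_affected are my own names. The check knows nothing about backports: a distribution kernel such as a 3.10.x on Red Hat Enterprise Linux 7, or a later 4.11.y stable point release, may already carry the fix, so a hit here means "check the vendor errata", not "the host is vulnerable".

```c
/* Added example: is a mainline kernel version inside the "Phoenix Talon" window?
 * My own triage helper, not ADLab's code. Mainline numbering only; it cannot
 * see distribution or stable backports of the fix. */
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>

struct kver { int major, minor, patch; };

/* Parse "4.11.0-41-generic" or "4.12.0-rc1" into numeric fields. The patch level
 * defaults to 0 when absent. Returns 0 on success, -1 if the string does not
 * start with major.minor. */
int parse_kver(const char *s, struct kver *out) {
    char *end;
    long a, b, c = 0;
    if (!s || !isdigit((unsigned char)*s)) return -1;
    a = strtol(s, &end, 10);
    if (*end != '.' || !isdigit((unsigned char)end[1])) return -1;
    b = strtol(end + 1, &end, 10);
    if (*end == '.' && isdigit((unsigned char)end[1]))
        c = strtol(end + 1, &end, 10);
    out->major = (int)a; out->minor = (int)b; out->patch = (int)c;
    return 0;
}

/* Three-way compare of two versions. */
static int kver_cmp(const struct kver *x, const struct kver *y) {
    if (x->major != y->major) return x->major < y->major ? -1 : 1;
    if (x->minor != y->minor) return x->minor < y->minor ? -1 : 1;
    if (x->patch != y->patch) return x->patch < y->patch ? -1 : 1;
    return 0;
}

/* 1 if the version is in [2.5.69, 4.12), 0 if not, -1 on a parse error. */
int kver_affected(const char *s) {
    struct kver v;
    const struct kver lo = { 2, 5, 69 };   /* first affected, per the advisory */
    const struct kver hi = { 4, 12, 0 };   /* first series carrying the fix (4.12-rc1) */
    if (parse_kver(s, &v) != 0) return -1;
    return kver_cmp(&v, &lo) >= 0 && kver_cmp(&v, &hi) < 0;
}

int main(void) {
    /* Constructed sample uname -r strings, not measured hosts. */
    const char *samples[] = { "4.11.0-41-generic", "4.12.0-rc1", "2.5.68",
                              "3.10.0-514.el7.x86_64", "not-a-version" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = kver_affected(samples[i]);
        printf("%-24s -> %s\n", samples[i],
               r < 0 ? "unparseable" : r ? "in affected window (check errata)" : "outside window");
    }
    return 0;
}
```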

2. Affected distribution releases

The distribution releases verified as affected by the open-source community (not a complete list) are as follows:

* Red Hat Enterprise MRG 2
* Red Hat Enterprise Linux 7
* Red Hat Enterprise Linux 6
* Red Hat Enterprise Linux 5
* SUSE Linux Enterprise Desktop 12 SP1
* SUSE Linux Enterprise Desktop 12 SP2
* SUSE Linux Enterprise Server 11 SP3 LTSS
* SUSE Linux Enterprise Server 11 SP4
* SUSE Linux Enterprise Server 12 GA
* SUSE Linux Enterprise Server 12 SP1
* SUSE Linux Enterprise Server 12 SP2
* SUSE Linux Enterprise Server for SAP 11 SP3
* SUSE Linux Enterprise Server for SAP 11 SP4
* SUSE Linux Enterprise Server for SAP 12 GA
* SUSE Linux Enterprise Server for SAP 12 SP1
* SUSE Linux Enterprise Server for SAP 12 SP2

In addition, ADLab tested the following distribution releases and confirmed that they are affected by the "Phoenix Talon" vulnerability:

* Ubuntu 14.04 LTS (Trusty Tahr)
* Ubuntu 16.04 LTS (Xenial Xerus)
* Ubuntu 16.10 (Yakkety Yak)
* Ubuntu 17.04 (Zesty Zapus)
* Ubuntu 17.10 (Artful Aardvark)