文章来源： SecTr安全团队

概述

漏洞详情

static int io_grab_files(struct io_kiocb *req) { // ...      rcu_read_lock();     spin_lock_irq(&ctx->inflight_lock);spin_lock_irq(&ctx->inflight_lock);      if (fcheck(ctx->ring_fd) == ctx->ring_file) {         list_add(&req->inflight_entry, &ctx->inflight_list);         req->flags |= REQ_F_INFLIGHT;         req->work.files = current->files;  // <-- (1)         ret = 0;     }     spin_unlock_irq(&ctx->inflight_lock);     rcu_read_unlock();      return ret; }

漏洞利用(Exp)

static int map_lookup_elem(union bpf_attr *attr) {     void __user *ukey = u64_to_user_ptr(attr->key);     int ufd = attr->map_fd; // ...     f = fdget(ufd);          // <-- (2)     map = __bpf_map_get(f); // ...     key = __bpf_copy_key(ukey, map->key_size); key = __bpf_copy_key(ukey, map->key_size); // <-- (3)     if (IS_ERR(key)) {         err = PTR_ERR(key);         goto err_put;     }      value_size = bpf_map_value_size(map);  // <-- (4)      err = -ENOMEM;     value = kmalloc(value_size, GFP_USER | __GFP_NOWARN);     if (!value)         goto free_key;      err = bpf_map_copy_value(map, key, value, attr->flags); // <-- (5)     if (err)         goto free_value;      err = -EFAULT;     if (copy_to_user(uvalue, value, value_size) != 0) // <-- (6)         goto free_value; // ... }