Related vulnerability
Title:
Linux kernel buffer error vulnerability
(CVE-2023-6931)
Description: The Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). The Linux kernel has a buffer error vulnerability that stems from a heap out-of-bounds write in the Performance Events system component: `read_size` in `perf_event` may overflow, leading to a buffer overflow.
Description
CVE-2023-6931 kernel panic PoC
Introduction
# CVE-2023-6931
Kernel Panic PoC for CVE-2023-6931
Description
---
CVE-2023-6931 is a vulnerability in `perf_event` that leads to a heap buffer overflow caused by an integer overflow in the `read_size` of a group.
### What is a Performance Event (perf event)?
`perf_events` is a performance monitoring and analysis framework provided by the Linux kernel. This framework enables the tracking of various performance-related data generated by both hardware and software components.
#### Main Uses
- Hardware Event Tracking
Tracks events such as CPU cycles, instruction execution counts, cache misses, and more.
- Software Event Tracking
Monitors events like switching, page faults, context switches, etc.
- Custom Event Tracking
Enables tracking of events specific to certain applications or the kernel.
#### Components of perf
- `perf_event_open` System call
An interface that allows user-space to configure and control performance events in the kernel.
It is used to create, group, control, or read data from events.
- Performance Counters
The actual data tracked by the CPU and kernel, such as the number of executed instructions or CPU utilization.
- Event Groups
Allows multiple performance events to be grouped and managed together. A group leader event acts as the representative of the group, while sibling events represent the remaining events within the group.
---
### Requirements
1. The value of `/proc/sys/kernel/perf_event_paranoid` must be 1 or lower.
2. The number of file descriptors that can be opened must be at least around 4100. This can be checked and modified using the `ulimit -n` command.
3. The kernel option `CONFIG_PERF_EVENTS` must be set.
---
### Description
The vulnerability arises due to an integer overflow in the `read_size` of a group. The function `perf_event_validate_size` performs validation on the `read_size`. However, the way `read_size` is validated only checks the `read_size` of the current event.
The key point is that during each validation, only the current event is validated, while previous events are not. If `PERF_FORMAT_GROUP` is set for the group leader, simply adding a current event can increase the `read_size` of the group leader.
This ultimately causes an issue in `perf_read_group`. The calculation of `event->read_size` is based on the `read_format` of the group leader, multiplied by `nr_siblings`. Since the `read_size` variable is a 2-byte `u16`, the maximum value it can hold is `0xffff`.
To exploit this, the attacker first creates a group leader event with all possible `read_format` options set. Next, numerous sibling events are created. These siblings only set `PERF_FORMAT_TOTAL_TIME_RUNNING` in the `read_format` to ensure no validation issues in `perf_event_validate_size`. As a result, the `nr_siblings` value becomes extremely large, but since each sibling event passes validation individually, there are no problems at this stage.
When `perf_read_group` is called in this state, the `read_size` of the group leader continues to increase because `PERF_FORMAT_GROUP` is set. Eventually, this leads to an integer overflow, and `kzalloc` allocates a very small buffer. However, since the actual number of events is very large, a heap buffer overflow occurs, causing a kernel panic.
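The arithmetic in the description above, worked through in user-space C as an added illustration (this is not the PoC from the repository and not kernel code): `full_read_size` models how the size of a `read()` result grows with the group, `truncated_read_size` shows what survives in a 2-byte field, and the two `validate_*` functions contrast a per-event check with a check that recomputes the leader and every sibling against the new member count. The `PERF_FORMAT_*` values are the uapi constants; the `0xffff` bound, the "around 4100" sibling count and the sibling layout (leader with every bit set, siblings with only `PERF_FORMAT_TOTAL_TIME_RUNNING`) are taken from the README, and everything else (function names, the use of a 32-bit result for the true size) is this example's own choice.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* read_format bits; the values match the PERF_FORMAT_* definitions in the
 * uapi header <linux/perf_event.h>, redefined here so the model builds
 * without kernel headers. */
#define PERF_FORMAT_TOTAL_TIME_ENABLED (1U << 0)
#define PERF_FORMAT_TOTAL_TIME_RUNNING (1U << 1)
#define PERF_FORMAT_ID                 (1U << 2)
#define PERF_FORMAT_GROUP              (1U << 3)
#define PERF_FORMAT_LOST               (1U << 4)
#define PERF_FORMAT_ALL (PERF_FORMAT_TOTAL_TIME_ENABLED | PERF_FORMAT_TOTAL_TIME_RUNNING | \
                         PERF_FORMAT_ID | PERF_FORMAT_GROUP | PERF_FORMAT_LOST)

/* Capacity of a 2-byte read_size field, the bound the README points at. */
#define READ_SIZE_U16_MAX 0xffffU

/* Model of how many bytes a read() on an event produces: per-event header
 * fields plus one entry per reported member. With GROUP set, every sibling
 * adds one entry. Computed in 32 bits so the true value is never lost. */
static uint32_t full_read_size(uint32_t read_format, uint32_t nr_siblings)
{
    uint32_t entry = sizeof(uint64_t); /* the counter value itself */
    uint32_t size = 0;
    uint32_t nr = 1;                   /* members reported: this event alone... */

    if (read_format & PERF_FORMAT_TOTAL_TIME_ENABLED) size += sizeof(uint64_t);
    if (read_format & PERF_FORMAT_TOTAL_TIME_RUNNING) size += sizeof(uint64_t);
    if (read_format & PERF_FORMAT_ID)                 entry += sizeof(uint64_t);
    if (read_format & PERF_FORMAT_LOST)               entry += sizeof(uint64_t);
    if (read_format & PERF_FORMAT_GROUP) {            /* ...or the whole group */
        nr += nr_siblings;
        size += sizeof(uint64_t);                     /* the nr field itself */
    }
    return size + entry * nr;
}

/* What survives once the same result is stored into a 2-byte field. */
static uint16_t truncated_read_size(uint32_t read_format, uint32_t nr_siblings)
{
    return (uint16_t)full_read_size(read_format, nr_siblings);
}

/* Validation that looks only at the event being added: the gap the README
 * describes, because the leader's size is never recomputed. */
static bool validate_current_event_only(uint32_t read_format, uint32_t nr_siblings)
{
    return full_read_size(read_format, nr_siblings) <= READ_SIZE_U16_MAX;
}

/* Whole-group validation: the leader and every existing sibling are
 * recomputed against the member count the group will have. */
static bool validate_whole_group(uint32_t leader_format,
                                 const uint32_t *sibling_formats,
                                 uint32_t nr_siblings)
{
    if (full_read_size(leader_format, nr_siblings) > READ_SIZE_U16_MAX)
        return false;
    for (uint32_t i = 0; i < nr_siblings; i++)
        if (full_read_size(sibling_formats[i], nr_siblings) > READ_SIZE_U16_MAX)
            return false;
    return true;
}

/* The README's layout: a leader with every read_format bit set and
 * nr_siblings siblings that only set TOTAL_TIME_RUNNING. Returns whether a
 * whole-group check would accept that group. */
static bool readme_group_passes_whole_group_check(uint32_t nr_siblings)
{
    uint32_t *siblings = malloc(nr_siblings * sizeof *siblings);
    if (nr_siblings && !siblings)
        return false;
    for (uint32_t i = 0; i < nr_siblings; i++)
        siblings[i] = PERF_FORMAT_TOTAL_TIME_RUNNING;
    bool ok = validate_whole_group(PERF_FORMAT_ALL, siblings, nr_siblings);
    free(siblings);
    return ok;
}

int main(void)
{
    const uint32_t nr = 4100; /* the README's "around 4100" descriptors */
    printf("sibling, own view:  %u bytes, per-event check %s\n",
           (unsigned)full_read_size(PERF_FORMAT_TOTAL_TIME_RUNNING, nr),
           validate_current_event_only(PERF_FORMAT_TOTAL_TIME_RUNNING, nr) ? "passes" : "fails");
    printf("leader, true size:  %u bytes\n", (unsigned)full_read_size(PERF_FORMAT_ALL, nr));
    printf("leader, as u16:     %u bytes (the size a u16 field would hand to kzalloc)\n",
           (unsigned)truncated_read_size(PERF_FORMAT_ALL, nr));
    printf("whole-group check:  %s\n",
           readme_group_passes_whole_group_check(nr) ? "passes" : "rejects");
    return 0;
}
```

Each sibling's own view stays at 16 bytes no matter how large the group gets, because a sibling without `PERF_FORMAT_GROUP` reports only itself, so a per-event check is satisfied every time; the leader's true size crosses `0xffff` at a few thousand siblings and wraps in a 2-byte field, which is exactly the mismatch between allocation and copied data that the README attributes to `perf_read_group`. Recomputing every member's size against the prospective group count, as `validate_whole_group` does, rejects the group at the `perf_event_open` stage rather than at read time.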
File snapshot
[4.0K] /data/pocs/b90889ffd8aa2d4bd88f760b8c6fe7c8bf5821ed
├── [888K] PoC
├── [2.4K] PoC.c
└── [3.2K] README.md
0 directories, 3 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.