[29083] 2021-07-24_[Vulnerability Disclosure] [CVE-2020-27194] Linux kernel: `or` binary operation tracking function, eBPF verif…

Document creator: s7ckTeam
Last updated: 2025-01-19
Ots 2021-07-24

Ots CVE-2020-27194 eBPF BPF

https://github.com/torvalds/linux/commit/3f50f132d8400e129fc9eb68b5020167ef80a244
https://github.com/torvalds/linux/commit/5b9fbeb75b6a982bc98c95b6a982bc985e95c95e98c958e80a244

5.8 Fedora 33 LPE 使5.810 22 Ubuntu 22.10

Simon reported an issue with the current scalar32_min_max_or() implementation. That is, compared to the other 32 bit subreg tracking functions, the code in scalar32_min_max_or() stands out that it's using the 64 bit registers instead of 32 bit ones. This leads to bounds tracking issues, for example:

  [...]
  8: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm
  8: (79) r1 = *(u64 *)(r0 +0)
   R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R10=fp0 fp-8=mmmmmmmm
  9: R0=map_value(id=0,off=0,ks=4,vs=48,imm=0) R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm
  9: (b7) r0 = 1
  10: R0_w=inv1 R1_w=inv(id=0) R10=fp0 fp-8=mmmmmmmm
  10: (18) r2 = 0x600000002
  12: R0_w=inv1 R1_w=inv(id=0) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
  12: (ad) if r1 < r2 goto pc+1
   R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
  13: R0_w=inv1 R1_w=inv(id=0,umin_value=25769803778) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
  13: (95) exit
  14: R0_w=inv1 R1_w=inv(id=0,umax_value=25769803777,var_off=(0x0; 0x7ffffffff)) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
  14: (25) if r1 > 0x0 goto pc+1
   R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
  15: R0_w=inv1 R1_w=inv(id=0,umax_value=0,var_off=(0x0; 0x7fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
  15: (95) exit
  16: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=25769803777,var_off=(0x0; 0x77fffffff),u32_max_value=2147483647) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
  16: (47) r1 |= 0
  17: R0_w=inv1 R1_w=inv(id=0,umin_value=1,umax_value=32212254719,var_off=(0x1; 0x700000000),s32_max_value=1,u32_max_value=1) R2_w=inv25769803778 R10=fp0 fp-8=mmmmmmmm
  [...]

The bound tests on the map value force the upper unsigned bound to be 25769803777 in 64 bit (0b11000000000000000000000000000000001) and then lower one to be 1. By using OR they are truncated and thus result in the range [1,1] for the 32 bit reg tracker. This is incorrect given the only thing we know is that the value must be positive and thus 2147483647 (0b1111111111111111111111111111111) at max for the subregs. Fix it by using the {u,s}32_{min,max}_value vars instead
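
The bounds step described in the commit message above, as an added example: a simplified C model, not the kernel's code and not part of the original post. struct reg, log_state_r1, or32_bounds and covers are hypothetical names; the inputs are R1's state at instruction 16 in the log, with u32_min and s32_min assumed to be 0, and only the case of a non-negative destination ORed with a constant is modelled.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the verifier's scalar register state
 * (hypothetical struct, only the fields this example needs). */
struct reg {
    uint64_t umin, umax;        /* 64-bit unsigned bounds */
    uint64_t tvalue, tmask;     /* var_off: known-one bits / unknown bits */
    uint32_t u32_min, u32_max;  /* 32-bit subreg unsigned bounds */
    int32_t  s32_min, s32_max;  /* 32-bit subreg signed bounds */
};

/* R1 at insn 16 in the log; u32_min = s32_min = 0 are assumed values. */
static struct reg log_state_r1(void) {
    struct reg r = { 1, 25769803777ULL, 0x0, 0x77fffffffULL,
                     0, 2147483647u, 0, 2147483647 };
    return r;
}

/* 32-bit OR bounds step for a non-negative dst and a constant src.
 * use_64bit=1 derives the signed subreg bounds from the 64-bit bounds
 * (the flaw); use_64bit=0 derives them from the 32-bit bounds (the fix). */
static void or32_bounds(struct reg *dst, uint64_t src, int use_64bit) {
    uint32_t src_min = (uint32_t)src;
    dst->tvalue |= src;         /* bits set in src become known ones */
    dst->tmask &= ~src;
    if (src_min > dst->u32_min) dst->u32_min = src_min;
    dst->u32_max = (uint32_t)(dst->tvalue | dst->tmask);
    if (use_64bit) {            /* upper 32 bits are silently dropped */
        dst->s32_min = (int32_t)(uint32_t)dst->umin;
        dst->s32_max = (int32_t)(uint32_t)dst->umax;
    } else {
        dst->s32_min = (int32_t)dst->u32_min;
        dst->s32_max = (int32_t)dst->u32_max;
    }
}

/* 1 if the low 32 bits of concrete value v lie inside the s32 range. */
static int covers(const struct reg *r, uint64_t v) {
    int32_t lo = (int32_t)(uint32_t)v;
    return lo >= r->s32_min && lo <= r->s32_max;
}

int main(void) {
    struct reg bad = log_state_r1(), good = log_state_r1();
    or32_bounds(&bad, 0, 1);
    or32_bounds(&good, 0, 0);
    printf("64-bit source: s32=[%d,%d] covers(2)=%d\n", bad.s32_min, bad.s32_max, covers(&bad, 2));
    printf("32-bit source: s32=[%d,%d] covers(2)=%d\n", good.s32_min, good.s32_max, covers(&good, 2));
    return 0;
}
```

The 64-bit variant yields the [1,1] subreg range from the log, which excludes a runtime value such as 2 that the 64-bit bounds and var_off still allow; the 32-bit variant keeps the range at [0,2147483647].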
