linux kernel futex fun
play

Linux Kernel Futex Fun: Exploiting CVE-2014-3153 Dougall Johnson - PowerPoint PPT Presentation

Mar 24, 2023 •529 likes •959 views

Linux Kernel Futex Fun: Exploiting CVE-2014-3153 Dougall Johnson Overview Futex system call Kernel implementation CVE-2014-3153 My approach to exploiting it Futexes Fast user-space mutexes 32-bit integer in shared

  1. Linux Kernel Futex Fun: Exploiting CVE-2014-3153 Dougall Johnson

  2. Overview • Futex system call • Kernel implementation • CVE-2014-3153 • My approach to exploiting it

  3. Futexes • “Fast user-space mutexes” • 32-bit integer in shared memory • Designed to be used entirely in user-space unless contended • When the lock is contended, the futex system call is used

  4. Futex Syscall int futex(int *uaddr, int op, int val, 
 const struct timespec *timeout, 
 int *uaddr2, int val3); • Action depends on the op argument • The arguments can be unused, or cast to different types • No glibc wrapper, need to use the syscall function to invoke it: syscall(SYS_futex, ...)

  5. FUTEX_WAIT and FUTEX_WAKE • When lock acquisition fails, the thread makes the futex(…, FUTEX_WAIT, …) system call, which sleeps the thread • When the lock is released, the owner will make the futex(…, FUTEX_WAKE, …) system call, which will wake up any waiters

  6. FUTEX_REQUEUE • Thundering herd problem: FUTEX_WAKE wakes up several processes, all of which attempt to acquire another futex • Instead, FUTEX_REQUEUE moves a number of waiters to another futex without waking them

  7. PI futexes • “Priority inheritance” futexes are semantically different, but similar • The user-space futex value is zero for unlocked, or holds the thread ID of the owner • The FUTEX_LOCK_PI and FUTEX_UNLOCK_PI calls are used instead of wait and wake • Unlocking a PI-futex wakes only the highest priority waiter

  8. FUTEX_CMP_REQUEUE_PI • Avoid “thundering herd” when moving from a non- PI futex to a PI-futex • Waiters call FUTEX_WAIT_REQUEUE_PI to sleep • Another thread calls FUTEX_CMP_REQUEUE_PI to “requeue” the waiters to the PI-futex • If the PI-futex is unlocked, one of the threads will lock it and wake

  9. Kernel Implementation • Kernel keeps track of waiters, but forgets about futexes with no waiters • A futex_q structure represents each waiting thread • An additional rt_mutex_waiter structure is used for each thread waiting on a PI futex

  10. 
 futex_q • Waiters on pi_futexes only in that they have a non-NULL struct futex_q { 
 pi_state and rt_waiter plist_node list; 
 • Waiters created by task_struct *task; 
 WAIT_REQUEUE_PI have a spinlock_t *lock_ptr; 
 futex_key key; 
 requeue_pi_key indicating the futex_pi_state *pi_state; 
 destination PI-futex rt_mutex_waiter *rt_waiter; 
 futex_key *requeue_pi_key; 
 • These structures are only u32 bitset; 
 needed while the waiter is }; waiting, so they are allocated on the thread’s kernel stack

  11. rt_mutex_waiter • These are kept in a priority-list on an rt_mutex struct rt_mutex_waiter { 
 plist_node list_entry; 
 • The waiter at the start of list plist_node pi_list_entry; 
 will be woken when the PI task_struct *task; 
 futex is unlocked rt_mutex *lock; 
 } • These are also allocated on the thread’s kernel stack

  12. 
 CVE-2014-3153 • Posted to oss-sec mailing list on June 5th • Explanations was somewhat cryptic: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1) 
 If uaddr == uaddr2, then we have broken the rule of only requeueing from a non-pi futex to a pi futex with this call. If we attempt this, then dangling pointers may be left for rt_waiter resulting in an exploitable condition.

  13. Huh? • Requeueing from uaddr1 to uaddr2 doesn’t look possible • FUTEX_WAIT_REQUEUE_PI already verifies that uaddr1 != uaddr2 , and then sets requeue_pi_key to the key for uaddr2 • FUTEX_CMP_REQUEUE_PI fails unless uaddr2 matches the requeue_pi_key • Even if I could, it wouldn’t necessarily break things

  14. Triggering the Vulnerability • The requeue_pi_key field is never cleared, so I can requeue twice to the same destination • By setting the value to zero (unlocked) in memory, the thread will be resumed as though it had never joined the rt_mutex_waiter list Thread A: futex_wait_requeue_pi( &futex1, &futex2 ) 
 Thread B: futex_lock_pi( &futex2 ) 
 Thread B: futex_cmp_requeue_pi( &futex1, &futex2 ) 
 Thread B: futex2 = 0 
 Thread B: futex_cmp_requeue_pi( &futex2, &futex2 )

  15. Stack Use-After-Free • The thread wakes up, rt_mutex rt_waiter resuming execution • It doesn’t unlink the wait_list rt_mutex_waiter from the list • Whatever happens to be on the kernel stack will be kernel interpreted as an stack rt_mutex_waiter

  16. Kernel Stack Manipulation • Subsequent syscalls will use the same memory for stack frames rt_mutex frame • Many syscalls place data wait_list from user-space on the stack, or data which is frame otherwise predictable • By making some sequence of system calls, and performing futex operations, frame this can be exploited

  17. Exploitation • Technique that can work reliably without precise knowledge of the kernel stack • Turn this vulnerability into two useful primitives, to allow leaking and arbitrary memory corruption

  18. Getting Started • After triggering the vulnerability, all sorts of things cause crashes, even exiting the program • Kernel crashes can make development really painful • “I HAVE NO TOOLS BECAUSE I’VE DESTROYED MY TOOLS WITH MY TOOLS” • Finally managed to get crash dumps using a virtual serial port in VMware

  19. Preparing the List • In theory waiters can be added or removed from the corrupt list • In practice, rt_mutex_top_waiter verifies the first item in the list and crashes all the time: 
 BUG_ON(w->lock != lock) • Need to insert nodes before the invalid node so that the list head is valid • Use nice to order nodes, and FUTEX_LOCK_PI to add them to the rt_mutex_waiter list

  20. plist prio = 5 prio = 5 prio = ?? prio_list.next prio_list prio_list.next prio_list.prev prio_list prio_list.prev node_list.next node_list.next node_list.next node_list.prev node_list.prev node_list.prev struct plist_node { 
 int prio; 
 struct list_head prio_list; 
 struct list_head node_list; 
 };

  21. 32-bit Linux Memory Split • Kernel memory is 0xC0000000 and higher • User memory is 0xBFFFFFFF and lower • Kernel code can read and write user memory directly • (Well, not all 32-bit Linux, but generally)

  22. Manipulating the stack • The kernel stack can be manipulated with system calls, for example select stores user controlled data on the stack • Stack layout is unpredictable, unlike a use after free on the heap • Fill the stack with a repeated value to overwrite both • Use a value which is both a negative integer, and a user- space pointer (0x80000000 - 0xBFFFFFFF) • The prior will be negative, and the next pointer will go to a fake user-space node

  23. Manipulating the stack prio = 5 prio = 5 prio < 0 prio_list.next prio_list prio_list.next prio_list.prev prio_list prio_list node_list.next node_list.next node_list.next node_list.prev node_list.prev node_list. priority prio_list.next prio_list.prev node_list.next node_list.prev

  24. Node Insertion • Priority list insertion first walks the prio_list until a higher priority value is found • It then inserts the new node before that (using the prev pointers) • By inserting a low priority node, it will traverse the “freed” node and be inserted before the user- space node

  25. list_add_tail prio = 19 prio_list.next prio_list.prev node_list.next node_list.prev priority > 19 prio_list.next prio_list.prev node_list.next node_list.prev

  26. list_add_tail prio = 19 prio_list.next prio_list.prev node_list.next node_list.prev priority > 19 pointer 1 prio_list.next prio_list.prev pointer 2 node_list.next node_list.prev

  27. Information leak • Populate the stack with a pointer to a user-space node (that doubles as a negative number) • Insert a node ( FUTEX_LOCK_PI ) with a priority 19 so that it will be inserted adjacent to the user-space node • Pointers to a kernel stack are written into user- space memory

  28. Waking up the thread • The thread isn’t actually in the list, so it can’t be woken by unlocking the futex • It will wake up if I send it a signal, though • Register a handler for SIGUSR1 • Use pthread_kill to deliver the signal to the right thread • The node will be unlinked and execution will resume

  29. Corruption Primitive prio = 19 prio_list.next prio_list.prev node_list.next node_list.prev priority > 19 prio_list.next prio_list.prev node_list.next node_list.prev

  30. Corruption Primitive prio = 19 Corrupt Value prio_list.next prio_list.prev node_list.next node_list.prev priority > 19 prio_list.next prio_list.prev Pointer node_list.next node_list.prev

  31. Corruption Primitive Corrupt Value priority > 19 prio_list.next prio_list.prev Pointer node_list.next node_list.prev

  32. Finishing the Exploit • Use these primitives to bypass SMEP and PXN • Get root • Clean up kernel memory so the process doesn’t crash at exit

  33. SMEP / PXN • First tried jumping to user space code • Map the node as RWX and write the pointer over a return address on the stack • Nope :( • Supervisor Mode Execution Prevention stops user-space code from being executed on x86 • Privileged Execute Never is a funny name for exactly the same thing on ARM

Recommend

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many

Debugging the Linux Kernel with GDB Kieran Bingham Debugging the Linux Kernel with GDB Many of us need to debug the Linux kernel Proprietary tools like Trace32 and DS-5 are $$$ Open source debuggers like GDB lack kernel

884 views • 40 slides
Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module

Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module

Intro to Linux Kernel Programming Don Porter Lab 4 You will write a Linux kernel module Linux is written in C, but does not include all standard libraries And some other idiosyncrasies This lecture will give you a crash

1.35k views • 22 slides
1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel

1 Theres a kernel security researcher named Dan Rosenberg whose done a lot of linux kernel vulnerability research Thats unavoidable, but the linux kernel developers dont do very much to make the situation any better. -- Basically, the

625 views • 36 slides
Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for

Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for

Hacking on Xen in the Linux Kernel Lisa Nguyen, Linux Kernel Intern FOSS Outreach Program for Women LinuxCon North America 2013 Agenda Introduction What Got Me Interested in OPW Project Overview Xen Block Ring Protocol

922 views • 13 slides
Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules

Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules

Introduction to Linux Kernel Modules Luca Abeni luca.abeni@santannapisa.it Linux Kernel Modules Kernel module: code that can be dynamically loaded/unloaded into the kernel at runtime Change the kernel code without needing to reboot

545 views • 13 slides
GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The

GNU/Linux Why use it? What is Linux? Linux is a UNIX-like, GPL-licensed open-source kernel. The GNU userland consists of libc, the init system (SystemD) X11 GUI toolkits etc. Ask the audience Who has used

442 views • 22 slides
. Kernel The Variability Model of the Linux Extra Conclusions Linux Study Introduction .

. Kernel The Variability Model of the Linux Extra Conclusions Linux Study Introduction .

. Krzysztof Czarnecki, Andrzej Wsowski The Variability Model of the Linux Kernel . . January 26, 2010 IT University of Copenhagen University of Leipzig University of Waterloo Steven She, Rafael Lotufo, Thorsten Berger, . Kernel The

928 views • 39 slides
Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux

Linux Kernel Security &amp; Hardening Thomas Lamprecht January 17, 2019 Introduction The Linux Kernel Widespread Deployed on: powerful (high performance compute clusters) sensitive (bank, gov. systems, ..) safety critical

995 views • 29 slides
Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

3/1/20 COMP 790: OS Implementation COMP 790: OS Implementation Logical Diagram Binary Memory Threads Formats Allocators User Todays Lecture Linux Kernel Synchronization System Calls Synchronization in Kernel the kernel RCU File

647 views • 8 slides
Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019

Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019

Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019 http://d3s.mff.cuni.cz CHARLES UNIVERSITY IN PRAGUE faculty of mathematjcs and physics faculty of mathematjcs and physics Vlastimil Babka vbabka@suse.cz

1.6k views • 62 slides
Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D.

Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D.

Normal and Exotic use cases of NUMA features in the Linux Kernel Christopher Lameter, Ph.D. cl@linux.com Collaboration Summit, Napa Valley, 2014 Non Uniform Memory access in the Linux Kernel Memory is segmented into nodes so that

518 views • 12 slides
Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January

Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January

Making C Less Dangerous in the Linux Kernel Kees Cook | @keescook LINUX.CONF.AU 21-25 January The Linux of Things | #LCA2019 | @linuxconfau 2019 Christchurch, NZ Making C Less Dangerous in the Linux Kernel Linux Conf AU January 25,

505 views • 29 slides
Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda

Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda

Linux Kernel Debugging Your kernel just oopsed - What do you do, hotshot? Muli Ben-Yehuda mulix@mulix.org IBM Haifa Research Lab Kernel Debugging, Haifux 2003 p.1/19 Kernel Debugging - Why? Why would we want to debug the kernel? after

308 views • 19 slides
service in Linux Kernel Vikas Shivappa (vikas.shivappa@linux.intel.com) 1 Agenda Problem

service in Linux Kernel Vikas Shivappa (vikas.shivappa@linux.intel.com) 1 Agenda Problem

Introduction to Cache Quality of service in Linux Kernel Vikas Shivappa (vikas.shivappa@linux.intel.com) 1 Agenda Problem definition Existing techniques Why use Kernel QOS framework Intel Cache qos support Kernel

1.5k views • 32 slides
Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2.

Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2.

Linux Device Drivers Linux Device Drivers Kernel 2.6 1. Introduction Dr. Wolfgang Koch 2. Kernel Modules Friedrich Schiller University Jena 3. Char Drivers Department of Mathematics and 4. Advanced Char Drivers Computer Science 5.

531 views • 12 slides
CS 423 Operating System Design: Introduction to Linux Kernel Programming (MP1 Q&amp;A)

CS 423 Operating System Design: Introduction to Linux Kernel Programming (MP1 Q&amp;A)

CS 423 Operating System Design: Introduction to Linux Kernel Programming (MP1 Q&amp;A) Alberto Alvarez CS423: Operating Systems Design MP1 Goals Get yourself familiar with Linux kernel programming Learn to use the kernels linked

451 views • 32 slides
Memory Barriers in the Linux Kernel Semantics and Practices Embedded Linux Conference April

Memory Barriers in the Linux Kernel Semantics and Practices Embedded Linux Conference April

Memory Barriers in the Linux Kernel Semantics and Practices Embedded Linux Conference April 2016. San Diego, CA. Davidlohr Bueso &lt;dave@stgolabs.net&gt; SUSE Labs. Agenda 1. Introduction Reordering Examples Underlying need for

773 views • 54 slides
Assembly Programming on Linux Assembly Programming on Linux Necessity OS Kernel Development

Assembly Programming on Linux Assembly Programming on Linux Necessity OS Kernel Development

Assembly Programming on Linux Assembly Programming on Linux Necessity OS Kernel Development 80x86 Sparc Alpha Some device drivers SCSI Controller Video Card Network Card Others that has ROM on board .. Compiler/Interpreter/Cross

282 views • 11 slides
CS533 Concepts of Operating Systems Linux Kernel Locking Techniques Intro to kernel locking

CS533 Concepts of Operating Systems Linux Kernel Locking Techniques Intro to kernel locking

CS533 Concepts of Operating Systems Linux Kernel Locking Techniques Intro to kernel locking techniques (Linux) Why do we need locking in the kernel? o Which problems are we trying to solve? What implementation choices do we have? o Is

407 views • 30 slides
Coccinelle: 10 Years of Automated Evolution in the Linux Kernel Julia Lawall (Inria-Whisper team,

Coccinelle: 10 Years of Automated Evolution in the Linux Kernel Julia Lawall (Inria-Whisper team,

Coccinelle: 10 Years of Automated Evolution in the Linux Kernel Julia Lawall (Inria-Whisper team, Julia.Lawall@inria.fr) March 2, 2020 1 Our focus: The Linux kernel Open source OS kernel, developed by Linus Torvalds First released in

460 views • 44 slides
Introduction to Linux Kernel Some History . .

Introduction to Linux Kernel Some History . .

Introduction to Linux Kernel Some History . . Created by Linus Torvalds in 1991 Information Systems 21 year old Engineering Laboratory (ISEL) University of Helsinki,

572 views • 7 slides
Linux Kernel Evolution vs OpenAFS Marc Dionne Edinburgh - 2012 The stage Linux is widely

Linux Kernel Evolution vs OpenAFS Marc Dionne Edinburgh - 2012 The stage Linux is widely

Linux Kernel Evolution vs OpenAFS Marc Dionne Edinburgh - 2012 The stage Linux is widely deployed as an OpenAFS client platform Many large OpenAFS sites rely heavily on Linux on both servers and clients The OpenAFS Linux client

681 views • 30 slides
Exploring Linux Kernel Source Code with Eclipse and QTCreator Marcin Bis 2016.10.12 ELCE 2016,

Exploring Linux Kernel Source Code with Eclipse and QTCreator Marcin Bis 2016.10.12 ELCE 2016,

Exploring Linux Kernel Source Code with Eclipse and QTCreator Marcin Bis 2016.10.12 ELCE 2016, Berlin Marcin Bis marcin@bis-linux.com +48 607 075 848 Training ( http://bis-linux.com ): Embedded Linux Yocto Linux Device Drivers Development

770 views • 50 slides
SPINFER: Inferring Semantic Patches for the Linux Kernel Lucas Serrano , Van-Anh Nguyen , Ferdian

SPINFER: Inferring Semantic Patches for the Linux Kernel Lucas Serrano , Van-Anh Nguyen , Ferdian

SPINFER: Inferring Semantic Patches for the Linux Kernel Lucas Serrano , Van-Anh Nguyen , Ferdian Thung Lingxiao Jiang , David Lo , Julia Lawall , Gilles Muller 1 Maintenance of the Linux kernel Maintenance tasks are very common in all software

937 views • 51 slides

More recommend