
最佳的网络营销策划是_软件开发流程管理系统_网络营销应用方式_英雄联盟韩国


kernel pwn 中,我们知道 pipe_buffer 数组(管道的 bufs 环)默认占据的是 kmalloc-1k。

但是很多时候,我们能操作的是 kmalloc-64、kmalloc-512 这类大小的对象。当然,可以通过把 msg_msg 的 next 指针指向 kmalloc-32、kmalloc-1k 中的对象来泄露 kbase,但这样无法很好地提权。

这里展示修改 pipe_buffer 数组大小(进而改变它落在哪个 kmalloc cache)的方法。

/*
 * One slot of a pipe's ring.  The ring itself is an array of these
 * (pipe->bufs), allocated as nr_slots * sizeof(struct pipe_buffer) by
 * pipe_resize_ring() below; on a 64-bit kernel sizeof is 0x28
 * (flags is followed by 4 bytes of padding before private).
 */
struct pipe_buffer {
	struct page *page;
	unsigned int offset, len;
	const struct pipe_buf_operations *ops;
	unsigned int flags;
	unsigned long private;
};

这是 pipe_buffer 结构体,在 64 位内核下大小为 0x28。

SYSCALL-fcntl -> do_fcntl() -> pipe_fcntl() -> pipe_set_size() -> pipe_resize_ring() 

具体修改pipe_buffer的调用链是这样的。

/*
 * fcntl64 system call entry.  Only the 64-bit lock commands are handled
 * inline; everything else -- including F_SETPIPE_SZ, the command this page
 * follows -- takes the default arm into do_fcntl(), and from there
 * pipe_fcntl() -> pipe_set_size() as the call chain above shows.
 *
 * Checks that run before any command is dispatched:
 *  - fdget_raw(): an invalid fd yields -EBADF;
 *  - FMODE_PATH descriptors are limited to the commands that
 *    check_fcntl_cmd() allows;
 *  - security_file_fcntl(): the LSM hook, so a loaded security module can
 *    veto or audit the command before it runs.
 */
SYSCALL_DEFINE3(fcntl64, unsigned int, fd, unsigned int, cmd,
		unsigned long, arg)
{
	void __user *argp = (void __user *)arg;
	struct fd f = fdget_raw(fd);
	struct flock64 flock;
	long err = -EBADF;	/* result if the fd does not resolve to a file */

	if (!f.file)
		goto out;

	if (unlikely(f.file->f_mode & FMODE_PATH)) {
		if (!check_fcntl_cmd(cmd))
			goto out1;
	}

	/* LSM hook: runs for every command, before dispatch */
	err = security_file_fcntl(f.file, cmd, arg);
	if (err)
		goto out1;

	switch (cmd) {
	case F_GETLK64:
	case F_OFD_GETLK:
		/* flock is copied in, queried, and copied back to user space */
		err = -EFAULT;
		if (copy_from_user(&flock, argp, sizeof(flock)))
			break;
		err = fcntl_getlk64(f.file, cmd, &flock);
		if (!err && copy_to_user(argp, &flock, sizeof(flock)))
			err = -EFAULT;
		break;
	case F_SETLK64:
	case F_SETLKW64:
	case F_OFD_SETLK:
	case F_OFD_SETLKW:
		err = -EFAULT;
		if (copy_from_user(&flock, argp, sizeof(flock)))
			break;
		err = fcntl_setlk64(fd, f.file, cmd, &flock);
		break;
	default:
		/* F_SETPIPE_SZ and all other commands end up here */
		err = do_fcntl(fd, cmd, arg, f.file);
		break;
	}
out1:
	fdput(f);	/* drop the reference taken by fdget_raw() */
out:
	return err;
}
/*
 * Resize a pipe's ring to hold @arg bytes (after round_pipe_size()).
 * Returns the new capacity in bytes on success, or a negative errno.
 *
 * Where the privilege checks sit, which is what makes the page's
 * technique work from an unprivileged process:
 *  - capable(CAP_SYS_RESOURCE) is only required when growing past
 *    pipe->max_usage AND the requested size exceeds pipe_max_size
 *    (the fs.pipe-max-size sysctl);
 *  - the per-user soft/hard page limits are only consulted when growing
 *    past pipe->max_usage, and only for an unprivileged user;
 *  - shrinking, or growing within those limits, needs no privilege.
 * The bufs array itself is reallocated by pipe_resize_ring().
 */
static long pipe_set_size(struct pipe_inode_info *pipe, unsigned long arg)
{
	unsigned long user_bufs;
	unsigned int nr_slots, size;
	long ret = 0;

#ifdef CONFIG_WATCH_QUEUE
	if (pipe->watch_queue)
		return -EBUSY;
#endif

	/* slot count is the rounded byte size in pages; zero is rejected */
	size = round_pipe_size(arg);
	nr_slots = size >> PAGE_SHIFT;
	if (!nr_slots)
		return -EINVAL;

	/*
	 * If trying to increase the pipe capacity, check that an
	 * unprivileged user is not trying to exceed various limits
	 * (soft limit check here, hard limit check just below).
	 * Decreasing the pipe capacity is always permitted, even
	 * if the user is currently over a limit.
	 */
	if (nr_slots > pipe->max_usage &&
	    size > pipe_max_size && !capable(CAP_SYS_RESOURCE))
		return -EPERM;

	/* charge the new slot count to the owning user up front; undone on failure */
	user_bufs = account_pipe_buffers(pipe->user, pipe->nr_accounted, nr_slots);

	if (nr_slots > pipe->max_usage &&
	    (too_many_pipe_buffers_hard(user_bufs) ||
	     too_many_pipe_buffers_soft(user_bufs)) &&
	    pipe_is_unprivileged_user()) {
		ret = -EPERM;
		goto out_revert_acct;
	}

	ret = pipe_resize_ring(pipe, nr_slots);
	if (ret < 0)
		goto out_revert_acct;

	pipe->max_usage = nr_slots;
	pipe->nr_accounted = nr_slots;
	return pipe->max_usage * PAGE_SIZE;	/* new capacity in bytes */

out_revert_acct:
	/* same call with old/new swapped: give the charge back */
	(void) account_pipe_buffers(pipe->user, nr_slots, pipe->nr_accounted);
	return ret;
}

其中 nr_slots 就是一个 object(bufs 数组)中包含的 pipe_buffer 的数量。

PAGE_SHIFT 表示页大小的位移量,就是 12,所以就相当于 nr_slots = size / 0x1000。

/*
 * Replace the pipe's bufs array with one of @nr_slots entries, preserving
 * any occupied slots.  Returns 0, -EBUSY if the ring currently holds more
 * than @nr_slots buffers, or -ENOMEM.
 *
 * The allocation is nr_slots * sizeof(struct pipe_buffer) from the generic
 * kmalloc caches, so the caller-chosen slot count decides which size class
 * the array lands in (the prose below works through
 * 8 * 0x28 == 0x140 -> kmalloc-512).  The old array is freed only after the
 * new one has been allocated and filled.
 */
int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots)
{
	struct pipe_buffer *bufs;
	unsigned int head, tail, mask, n;

	/*
	 * We can shrink the pipe, if arg is greater than the ring occupancy.
	 * Since we don't expect a lot of shrink+grow operations, just free and
	 * allocate again like we would do for growing.  If the pipe currently
	 * contains more buffers than arg, then return busy.
	 */
	mask = pipe->ring_size - 1;	/* index mask; relies on ring_size being a power of two */
	head = pipe->head;
	tail = pipe->tail;
	n = pipe_occupancy(pipe->head, pipe->tail);
	if (nr_slots < n)
		return -EBUSY;

	/* zero-filled; GFP_KERNEL_ACCOUNT makes it memcg-accounted */
	bufs = kcalloc(nr_slots, sizeof(*bufs),
		       GFP_KERNEL_ACCOUNT | __GFP_NOWARN);
	if (unlikely(!bufs))
		return -ENOMEM;

	/*
	 * The pipe array wraps around, so just start the new one at zero
	 * and adjust the indices.
	 */
	if (n > 0) {
		unsigned int h = head & mask;
		unsigned int t = tail & mask;
		if (h > t) {
			/* occupied region [t, h) is contiguous in the old array */
			memcpy(bufs, pipe->bufs + t,
			       n * sizeof(struct pipe_buffer));
		} else {
			/* occupied region wraps: [t, ring_size) then [0, h) */
			unsigned int tsize = pipe->ring_size - t;
			if (h > 0)
				memcpy(bufs + tsize, pipe->bufs,
				       h * sizeof(struct pipe_buffer));
			memcpy(bufs, pipe->bufs + t,
			       tsize * sizeof(struct pipe_buffer));
		}
	}

	/* new ring starts at index 0 with the n copied entries */
	head = n;
	tail = 0;

	kfree(pipe->bufs);	/* old array released only now */
	pipe->bufs = bufs;
	pipe->ring_size = nr_slots;
	if (pipe->max_usage > nr_slots)
		pipe->max_usage = nr_slots;	/* never advertise more slots than exist */
	pipe->tail = tail;
	pipe->head = head;

	/* This might have made more room for writers */
	wake_up_interruptible(&pipe->wr_wait);
	return 0;
}

这里可以看到,resize 的时候,会先用 kcalloc 分配新的 bufs 数组,把已有的 pipe_buffer 拷过去,然后再 kfree 原来的 bufs。

 /*
  * Resize the pipe's ring through its write end.  The request goes
  * fcntl -> do_fcntl() -> pipe_fcntl() -> pipe_set_size(): 0x8000 >> PAGE_SHIFT
  * gives nr_slots == 8 (assuming round_pipe_size() leaves a page-multiple,
  * power-of-two size unchanged -- confirm against its definition), so
  * pipe_resize_ring() does kcalloc(8, 0x28) == 0x140 bytes, which lands in
  * kmalloc-512.  As pipe_set_size() shows, no capability is required unless
  * the size exceeds pipe_max_size or the per-user page limits while growing.
  */
 fcntl(pipes[i][1], F_SETPIPE_SZ, 0x8000);

具体调用可以像这样:0x8000 >> PAGE_SHIFT == 8 个 slot,分配到的大小就是 8 * 0x28 == 0x140,落在 kmalloc-512。

