понедельник, 11 октября 2021 г.

BPF iterators

Sure I could not get past the hype topic of BPF (overvalued mechanism to allow you just run your buggy code in kernel with low performance and lots of overhead). For access of some kernel data they add so called iterators - and maybe you even can write your own and register it with bpf_iter_reg_target (spoiler: you can`t, bcs this function is not exported. Welcome to wonderful world of open-source with unexplained and unreasonable restrictions). I was curious what BPF iterators are in the system - they stored iterators in list targets synchronized with mutex targets_mutex. It would seem what could go wrong? 

grep " targets" System.map-5.11.0-37-generic
ffffffff820ff8e0 r targets
ffffffff826e1240 d targets_mutex
ffffffff826e1260 d targets
ffffffff8277a5c0 d targets
ffffffff8286b2e8 d targets_supported

In this case, we are dealing with another mechanism for hiding information in linux kernel - using of non-unique names. I was not even lazy and wrote a script to count such names - 998 names. Top 5:

_acpi_module_name: 155
cpumask_weight.constprop.0: 47
kzalloc.constprop.0: 39
get_order: 32
kmalloc_array.constprop.0: 28

As usual the disassembler rushes to the rescue
We can make simple two-state FSM
  1. wait for mutex_lock call
  2. access to memory in .data gives us right address
Results:

sudo ./lkmem -d -c -t ~/krnl/curr ~/krnl/System.map-5.11.0-37-generic
bpf_iter_reg at 0xffffffff859be700: 11
 [0] feature 0 at 0xffffffff85af86e0 - kernel!bpf_sk_storage_map_reg_info
   attach_target: 0xffffffff84c2a430 - kernel!bpf_iter_attach_map
   detach_target: 0xffffffff84c2a410 - kernel!bpf_iter_detach_map
   show_fdinfo: 0xffffffff8440dee0 - kernel!bpf_iter_map_show_fdinfo
   fill_link_info: 0xffffffff8440dec0 - kernel!bpf_iter_map_fill_link_info
 [1] feature 0 at 0xffffffff85af7620 - kernel!sock_map_iter_reg
   attach_target: 0xffffffff84c14fc0 - kernel!sock_map_iter_attach_target
   detach_target: 0xffffffff84c14fa0 - kernel!sock_map_iter_detach_target
   show_fdinfo: 0xffffffff8440dee0 - kernel!bpf_iter_map_show_fdinfo
   fill_link_info: 0xffffffff8440dec0 - kernel!bpf_iter_map_fill_link_info
 [2] feature 0 at 0xffffffff859be840 - kernel!bpf_prog_reg_info
 [3] feature 1 at 0xffffffff859be780 - kernel!task_file_reg_info
 [4] feature 1 at 0xffffffff859be7e0 - kernel!task_reg_info
 [5] feature 0 at 0xffffffff85236420 - kernel!bpf_map_elem_reg_info
   attach_target: 0xffffffff8440e060 - kernel!bpf_iter_attach_map
   detach_target: 0xffffffff8440df10 - kernel!bpf_iter_detach_map
   show_fdinfo: 0xffffffff8440dee0 - kernel!bpf_iter_map_show_fdinfo
   fill_link_info: 0xffffffff8440dec0 - kernel!bpf_iter_map_fill_link_info
 [6] feature 0 at 0xffffffff859be720 - kernel!bpf_map_reg_info
 [7] feature 0 at 0xffffffff85afe7e0 - kernel!ipv6_route_reg_info
 [8] feature 0 at 0xffffffff85afa300 - kernel!udp_reg_info
 [9] feature 0 at 0xffffffff85af9cc0 - kernel!tcp_reg_info
 [10] feature 0 at 0xffffffff85af8bc0 - kernel!netlink_reg_info

Комментариев нет:

Отправить комментарий