Exploitation Analysis and Reproduction of the Linux Kernel Bluetooth Protocol Stack Vulnerabilities (BleedingTooth)

Published 2021-04-16

Vulnerability overview


In October 2020, Google security researchers disclosed three vulnerabilities in the Linux kernel Bluetooth protocol stack that can lead to remote code execution, collectively known as BleedingTooth. Of the three, one is a heap overflow, CVE-2020-24490; another is a type confusion, CVE-2020-12351; and the last is an information leak, CVE-2020-12352. Recently, the Google researchers also published the details of an exploit that chains CVE-2020-12351 with CVE-2020-12352 and achieves zero-click remote code execution over Bluetooth 4.0.


Vulnerability analysis


CVE-2020-12351


This vulnerability lives in net/bluetooth/l2cap_core.c. l2cap_recv_frame() is the function that parses and handles L2CAP protocol packets. Its implementation is shown below:


1.png


It reads the channel identifier cid and the L2CAP packet length len, as shown below:


2.png


Depending on the channel cid, the packet is dispatched to a different handler; for the case of interest it enters l2cap_data_channel(), shown below:


3.png


First, the channel chan is looked up by cid. If no channel is found, the code checks whether cid equals L2CAP_CID_A2MP, and if so calls a2mp_channel_create() to create a new channel chan. a2mp_channel_create() is implemented as follows:


4.png


It calls amp_mgr_create() to create mgr. Inside amp_mgr_create(), the code is as follows:


5.png


It calls a2mp_chan_open() to create the channel chan; this function initializes part of the channel's fields, as shown below:


6.png


For example, chan->mode is initialized to L2CAP_MODE_ERTM, and chan->data is set to mgr, whose type is struct amp_mgr. Once the A2MP channel has been created, control returns to l2cap_data_channel(), where the code continues as follows:


7.png


Depending on chan->mode, a different data-handling path is taken; when the mode is L2CAP_MODE_ERTM or L2CAP_MODE_STREAMING, the packet enters l2cap_data_rcv(), shown below:


8.png


In this if condition, sk_filter() is called with chan->data as its first argument. sk_filter() is declared as follows:


9.png


Its first parameter is of type struct sock, whereas chan->data points to a struct amp_mgr, which produces the type confusion.
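As an added illustration (this is not code from the article or from the Linux kernel), the following C model contrasts the unconditional cast that produces the confusion with the per-channel-type callback that the upstream fix introduced, where only socket-backed channels supply a filter and an A2MP channel supplies none. The struct layouts are simplified assumptions; only the figures the article gives (sk_filter at offset 0x110 in struct sock, a 0x70-byte struct amp_mgr) are preserved, and the names sk_filter_run, rcv_vulnerable and rcv_fixed are hypothetical.

```c
/* Added example, not code from the article or from the Linux kernel. It models
 * the two shapes of l2cap_data_channel()'s filter step: the vulnerable one,
 * which casts chan->data to struct sock for every channel, and the hardened
 * one, which dispatches through a per-channel-type ops table so that an A2MP
 * channel (whose data is a struct amp_mgr) never reaches sk_filter().
 * Struct layouts are simplified assumptions; only the sizes the article gives
 * (sk_filter at offset 0x110 in struct sock, struct amp_mgr of 0x70 bytes) are kept. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct sk_buff { size_t len; };

/* Stand-in for struct sock: the filter pointer sits at offset 0x110 (assumption). */
struct sock {
    uint8_t opaque[0x110];
    int (*sk_filter_run)(struct sk_buff *skb);
};

/* Stand-in for struct amp_mgr: 0x70 bytes and no filter field at all. */
struct amp_mgr {
    uint8_t opaque[0x70];
};

struct l2cap_chan;

/* Per-channel-type operations, modelled on the upstream fix: only socket-backed
 * channels supply a filter callback; A2MP channels leave it NULL. */
struct l2cap_ops {
    const char *name;
    int (*filter)(struct l2cap_chan *chan, struct sk_buff *skb);
};

struct l2cap_chan {
    void *data;                  /* struct sock * or struct amp_mgr *, by channel type */
    const struct l2cap_ops *ops;
};

static int sock_filter(struct l2cap_chan *chan, struct sk_buff *skb)
{
    struct sock *sk = chan->data;   /* safe: this ops table is only attached to sockets */
    return sk->sk_filter_run ? sk->sk_filter_run(skb) : 0;
}

static const struct l2cap_ops l2cap_sock_ops = { "socket", sock_filter };
static const struct l2cap_ops a2mp_chan_ops  = { "a2mp", NULL };

/* Vulnerable shape: chan->data is treated as struct sock no matter what it is.
 * Instead of performing the read, this model reports when it would land
 * outside the real object. Returns -1 for an out-of-object read, else the verdict. */
static int rcv_vulnerable(struct l2cap_chan *chan, struct sk_buff *skb, size_t data_size)
{
    size_t off = offsetof(struct sock, sk_filter_run);
    if (off + sizeof(void *) > data_size)
        return -1;               /* sk->sk_filter lies 0x110 into a 0x70-byte amp_mgr */
    return sock_filter(chan, skb);
}

/* Hardened shape: ask the channel's own ops whether there is anything to filter. */
static int rcv_fixed(struct l2cap_chan *chan, struct sk_buff *skb)
{
    if (chan->ops->filter)
        return chan->ops->filter(chan, skb);
    return 0;                    /* A2MP and other non-socket channels: no filter */
}

static int drop_all(struct sk_buff *skb) { (void)skb; return 1; }

/* 1 if the vulnerable path would read past an amp_mgr object, 0 otherwise. */
int demo_a2mp_vulnerable(void)
{
    struct amp_mgr mgr;
    struct sk_buff skb = { 4 };
    struct l2cap_chan chan = { &mgr, &a2mp_chan_ops };
    memset(&mgr, 0, sizeof mgr);
    return rcv_vulnerable(&chan, &skb, sizeof mgr) == -1;
}

/* Verdict of the hardened path: 0 for an A2MP channel, the socket filter's
 * result (1 = drop, from drop_all) for a socket-backed channel. */
int demo_fixed(int socket_backed)
{
    struct sock sk;
    struct amp_mgr mgr;
    struct sk_buff skb = { 4 };
    struct l2cap_chan chan;
    memset(&sk, 0, sizeof sk);
    memset(&mgr, 0, sizeof mgr);
    sk.sk_filter_run = drop_all;
    chan.data = socket_backed ? (void *)&sk : (void *)&mgr;
    chan.ops  = socket_backed ? &l2cap_sock_ops : &a2mp_chan_ops;
    return rcv_fixed(&chan, &skb);
}

int main(void)
{
    printf("sk_filter offset: 0x%zx, amp_mgr size: 0x%zx\n",
           offsetof(struct sock, sk_filter_run), sizeof(struct amp_mgr));
    printf("vulnerable path reads outside amp_mgr: %d\n", demo_a2mp_vulnerable());
    printf("fixed path, a2mp channel: %d; socket channel: %d\n", demo_fixed(0), demo_fixed(1));
    return 0;
}
```

The point of the ops table is that the decision "does this channel have a socket filter?" is made by the code that created the channel, not by the receive path guessing the type of chan->data; that is the same shape as the kernel's fix, which added a filter callback to l2cap_ops and implemented it only for socket-backed channels.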


CVE-2020-12352


This vulnerability is in the A2MP protocol handling, in net/bluetooth/a2mp.c. Several functions there use structures that are never fully initialized and send their contents out in a response, leaking memory from the kernel stack. The principle is simple; take a2mp_getinfo_req(), which is called to answer a getinfo request, as an example:


10.png


At line 304, hdev is obtained from req->id. If there is no such hdev, or hdev->type is not HCI_AMP, the if branch is taken and a variable rsp of type struct a2mp_info_rsp is declared. The structure is defined as follows:


11.png


Only rsp.id and rsp.status are assigned; the remaining fields are neither used nor initialized, so 16 bytes of stale data can leak. a2mp_send() then transmits the response packet, carrying that memory out.
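To make the 16-byte figure concrete, here is an added C model (not code from the article or from the kernel) of a2mp_getinfo_req() building its response. The 18-byte field layout is the one from net/bluetooth/a2mp.h, and the A2MP_STATUS_INVALID_CTRL_ID value is taken from the same header; the "stale stack memory" is a caller-provided buffer pre-filled with a recognisable pattern so the result is deterministic, and build_rsp_leaky, build_rsp_fixed and leaked_bytes are hypothetical names.

```c
/* Added example, not code from the article or from the Linux kernel. It models
 * a2mp_getinfo_req() filling a struct a2mp_info_rsp on the stack: the leaky
 * version sets only id and status, the fixed version zeroes the whole struct
 * first (the upstream fix memsets rsp). The 18-byte field layout follows
 * net/bluetooth/a2mp.h; the "stale stack memory" is a caller-provided buffer
 * filled with a recognisable pattern so the result is deterministic. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define A2MP_STATUS_INVALID_CTRL_ID 0x01   /* value as defined in a2mp.h */

struct a2mp_info_rsp {
    uint8_t  id;
    uint8_t  status;
    uint32_t total_bw;
    uint32_t max_bw;
    uint32_t min_latency;
    uint16_t pal_cap;
    uint16_t assoc_size;
} __attribute__((packed));

#define RSP_LEN sizeof(struct a2mp_info_rsp)   /* 18 bytes */

/* Byte i of the constructed "stale" pattern left behind by earlier calls. */
static uint8_t stale_byte(size_t i) { return (uint8_t)(0xA0 + (i & 0x0F)); }

/* Leaky shape: only two fields are written; the other 16 bytes keep old contents. */
static void build_rsp_leaky(uint8_t *stack, uint8_t id)
{
    struct a2mp_info_rsp *rsp = (struct a2mp_info_rsp *)stack;
    rsp->id = id;
    rsp->status = A2MP_STATUS_INVALID_CTRL_ID;
}

/* Fixed shape: clear the whole response before filling in fields. */
static void build_rsp_fixed(uint8_t *stack, uint8_t id)
{
    struct a2mp_info_rsp *rsp = (struct a2mp_info_rsp *)stack;
    memset(rsp, 0, sizeof(*rsp));
    rsp->id = id;
    rsp->status = A2MP_STATUS_INVALID_CTRL_ID;
}

/* Build a response on a pre-polluted buffer and count how many of its bytes
 * still carry the stale pattern, i.e. would leave the kernel in a2mp_send(). */
size_t leaked_bytes(int fixed)
{
    uint8_t stack[RSP_LEN];
    size_t i, n = 0;
    for (i = 0; i < RSP_LEN; i++)
        stack[i] = stale_byte(i);
    if (fixed)
        build_rsp_fixed(stack, 0x42);
    else
        build_rsp_leaky(stack, 0x42);
    for (i = 0; i < RSP_LEN; i++)
        if (stack[i] == stale_byte(i))
            n++;
    return n;
}

int main(void)
{
    printf("sizeof(struct a2mp_info_rsp) = %zu\n", RSP_LEN);
    printf("leaked bytes, unpatched: %zu\n", leaked_bytes(0));
    printf("leaked bytes, patched:   %zu\n", leaked_bytes(1));
    return 0;
}
```

The same pattern (a partially assigned struct handed to a send routine) is what the other leaky functions in a2mp.c share, which is why the fix is the same memset in each of them rather than anything specific to getinfo.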


CVE-2020-24490


This vulnerability can only be triggered with Bluetooth 5.0. Before Bluetooth 5.0, the maximum length of HCI advertising data was 0x1F, with 0x20 to 0xFF reserved, as shown below:


12.png


In Bluetooth 5.0 that length was extended to a maximum of 229 bytes, as shown below:


13.png


The vulnerable code is in net/bluetooth/hci_event.c. When handling the HCI_LE_Extended_Advertising_Report event, the maximum advertising data length is never checked, so the subsequent copy of the advertising Data overflows. The call chain is as follows:


14.png


process_adv_report() handles the advertising data and copies it into the record of the discovered device, as shown below:


15.png


It calls store_pending_adv_report(), which performs the copy of the advertising data, as shown below:


16.png


The discovery_state structure is defined as follows:


17.png


last_adv_data has size HCI_MAX_AD_LENGTH, i.e. 31 bytes, so the memcpy overflows when the report carries more than that.
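As an added example (not code from the article or from the Linux kernel), the following C model shows the copy in store_pending_adv_report() with the bound that CVE-2020-24490 lacked. HCI_MAX_AD_LENGTH (31) is the kernel's value and 229 is the Bluetooth 5.0 maximum the article quotes; the report format parsed here ([len][data...]) is a simplification of the real HCI event, the canary field after the buffer is added to show where an overflow would land, and process_ext_adv_report and run_report are hypothetical names.

```c
/* Added example, not code from the article or from the Linux kernel. It models
 * the copy in store_pending_adv_report() with the length check that
 * CVE-2020-24490 lacked. HCI_MAX_AD_LENGTH (31) is the kernel's value and 229
 * is the Bluetooth 5.0 maximum the article quotes; the report format parsed
 * here ([len][data...]) is a simplification of the real HCI event, and the
 * canary after the buffer is added to show where an overflow would land. */
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HCI_MAX_AD_LENGTH     31
#define LE_EXT_ADV_MAX_LENGTH 229

struct discovery_state {
    uint8_t last_adv_data[HCI_MAX_AD_LENGTH];
    uint8_t last_adv_data_len;
    uint8_t canary[8];   /* sentinel: overwritten only if memcpy runs past last_adv_data */
};

/* Hardened copy: drop reports whose data would not fit. 0 = stored, -1 = dropped. */
int store_pending_adv_report(struct discovery_state *d, const uint8_t *data, size_t len)
{
    if (len > HCI_MAX_AD_LENGTH)          /* the bound the vulnerable code did not enforce */
        return -1;
    memcpy(d->last_adv_data, data, len);
    d->last_adv_data_len = (uint8_t)len;
    return 0;
}

/* Parse one simplified extended advertising report and hand its data to the store.
 * Also rejects a report whose declared length exceeds the bytes actually received. */
int process_ext_adv_report(struct discovery_state *d, const uint8_t *evt, size_t evt_len)
{
    size_t data_len;
    if (evt_len < 1)
        return -1;
    data_len = evt[0];
    if (data_len > evt_len - 1)
        return -1;
    return store_pending_adv_report(d, evt + 1, data_len);
}

/* Construct a report carrying `len` bytes of 0x41 and process it into a fresh
 * discovery_state. Returns 0 if stored, -1 if dropped, and 1 if the canary was
 * clobbered (which the hardened copy must never produce); -2 if len is outside
 * the constructed test range. */
int run_report(size_t len)
{
    uint8_t evt[1 + LE_EXT_ADV_MAX_LENGTH];
    struct discovery_state d;
    size_t i;
    int rc;
    if (len > LE_EXT_ADV_MAX_LENGTH)
        return -2;
    memset(&d, 0, sizeof d);
    memset(d.canary, 0xEE, sizeof d.canary);
    evt[0] = (uint8_t)len;
    memset(evt + 1, 0x41, len);
    rc = process_ext_adv_report(&d, evt, 1 + len);
    for (i = 0; i < sizeof d.canary; i++)
        if (d.canary[i] != 0xEE)
            return 1;
    return rc;
}

int main(void)
{
    printf("31-byte report:  rc=%d\n", run_report(HCI_MAX_AD_LENGTH));
    printf("32-byte report:  rc=%d\n", run_report(HCI_MAX_AD_LENGTH + 1));
    printf("229-byte report: rc=%d\n", run_report(LE_EXT_ADV_MAX_LENGTH));
    return 0;
}
```

Two checks are needed rather than one: the declared length must fit the receive buffer it is copied into (the fix for this bug), and it must also not exceed the bytes actually present in the event, otherwise the copy reads past the end of the incoming packet instead of writing past the end of the destination.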


Exploitation analysis and reproduction


Controlling the execution flow


As analyzed above, the CVE-2020-12351 type confusion occurs in sk_filter(). sk_filter() calls sk_filter_trim_cap(), which is implemented as follows:


18.png


The function's first parameter is sk, of type struct sock; the checks this code performs on sk and skb are easy to satisfy. The key code that follows is shown below:


19.png


Line 113 dereferences sk->sk_filter; if a filter pointer is obtained, execution continues at line 115. Line 119 calls bpf_prog_run_save_cb() with filter->prog and skb as arguments. That function is implemented as follows:


20.png


Then, at line 676, __bpf_prog_run_save_cb() is called. Its implementation is as follows:


21.png


Next, line 662 invokes BPF_PROG_RUN(prog, skb), which is defined as a macro. Its implementation is shown below:


22.png


Following the calls down, the code in the red box is eventually reached. Simplified, the whole call chain is:

sk->sk_filter->prog->bpf_func(skb, sk->sk_filter->prog->insnsi). Therefore, whoever controls sk->sk_filter controls the execution flow.


Heap spray placement


sk_filter()'s first parameter is a struct sock, but the object actually passed is a struct amp_mgr, so one can spray 128-byte heap blocks to occupy that slab and forge amp_mgr objects. There is a complication: sk->sk_filter is at offset 0x110 within struct sock, while struct amp_mgr is only 0x70 bytes, so the offset lies outside the object. To solve this, the following heap layout can be used:


23.png


struct amp_mgr is allocated from the kmalloc-128 slab. Counting from the block holding the amp_mgr, offset 0x110 lands at offset 0x10 of the third block; if that block is a forged amp_mgr whose offset 0x10 is filled in as an sk_filter pointer, the dereference of sk->sk_filter is satisfied with controlled data.


Laying out the payload


After the heap spray has placed the objects that control the execution flow, the next step is to lay out the attack payload. 1024-byte heap blocks can be sprayed to forge l2cap_chan objects: the structure is 792 bytes, which falls into the kmalloc-1024 slab, and since the A2MP channel is itself an L2CAP channel, freeing the A2MP channel also frees the L2CAP channel, which makes the allocations convenient to manipulate. The final layout is shown below:


24.png


Leaking the l2cap_chan object address


After the heap spray and a series of create/free operations on l2cap_chan channels, there may be an l2cap_chan pointer to a kmalloc-1024 block left on the kernel stack, and CVE-2020-12352 can be used to leak such a kernel address, as shown in the red box below:


25.png


Subtracting an offset of 0x110 from that kernel address gives the address of an l2cap_chan object. This can be cross-checked against the memory of the amp_mgr structure, since offset 0x18 of amp_mgr holds the l2cap_chan pointer, as shown in the red box below:


26.png


Once the l2cap_chan object address has been leaked, the data field at offset 0x10 of the amp_mgr structure is filled in.


Reproduction test


We reproduced the exploit on Ubuntu with kernel 5.4.0-26-generic; the execution is shown below:


27.png


A root reverse shell was obtained, as shown below:


28.png


References:

[1] https://google.github.io/security-research/pocs/linux/bleedingtooth/writeup

[2] https://github.com/google/security-research/security/advisories/GHSA-ccx2-w2r4-x649

[3] https://github.com/google/security-research/security/advisories/GHSA-7mh3-gq28-gfrq

[4] https://github.com/google/security-research/security/advisories/GHSA-h637-c88j-47wq


Active Defense Lab (ADLab)


ADLab was founded in 1999 and is one of the earliest offensive and defensive security research labs in China's security industry, a core member of the Microsoft MAPP program, and the first to propose the "黑雀攻击" (black sparrow attack) concept. To date, ADLab has published nearly 1100 security vulnerabilities through CVE and more than 1000 through CNVD/CNNVD, maintaining a first-class standing in the international cybersecurity field. The lab's research covers operating system and application security, smart terminal security, IoT smart device security, web security, industrial control system security, and cloud security. Its results are applied to core product technology research, national key science and technology projects, and professional security services.


adlab.jpg