Add kernelCTF CVE-2023-31248_mitigation

pocs/linux/kernelctf/CVE-2023-31248_mitigation/docs/exploit.md

@@ -0,0 +1,137 @@
+# Overview
+
+In in nftables, three functions, `nft_chain_lookup()`, `nft_chain_lookup_byhandle()`, and `nft_chain_lookup_byid()`, are used to lookup a chain.
+
+```c
+static struct nft_chain *nft_chain_lookup(struct net *net,
+					  struct nft_table *table,
+					  const struct nlattr *nla, u8 genmask)
+{
+	...
+
+	rhl_for_each_entry_rcu(chain, tmp, list, rhlhead) {
+		if (nft_active_genmask(chain, genmask))
+			goto out_unlock;
+	}
+	chain = ERR_PTR(-ENOENT);
+out_unlock:
+	rcu_read_unlock();
+	return chain;
+}
+```
+
+```c
+static struct nft_chain *nft_chain_lookup_byid(const struct net *net,
+					       const struct nft_table *table,
+					       const struct nlattr *nla)
+{
+	struct nftables_pernet *nft_net = nft_pernet(net);
+	u32 id = ntohl(nla_get_be32(nla));
+	struct nft_trans *trans;
+
+	list_for_each_entry(trans, &nft_net->commit_list, list) {
+		struct nft_chain *chain = trans->ctx.chain;
+
+		if (trans->msg_type == NFT_MSG_NEWCHAIN &&
+		    chain->table == table &&
+		    id == nft_trans_chain_id(trans))
+			return chain;
+	}
+	return ERR_PTR(-ENOENT);
+}
+```
+
+`nft_chain_lookup()` and `nft_chain_lookup_byhandle()` check whether the chain is active by calling `nft_active_genmask()` when looking up the chain. In contrast, `nft_chain_lookup_byid()` does not perform this check. As a result, a use-after-free vulnerability occurs by referencing an inactive chain.
+
+```c
+static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
+			    struct nft_data_desc *desc, const struct nlattr *nla)
+{
+	...
+	switch (data->verdict.code) {
+	...
+	case NFT_JUMP:
+	case NFT_GOTO:
+		if (tb[NFTA_VERDICT_CHAIN]) {
+			chain = nft_chain_lookup(ctx->net, ctx->table,
+						 tb[NFTA_VERDICT_CHAIN],
+						 genmask);
+		} else if (tb[NFTA_VERDICT_CHAIN_ID]) {
+			chain = nft_chain_lookup_byid(ctx->net, ctx->table,
+						      tb[NFTA_VERDICT_CHAIN_ID]);
+			if (IS_ERR(chain))
+				return PTR_ERR(chain);
+		} else {
+			return -EINVAL;
+		}
+
+		if (IS_ERR(chain))
+			return PTR_ERR(chain);
+		if (nft_is_base_chain(chain))
+			return -EOPNOTSUPP;
+		if (nft_chain_is_bound(chain))
+			return -EINVAL;
+		if (desc->flags & NFT_DATA_DESC_SETELEM &&
+		    chain->flags & NFT_CHAIN_BINDING)
+			return -EINVAL;
+
+		chain->use++;
+		data->verdict.chain = chain;
+		break;
+	}
+
+	desc->len = sizeof(data->verdict);
+
+	return 0;
+}
+```
+
+If we delete the chain after creating it, it becomes inactive until destroying. Then, we can create a nft_expr that refers to an inactive chain by calling `nft_chain_lookup_byid()` in `nft_verdict_init()`. When the rule that includes this expr is deleted, the reference counter of the chain becomes 0, the chain is actually freed. Finally, in the destroy phase of the rule, `nft_immediate_destroy()` is called, and use-after-free is triggered referring to `data->verdict.chain` that has already been freed.
+
+```c
+static void nft_immediate_destroy(const struct nft_ctx *ctx,
+				  const struct nft_expr *expr)
+{
+	const struct nft_immediate_expr *priv = nft_expr_priv(expr);
+	const struct nft_data *data = &priv->data;
+	struct nft_rule *rule, *n;
+	struct nft_ctx chain_ctx;
+	struct nft_chain *chain;
+
+	if (priv->dreg != NFT_REG_VERDICT)
+		return;
+
+	switch (data->verdict.code) {
+	case NFT_JUMP:
+	case NFT_GOTO:
+		chain = data->verdict.chain;
+
+		if (!nft_chain_is_bound(chain))
+			break;
+
+		chain_ctx = *ctx;
+		chain_ctx.chain = chain;
+
+		list_for_each_entry_safe(rule, n, &chain->rules, list)
+			nf_tables_rule_release(&chain_ctx, rule);
+
+		nf_tables_chain_destroy(&chain_ctx);
+		break;
+	default:
+		break;
+	}
+}
+```
+
+# Triggering Vulnerability
+
+1. Create Table 1
+2. Create Chain Trigger
+3. Create Chain Target
+4. Delete Chain Trigger
+5. Create Rule Trigger under Chain Target with immediate expr referring to Chain Trigger
+6. Delete Rule Trigger
+
+# Exploitation
+
+To be updated.

pocs/linux/kernelctf/CVE-2023-31248_mitigation/docs/novel-techniques.md

@@ -0,0 +1,3 @@
+# Novel Techniques
+
+To be updated.

pocs/linux/kernelctf/CVE-2023-31248_mitigation/docs/vulnerability.md

@@ -0,0 +1,12 @@
+- Requirements:
+	- Capabilities: CAP_NET_ADMIN
+	- Kernel configuration: CONFIG_NETFILTER, CONFIG_NF_TABLES
+	- User namespaces required: Yes
+- Introduced by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=837830a4b439bfeb86c70b0115c280377c84714b (netfilter: nf_tables: add NFTA_RULE_CHAIN_ID attribute)
+- Fixed by: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=515ad530795c118f012539ed76d02bacfd426d89 (netfilter: nf_tables: do not ignore genmask when looking up chain by id)
+- Affected Version: v5.9-rc1 - v6.5-rc1
+- Affected Component: net/netfilter
+- Cause: Use-After-Free
+- Syscall to disable: disallow unprivileged username space
+- URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2023-31248
+- Description: Linux Kernel nftables Use-After-Free Local Privilege Escalation Vulnerability; `nft_chain_lookup_byid()` failed to check whether a chain was active and CAP_NET_ADMIN is in any user or network namespace

pocs/linux/kernelctf/CVE-2023-31248_mitigation/exploit/mitigation-6.1/Makefile

@@ -0,0 +1,35 @@
+LIBMNL_DIR = $(realpath ./)/libmnl_build
+LIBNFTNL_DIR = $(realpath ./)/libnftnl_build
+
+exploit:
+	gcc -o exploit exploit.c -L$(LIBNFTNL_DIR)/install/lib -L$(LIBMNL_DIR)/install/lib -lnftnl -lmnl -I$(LIBNFTNL_DIR)/libnftnl-1.2.5/include -I$(LIBMNL_DIR)/libmnl-1.0.5/include -static -s
+
+prerequisites: libmnl-build libnftnl-build
+
+libmnl-build : libmnl-download
+	tar -C $(LIBMNL_DIR) -xvf $(LIBMNL_DIR)/libmnl-1.0.5.tar.bz2
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && ./configure --enable-static --prefix=`realpath ../install`
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && make
+	cd $(LIBMNL_DIR)/libmnl-1.0.5 && make install
+
+libnftnl-build : libmnl-build libnftnl-download
+	tar -C $(LIBNFTNL_DIR) -xvf $(LIBNFTNL_DIR)/libnftnl-1.2.5.tar.xz
+	cd $(LIBNFTNL_DIR)/libnftnl-1.2.5 && PKG_CONFIG_PATH=$(LIBMNL_DIR)/install/lib/pkgconfig ./configure --enable-static --prefix=`realpath ../install`
+	cd $(LIBNFTNL_DIR)/libnftnl-1.2.5 && C_INCLUDE_PATH=$(C_INCLUDE_PATH):$(LIBMNL_DIR)/install/include LD_LIBRARY_PATH=$(LD_LIBRARY_PATH):$(LIBMNL_DIR)/install/lib make
+	cd $(LIBNFTNL_DIR)/libnftnl-1.2.5 && make install
+
+libmnl-download :
+	mkdir $(LIBMNL_DIR)
+	wget -P $(LIBMNL_DIR) https://netfilter.org/projects/libmnl/files/libmnl-1.0.5.tar.bz2 
+
+libnftnl-download :
+	mkdir $(LIBNFTNL_DIR)
+	wget -P $(LIBNFTNL_DIR) https://netfilter.org/projects/libnftnl/files/libnftnl-1.2.5.tar.xz
+
+run:
+	./exploit
+
+clean:
+	rm -rf $(LIBMNL_DIR)
+	rm -rf $(LIBNFTNL_DIR)
+	rm -f exploit