Sure, I could not pass by the hyped topic of BPF (an overvalued mechanism that lets you run your buggy code in the kernel, with low performance and lots of overhead). For access to some kernel data they added so-called iterators, and maybe you can even write your own and register it with bpf_iter_reg_target (spoiler: you can't, because this function is not exported. Welcome to the wonderful world of open source with its unexplained and unreasonable restrictions). I was curious which BPF iterators are present in the system: they are stored in the list targets, synchronized with the mutex targets_mutex. What could possibly go wrong?
grep " targets" System.map-5.11.0-37-generic
ffffffff820ff8e0 r targets
ffffffff826e1240 d targets_mutex
ffffffff826e1260 d targets
ffffffff8277a5c0 d targets
ffffffff8286b2e8 d targets_supported
In this case we are dealing with another mechanism for hiding information in the linux kernel - the use of non-unique names. I was not too lazy to write a script to count such names: 998 of them. Top 5:
_acpi_module_name: 155
cpumask_weight.constprop.0: 47
kzalloc.constprop.0: 39
get_order: 32
kmalloc_array.constprop.0: 28
We can build a simple two-state FSM:
- wait for a call to mutex_lock
- the next access to memory in .data gives us the right address
Results:
sudo ./lkmem -d -c -t ~/krnl/curr ~/krnl/System.map-5.11.0-37-generic
bpf_iter_reg at 0xffffffff859be700: 11
 [0] feature 0 at 0xffffffff85af86e0 - kernel!bpf_sk_storage_map_reg_info
   attach_target: 0xffffffff84c2a430 - kernel!bpf_iter_attach_map
   detach_target: 0xffffffff84c2a410 - kernel!bpf_iter_detach_map
   show_fdinfo: 0xffffffff8440dee0 - kernel!bpf_iter_map_show_fdinfo
   fill_link_info: 0xffffffff8440dec0 - kernel!bpf_iter_map_fill_link_info
 [1] feature 0 at 0xffffffff85af7620 - kernel!sock_map_iter_reg
   attach_target: 0xffffffff84c14fc0 - kernel!sock_map_iter_attach_target
   detach_target: 0xffffffff84c14fa0 - kernel!sock_map_iter_detach_target
   show_fdinfo: 0xffffffff8440dee0 - kernel!bpf_iter_map_show_fdinfo
   fill_link_info: 0xffffffff8440dec0 - kernel!bpf_iter_map_fill_link_info
 [2] feature 0 at 0xffffffff859be840 - kernel!bpf_prog_reg_info
 [3] feature 1 at 0xffffffff859be780 - kernel!task_file_reg_info
 [4] feature 1 at 0xffffffff859be7e0 - kernel!task_reg_info
 [5] feature 0 at 0xffffffff85236420 - kernel!bpf_map_elem_reg_info
   attach_target: 0xffffffff8440e060 - kernel!bpf_iter_attach_map
   detach_target: 0xffffffff8440df10 - kernel!bpf_iter_detach_map
   show_fdinfo: 0xffffffff8440dee0 - kernel!bpf_iter_map_show_fdinfo
   fill_link_info: 0xffffffff8440dec0 - kernel!bpf_iter_map_fill_link_info
 [6] feature 0 at 0xffffffff859be720 - kernel!bpf_map_reg_info
 [7] feature 0 at 0xffffffff85afe7e0 - kernel!ipv6_route_reg_info
 [8] feature 0 at 0xffffffff85afa300 - kernel!udp_reg_info
 [9] feature 0 at 0xffffffff85af9cc0 - kernel!tcp_reg_info
 [10] feature 0 at 0xffffffff85af8bc0 - kernel!netlink_reg_info
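The two-state FSM from the post, as an added example that is not the lkmem code: it parses a constructed System.map fragment, counts the non-unique names, and then walks a constructed, pre-decoded instruction stream to pick the targets list that is actually guarded by targets_mutex. The mutex_lock, _sdata and _edata addresses and the instruction operands are assumptions made up for this example.

```python
from collections import Counter

# Constructed System.map fragment: the duplicated 'targets' entries use the
# addresses from the post; mutex_lock, _sdata and _edata are made-up anchors.
SYSTEM_MAP = """\
ffffffff81a4c000 T mutex_lock
ffffffff82000000 D _sdata
ffffffff826e1240 d targets_mutex
ffffffff826e1260 d targets
ffffffff8277a5c0 d targets
ffffffff8286b2e8 d targets_supported
ffffffff82900000 D _edata
"""

def parse_system_map(text):
    """Return [(address, type, name)] for every 'addr type name' line."""
    return [(int(a, 16), t, n) for a, t, n in
            (ln.split() for ln in text.splitlines() if ln.strip())]

def duplicate_names(syms, top=5):
    """Names that occur more than once, most frequent first."""
    counts = Counter(name for _, _, name in syms)
    return sorted(((n, c) for n, c in counts.items() if c > 1),
                  key=lambda nc: (-nc[1], nc[0]))[:top]

def find_list_after_lock(insns, syms, lock="mutex_lock"):
    """Two-state FSM: state 0 waits for 'call mutex_lock'; state 1 returns the
    first operand pointing into .data, i.e. the list head guarded by the mutex."""
    addr = {n: a for a, _, n in syms}   # duplicates collapse; only unique names are used
    sdata, edata, lock_addr = addr["_sdata"], addr["_edata"], addr[lock]
    state = 0
    for mnem, operand in insns:
        if state == 0:
            if mnem == "call" and operand == lock_addr:
                state = 1
        elif operand is not None and sdata <= operand < edata:
            return operand
    return None

# Constructed (mnemonic, operand address) stream, roughly what a disassembler
# yields for bpf_iter_reg_target; the .data read before the lock is the wrong
# 'targets' and must be skipped.
INSNS = [
    ("mov", 0xffffffff8277a5c0),   # the other 'targets': ignored, lock not taken yet
    ("lea", 0xffffffff826e1240),   # rdi = &targets_mutex
    ("call", 0xffffffff81a4c000),  # mutex_lock -> state 1
    ("mov", 0xffffffff826e1260),   # first .data access after the lock: the real list
    ("call", 0xffffffff81a4d000),  # mutex_unlock (made-up address)
]
```

Without the lock state the naive "first reference to a symbol named targets" would have picked 0xffffffff8277a5c0; the FSM returns 0xffffffff826e1260.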