__IO_FILE之FSOP链

参考资料:

https://blog.csdn.net/KaliLinux_V/article/details/146547239?utm_medium=distribute.pc_relevant.none-task-blog-2defaultbaidujs_baidulandingword~default-0-146547239-blog-115327308.235^v43^pc_blog_bottom_relevance_base4&spm=1001.2101.3001.4242.1&utm_relevant_index=2

FSOP 链执行过程:

FSOP __Stream Oriented Programming. 针对 glibc 标准 IO 流(_IO_FILE 结构体)的堆漏洞利用技术,核心是通过篡改文件流(stdin/stdout/stderr 等)的结构体数据,劫持程序执行流,实现任意代码执行。

我们通对 __IO_FILE 的学习可以知道:进程内所有的 __IO_FILE 结构会使用 chain 域互相连接形成一个链表,这个链表的头部由 __IO_list_all 维护

1
2
3
4
5
6
pwndbg> p _IO_list_all->file._chain
$5 = (struct _IO_FILE *) 0x7ffff7dd2620 <_IO_2_1_stdout_>
pwndbg> p _IO_list_all->file._chain._chain
$6 = (struct _IO_FILE *) 0x7ffff7dd18e0 <_IO_2_1_stdin_>
pwndbg> p _IO_list_all->file._chain._chain._chain
$7 = (struct _IO_FILE *) 0x0

FSOP 的核心思想就是劫持_IO_list_all 的值来伪造链表和其中的_IO_FILE 项,但是单纯的伪造只是构造了数据还需要某种方法进行触发。FSOP 选择的触发方法是调用_IO_flush_all_lockp,这个函数会刷新_IO_list_all 链表中所有项的文件流,相当于对每个 FILE 调用 fflush,也对应着会调用_IO_FILE_plus.vtable 中的_IO_overflow

_IO_flush_all_lockp函数
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
int
_IO_flush_all_lockp (int do_lock) //这是一个内部函数,用于刷新所有已打开的文件流。do_lock 参数用于控制是否在刷新时对文件流加锁
{
  ...
  fp = (_IO_FILE *) _IO_list_all;//fp 是一个指向 __IO_FILE 结构的指针,用于遍历链表
  while (fp != NULL)	//这个循环遍历链表中的每一个文件流,直到链表结束
  {
       ...
       if (((fp->_mode <= 0 && fp->_IO_write_ptr > fp->_IO_write_base))
           //检查文件流的模式。如果 _mode 小于或等于 0,表示这是一个输出流或以写模式打开的文件。检查输出缓冲区中是否有未写入的数据
               && _IO_OVERFLOW (fp, EOF) == EOF)	//调用 _IO_OVERFLOW 函数来刷新缓冲区。如果刷新失败(返回 EOF)
           {
               result = EOF;
          }
        ...
  }
}

在 malloc 时 unsorted bin出错会调用malloc_printerr 输出错误:

__init_malloc函数中部分
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
_int_malloc (mstate av, size_t bytes)	//这是 malloc 的内部函数,用于从内存池中分配内存.
    .........							//av 是一个指向内存分配状态(mstate)的指针,表示当前的内存分配区
    .........							//bytes 是请求分配的内存大小。
    .........
for (;; )	//这是一个无限循环
    {
      int iters = 0;	//是一个计数器,用于限制循环的次数,防止无限循环
      while ((victim = unsorted_chunks (av)->bk) != unsorted_chunks (av)) //这个循环遍历未排序的 chunk链表
          //unsorted_chunks(av)返回未排序 chunk 链表的头部
          //victim 是当前正在检查的 chunk。
		  //bk 是 chunk 的后向指针,指向链表中的下一个 chunk
        {																			
          bck = victim->bk;
          //__builtin_expect 是 GCC 的一个内置函数,用于优化条件判断,提示编译器哪个条件更有可能为真。
          if (__builtin_expect (victim->size <= 2 * SIZE_SZ, 0)		//检查当前 chunk 的大小是否有效
              || __builtin_expect (victim->size > av->system_mem, 0))	//检查 chunk 的大小是否超过了系统内存的大小,这也是无效的。
            malloc_printerr (check_action, "malloc(): memory corruption",
                             chunk2mem (victim), av);
          //如果 chunk 的大小无效,调用 malloc_printerr 函数报告内存损坏错误
          size = chunksize (victim);


如果 chunk 的大小无效,调用 malloc_printerr 函数报告内存损坏错误

malloc_printerr函数
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
malloc_printerr (int action, const char *str, void *ptr, mstate ar_ptr)
{
    /*
    action:表示错误的处理方式(如打印错误信息、终止程序等)。
    str:错误信息字符串,描述错误的类型。
    ptr:指向发生错误的内存地址。
	ar_ptr:指向内存分配区(mstate)的指针
*/
    
  /* Avoid using this arena in future.  We do not attempt to synchronize this
     with anything else because we minimally want to ensure that __libc_message
     gets its resources safely without stumbling on the current corruption.  */
  if (ar_ptr)
    set_arena_corrupt (ar_ptr); 	//如果 ar_ptr 不为空,调用 set_arena_corrupt 函数将该内存分配区标记为损坏

  if ((action & 5) == 5)
    __libc_message (action & 2, "%s\n", str);	//检查action 的低三位是否为 5(101)调用 __libc_message 函数打印错误信息。
  else if (action & 1)
    {
      /*
      如果 action 的最低位为 1,表示需要打印详细的错误信息。构造一个包含错误地址的字符串:buf 是一个缓冲区,用于存储格式化后的地址
*/
      char buf[2 * sizeof (uintptr_t) + 1];

      buf[sizeof (buf) - 1] = '\0';
      char *cp = _itoa_word ((uintptr_t) ptr, &buf[sizeof (buf) - 1], 16, 0);
      //__itoa_word 将指针 ptr 转换为十六进制字符串
      while (cp > buf)
        *--cp = '0';

      __libc_message (action & 2, "*** Error in `%s': %s: 0x%s ***\n",
                      __libc_argv[0] ? : "<unknown>", str, cp);	//__libc_argv[0]是程序的名称,为空则用<unknown>。
    }
  else if (action & 2)
    abort ();
}

跟进__libc_message函数,最后也调用了abort函数:

__libc_message函数
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
/* Abort with an error message.  */
void
__libc_message (int do_abort, const char *fmt, ...)
{
  va_list ap;
  int fd = -1;

  va_start (ap, fmt);

#ifdef FATAL_PREPARE
  FATAL_PREPARE;
#endif

  /* Open a descriptor for /dev/tty unless the user explicitly
     requests errors on standard error.  */
  const char *on_2 = __libc_secure_getenv ("LIBC_FATAL_STDERR_");
  if (on_2 == NULL || *on_2 == '\0')
    fd = open_not_cancel_2 (_PATH_TTY, O_RDWR | O_NOCTTY | O_NDELAY);

  if (fd == -1)
    fd = STDERR_FILENO;

  struct str_list *list = NULL;
  int nlist = 0;

  const char *cp = fmt;
  while (*cp != '\0')
    {
      /* Find the next "%s" or the end of the string.  */
      const char *next = cp;
      while (next[0] != '%' || next[1] != 's')
	{
	  next = __strchrnul (next + 1, '%');

	  if (next[0] == '\0')
	    break;
	}

      /* Determine what to print.  */
      const char *str;
      size_t len;
      if (cp[0] == '%' && cp[1] == 's')
	{
	  str = va_arg (ap, const char *);
	  len = strlen (str);
	  cp += 2;
	}
      else
	{
	  str = cp;
	  len = next - cp;
	  cp = next;
	}

      struct str_list *newp = alloca (sizeof (struct str_list));
      newp->str = str;
      newp->len = len;
      newp->next = list;
      list = newp;
      ++nlist;
    }

  bool written = false;
  if (nlist > 0)
    {
      struct iovec *iov = alloca (nlist * sizeof (struct iovec));
      ssize_t total = 0;

      for (int cnt = nlist - 1; cnt >= 0; --cnt)
	{
	  iov[cnt].iov_base = (char *) list->str;
	  iov[cnt].iov_len = list->len;
	  total += list->len;
	  list = list->next;
	}

      written = WRITEV_FOR_FATAL (fd, iov, nlist, total);

      if (do_abort)
	{
	  total = ((total + 1 + GLRO(dl_pagesize) - 1)
		   & ~(GLRO(dl_pagesize) - 1));
	  struct abort_msg_s *buf = __mmap (NULL, total,
					    PROT_READ | PROT_WRITE,
					    MAP_ANON | MAP_PRIVATE, -1, 0);
	  if (__glibc_likely (buf != MAP_FAILED))
	    {
	      buf->size = total;
	      char *wp = buf->msg;
	      for (int cnt = 0; cnt < nlist; ++cnt)
		wp = mempcpy (wp, iov[cnt].iov_base, iov[cnt].iov_len);
	      *wp = '\0';

	      /* We have to free the old buffer since the application might
		 catch the SIGABRT signal.  */
	      struct abort_msg_s *old = atomic_exchange_acq (&__abort_msg,
							     buf);
	      if (old != NULL)
		__munmap (old, old->size);
	    }
	}
    }
  va_end (ap);
  if (do_abort)
    {
      BEFORE_ABORT (do_abort, written, fd);

      /* Kill the application.  */
      abort ();
    }
}


跟进abort函数,其中调用了fflush函数:

about 函数:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
/* Cause an abnormal program termination with core-dump.  */
void
abort (void)
{
  struct sigaction act;
  sigset_t sigs;

  /* First acquire the lock.  */
  __libc_lock_lock_recursive (lock);

  /* Now it's for sure we are alone.  But recursive calls are possible.  */

  /* Unlock SIGABRT.  */
  if (stage == 0)
    {
      ++stage;
      if (__sigemptyset (&sigs) == 0 &&
	  __sigaddset (&sigs, SIGABRT) == 0)
	__sigprocmask (SIG_UNBLOCK, &sigs, (sigset_t *) NULL);
    }

  /* Flush all streams.  We cannot close them now because the user
     might have registered a handler for SIGABRT.  */
  if (stage == 1)
    {
      ++stage;
      fflush (NULL);
    }
······
}


跟进fflush函数,fflush是一个宏定义,调用了IO_fflush函数,且参数是NULL

fllush 函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
int
_IO_fflush (_IO_FILE *fp)
{
  if (fp == NULL)
    return _IO_flush_all ();
  else
    {
      int result;
      CHECK_FILE (fp, EOF);
      _IO_acquire_lock (fp);
      result = _IO_SYNC (fp) ? EOF : 0;
      _IO_release_lock (fp);
      return result;
    }
}


继续跟进IO_fflush(NULL),由于传入的参数为NULL,所以会调用_IO_flush_all函数:

__IO_flush_all 函数:

1
2
3
4
5
6
int
_IO_flush_all (void)
{
  /* We want locking.  */
  return _IO_flush_all_lockp (1);
}

_IO_flush_all_lockp调用了_IO_flush_all_lockp(1):

跟进_IO_flush_all_lockp(1),而 _IO_flush_all_lockp就是这条FILE终点:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
int
_IO_flush_all_lockp (int do_lock)
{
  int result = 0;
  struct _IO_FILE *fp;
  int last_stamp;

#ifdef _IO_MTSAFE_IO
  __libc_cleanup_region_start (do_lock, flush_cleanup, NULL);
  if (do_lock)
    _IO_lock_lock (list_all_lock);
#endif

  last_stamp = _IO_list_all_stamp;
  fp = (_IO_FILE *) _IO_list_all;//这里fp取到了_IO_list_all 这里fp直接指向了_IO_2_1_stderr_首地址
  while (fp != NULL)//进入循环
    {
      run_fp = fp;
      if (do_lock)
	_IO_flockfile (fp);

      if (((fp->_mode <= 0 && fp->_IO_write_ptr > fp->_IO_write_base)
#if defined _LIBC || defined _GLIBCPP_USE_WCHAR_T
	   || (_IO_vtable_offset (fp) == 0
	       && fp->_mode > 0 && (fp->_wide_data->_IO_write_ptr
				    > fp->_wide_data->_IO_write_base))
#endif
	   )
	  && _IO_OVERFLOW (fp, EOF) == EOF)//这里经过前面的判断后调用了_IO_OVERFLOW(fp,EOF)
	result = EOF;

      if (do_lock)
	_IO_funlockfile (fp);
      run_fp = NULL;

      if (last_stamp != _IO_list_all_stamp)
	{
	  /* Something was added to the list.  Start all over again.  */
	  fp = (_IO_FILE *) _IO_list_all;
	  last_stamp = _IO_list_all_stamp;
	}
      else
	fp = fp->_chain;//这里使用FILE结构中的_chain来更新fp,直到fp为空才退出循环,所以会刷新_IO_list_all 链表中所有项的文件流
    }

#ifdef _IO_MTSAFE_IO
  if (do_lock)
    _IO_lock_unlock (list_all_lock);
  __libc_cleanup_region_end (0);
#endif

  return result;
}


查看_IO_OVERFLOW(fp, EOF)定义,以及最后的

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
//libc_2.23 的定义
define _IO_OVERFLOW(FP, CH) JUMP1 (__overflow, FP, CH)
    //调用 JUMP1 宏,传入 __overflow 函数指针、FILE 结构体指针 FP 和字符 CH
define JUMP1(FUNC, THIS, X1) (_IO_JUMPS_FUNC(THIS)->FUNC) (THIS, X1)
    //通过 _IO_JUMPS_FUNC(THIS) 获取虚表指针,然后调用虚表中的 FUNC 函数。
define _IO_JUMPS_FUNC(THIS) (*(struct _IO_jump_t **) ((void *) &_IO_JUMPS_FILE_plus (THIS) + (THIS)->_vtable_offset))
    /*
    	获取 FILE 结构体的虚表偏移量 _vtable_offset。
		将 _IO_JUMPS_FILE_plus(THIS) 的地址转换为 void* 类型。
		加上 _vtable_offset 偏移量,得到虚表指针。
		解引用虚表指针,得到 struct _IO_jump_t 类型的虚表
    */
//结合传入的参数转化后如下:相当于调用了fp的__overflow函数
define _IO_OVERFLOW(FP, CH) JUMP1 (__overflow, FP, CH)
define JUMP1(__overflow, FP, CH) (_IO_JUMPS_FUNC(FP)->__overflow) (FP, CH)
define _IO_JUMPS_FUNC(FP) (*(struct _IO_jump_t **) ((void *) &_IO_JUMPS_FILE_plus (FP) + (FP)->_vtable_offset))
    

    
//在libc_2.24后:_IO_JUMPS_FUNC的宏定义变化
define JUMP1(FUNC, THIS, X1) (_IO_JUMPS_FUNC(THIS)->FUNC) (THIS, X1)
define _IO_JUMPS_FUNC(THIS) (IO_validate_vtable (_IO_JUMPS_FILE_plus (THIS)))
/*_IO_JUMPS_FUNC(THIS):调用 IO_validate_vtable 函数,对虚表指针进行验证。IO_validate_vtable:验证虚表指针是否合法*/    
/* Check if unknown vtable pointers are permitted; otherwise,
   terminate the process.  */
void _IO_vtable_check (void) attribute_hidden; //提前声明

/* Perform vtable pointer validation.  If validation fails, terminate
   the process.  */
static inline const struct _IO_jump_t *
IO_validate_vtable (const struct _IO_jump_t *vtable)
{
  /* Fast path: The vtable pointer is within the __libc_IO_vtables
     section.  */
  uintptr_t section_length = __stop___libc_IO_vtables - __start___libc_IO_vtables;
  const char *ptr = (const char *) vtable;
  uintptr_t offset = ptr - __start___libc_IO_vtables;
  if (__glibc_unlikely (offset >= section_length))
    /* The vtable pointer is not in the expected section.  Use the
       slow path, which will terminate the process if necessary.  */
    _IO_vtable_check ();
  return vtable;
}

void attribute_hidden _IO_vtable_check (void)
{
#ifdef SHARED
  /* Honor the compatibility flag.  */
  void (*flag) (void) = atomic_load_relaxed (&IO_accept_foreign_vtables);
#ifdef PTR_DEMANGLE
  PTR_DEMANGLE (flag);
#endif
  if (flag == &_IO_vtable_check)
    return;

  /* In case this libc copy is in a non-default namespace, we always
     need to accept foreign vtables because there is always a
     possibility that FILE * objects are passed across the linking
     boundary.  */
  {
    Dl_info di;
    struct link_map *l;
    if (_dl_open_hook != NULL
        || (_dl_addr (_IO_vtable_check, &di, &l, NULL) != 0
            && l->l_ns != LM_ID_BASE))
      return;
  }

#else /* !SHARED */
  /* We cannot perform vtable validation in the static dlopen case
     because FILE * handles might be passed back and forth across the
     boundary.  Therefore, we disable checking in this case.  */
  if (__dlopen != NULL)
    return;
#endif

  __libc_fatal ("Fatal error: glibc detected an invalid stdio handle\n");
}



最后找函数地址时,使用了_vtable_offset 即 _IO_FILE 结构体的 vtable 指针,而vtable 指针指向的是一个虚表,所以相当于最后调用到了下面的_IO_file_overflow函数,并且传入的参数是fp指针,即文件的地址

1774932265790-1f627b7b-cd61-4899-8034-8f91362626a7.png

1774932282286-e50324e1-a33e-4a08-b3f2-2c67d82e1a94.png

所以最后IO_FILE链为:malloc报错 ==> malloc_printerr ==> __libc_message ==> abort ==> fflush ==> IO_fflush ==> _IO_flush_all ==> _IO_flush_all_lockp ==> _IO_OVERFLOW(最后使用vtable 指向的虚表中的指针),

最后在_IO_flush_all_lockp中时有两个判断条件需要绕过,才能调用到_IO_OVERFLOW :

1
2
fp->_mode <= 0
fp-> _IO_write_ptr > fp->_IO_write_base

更新: 2026-03-31 12:54:08
原文: https://www.yuque.com/idcm/wnemg9/ryo4gboq4x7kmgmm