Retme的未来道具研究所

世界線の収束には、逆らえない

然而Android上面并不能访问key retention

https://github.com/torvalds/linux/blob/3a50597de8635cd05133bd12c95681c82fe7b878/security/keys/process_keys.c

long join_session_keyring(const char *name)
{
    const struct cred *old;
    struct cred *new;
    struct key *keyring;
    long ret, serial;

    new = prepare_creds();
    if (!new)
        return -ENOMEM;
    old = current_cred();

    /* if no name is provided, install an anonymous keyring */
    if (!name) {
        ret = install_session_keyring_to_cred(new, NULL);
        if (ret < 0)
            goto error;

        serial = new->session_keyring->serial;
        ret = commit_creds(new);
        if (ret == 0)
            ret = serial;
        goto okay;
    }

    /* allow the user to join or create a named keyring */
    mutex_lock(&key_session_mutex);

    /* look for an existing keyring of this name */
    keyring = find_keyring_by_name(name, false);  //这里 key->usage +1
    if (PTR_ERR(keyring) == -ENOKEY) {
        /* not found - try and create a new one */
        keyring = keyring_alloc(name, old->uid, old->gid, old,
                    KEY_ALLOC_IN_QUOTA, NULL);
        if (IS_ERR(keyring)) {
            ret = PTR_ERR(keyring);
            goto error2;
        }
    } else if (IS_ERR(keyring)) {
        ret = PTR_ERR(keyring);
        goto error2;
    } else if (keyring == new->session_keyring) {  //走到这个路径,说明请求的 keyname == 当前cred中的 key name 
        ret = 0;                //直接返回,绕过key_put
        goto error2;
    }

    /* we've got a keyring - now to install it */
    ret = install_session_keyring_to_cred(new, keyring);
    if (ret < 0)
        goto error2;

    commit_creds(new);
    mutex_unlock(&key_session_mutex);

    ret = keyring->serial;
    key_put(keyring);
okay:
    return ret;

error2:
    mutex_unlock(&key_session_mutex);
error:
    abort_creds(new);
    return ret;
}
ref:

https://gist.github.com/PerceptionPointTeam/18b1e86d1c0f8531ff8f


这是一份可以从华为mate 7中获取指纹数据的TrustZone攻击利用代码,现在已经完全公开并且包含漏洞细节的文档。

https://github.com/retme7/mate7_TZ_exploit



图片来自  P站:51658095 | 画师:またろ


MOSEC会议很有意思~

我的议题相关资料:

https://github.com/retme7/mate7_TZ_exploit

媒体图片:

http://www.freebuf.com/news/69299.html