(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞
一、漏洞简介
Amazon Kindle Fire HD(3rd)Fire OS 4.5.5.3的内核组件中的内核模块/omap/drivers/misc/gcx/gcioctl/gcif.c允许攻击者通过设备/ dev上ioctl的参数注入特制参数/ gcioctl使用命令1077435789并导致内核崩溃。
二、漏洞影响
Fire OS 4.5.5.3
三、复现过程
poc
|
崩溃日志
[ 144.428375] Unable to handle kernel paging request at virtual address d900000c
[ 144.436462] pgd = dcac0000
[ 144.439697] [d900000c] *pgd=00000000
[ 144.443939] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[ 144.450012] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[ 144.457672] CPU: 0 Tainted: G O (3.4.83-gd2afc0bae69 #1)
[ 144.465118] PC is at c2dm_l1cache+0x30/0x100
[ 144.469940] LR is at dev_ioctl+0x3f0/0x10c4
[ 144.474670] pc : [<c03187ac>] lr : [<c031782c>] psr: a0000013
[ 144.474670] sp : c2d6be38 ip : 00000000 fp : c2d6be6c
[ 144.487640] r10: 00000000 r9 : d8c0cca8 r8 : 00b8dd90
[ 144.493621] r7 : 00000000 r6 : c2d6bea4 r5 : 00b8dd90 r4 : 388b77c4
[ 144.500915] r3 : d9000004 r2 : 75e0c121 r1 : c2d6bea4 r0 : 00000000
[ 144.508331] Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 144.516418] Control: 10c5387d Table: 9cac004a DAC: 00000015
[ 144.522827]
[ 144.522857] PC: 0xc031872c:
[ 144.527954] 872c e51b2034 e592300c eaffffa5 e30c281c e34c209d e5923000 e3530000 1affffbd
[ 144.538482] 874c eaffffc0 e51b303c e51b1040 e2833001 e51b2034 e1530001 e50b303c e2822010
[ 144.549163] 876c e50b2034 1affff8c eaffff83 c09dc81c e1a0c00d e92ddff0 e24cb004 e24dd00c
[ 144.559844] 878c e3500000 e1a07002 e50b0030 da00000d e0814200 e1a06001 e1a03001 e3a02000
[ 144.570404] 87ac e5930008 e593c004 e2833010 e1530004 e022209c 1afffff9 e3520902 3a000003
[ 144.581085] 87cc e3570002 9a000022 e24bd028 e89daff0 e59f9090 e2818008 e3a0a000 e5963008
[ 144.591735] 87ec e5184008 e3530000 13a05000 1a00000a ea000010 e5181004 e5993024 e0841001
[ 144.602416] 880c e12fff33 e5962008 e2855001 e596300c e1550002 e0844003 2a000006 e2572000
[ 144.612976]
[ 144.612976] LR: 0xc03177ac:
[ 144.618072] 77ac ebf55c15 eaffff35 e3053d8d e3443038 e1510003 1affff30 e1a0200d e3c23d7f
[ 144.628631] 77cc e3c3303f e24b0064 e5933008 e2952038 30d22003 33a03000 e3530000 1a0001a8
[ 144.639160] 77ec e1a01005 e3a02038 ebfcfa90 e3500000 1a00000e e51b2030 e3520001 0a0001cb
[ 144.649780] 780c e3520002 0a0001ee e3520000 1a000007 e51b0064 e3a02000 e24b1060 eb0003d3
[ 144.660369] 782c e51b0064 e24b1060 e51b2030 eb000338 e3a05000 eaffff11 e24b1064 e50b1088
[ 144.670776] 784c e51b0088 e3a01010 ebfd03c1 e3a03004 e50b3064 e5963008 e2952004 30d22003
[ 144.681213] 786c 33a03000 e3530000 0a0001c5 e3e0500d eaffff02 e1a0200d e3c26d7f e3c6603f
[ 144.691528] 788c e5963008 e2952008 30d22003 33a03000 e3530000 1a000021 e24b3064 e1a01005
[ 144.701995]
[ 144.701995] SP: 0xc2d6bdb8:
[ 144.706878] bdb8 c2d6be24 00b8dd90 c2d6bdec c2d6bdd0 c00084d0 c03187ac a0000013 ffffffff
[ 144.717407] bdd8 c2d6be24 00b8dd90 c2d6be6c c2d6bdf0 c06a5318 c0008370 00000000 c2d6bea4
[ 144.727905] bdf8 75e0c121 d9000004 388b77c4 00b8dd90 c2d6bea4 00000000 00b8dd90 d8c0cca8
[ 144.738586] be18 00000000 c2d6be6c 00000000 c2d6be38 c031782c c03187ac a0000013 ffffffff
[ 144.749145] be38 c02ba53c 575b4b92 d8578000 00000000 00b8dd90 0000000b dcae46c0 00b8dd90
[ 144.759796] be58 d8c0cca8 00000000 c2d6bf04 c2d6be70 c031782c c0318788 00000001 00000088
[ 144.770355] be78 000ffeff 00000001 c2d6bedc c2d6be90 c0207454 c00bd920 00000027 d7ce5000
[ 144.781005] be98 c2d6bed4 c2d6bea8 575b4b92 4ccba3b5 47a0578f 83b275c7 00000000 00020261
[ 144.791687]
[ 144.791687] FP: 0xc2d6bdec:
[ 144.796661] bdec c0008370 00000000 c2d6bea4 75e0c121 d9000004 388b77c4 00b8dd90 c2d6bea4
[ 144.807189] be0c 00000000 00b8dd90 d8c0cca8 00000000 c2d6be6c 00000000 c2d6be38 c031782c
[ 144.817840] be2c c03187ac a0000013 ffffffff c02ba53c 575b4b92 d8578000 00000000 00b8dd90
[ 144.828399] be4c 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf04 c2d6be70 c031782c
[ 144.839080] be6c c0318788 00000001 00000088 000ffeff 00000001 c2d6bedc c2d6be90 c0207454
[ 144.849761] be8c c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8 575b4b92 4ccba3b5 47a0578f
[ 144.860290] beac 83b275c7 00000000 00020261 00000000 00000000 00000000 00000000 00000000
[ 144.870971] becc 00000000 00000000 00000000 c02089fc 00000000 dcae46c0 0000000b dcae46c0
[ 144.881652]
[ 144.881652] R1: 0xc2d6be24:
[ 144.886627] be24 c2d6be38 c031782c c03187ac a0000013 ffffffff c02ba53c 575b4b92 d8578000
[ 144.897308] be44 00000000 00b8dd90 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf04
[ 144.907989] be64 c2d6be70 c031782c c0318788 00000001 00000088 000ffeff 00000001 c2d6bedc
[ 144.918518] be84 c2d6be90 c0207454 c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8 575b4b92
[ 144.929199] bea4 4ccba3b5 47a0578f 83b275c7 00000000 00020261 00000000 00000000 00000000
[ 144.939849] bec4 00000000 00000000 00000000 00000000 00000000 c02089fc 00000000 dcae46c0
[ 144.950531] bee4 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf74 c2d6bf08 c0136044
[ 144.961059] bf04 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190 dcf8c440
[ 144.971710]
[ 144.971710] R3: 0xd8ffff84:
[ 144.976623] ff84 d8ffff20 d8efb000 00000707 020e40fb d8efb075 d8ffff3c d8efb01c d8ffffa0
[ 144.987213] ffa4 d8ffffa0 d8efb028 ca9788f0 d8ffffb0 d8ffffb0 00000000 bf06e9c8 80000088
[ 144.997772] ffc4 dd2eac00 dd309540 00000000 00000000 00000000 00000000 00000000 00000000
[ 145.008392] ffe4 00000000 00000000 00000000 00000000 00000000 00000000 00000000 ********
[ 145.018798] 0004 ******** ******** ******** ******** ******** ******** ******** ********
[ 145.029327] 0024 ******** ******** ******** ******** ******** ******** ******** ********
[ 145.039886] 0044 ******** ******** ******** ******** ******** ******** ******** ********
[ 145.050384] 0064 ******** ******** ******** ******** ******** ******** ******** ********
[ 145.060913]
[ 145.060913] R6: 0xc2d6be24:
[ 145.066009] be24 c2d6be38 c031782c c03187ac a0000013 ffffffff c02ba53c 575b4b92 d8578000
[ 145.076568] be44 00000000 00b8dd90 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf04
[ 145.087219] be64 c2d6be70 c031782c c0318788 00000001 00000088 000ffeff 00000001 c2d6bedc
[ 145.097900] be84 c2d6be90 c0207454 c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8 575b4b92
[ 145.108459] bea4 4ccba3b5 47a0578f 83b275c7 00000000 00020261 00000000 00000000 00000000
[ 145.118988] bec4 00000000 00000000 00000000 00000000 00000000 c02089fc 00000000 dcae46c0
[ 145.129638] bee4 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf74 c2d6bf08 c0136044
[ 145.140319] bf04 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190 dcf8c440
[ 145.150848]
[ 145.150848] R9: 0xd8c0cc28:
[ 145.155944] cc28 d8c0cc28 d8c0cc28 00000000 00000000 00000000 c06bc674 000200da c09dda58
[ 145.166503] cc48 00000000 00000000 d8c0cc50 d8c0cc50 00000000 c0aa5174 c0aa5174 c0aa5148
[ 145.177062] cc68 5aefd94b 00000000 00000000 00000000 d8c0cc80 9ad1f453 00000000 00000000
[ 145.187713] cc88 00200000 00000000 00000000 d8c0cc94 d8c0cc94 dd3b56c0 dd3b56c0 00000000
[ 145.198394] cca8 000521a4 000003e8 000003e8 00000000 00000000 00000000 c06b9600 dd150400
[ 145.208923] ccc8 d8c0cd80 dd3e3e70 00001064 00000001 0fb00000 5aefd94b 2d2b4d13 5aefd94b
[ 145.219573] cce8 2d2b4d13 5aefd94b 2d2b4d13 00000000 00000000 00000000 00000000 00000000
[ 145.230255] cd08 00000000 00000000 00000000 00000000 00000001 00000000 00000000 d8c0cd24
[ 145.240936] Process executor32 (pid: 3810, stack limit = 0xc2d6a2f8)
[ 145.248016] Stack: (0xc2d6be38 to 0xc2d6c000)
[ 145.253082] be20: c02ba53c 575b4b92
[ 145.262176] be40: d8578000 00000000 00b8dd90 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000
[ 145.271392] be60: c2d6bf04 c2d6be70 c031782c c0318788 00000001 00000088 000ffeff 00000001
[ 145.280609] be80: c2d6bedc c2d6be90 c0207454 c00bd920 00000027 d7ce5000 c2d6bed4 c2d6bea8
[ 145.289703] bea0: 575b4b92 4ccba3b5 47a0578f 83b275c7 00000000 00020261 00000000 00000000
[ 145.298919] bec0: 00000000 00000000 00000000 00000000 00000000 00000000 c02089fc 00000000
[ 145.308105] bee0: dcae46c0 0000000b dcae46c0 00b8dd90 d8c0cca8 00000000 c2d6bf74 c2d6bf08
[ 145.317352] bf00: c0136044 c0317448 00000000 00000000 00000000 00000001 00000000 dd045190
[ 145.326416] bf20: dcf8c440 c2d6bf0c c2d6a000 00b8dd80 00b8dd90 40385d8d dcae46c0 0000000b
[ 145.335662] bf40: c2d6a000 00000000 c2d6bf64 00000000 00b8dd90 40385d8d dcae46c0 0000000b
[ 145.344879] bf60: c2d6a000 00000000 c2d6bfa4 c2d6bf78 c01365e0 c0135fc4 00000000 00000000
[ 145.354095] bf80: c0013e08 00b8dd80 000121c0 00000000 00000036 c0013e08 00000000 c2d6bfa8
[ 145.363159] bfa0: c0013c60 c0136578 00b8dd80 000121c0 0000000b 40385d8d 00b8dd90 00b8dd90
[ 145.372406] bfc0: 00b8dd80 000121c0 00000000 00000036 00000000 00000000 00000000 bee035f4
[ 145.381622] bfe0: 810100fc bee030f4 00011578 0002b28c 60000010 0000000b 4d6969d9 03020430
[ 145.390686] Backtrace:
[ 145.393829] [<c031877c>] (c2dm_l1cache+0x0/0x100) from [<c031782c>] (dev_ioctl+0x3f0/0x10c4)
[ 145.403228] [<c031743c>] (dev_ioctl+0x0/0x10c4) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[ 145.412658] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[ 145.421874] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[ 145.431304] r8:c0013e08 r7:00000036 r6:00000000 r5:000121c0 r4:00b8dd80
[ 145.439605] Code: e0814200 e1a06001 e1a03001 e3a02000 (e5930008)
[ 145.450225] Board Information:
[ 145.450225] Revision : 0001
[ 145.450256] Serial : 0000000000000000
[ 145.450256] SoC Information:
[ 145.450256] CPU : OMAP4470
[ 145.450286] Rev : ES1.0
[ 145.450286] Type : HS
[ 145.450286] Production ID: 0002B975-000000CC
[ 145.450286] Die ID : 1CC60000-50002FFF-0B00935D-11007004
[ 145.450317]
[ 145.485900] ---[ end trace 0fe3b4c74b4e9fa7 ]---
[ 145.491149] Kernel panic - not syncing: Fatal exception
[ 145.496917] CPU1: stopping
[ 145.500152] Backtrace:
[ 145.503204] [<c0018148>] (dump_backtrace+0x0/0x10c) from [<c0698bb8>] (dump_stack+0x18/0x1c)
[ 145.512695] r6:c09ddc50 r5:c09dc844 r4:00000001 r3:c0a0e950
[ 145.519714] [<c0698ba0>] (dump_stack+0x0/0x1c) from [<c0019bd8>] (handle_IPI+0x190/0x1c4)
[ 145.528961] [<c0019a48>] (handle_IPI+0x0/0x1c4) from [<c00084fc>] (gic_handle_irq+0x58/0x60)
[ 145.538482] [<c00084a4>] (gic_handle_irq+0x0/0x60) from [<c06a5540>] (__irq_usr+0x40/0x60)
[ 145.547637] Exception stack(0xd85a5fb0 to 0xd85a5ff8)
[ 145.553466] 5fa0: 41822290 418185e8 00000001 41c95000
[ 145.562561] 5fc0: 418185e8 41687460 4010d0ec 418185e8 4010d038 41689398 7fffffff 401602ec
[ 145.571777] 5fe0: 418191e8 5ba34d10 41609aa8 41609974 200b0010 ffffffff
[ 145.579284] r6:ffffffff r5:200b0010 r4:41609974 r3:41822290
[ 145.586364] CPU0 PC (0) : 0xc003ee38
[ 145.590576] CPU0 PC (1) : 0xc003ee54
[ 145.594635] CPU0 PC (2) : 0xc003ee54
[ 145.598693] CPU0 PC (3) : 0xc003ee54
[ 145.602722] CPU0 PC (4) : 0xc003ee54
[ 145.606781] CPU0 PC (5) : 0xc003ee54
[ 145.610839] CPU0 PC (6) : 0xc003ee54
[ 145.614898] CPU0 PC (7) : 0xc003ee54
[ 145.619110] CPU0 PC (8) : 0xc003ee54
[ 145.623168] CPU0 PC (9) : 0xc003ee54
[ 145.627227] CPU1 PC (0) : 0xc0019b2c
[ 145.631408] CPU1 PC (1) : 0xc0019b2c
[ 145.635467] CPU1 PC (2) : 0xc0019b2c
[ 145.639495] CPU1 PC (3) : 0xc0019b2c
[ 145.643707] CPU1 PC (4) : 0xc0019b2c
[ 145.647766] CPU1 PC (5) : 0xc0019b2c
[ 145.651824] CPU1 PC (6) : 0xc0019b2c
[ 145.656005] CPU1 PC (7) : 0xc0019b2c
[ 145.660064] CPU1 PC (8) : 0xc0019b2c
[ 145.664123] CPU1 PC (9) : 0xc0019b2c
[ 145.668182]
[ 145.669952] Restarting Linux version 3.4.83-gd2afc0bae69 (build@14-use1a-b-39) (gcc version 4.7 (GCC) ) #1 SMP PREEMPT Tue Sep 19 22:04:47 UTC 2017
[ 145.669982]
(CVE-2018-11024)Amazon Kindle Fire HD (3rd) Fire OS kernel组件安全漏洞