漏洞介绍
CVE-2015-3636 这个漏洞能用来提升权限,对于android 4.3以后的设备都能提升权限,包括64位的系统,漏洞利用了kernel UAF(use-after-free) bug.
BUG 分析
当我们创建一个icmp socket, 并且调用connect:
/* Trigger setup: an AF_INET datagram socket with IPPROTO_ICMP, then connect().
 * Neither the socket() nor the connect() result is checked in this excerpt;
 * a failed socket() (negative fd) would simply be handed to connect(). */
int sockfd = socket(AF_INET,SOCK_DGRAM, IPPROTO_ICMP);
/* Only sa_family is set; the designated initializer zero-fills the rest of addr. */
struct sockaddr addr
= { .sa_family = AF_INET };
int ret = connect(sockfd, &addr,sizeof(addr));
那么内核里就会调用:
/*
 * inet_dgram_connect - connect() entry for AF_INET datagram sockets.
 * @sock:     the socket being connected
 * @uaddr:    address supplied by the caller (already copied in; sa_family is inspected here)
 * @addr_len: length of @uaddr
 * @flags:    passed through to the protocol's disconnect hook only
 *
 * Returns 0 or a negative errno from this function, otherwise whatever the
 * protocol-specific disconnect()/connect() hook returns.
 */
int inet_dgram_connect(struct socket *sock, struct sockaddr * uaddr,
int addr_len, int flags)
{
struct sock *sk = sock->sk;
/* Reject lengths too short to even hold sa_family. Note addr_len is a signed
 * int compared against a size_t; a negative value would not be caught here,
 * so the syscall layer is presumably expected to have validated it — confirm. */
if (addr_len < sizeof(uaddr->sa_family))
return -EINVAL;
/* AF_UNSPEC means "disconnect": dispatch to the protocol's disconnect hook.
 * For the ICMP socket set up above this is the path the page follows next
 * (udp_disconnect below); the UAF analysis continues there. */
if (uaddr->sa_family == AF_UNSPEC)
return sk->sk_prot->disconnect(sk, flags);
/* No local port yet: autobind before connecting; failure is reported as -EAGAIN. */
if (!inet_sk(sk)->inet_num && inet_autobind(sk))
return -EAGAIN;
/* Everything else is protocol-specific. */
return sk->sk_prot->connect(sk, (struct sockaddr *)uaddr, addr_len);
}
EXPORT_SYMBOL(inet_dgram_connect);
int udp_disconnect(struct sock *sk, int flags)
{
struct inet_sock *inet =