0x0 Vulnerability information
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6282
0x1 Vulnerability description
In the Linux kernel on ARM v6/v7, the get_user/put_user interfaces do not validate the target address. As the hardware architecture evolved, the domain-switching mechanism that get_user/put_user originally relied on for access control was deprecated, so any kernel code that uses this API may be exposed: an arbitrary application can read and write kernel memory, which leads to privilege escalation.
0x2 Code analysis
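As an added illustration (not code from this page, from the kernel, or from run_root_shell), the following C rendering shows the kind of limit check the kernel fix for this CVE adds on the get_user/put_user path: the user pointer plus its size must stay within the task's address limit and the sum must not wrap around. EXAMPLE_TASK_SIZE is a constructed value standing in for the per-task address limit.

```c
/* Added example: contrasting the unchecked user-pointer handling behind
 * CVE-2013-6282 with a range check in the spirit of the kernel fix.
 * EXAMPLE_TASK_SIZE is constructed (a 3G/1G user/kernel split) and is not
 * read from any real kernel. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EXAMPLE_TASK_SIZE 0xBF000000UL  /* constructed address limit */

/* Vulnerable behaviour: the address is never inspected, so a kernel
 * address supplied by user space is accepted like any other. */
bool unchecked_user_range(uintptr_t addr, size_t size)
{
    (void)addr;
    (void)size;
    return true;
}

/* Fixed behaviour: accept only if [addr, addr + size) lies entirely below
 * the limit. The wrap-around test matters because addr + size can carry
 * past the top of the address space and otherwise look "small". */
bool checked_user_range(uintptr_t addr, size_t size)
{
    uintptr_t end = addr + size;  /* exclusive end of the access */
    if (end < addr)               /* carry out: the range wrapped */
        return false;
    return end <= EXAMPLE_TASK_SIZE;
}

int main(void)
{
    uintptr_t user_addr = 0x00010000UL;    /* constructed user address */
    uintptr_t kernel_addr = 0xC0000000UL;  /* constructed kernel address */
    printf("user   %#lx: unchecked=%d checked=%d\n", (unsigned long)user_addr,
           unchecked_user_range(user_addr, 4), checked_user_range(user_addr, 4));
    printf("kernel %#lx: unchecked=%d checked=%d\n", (unsigned long)kernel_addr,
           unchecked_user_range(kernel_addr, 4), checked_user_range(kernel_addr, 4));
    return 0;
}
```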
// Taken from run_root_shell: resolves a kernel symbol's address by scanning /proc/kallsyms
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

void *kallsyms_get_symbol_address(const char *symbol_name)
{
    FILE *fp;
    char function[BUFSIZ];
    char symbol;
    void *address;
    int ret;

    fp = fopen("/proc/kallsyms", "r");
    if (!fp)
    {
        printf("Failed to open /proc/kallsyms due to %s.\n", strerror(errno));
        return NULL;
    }
    /* Each line has the form "<address> <type> <name>". On kernels with
     * kptr_restrict enabled, unprivileged readers see the address as 0,
     * so the lookup below returns 0 for every symbol. */
    while (!feof(fp))
    {
        ret = fscanf(fp, "%p %c %s", &address, &symbol, function);
        if (ret != 3)
        {
            break;
        }
        if (!strcmp(function, symbol_name))
        {
            fclose(fp);
            return address;
        }
    }
    fclose(fp);
    return NULL;
}