影响所有Nexus手机的漏洞,浅析CVE-2015-1805

Android安全-Root漏洞分析 专栏收录该内容
14 篇文章 2 订阅

 

 

0x0  漏洞信息

影响所有Nexus手机和部分Android手机的漏洞,Google于2016/03/18发布了公告修复,具体请看链接.

http://www.cvedetails.com/cve-details.php?t=1&cve_id=cve-2015-1805X

http://source.android.com/security/advisory/2016-03-18.html

 

0x1  漏洞描述

在linux 内核3.16版本之前的fs/pipe.c当中,由于pipe_read和pipe_write没有考虑到拷贝过程中数据没有同步的一些临界情况,造成了拷贝越界的问题,因此有可能导致系统crash以及系统权限提升.这种漏洞又称之为” I/O vector array overrun”

 

 

0x2  代码分析

 

 

//摘自fs/pipe.c:
static ssize_t
pipe_read(struct kiocb *iocb, const struct iovec *_iov,
	   unsigned long nr_segs, loff_t pos)
{
	struct file *filp = iocb->ki_filp;
	struct pipe_inode_info *pipe = filp->private_data;
	int do_wakeup;
	ssize_t ret;
	struct iovec *iov = (struct iovec *)_iov;
	size_t total_len;
	total_len = iov_length(iov, nr_segs);
	/* Null read succeeds. */
	if (unlikely(total_len == 0))
		return 0;
	do_wakeup = 0;
	ret = 0;
	__pipe_lock(pipe);
	for (;;) {
		int bufs = pipe->nrbufs;
		if (bufs) {
			int curbuf = pipe->curbuf;
			struct pipe_buffer *buf = pipe->bufs + curbuf;
			const struct pipe_buf_operations *ops = buf->ops;
			void *addr;
			size_t chars = buf->len;
			int error, atomic;
			if (chars > total_len)
				chars = total_len;
			error = ops->confirm(pipe, buf);
			if (error) {
				if (!ret)
					ret = error;
				break;
			}

			//(1)
			atomic = !iov_fault_in_pages_write(iov, chars);
redo:
			addr = ops->map(pipe, buf, atomic);

			//(2)
			error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic);
			ops->unmap(pipe, buf, addr);
			if (unlikely(error)) {
				/*
				 * Just retry with the slow path if we failed.
				 */
				//(3)
				if (atomic) {
					atomic = 0;
					goto redo;
				}
				if (!ret)
					ret = error;
				break;
			}
			ret += chars;
			buf->offset += chars;
			buf->len -= chars;
			/* Was it a packet buffer? Clean up and exit */
			if (buf->flags & PIPE_BUF_FLAG_PACKET) {
				total_len = chars;
				buf->len = 0;
			}
			if (!buf->len) {
				buf->ops = NULL;
				ops->release(pipe, buf);
				curbuf = (curbuf + 1) & (pipe->buffers - 1);
				pipe->curbuf = curbuf;
				pipe->nrbufs = --bufs;
				do_wakeup = 1;
			}

			(5)//在这里更新total_len
			total_len -= chars;
			if (!total_len)
				break;	/* common path: read succeeded */
		}
		if (bufs)	/* More to do? */
			continue;
		if (!pipe->writers)
			break;
		if (!pipe->waiting_writers) {
			/* syscall merging: Usually we must not sleep
			 * if O_NONBLOCK is set, or if we got some data.
			 * But if a writer sleeps in kernel space, then
			 * we can wait for that data without violating POSIX.
			 */
			if (ret)
				break;
			if (filp->f_flags & O_NONBLOCK) {
				ret = -EAGAIN;
				break;
			}
		}
		if (signal_pending(current)) {
			if (!ret)
				ret = -ERESTARTSYS;
			break;
		}
		if (do_wakeup) {
			wake_up_interruptible_sync_poll(&pipe->wait, POLLOUT | POLLWRNORM);
 			kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
		}
		pipe_wait(pipe);
	}
	__pipe_unlock(pipe);
	/* Signal writers asynchronously that there is more room. */
	if (do_wakeup) {
		wake_up_interruptible_sync_poll(&pipe->wait, POLLOUT | POLLWRNORM);
		kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT);
	}
	if (ret > 0)
		file_accessed(filp);
	return ret;
}

 

 

 

(1).首先pipe_read()函数会先循环读取iovec结构,并且通过iov_fault_in_pages_write()函数判断iov->len是否大于0,且iov->base指向的地址是否可写且处于用户态,之后返回atomic.

(2)如果atomic=1,则pipe_iov_copy_to_user ->__copy_to_user_inatomic ->

__copy_to_user_nocheck;如果atomic=0,则pipe_iov_copy_to_user -> copy_to_user -> access_ok.

(3).如果atomic为1,pipe_iov_copy_to_user拷贝出现错误,会进入redo的逻辑,将再次调用pipe_iov_copy_to_user函数进行拷贝,且将atomic置为0.但是pipe_iov_copy_to_user的第三个参数chars并没有更新,还是会拷贝total_len大小的数据

 

static int
pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
		      int atomic)
{
	unsigned long copy;
	while (len > 0) 
	{
		while (!iov->iov_len)
			iov++;
		copy = min_t(unsigned long, len, iov->iov_len);
		if (atomic) 
		{
			if (__copy_to_user_inatomic(iov->iov_base, from, copy))
				//(4)
				return -EFAULT;
		} 
		else 
		{
			if (copy_to_user(iov->iov_base, from, copy))
				//(4)
				return -EFAULT;
		}
		from += copy;
		len -= copy;
		iov->iov_base += copy;
		//每次对iov->iov_len进行更新
		iov->iov_len -= copy;
	}
	return 0;
}

 

4. 如果copy到某种情况出错返回,已经copy成功的iov->len会被减去但总长度total_len并不会同步减去.也就是说如果total_len是0x100,第一次消耗掉了x;再次进入redo逻辑后还是0x100,然而实际已经被消耗掉了x.

 

 

0x3  具体探究

假设有一个iov结构,total_len为0x40,len为0x20.

iov[0]:iov_base = 0xdead0000 iov_len = 0x10

iov[1]:iov_base = 0xdead1000 iov_len = 0x10

iov[2]:iov_base = 0xdead2000 iov_len = 0x10

iov[3]:iov_base = 0xdead3000 iov_len = 0x10

 

如果iov[1].iov_base的地址被设置成不可写入.那么第一次pipe_iov_copy_to_user()会返回失败.而iov->iov_base += copy,iov->iov_len -= copy.

 

iov[0]:iov_base = 0xdead0010 iov_len = 0

iov[1]:iov_base = 0xdead1000 iov_len = 0x10

iov[2]:iov_base = 0xdead2000 iov_len = 0x10

iov[3]:iov_base = 0xdead3000 iov_len = 0x10

 

现在,redo的逻辑发生在0xdead0010,它以某种方式被设置成可写,并且len仍未0x20.那么iov[1]和iov[2]都将被用掉.

 

iov[0]:iov_base = 0xdead0010 iov_len = 0

iov[1]:iov_base = 0xdead1010 iov_len = 0

iov[2]:iov_base = 0xdead2010 iov_len = 0

iov[3]:iov_base = 0xdead3000 iov_len = 0x10

 

在注释(5)中,根据total_len -= chars;那么total_len的大小就被设置为0x20(0x40-0x20).如果total_len变为了0x20,可我们iov[3]的大小只有0x10.这就会导致pipe_iov_copy_to_user()函数有可能读取到一个未知的iov[4].具体来查看下代码

static int iov_fault_in_pages_write(struct iovec *iov, unsigned long len)
{
    //(6)
	while (!iov->iov_len)
		iov++;
	while (len > 0) {
		unsigned long this_len;
		this_len = min_t(unsigned long, len, iov->iov_len);
		if (fault_in_pages_writeable(iov->iov_base, this_len))
			break;
		len -= this_len;
		iov++;
	}
	return len;
}

static inline int fault_in_pages_writeable(char __user *uaddr, int size)
{
        int ret;
        if (unlikely(size == 0))
                return 0;
        /*
         * Writing zeroes into userspace here is OK, because we know that if
         * the zero gets there, we'll be overwriting it.
        */
        ret = __put_user(0, uaddr);
        if (ret == 0) {
                char __user *end = uaddr + size - 1;
                /*
                * If the page was already mapped, this will get a cache miss
                 * for sure, so try to avoid doing it.
                 */
                if (((unsigned long)uaddr & PAGE_MASK) !=
                                ((unsigned long)end & PAGE_MASK))
                        ret = __put_user(0, end);
       }
        return ret;
}

 

在iov_fault_in_pages_write()函数中的注释(6),也就意味着iov[0],iov[1],iov[2]都会被跳过,iov[3]被用掉.之后len -= this_len;len被设置为0x10.iov的指针将指向一块未知的内存区域.iov[4].iov_base将被__put_user使用.

 

 

0x4  如何利用

核心的思路就是想办法触发redo的逻辑,之后精心构造一个readv()调用.把payload结构定义在已经被校验过的iov数组后,让它成为__put_user()等函数调用的目标地址.如果我们再以某种方式让构造的slab结构在iov数组后包含一个函数指针,让它指向要写的内核地址.

1.   第一次循环要保证pipe_iov_copy_to_user()函数失败,这样会进入redo逻辑

2.   第二次要保证pipe_iov_copy_to_user()成功,但是不能在这里overrun,否则会走向copy_to_user,要校验地址,所以还是无法写内核地址

3.   当iov->len走完之后,total_len还有剩余,所以第三次循环的时候,atomic=1.可以overrun触发

4.   第一次要保证失败,也就是说需要把iov_base的地址设置成不可写,第二次要成功,就要保证iov_base的地址有效.所以这里可以通过创建竞争关系的线程,调用mmap/munmap等函数来实现.

 

0x5  POC

 

我测试的Nexus 6p  6.0.1系统会crash掉.

 

Talk is cheap,show me the code…

Github:

https://github.com/panyu6325/CVE-2015-1805.git

 

  • 1
    点赞
  • 0
    评论
  • 0
    收藏
  • 一键三连
    一键三连
  • 扫一扫,分享海报

©️2021 CSDN 皮肤主题: 大白 设计师:CSDN官方博客 返回首页
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、C币套餐、付费专栏及课程。

余额充值