影响所有Nexus手机的漏洞,浅析CVE-2015-1805
2016-03-24 13:37:02 来源:360VulpeckerTeam 作者:360安全卫士
阅读:22821次 点赞(10) 收藏(8)
By @少仲
From 360 VulpeckerTeam
0x0 漏洞信息
影响所有Nexus手机和部分Android手机的漏洞,Google于2016/03/18发布了公告修复,具体请看链接.
http://www.cvedetails.com/cve-details.php?t=1&cve_id=cve-2015-1805X
http://source.android.com/security/advisory/2016-03-18.html
0x1 漏洞描述
在linux 内核3.16版本之前的fs/pipe.c当中,由于pipe_read和pipe_write没有考虑到拷贝过程中数据没有同步的一些临界情况,造成了拷贝越界的问题,因此有可能导致系统crash以及系统权限提升.这种漏洞又称之为” I/O vector array overrun”
0x2 代码分析
//摘自fs/pipe.c:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
|
static ssize_t pipe_read( struct kiocb *iocb, const struct iovec *_iov, unsigned long nr_segs, loff_t pos) { struct file *filp = iocb->ki_filp; struct pipe_inode_info *pipe = filp->private_data; int do_wakeup; ssize_t ret; struct iovec *iov = ( struct iovec *)_iov; size_t total_len; total_len = iov_length(iov, nr_segs); /* Null read succeeds. */ if (unlikely(total_len == 0)) return 0; do_wakeup = 0; ret = 0; __pipe_lock(pipe); for (;;) { int bufs = pipe->nrbufs; if (bufs) { int curbuf = pipe->curbuf; struct pipe_buffer *buf = pipe->bufs + curbuf; const struct pipe_buf_operations *ops = buf->ops; void *addr; size_t chars = buf->len; int error, atomic; if (chars > total_len) chars = total_len; error = ops->confirm(pipe, buf); if (error) { if (!ret) ret = error; break ; } //(1) atomic = !iov_fault_in_pages_write(iov, chars); redo: addr = ops->map(pipe, buf, atomic); //(2) error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic); ops->unmap(pipe, buf, addr); if (unlikely(error)) { /* * Just retry with the slow path if we failed. */ //(3) if (atomic) { atomic = 0; goto redo; } if (!ret) ret = error; break ; } ret += chars; buf->offset += chars; buf->len -= chars; /* Was it a packet buffer? Clean up and exit */ if (buf->flags & PIPE_BUF_FLAG_PACKET) { total_len = chars; buf->len = 0; } if (!buf->len) { buf->ops = NULL; ops->release(pipe, buf); curbuf = (curbuf + 1) & (pipe->buffers - 1); pipe->curbuf = curbuf; pipe->nrbufs = --bufs; do_wakeup = 1; } |
(5)//在这里更新total_len
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
|
total_len -= chars; if (!total_len) break ; /* common path: read succeeded */ } if (bufs) /* More to do? */ continue ; if (!pipe->writers) break ; if (!pipe->waiting_writers) { /* syscall merging: Usually we must not sleep * if O_NONBLOCK is set, or if we got some data. * But if a writer sleeps in kernel space, then * we can wait for that data without violating POSIX. */ if (ret) break ; if (filp->f_flags & O_NONBLOCK) { ret = -EAGAIN; break ; } } if (signal_pending(current)) { if (!ret) ret = -ERESTARTSYS; break ; } if (do_wakeup) { wake_up_interruptible_sync_poll(&pipe->wait, POLLOUT | POLLWRNORM); kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT); } pipe_wait(pipe); } __pipe_unlock(pipe); /* Signal writers asynchronously that there is more room. */ if (do_wakeup) { wake_up_interruptible_sync_poll(&pipe->wait, POLLOUT | POLLWRNORM); kill_fasync(&pipe->fasync_writers, SIGIO, POLL_OUT); } if (ret > 0) file_accessed(filp); return ret; } |
(1).首先pipe_read()函数会先循环读取iovec结构,并且通过iov_fault_in_pages_write()函数判断iov->len是否大于0,且iov->base指向的地址是否可写且处于用户态,之后返回atomic.
(2)如果atomic=1,则pipe_iov_copy_to_user -> __copy_to_user_inatomic ->
__copy_to_user_nocheck;如果atomic=0,则pipe_iov_copy_to_user -> copy_to_user -> access_ok.
(3).如果atomic为1,pipe_iov_copy_to_user拷贝出现错误,会进入redo的逻辑,将再次调用pipe_iov_copy_to_user函数进行拷贝,且将atomic置为0.但是pipe_iov_copy_to_user的第三个参数chars并没有更新,还是会拷贝total_len大小的数据
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
|
static int pipe_iov_copy_to_user( struct iovec *iov, const void *from, unsigned long len, int atomic) { unsigned long copy; while (len > 0) { while (!iov->iov_len) iov++; copy = min_t(unsigned long , len, iov->iov_len); if (atomic) { if (__copy_to_user_inatomic(iov->iov_base, from, copy)) //(4) return -EFAULT; } else { if (copy_to_user(iov->iov_base, from, copy)) //(4) return -EFAULT; } from += copy; len -= copy; iov->iov_base += copy; //每次对iov->iov_len进行更新 iov->iov_len -= copy; } return 0; } |
4. 如果copy到某种情况出错返回,已经copy成功的iov->len会被减去但总长度total_len并不会同步减去.也就是说如果total_len是0x100,第一次消耗掉了x;再次进入redo逻辑后还是0x100,然而实际已经被消耗掉了x.
0x3 具体探究
假设有一个iov结构,total_len为0x40,len为0x20.
iov[0]: iov_base = 0xdead0000 iov_len = 0x10
iov[1]: iov_base = 0xdead1000 iov_len = 0x10
iov[2]: iov_base = 0xdead2000 iov_len = 0x10
iov[3]: iov_base = 0xdead3000 iov_len = 0x10
如果iov[1].iov_base的地址被设置成不可写入.那么第一次pipe_iov_copy_to_user()会返回失败.而iov->iov_base += copy,iov->iov_len -= copy.
iov[0]: iov_base = 0xdead0010 iov_len = 0
iov[1]: iov_base = 0xdead1000 iov_len = 0x10
iov[2]: iov_base = 0xdead2000 iov_len = 0x10
iov[3]: iov_base = 0xdead3000 iov_len = 0x10
现在,redo的逻辑发生在0xdead0010,它以某种方式被设置成可写,并且len仍未0x20.那么iov[1]和iov[2]都将被用掉.
iov[0]: iov_base = 0xdead0010 iov_len = 0
iov[1]: iov_base = 0xdead1010 iov_len = 0
iov[2]: iov_base = 0xdead2010 iov_len = 0
iov[3]: iov_base = 0xdead3000 iov_len = 0x10
在注释(5)中,根据total_len -= chars;那么total_len的大小就被设置为0x20(0x40 -0x20).如果total_len变为了0x20,可我们iov[3]的大小只有0x10.这就会导致pipe_iov_copy_to_user()函数有可能读取到一个未知的iov[4].具体来查看下代码
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
static int iov_fault_in_pages_write( struct iovec *iov, unsigned long len) { //(6) while (!iov->iov_len) iov++; while (len > 0) { unsigned long this_len; this_len = min_t(unsigned long , len, iov->iov_len); if (fault_in_pages_writeable(iov->iov_base, this_len)) break ; len -= this_len; iov++; } return len; } static inline int fault_in_pages_writeable( char __user *uaddr, int size) { int ret; if (unlikely(size == 0)) return 0; /* * Writing zeroes into userspace here is OK, because we know that if * the zero gets there, we'll be overwriting it. */ ret = __put_user(0, uaddr); if (ret == 0) { char __user *end = uaddr + size - 1; /* * If the page was already mapped, this will get a cache miss * for sure, so try to avoid doing it. */ if (((unsigned long )uaddr & PAGE_MASK) != ((unsigned long )end & PAGE_MASK)) ret = __put_user(0, end); } return ret; } |
在iov_fault_in_pages_write()函数中的注释(6),也就意味着iov[0],iov[1],iov[2]都会被跳过,iov[3]被用掉.之后len -= this_len;len被设置为0x10.iov的指针将指向一块未知的内存区域.iov[4].iov_base将被__put_user使用.
0x4 如何利用
核心的思路就是想办法触发redo的逻辑,之后精心构造一个readv()调用.把payload结构定义在已经被校验过的iov数组后,让它成为__put_user()等函数调用的目标地址.如果我们再以某种方式让构造的slab结构在iov数组后包含一个函数指针,让它指向要写的内核地址.
1.第一次循环要保证pipe_iov_copy_to_user()函数失败,这样会进入redo逻辑
2.第二次要保证pipe_iov_copy_to_user()成功,但是不能在这里overrun,否则会走向copy_to_user,要校验地址,所以还是无法写内核地址
3.当iov->len走完之后,total_len还有剩余,所以第三次循环的时候,atomic=1.可以overrun触发
4.第一次要保证失败,也就是说需要把iov_base的地址设置成不可写,第二次要成功,就要保证iov_base的地址有效.所以这里可以通过创建竞争关系的线程,调用mmap/munmap等函数来实现.
0x5 POC
我测试的Nexus 6p 6.0.1系统会crash掉.
Talk is cheap,show me the code…
Github:
https://github.com/panyu6325/CVE-2015-1805.git
本文由 360安全播报 原创发布,如需转载请注明来源及本文地址。
本文地址:http://bobao.360.cn/learning/detail/2810.html