w h y ? y o u a r e h e r e ?

About a month ago, when I was looking at the android kernle source code, I found a strange logic, it could trigger the device crash by bypassing the detection logic. I test it in Nexus 4 and the security patch level is 20161005.

Read more »

Illegal access caused by an empty list. This problem is not repaired, I only test it in Nexus4 and Nexus5 with the security patch level 20161005. It will cause kernel panic.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
static ssize_t  msm_bus_dbg_update_request_write(struct file *file,
const char __user *ubuf, size_t cnt, loff_t *ppos)

{

...
list_for_each_entry(cldata, &cl_list, list) {
if (strstr(chid, cldata->pdata->name)) {
cldata = cldata;
strsep(&chid, " ");
if (chid) {
ret = strict_strtoul(chid, 10, &index);
if (ret) {
MSM_BUS_DBG("Index conversion"
" failed\n");
return -EFAULT;
}
} else
MSM_BUS_DBG("Error parsing input. Index not"
" found\n");
break;
}
}

msm_bus_dbg_update_request(cldata, index);
kfree(buf);
return cnt;
}
Read more »

你们这些人啊,每年年底都想搞个大新闻。。。

Linux内核 >= 2.6.22(2007年发行)以后的版本都受到影响,同时影响到android系统。

Linux内核的内存子系统在处理写时拷贝(Copy-on-Write)时存在条件竞争漏洞,导致可以破坏私有只读内存映射。一个低权限的本地用户能够利用此漏洞获取其他只读内存映射的写权限,有可能进一步导致提权漏洞。

Read more »

cve-2016-3768

Due to the duplicate constraints, arch/arm/mach-msm/perf_event_msm_krait_l2.c
drivers marks the event as OFF but returns TRUE to perf_event.c which
goes ahead and allocates the hw_event and enables it.

Since event is marked OFF, kernel events core will try to enable this event
again during next perf_event_enable. Which results in same event enabled
on multiple hw_events. But during the perf_release, event struct is freed
and only one hw_event is released. This results in dereferencing the
invalid pointer and hence the crash.

Read more »

在linux 内核3.16版本之前的fs/pipe.c当中,由于pipe_read和pipe_write没有考虑到拷贝过程中数据没有同步的一些临界情况,造成了拷贝越界的问题,因此有可能导致系统crash以及系统权限提升。这种漏洞又称之为”I/O vector array overrun”。

Read more »