why? you are here?

About a month ago, when I was looking at the Android kernel source code, I found a strange piece of logic: it could trigger a device crash by bypassing the detection logic. I tested it on a Nexus 4 with security patch level 20161005.


Illegal access caused by an empty list. This problem has not been repaired; I have only tested it on a Nexus 4 and a Nexus 5 with security patch level 20161005. It will cause a kernel panic.

```c
static ssize_t msm_bus_dbg_update_request_write(struct file *file,
				const char __user *ubuf, size_t cnt, loff_t *ppos)
{
	...
	/* cldata is only ever assigned inside this loop. If cl_list is empty
	 * (or no entry name matches), the loop leaves cldata pointing at the
	 * list head container rather than at a valid client entry. */
	list_for_each_entry(cldata, &cl_list, list) {
		if (strstr(chid, cldata->pdata->name)) {
			cldata = cldata;
			strsep(&chid, " ");
			if (chid) {
				ret = strict_strtoul(chid, 10, &index);
				if (ret) {
					MSM_BUS_DBG("Index conversion"
						" failed\n");
					return -EFAULT;
				}
			} else
				MSM_BUS_DBG("Error parsing input. Index not"
					" found\n");
			break;
		}
	}

	/* Called unconditionally, with no check that a client was found. */
	msm_bus_dbg_update_request(cldata, index);
	kfree(buf);
	return cnt;
}
```

You people, every year at the end of the year you want to make big news...

Linux kernel versions >= 2.6.22 (released in 2007) are affected, and the Android system is affected as well.

The Linux kernel's memory subsystem has a race condition in its handling of copy-on-write (COW), which makes it possible to corrupt private read-only memory mappings. A low-privileged local user can exploit this flaw to gain write access to otherwise read-only memory mappings, which may further lead to privilege escalation.


patch:
```
static int is_ashmem_file(struct file *file)
{
-	char fname[256], *name;
-	name = dentry_path(file->f_dentry, fname, 256);
-	re ...
```

patch:
```
diff --git a/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c b/drivers/media/platform/msm/camera_v2/isp/msm_isp_util.c
...
```