ILLEGAL ACCESS CAUSED BY AN EMPTY LIST

Illegal access caused by an empty list. This problem is not repaired, I only test it in Nexus4 and Nexus5 with the security patch level 20161005. It will cause kernel panic.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
static ssize_t  msm_bus_dbg_update_request_write(struct file *file,
const char __user *ubuf, size_t cnt, loff_t *ppos)

{

...
list_for_each_entry(cldata, &cl_list, list) {
if (strstr(chid, cldata->pdata->name)) {
cldata = cldata;
strsep(&chid, " ");
if (chid) {
ret = strict_strtoul(chid, 10, &index);
if (ret) {
MSM_BUS_DBG("Index conversion"
" failed\n");
return -EFAULT;
}
} else
MSM_BUS_DBG("Error parsing input. Index not"
" found\n");
break;
}
}

msm_bus_dbg_update_request(cldata, index);
kfree(buf);
return cnt;
}

LIST_HEAD(cl_list);

1
2
3
4
#define LIST_HEAD_INIT(name) { &(name), &(name) }

#define LIST_HEAD(name) \
struct list_head name = LIST_HEAD_INIT(name)

if cl_list don’t have any node, prev and next is point to itself;

list_for_each_entry func:

1
2
3
4
#define list_for_each_entry(pos, head, member)				\
for (pos = list_entry((head)->next, typeof(*pos), member); \
&pos->member != (head); \
pos = list_entry(pos->member.next, typeof(*pos), member))

in this func, &pos->member == (head);

now, see cldata struct:

1
2
3
4
5
6
7
8
9
10
struct msm_bus_cldata *cldata;
struct msm_bus_cldata {
const struct msm_bus_scale_pdata *pdata;
int index;
uint32_t clid;
int size;
struct dentry *file;
struct list_head list; // offset 0x14
char buffer[MAX_BUFF_SIZE];
};

pos = list_entry((head)->next, typeof(*pos), member);
cldata = &head - 0x14 = &cl_list - 0x14;

in msm_bus_dbg_update_request func:

1
2
3
4
5
6
7
8
9
10
11
static int msm_bus_dbg_update_request(struct msm_bus_cldata *cldata, int index)
{

int ret = 0;

if ((index < 0) || (index > cldata->pdata->num_usecases)) {
MSM_BUS_DBG("Invalid index!\n");
return -EINVAL;
}
ret = msm_bus_scale_client_update_request(cldata->clid, index);
return ret;
}

when access cldata->pdata->num_usecases, and cldata->pdata point to unknow address, it will cause kernel panic.

also, cl_list address is exports in nexus 5,
the cl_list address = 0xC1064F44,
so cldata = 0xC1064F44 - 0x14 = 0xC1064F30,
but cldata->pdata = [0xC1064F30] = 0,
so cldata->pdata->num_usecases will access address 0x4.

last_kmsg:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
[   58.790209] Unable to handle kernel NULL pointer dereference at virtual address 00000004
[ 58.790683] pgd = ea458000
[ 58.791290] [00000004] *pgd=32ab7831, *pte=00000000, *ppte=00000000
[ 58.792167] Internal error: Oops: 17 [#1] PREEMPT SMP ARM
[ 58.792585] CPU: 0 Not tainted (3.4.0-gd59db4e #1)
[ 58.792844] PC is at msm_bus_dbg_update_request_write+0x164/0x22c
[ 58.793256] LR is at msm_bus_dbg_update_request_write+0xf0/0x22c
[ 58.793491] pc : [<c01811c8>] lr : [<c0181154>] psr: 60000013
[ 58.793505] sp : ea771f08 ip : 00000034 fp : ea771f3c
[ 58.794106] r10: c10d1278 r9 : ea770000 r8 : eb67ce40
[ 58.794511] r7 : 00000011 r6 : eb67ce40 r5 : c1065004 r4 : c1064ff0
[ 58.794742] r3 : 00000000 r2 : 00000061 r1 : 00000000 r0 : 00000000
[ 58.795152] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 58.795556] Control: 10c5787d Table: 3285806a DAC: 00000015
[ 58.795782]
[ 58.795789] PC: 0xc0181148:
[ 58.796376] 1148 e1a00006 e5931008 eb09c65c e3500000 0afffff5 e24b0028 e59f10fc eb09c5cb
[ 58.798445] 1168 e51b0028 e3500000 0a000009 e3a0100a e24b202c eb09e506 e3500000 0a00000b
[ 58.800668] 1188 e1da3ab2 e3130004 1a000023 e3e0000d eaffffd1 e1da3bba e3130004 0a000003
[ 58.802891] 11a8 e59f10b8 e59f20b8 e59f00b8 eb0a1872 e51b102c e3510000 ba000003 e5943000
[ 58.804974] 11c8 e5933004 e1510003 da000006 e1da3db2 e3130004 1a00000b e1a00008 eb037a79
[ 58.807237] 11e8 e1a00007 eaffffbc e5940008 ebffec38 eafffff8 e59f0070 e59f1064 eb225d0c
[ 58.809497] 1208 e3e0000b eaffffb4 e59f1060 e59f2060 e59f0060 eb0a1858 eaffffee e59f0058
[ 58.811567] 1228 e59f1058 e59f2038 eb0a1853 e3e0000d eaffffa9 e3a03004 e28a0078 e58d3000
[ 58.813651]
...
[ 58.957523]
[ 58.957530] R10: 0xc10d11f8:
[ 58.957944] 11f8 00000090 00000000 c0d0eb0c c0b07c58 c0d0eb1c c0d0eb90 00000098 00000000
[ 58.960189] 1218 c0d0eb0c c0b07c58 c0d0eb1c c0d0eb6c 000000ad 00000000 c0d0eb0c c0b07c70
[ 58.962412] 1238 c0d0eb1c c0d0ebe0 000000cb 00000000 c0d0eb0c c0b07c8c c0d0eb1c c0d0ebc4
[ 58.964503] 1258 00000043 00000000 c0d0eb0c c0b07c8c c0d0eb1c c0d0ebc4 0000004a 00000000
[ 58.966752] 1278 c0d0f328 c0b07ca8 c0d0f334 c0d0f564 000000b0 00000000 c0d0f328 c0b07cbc
[ 58.969009] 1298 c0d0f334 c0d0f53c 000000c1 00000000 c0d0f328 c0b07cd0 c0d0f334 c0d0f51c
[ 58.971269] 12b8 000000d2 00000000 c0d0f328 c0b07ce4 c0d0f334 c0d0f4fc 000000e2 00000000
[ 58.973357] 12d8 c0d0f328 c0b07cf8 c0d0f334 c0d0f44c 000000f2 00000000 c0d0f328 c0b07d0c
[ 58.975435] Process fuzz (pid: 3242, stack limit = 0xea7702f0)
[ 58.975846] Stack: (0xea771f08 to 0xea772000)
[ 58.976081] 1f00: ea2ef800 eb299548 00000000 eb67ce40 eb299540 00000011
[ 58.976503] 1f20: 000263eb ea771f78 00000011 00000000 ea771f6c ea771f40 c0264608 c0181070
[ 58.976745] 1f40: c026e744 c025f294 ea771f94 00000000 00000000 eb299540 000263eb 00000011
[ 58.977164] 1f60: ea771fa4 ea771f70 c0264774 c0264564 0002d4a4 00000000 00000000 00000000
[ 58.977581] 1f80: c0107544 0002d4a4 00000004 0000881d 00000004 c0107544 00000000 ea771fa8
[ 58.977999] 1fa0: c0107300 c0264738 0002d4a4 00000004 00000004 000263eb 00000011 00000000
[ 58.978238] 1fc0: 0002d4a4 00000004 0000881d 00000004 000080f4 00000000 00000000 be9fea9c
[ 58.978651] 1fe0: 0002bec8 be9fea40 000089ef 0000e654 20000010 00000004 00000000 00000000
[ 58.979111] [<c01811c8>] (msm_bus_dbg_update_request_write+0x164/0x22c) from [<c0264608>] (vfs_write+0xb0/0x154)
[ 58.979565] [<c0264608>] (vfs_write+0xb0/0x154) from [<c0264774>] (sys_write+0x48/0x80)
[ 58.979835] [<c0264774>] (sys_write+0x48/0x80) from [<c0107300>] (ret_fast_syscall+0x0/0x30)
[ 58.980261] Code: e51b102c e3510000 ba000003 e5943000 (e5933004)
[ 58.983832] ---[ end trace 114cfb12a6c4858a ]---
[ 58.985413] Kernel panic - not syncing: Fatal exception
[ 59.985839] Rebooting in 5 seconds..
[ 64.987517] Going down for restart now
[ 64.988789] Calling SCM to disable SPMI PMIC arbiter

POC