bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/android/dos/38557.txt
Offensive Security d63de06c7a DB: 2022-11-10 
2776 changes to exploits/shellcodes/ghdb
2022-11-10 16:39:50 +00:00

59 lines
No EOL
2.4 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Source: https://code.google.com/p/google-security-research/issues/detail?id=492
The Samsung Graphics 2D driver (/dev/fimg2d) is accessible by unprivileged users/applications. It was found that the ioctl implementation for this driver contains a locking error which can lead to memory errors (such as use-after-free) due to a race condition.
The key observation is in the locking routine definitions in fimg2d.h:
#ifdef BLIT_WORKQUE
#define g2d_lock(x) do {} while (0)
#define g2d_unlock(x) do {} while (0)
#define g2d_spin_lock(x, f) spin_lock_irqsave(x, f)
#define g2d_spin_unlock(x, f) spin_unlock_irqrestore(x, f)
#else
#define g2d_lock(x) mutex_lock(x)
#define g2d_unlock(x) mutex_unlock(x)
#define g2d_spin_lock(x, f) do { f = 0; } while (0)
#define g2d_spin_unlock(x, f) do { f = 0; } while (0)
#endif
This means that the g2d_lock/g2d_unlock routines are no-ops when BLIT_WORKQUE is defined, which appears to be the default configuration. Unfortunately the alternative spin lock routines are not used consistently with this configuration. For example, the FIMG2D_BITBLT_BLIT ioctl command (with notes annotated as "PZ"):
ctx = file->private_data; /* PZ: ctx allocated at open(), lives on the heap. */
switch (cmd) {
case FIMG2D_BITBLT_BLIT:
mm = get_task_mm(current);
if (!mm) {
fimg2d_err("no mm for ctx\n");
return -ENXIO;
}
g2d_lock(&ctrl->drvlock); /* PZ: This is a no-op. */
ctx->mm = mm;
ret = fimg2d_add_command(ctrl, ctx, (struct fimg2d_blit __user *)arg);
if (ret) {
...
}
ret = fimg2d_request_bitblt(ctrl, ctx); /* PZ: Does stuff with the ctx. */
if (ret) {
...
}
g2d_unlock(&ctrl->drvlock); /* PZ: Another no-op */
As the lock macros are no-ops, a second process can change ctx->mm when the original process is still using the same ctx->mm (as long as it has access to the same file descriptor).
Reproduction steps:
Open /dev/fimg2d
Fork to get two processes with different mms with the access to the fd
Concurrently call the FIMG2D_BITBLT_BLIT ioctl from both processes.
One ioctl should have valid data, the other should fail
At this point ctx->mm will now have invalid or free data (free if the forked process dies). Proof-of-concept code to trigger this condition is attached (fimg2d-lock.c)
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38557.zip
Reference in a new issue View git blame Copy permalink