oss-sec mailing list archives

Re: CVE-2015-8088: Heap Overflow Vulnerability in the HIFI Driver of Huawei Smart Phone


From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Thu, 17 Dec 2015 18:06:12 -0500

Comments inline below.

On 12/12/2015 09:51 AM, Pray3r wrote:

  First, with a large value set to para.para_size, the smart phone
  will break down because of a heap overflow inside kernel space.
  Second, this vulnerability could be used as a kernel information
  disclosure if para.para_in points to kernel objects and the exploit
  is wrapped with the heap fengshui technique.  Third, with a sophisticated
  exploitation methodology such as the heap spray of thread_info published
  by Keen Team, an attacker could build a workable exploit gaining
  root privilege on the smart phone.

If para.para_in points to a kernel object, the copy_from_user() call
will gracefully fail due to the access_ok() check, so there is no
possibility for an information leak like you described. Heap fengshui
has nothing to do with it.

The thread_info struct is allocated using the alloc_pages() buddy
allocator, which is different from ioremap(), so this technique does not
apply here.

Finally, this bug is most likely not exploitable at all (beyond a local
DoS), because ioremap() pages are followed by a guard page, meaning your
heap overflow would cause a kernel fault/panic before overwriting
anything that could be used to violate kernel integrity.

Security is a bitch!

True.

|=-----------------------------------------------------------------=|
|=-----=[ D O   N O T   F U C K   W I T H   A   H A C K E R ]=-----=|
|=-----------------------------------------------------------------=|

Sorry for fucking with a hacker,
Dan
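An added illustration of the defensive points made in this reply, not code from the thread or from the Huawei driver: a userspace C model of an ioctl handler taking a para_in/para_size argument, with the length check the quoted report implies was missing and a stand-in for the access_ok() check that makes copy_from_user() fail on kernel-space sources. The struct layout, KBUF_SIZE and the simulated user region are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the ioctl argument discussed in the thread. */
struct hifi_param {
    const void *para_in;   /* user-space pointer to the input data */
    uint32_t    para_size; /* caller-controlled length of that data */
};

#define KBUF_SIZE 256  /* assumed size of the driver's fixed kernel buffer */
static unsigned char kbuf[KBUF_SIZE];

/* Simulated address split: only this region counts as user space. */
static unsigned char user_mem[4096];
#define USER_START ((uintptr_t)user_mem)
#define USER_END   (USER_START + sizeof user_mem)

/* Stand-in for access_ok(): the whole [p, p+n) range must be user memory. */
static int model_access_ok(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p;
    return a >= USER_START && a <= USER_END && n <= USER_END - a;
}

/* Stand-in for copy_from_user(): refuses kernel-space sources with -EFAULT,
 * which is why a para_in pointing at a kernel object cannot leak anything. */
static int model_copy_from_user(void *dst, const void *src, size_t n)
{
    if (!model_access_ok(src, n))
        return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

/* Hardened handler: bound the length before copying. Returns 0 or -errno. */
int hifi_ioctl_hardened(const struct hifi_param *para)
{
    if (para->para_size == 0 || para->para_size > KBUF_SIZE)
        return -EINVAL;  /* the size check the quoted report implies was missing */
    return model_copy_from_user(kbuf, para->para_in, para->para_size);
}

/* Convenience wrapper for exercising the handler with a pointer and length. */
int try_ioctl(const void *in, uint32_t n)
{
    struct hifi_param p = { in, n };
    return hifi_ioctl_hardened(&p);
}
```

An oversized para_size is rejected before any copy, and a para_in aimed at kbuf (a "kernel" object in this model) is rejected by the access_ok stand-in rather than copied.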
