oss-sec mailing list archives
Re: CVE-2015-8088: Heap Overflow Vulnerability in the HIFI Driver of Huawei Smart Phone
From: Dan Rosenberg <dan.j.rosenberg () gmail com>
Date: Thu, 17 Dec 2015 18:06:12 -0500
Comments inline below. On 12/12/2015 09:51 AM, Pray3r wrote:
> First, with a large value set to para.para_size, the smart phone will break down because of heap overflow inside kernel space. Second, this vulnerability could be used as a kernel information disclosure if para.para_in points to kernel objects and the exploit is wrapped with heap fengshui technique. Third, sophisticated exploitation methodology such as heap spray of thread_info published by Keen Team, an attacker could build a workable exploit gaining the root privilege of the smart phone.
If para.para_in points to a kernel object, the copy_from_user() call will gracefully fail due to the access_ok() check, so there is no possibility for an information leak like you described. Heap fengshui has nothing to do with it. The thread_info struct is allocated using the alloc_pages() buddy allocator, which is different from ioremap(), so this technique does not apply here. Finally, this bug is most likely not exploitable at all (beyond a local DoS), because ioremap() pages are followed by a guard page, meaning your heap overflow would cause a kernel fault/panic before overwriting anything that could be used to violate kernel integrity.
> Security is a bitch!
True.
> |=-----------------------------------------------------------------=|
> |=-----=[ D O N O T F U C K W I T H A H A C K E R ]=-----=|
> |=-----------------------------------------------------------------=|
Sorry for fucking with a hacker,
Dan
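An added example, not code from this thread or from the Huawei driver: a userspace C model of the handler pattern the two messages argue over. Everything in it is hypothetical, namely the struct hifi_para layout, the fixed kernel buffer HIFI_BUF_SIZE, the stand-ins fake_access_ok() and fake_copy_from_user() for the kernel helpers, and a constructed user address space that ends at FAKE_TASK_SIZE. It illustrates the two points in Dan's reply: an unchecked para_size lets the copy run past the driver buffer into whatever follows it, while a para_in that lies in kernel space is refused by the access_ok() check before a single byte is copied, so no disclosure results. The hardened handler rejects an oversized length with -EINVAL before touching memory.

```c
/* Hypothetical model of a size-checked vs. unchecked ioctl copy.
 * Not the HIFI driver; all names and constants are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>

#define HIFI_BUF_SIZE   64u      /* hypothetical fixed kernel-side buffer */
#define FAKE_TASK_SIZE  0x10000u /* hypothetical user/kernel address boundary */

/* Hypothetical ioctl argument; only the two fields the thread names. */
struct hifi_para {
    uintptr_t para_in;    /* user pointer, modelled as an offset into user_mem */
    uint32_t  para_size;  /* caller-controlled length */
};

/* Kernel-side arena: the driver buffer followed by a 4-byte sentinel that
 * stands in for whatever object happens to sit after it in memory. */
static unsigned char karea[HIFI_BUF_SIZE + 4];
static const unsigned char sentinel[4] = { 0xA5, 0x5A, 0xA5, 0x5A };

/* Simulated user address space: pseudo-address N is user_mem[N]. */
static unsigned char user_mem[FAKE_TASK_SIZE];

/* Model of access_ok(): the whole [addr, addr+len) range must be user space. */
static int fake_access_ok(uintptr_t addr, size_t len)
{
    return len <= FAKE_TASK_SIZE && addr <= FAKE_TASK_SIZE - len;
}

/* Model of copy_from_user(): returns the number of bytes NOT copied, so a
 * source range that fails access_ok() copies nothing at all. */
static size_t fake_copy_from_user(void *dst, uintptr_t src, size_t len)
{
    if (!fake_access_ok(src, len))
        return len;
    memcpy(dst, &user_mem[src], len);
    return 0;
}

/* Unchecked handler: trusts para_size. The copy is clamped to the arena only
 * so this simulation stays within defined behaviour; a real driver keeps
 * writing until it faults (on the guard page Dan describes). */
int hifi_ioctl_unchecked(const struct hifi_para *p)
{
    size_t n = p->para_size;
    if (n > sizeof(karea))
        n = sizeof(karea);
    if (fake_copy_from_user(karea, p->para_in, n))
        return -EFAULT;
    return 0;
}

/* Hardened handler: reject an oversized request before touching memory. */
int hifi_ioctl_checked(const struct hifi_para *p)
{
    if (p->para_size > HIFI_BUF_SIZE)
        return -EINVAL;
    if (fake_copy_from_user(karea, p->para_in, p->para_size))
        return -EFAULT;   /* also covers para_in pointing into "kernel" space */
    return 0;
}

/* Reset the arena between scenarios and check whether the sentinel survived. */
void hifi_reset(void)
{
    memset(karea, 0, HIFI_BUF_SIZE);
    memcpy(karea + HIFI_BUF_SIZE, sentinel, sizeof(sentinel));
}

int hifi_neighbour_intact(void)
{
    return memcmp(karea + HIFI_BUF_SIZE, sentinel, sizeof(sentinel)) == 0;
}

/* Scenario 1 (constructed input): a user buffer of 'A's with para_size
 * four times the kernel buffer. */
int scenario_oversized(int (*handler)(const struct hifi_para *))
{
    struct hifi_para p = { 0x100, HIFI_BUF_SIZE * 4 };
    memset(user_mem, 0x41, sizeof(user_mem));
    hifi_reset();
    return handler(&p);
}

/* Scenario 2 (constructed input): para_in "points at a kernel object". */
int scenario_kernel_pointer(int (*handler)(const struct hifi_para *))
{
    struct hifi_para p = { FAKE_TASK_SIZE + 0x100, 16 };
    hifi_reset();
    return handler(&p);
}

int main(void)
{
    int rc = scenario_oversized(hifi_ioctl_unchecked);
    printf("unchecked, oversized: rc=%d neighbour intact=%d\n", rc, hifi_neighbour_intact());
    rc = scenario_oversized(hifi_ioctl_checked);
    printf("checked,   oversized: rc=%d neighbour intact=%d\n", rc, hifi_neighbour_intact());
    rc = scenario_kernel_pointer(hifi_ioctl_unchecked);
    printf("unchecked, kernel ptr: rc=%d neighbour intact=%d\n", rc, hifi_neighbour_intact());
    return 0;
}
```

The sentinel after the buffer is the simulation's stand-in for a neighbouring allocation: the unchecked handler overwrites it and reports success, the checked handler refuses the request with -EINVAL and leaves it untouched, and both handlers get -EFAULT back from the copy helper when the source range is outside user space, which is the behaviour Dan attributes to access_ok().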