Some examples of kernel infoleak bugs on Android

Recently, as KASLR is slowly being adopted on Android, and because exploits for earlier bugs need to be stable, kernel infoleak bugs are becoming more and more important. Here I want to explain two infoleak bugs on Android: one found by me and now fixed, and another that is a known and fixed bug but very useful because it exists on all Android platforms.

Qualcomm SPMI kernel heap infoleak

Reported in https://code.google.com/p/android/issues/detail?id=221288.

In https://android.googlesource.com/kernel/msm/+/android-7.0.0_r0.7/drivers/spmi/spmi.c line 239:

int spmi_add_device(struct spmi_device *spmidev)
{
    int rc;
    struct device *dev = get_valid_device(spmidev);
    if (!dev) {
        pr_err("invalid SPMI device\n");
        return -EINVAL;
    }
    /* Set the device name */
    dev_set_name(dev, "%s-%p", spmidev->name, spmidev);

Because the spmi_device pointer itself is formatted with %p into the device name, the kernel heap address of each SPMI device object ends up as a directory name under /sys/devices/soc.0/:

angler:/sys/fs $ ls -lZ /sys/devices/soc.0/ | grep -i ffffffc
ls: /sys/devices/soc.0//modalias: Permission denied
ls: /sys/devices/soc.0//subsystem: Permission denied
ls: /sys/devices/soc.0//uevent: Permission denied
drwxr-xr-x  4 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 leds-qpnp-ffffffc00ea22800
drwxr-xr-x  4 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 msm-bcl-ffffffc0061f7c00
drwxr-xr-x  3 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-adc-tm-ffffffc0061f5800
drwxr-xr-x  3 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-coincell-ffffffc0061f5c00
drwxr-xr-x  4 root root u:object_r:sysfs:s0              0 2016-08-30 07:05 qpnp-fg-ffffffc00ea20800
drwxr-xr-x  4 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-flash-led-ffffffc00ea22c00
drwxr-xr-x  3 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-haptic-ffffffc00ea22400
drwxr-xr-x  4 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-labibb-regulator-ffffffc00ea21c00
drwxr-xr-x  4 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-pin-ffffffc0061f4c00
drwxr-xr-x  4 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-pin-ffffffc0061f5000
drwxr-xr-x  4 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-pin-ffffffc0061f7400
drwxr-xr-x  4 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-pin-ffffffc0061f7800
drwxr-xr-x  3 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-power-on-ffffffc0061f4800
drwxr-xr-x  4 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-power-on-ffffffc0061f7000
drwxr-xr-x  3 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-pwm-ffffffc00ea20c00
drwxr-xr-x  3 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-pwm-ffffffc00ea21000
drwxr-xr-x  3 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-pwm-ffffffc00ea21400
drwxr-xr-x  3 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-pwm-ffffffc00ea21800
drwxr-xr-x  3 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-revid-ffffffc0061f4000
drwxr-xr-x  3 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-revid-ffffffc0061f6c00
drwxr-xr-x  4 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-rtc-ffffffc0061f6000
drwxr-xr-x  5 root root u:object_r:sysfs:s0              0 1970-08-13 03:44 qpnp-smbcharger-ffffffc00ea20400
drwxr-xr-x  3 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-temp-alarm-ffffffc0061f4400
drwxr-xr-x  4 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-vadc-ffffffc0061f5400
drwxr-xr-x  4 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-vadc-ffffffc00ea20000
drwxr-xr-x  4 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 qpnp-wled-ffffffc00ea22000
drwxr-xr-x  4 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 spm-regulator-ffffffc0061f6400
drwxr-xr-x  4 root root u:object_r:sysfs:s0              0 2016-08-30 07:06 spm-regulator-ffffffc0061f6800

All of these are SPMI devices.

Note that these entries can also be read from isolated_app, since domain.te permits viewing directories labelled sysfs. There are more such leaks in debugfs, but since debugfs is tightly restricted in newer versions of Android, the value of those bugs is lower.

xt_qtaguid socket object infoleak

I believe this bug was first written about by laginimaineb in August 2015 at http://bits-please.blogspot.com/2015/08/effectively-bypassing-kptrrestrict-on.html, so I will not go into much detail here, just a brief introduction.

/proc/net/xt_qtaguid/ctrl is a globally accessible procfs entry with no SELinux constraint. The following excerpt from qtaguid_ctrl_proc_show() (starting at line 1927 of the quoted source) prints the address of a tagged socket object into that file.

static int qtaguid_ctrl_proc_show(struct seq_file *m, void *v)
{
    struct sock_tag *sock_tag_entry = v;
    uid_t uid;
    long f_count;

    CT_DEBUG("qtaguid: proc ctrl pid=%u tgid=%u uid=%u\n",
         current->pid, current->tgid, from_kuid(&init_user_ns, current_fsuid()));

    if (sock_tag_entry != SEQ_START_TOKEN) {
        uid = get_uid_from_tag(sock_tag_entry->tag);
        CT_DEBUG("qtaguid: proc_read(): sk=%p tag=0x%llx (uid=%u) "
             "pid=%u\n",
             sock_tag_entry->sk,
             sock_tag_entry->tag,
             uid,
             sock_tag_entry->pid
            );
        f_count = atomic_long_read(
            &sock_tag_entry->socket->file->f_count);
        /* the socket pointer is written verbatim into the proc file */
        seq_printf(m, "sock=%p tag=0x%llx (uid=%u) pid=%u "
               "f_count=%lu\n",
               sock_tag_entry->sk,
               sock_tag_entry->tag, uid,
               sock_tag_entry->pid, f_count);

This leak helped us improve the stability of our CVE-2015-3636 exploit.
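Both bugs above have the same shape: a %p-formatted kernel address ends up in a world-readable name or file. The following audit script is an added example, not code from the original post, that checks a device for exactly that pattern: it scans a listing of /sys/devices/soc.0/ and the text of /proc/net/xt_qtaguid/ctrl for 16-digit hex tokens inside the AArch64 kernel address range and reports each one. The sample listing and proc lines embedded in it are constructed to match the formats shown above; when run on a device where those paths exist it scans the real ones instead.

```python
"""Audit helper: flag kernel pointers leaked through sysfs names and procfs text.

Added example, not code from the original post. Scans text such as an `ls`
listing of /sys/devices/soc.0/ or the contents of /proc/net/xt_qtaguid/ctrl
for 16-digit hex tokens that fall inside the AArch64 kernel address range.
The sample inputs below are constructed.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List

# With the 39-bit VA layout used on these devices, kernel addresses occupy
# 0xffffff8000000000 .. 0xffffffffffffffff (the post's values are ffffffc0...).
KERNEL_VA_START = 0xFFFFFF8000000000
KERNEL_VA_END = 0xFFFFFFFFFFFFFFFF

# A 16-digit hex token that is not part of a longer hex run.
HEX16 = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{16})(?![0-9a-fA-F])")

# Constructed sample: directory names modelled on the post's listing, plus
# one benign entry with no pointer in its name.
SYSFS_LISTING = """\
drwxr-xr-x  4 root root u:object_r:sysfs:s0  0 2016-08-30 07:06 qpnp-pin-ffffffc0061f4c00
drwxr-xr-x  3 root root u:object_r:sysfs:s0  0 2016-08-30 07:06 qpnp-pwm-ffffffc00ea20c00
drwxr-xr-x  4 root root u:object_r:sysfs:s0  0 2016-08-30 07:06 leds-qpnp-ffffffc00ea22800
drwxr-xr-x  3 root root u:object_r:sysfs:s0  0 2016-08-30 07:06 regulator.0
"""

# Constructed sample in the "sock=%p tag=0x%llx (uid=%u) pid=%u f_count=%lu"
# format printed by qtaguid_ctrl_proc_show(). The third line imitates a kernel
# that hashes %p output (4.15+): the value is not a kernel address and is ignored.
QTAGUID_CTRL = """\
sock=ffffffc0a1b2c000 tag=0x00000001000027e3 (uid=10123) pid=4242 f_count=2
sock=ffffffc0a1b2d800 tag=0x0 (uid=10045) pid=4301 f_count=1
sock=00000000deadbeef tag=0x0 (uid=10045) pid=4301 f_count=1
"""


@dataclass(frozen=True)
class Finding:
    source: str      # which file or listing the line came from
    line_no: int     # 1-based line number within that text
    address: int     # the leaked kernel address
    line: str        # the offending line, stripped


def looks_like_kernel_va(value: int) -> bool:
    """True if value lies in the kernel half of the AArch64 address space."""
    return KERNEL_VA_START <= value <= KERNEL_VA_END


def scan_text(text: str, source: str) -> List[Finding]:
    """Return every kernel-address-looking token in text, one Finding each."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in HEX16.finditer(line):
            value = int(match.group(1), 16)
            # A 16-digit hex tag or a hashed %p value fails the range test.
            if looks_like_kernel_va(value):
                findings.append(Finding(source, line_no, value, line.strip()))
    return findings


def audit_samples() -> Dict[str, List[Finding]]:
    """Scan the constructed samples; keys name the sources they stand in for."""
    return {
        "/sys/devices/soc.0/": scan_text(SYSFS_LISTING, "/sys/devices/soc.0/"),
        "/proc/net/xt_qtaguid/ctrl": scan_text(QTAGUID_CTRL, "/proc/net/xt_qtaguid/ctrl"),
    }


def audit_live() -> Dict[str, List[Finding]]:
    """Scan the real paths when run on a device; absent paths are skipped."""
    results: Dict[str, List[Finding]] = {}
    sysfs = "/sys/devices/soc.0"
    if os.path.isdir(sysfs):
        results[sysfs] = scan_text("\n".join(os.listdir(sysfs)), sysfs)
    ctrl = "/proc/net/xt_qtaguid/ctrl"
    if os.path.exists(ctrl):
        with open(ctrl) as fh:
            results[ctrl] = scan_text(fh.read(), ctrl)
    return results


if __name__ == "__main__":
    results = audit_live() or audit_samples()
    for source, findings in results.items():
        print(f"{source}: {len(findings)} leaked pointer(s)")
        for f in findings:
            print(f"  line {f.line_no}: {f.address:#018x}  <- {f.line}")
```

On the constructed samples the script reports three leaked addresses from the sysfs listing and two from the qtaguid lines; the 16-digit tag value and the hashed pointer are filtered out by the address-range check rather than by the regex, which is the check to keep in mind when adapting it to other hex-heavy files. The durable fixes are on the kernel side: derive device names from a stable identifier rather than the object address, and rely on the hashed %p output of newer kernels (or %pK together with kptr_restrict) for anything that must still print a pointer.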
