Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Android SDK: Segmentation fault with dexdump / dexDecodeDebugInfo
From: Marc Schoenefeld <marc.schoenefeld () gmx org>
Date: Mon, 28 Mar 2011 10:09:32 +0200

Hi,

the dexdump tool, bundled with Android SDK was identified to
perform suspicious write accesses in the  dexDecodeDebugInfo function,
as defined in dalvik/libdex/DexFile.c.

The structural parser in dexdump failed to properly parse debug info
such as code position info, with indications of code execution.  This
could potentially be misused by remote attackers, tricking users into
opening apk/dex-files from untrusted sources (such as for disassembling
or decompiling via undx).

The crash dump looks as follows:

exception=EXC_BAD_ACCESS:signal=Segmentation
fault:is_exploitable=yes:instruction_disassembly=movl
%edx,(%eax,%esi):instruction_address=0x00000000000087e0:access_type=write:access_address=0x00000000c00feeb0:
Crash accessing invalid address.  Consider running it again with
libgmalloc(3) to see if the log changes.

Process:         dexdump [75749]
Path:
/Users/marc/android-sdk-mac_86/platforms/android-8/tools/dexdump
Identifier:      dexdump
Version:         ??? (???)
Code Type:       X86 (Native)
Parent Process:  exc_handler_snowleopard [75748]

Date/Time:       2010-05-26 08:30:16.960 +0200
OS Version:      Mac OS X 10.6.3 (10D573)
Report Version:  6

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000c00feeb0
Crashed Thread:  0

Thread 0 Crashed:
0   dexdump                             0x000087e0 dexDecodeDebugInfo + 672
1   dexdump                             0x00003bd7 dumpPositions + 135
2   dexdump                             0x00005183 dumpCode + 179
3   dexdump                             0x00005335 dumpMethod + 405
4   dexdump                             0x00005a6f dumpClass + 1087
5   dexdump                             0x00005d04 processDexFile + 148
6   dexdump                             0x00005edf process + 239
7   dexdump                             0x00006212 main + 754
8   dexdump                             0x00002a36 start + 54


The issue was reported to Google in May 2010 and fixed in trunk with
this patch adding new constraints that prevent the bug to be triggered:

http://android.git.kernel.org/?p=platform/dalvik.git;a=commit;h=4b0750e8df91220690bb417f45d7ae8b7851b220

Late February 2011 Android security team confirmed the bug to be a
vulnerability, pre-assigning CVE-2011-1001.

The current version dumps a correct error message for the given testcase:

W/dalvikvm(63949): Bad index: (item->typeIdx)(1050) >
(state->pHeader->typeIdsSize)(233)
E/dalvikvm(63949): Trouble with item 7 @ offset 0x4a48
E/dalvikvm(63949): Swap of section type 0004 failed
E/dalvikvm(63949): ERROR: Byte swap + verify failed
ERROR: Failed structural verification of 'blabla.dex'

Anyone interesting in the reproducer for research purposes, feel free to
contact me.

Cheers
Marc









_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • Android SDK: Segmentation fault with dexdump / dexDecodeDebugInfo Marc Schoenefeld (Mar 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]