Re: CVE-2015-8088: Heap Overflow Vulnerability in the HIFI Driver of Huawei Smart Phone

[Pray3r <pray3r.z () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I reviewed the code(ioremap()) in kernel[1], found get_vm_area_node()
called ioremap(), and the function always allocate a guard PAGE_SIZE
page.You are right. ;-)

Thanks for your pointing.

[1]. http://lxr.free-electrons.com/source/mm/vmalloc.c#L1351


On 15/12/18 07:06, Dan Rosenberg wrote:
> Comments inline below.
>
> On 12/12/2015 09:51 AM, Pray3r wrote:
>
> > First, with a large value set to para.para_size, the smart phone 
> > will break down because of heap overflow inside kernel space. 
> > Second, this vulnerability could be used as a kernel information 
> > disclosure if para.para_in points to kernel objects and the
> > exploit is wrapped with heap fengshui technique.  Third,
> > sophisticated exploitation methodology such as heap spray of
> > thread_info published by Keen Team, an attacker could build a
> > workable exploit gaining the root privilege of the smart phone.
>
> If para.para_in points to a kernel object, the copy_from_user()
> call will gracefully fail due to the access_ok() check, so there is
> no possibility for an information leak like you described. Heap
> fengshui has nothing to do with it.
>
> The thread_info struct is allocated using the alloc_pages() buddy 
> allocator, which is different from ioremap(), so this technique
> does not apply here.
>
> Finally, this bug is most likely not exploitable at all (beyond a
> local DoS), because ioremap() pages are followed by a guard page,
> meaning your heap overflow would cause a kernel fault/panic before
> overwriting anything that could be used to violate kernel
> integrity.
>
> > Security is a bitch!
>
> True.
>
> > |=-----------------------------------------------------------------=|
|=-----=[ D O   N O T   F U C K   W I T H   A   H A C K E R ]=-----=|
> > |=-----------------------------------------------------------------=|
>
> >
> Sorry for fucking with a hacker, Dan

- -- 
Security is a bitch!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJWnoQAAAoJEM+cWi9WgY1efBQP/3KwwT+Ap1HoobbGVun6LnHn
khf0XOhLthXnXIK15iWDihhv+vMNZiXs8htPHBLBtODSTYAmiwBEb2MexQwNGfnW
ioTzzM1kdhfPyrZiV12gX26/VXWq1vg3gYcRDdGxuGyXJZmsr1QwUXUj5DAdt9X1
cjWtlw3ZgvSMVBvt0eRomHV+ATkVuPoaGgNpEJMaM0zYH7s5RC9IkevAq64GXsWp
v2OuuvQK75Qxu13Fvp2tO3+9OemuscnNt7FxYvhh410ExeydFbczACAZvZeD382i
DGbCq3DwAyTRcY2gqghRNnOnnQyzn3ZrOoDBrCI2pqIj6Gjnvsqli0O27JfeukqS
juadFPXPnt/kM/BKAkzhn9Z0+98iII2ucnj07evmBiasG7HVw2J/XMX6AOpZ4yjI
XElX8xW7qOAYUMcb0nPNB5ZdrDHvLf2BMbZszFwra+l+ltyT3AyfSaRmzqfRL492
eEI1uzdYquKCGqf4RrsqHQ2my7K9t75AyLh0EZYZ2iYTVjJ5A1VFsub/FBWI3fLo
jzmmweP4sTiIMCT7lcNMtBIslCdiMp3m+ECNCFwWkMVMVw4NzBoov+apBzAwRPVj
aAR3YZED4G/K5Sanp7NyEagLKH+fmUqca8bsz7sdM1bnMk3z7fxBdslAfCJgk5vt
/lz/7QCz0b/Z5kNNWWG0
=BrNh
-----END PGP SIGNATURE-----