MYHACK58:62201454260
History: Oct 02, 2014 - 12:00 a.m.

zergRush (CVE-2011-3874) privilege escalation vulnerability analysis - Vulnerability warning - myhack58 (Black Bar Safety Net)

2014-10-02 00:00:00
www.myhack58.com

EPSS: 0.021 (Low), percentile 89.1%

Having recently moved to Android, the famous 2011 zergRush is the first ROOT vulnerability I came into contact with. Although it is old and only affects Android 2.2 - 2.3.6, the analysis process is still worth recording.

The various ROOT tools on the market basically all include zergRush, mostly compiled from the open-source zergRush.c. There are already some analysis articles:

tomken_zhang: Vulnerability analysis: zergRush, and Vulnerability analysis: zergRush (Supplement)

Claud: Analysis of the Android privilege escalation code zergRush

Those articles focus on the structure of the zergRush.c code; they either do not explain the principle of the vulnerability at all, or wrongly describe it as a stack overflow. In fact the CVE-2011-3874 description already explains it quite clearly: the essence of this vulnerability is a "use after free".

1. Stack overflow? No.

The vulnerability is in /system/bin/vold, a system program that runs as root. More precisely, vold links libsysutils.so, and the real problem is in that library: the FrameworkListener::dispatchCommand method in /system/core/libsysutils/src/FrameworkListener.cpp.

It allocates a fixed-size array argv on the stack:

    void FrameworkListener::dispatchCommand(SocketClient *cli, char *data) {
        FrameworkCommandCollection::iterator i;
        int argc = 0;
        char *argv[FrameworkListener::CMD_ARGS_MAX];
        char tmp[255];
        char *p = data;
        char *q = tmp;
        bool esc = false;
        bool quote = false;
        int k;

FrameworkListener::CMD_ARGS_MAX is 16. But when the argv array is filled in later, the code never checks whether the index has gone out of bounds:

            if (!quote && *q == ' ') {
                *q = '\0';
                argv[argc++] = strdup(tmp);
                memset(tmp, 0, sizeof(tmp));
                q = tmp;
                continue;
            }

Making argv go out of bounds is very easy, and the out-of-bounds data lands in the tmp array that lies below argv on the stack. zergRush actually only fills argv with CMD_ARGS_MAX + 2 char* pointers, i.e. it runs just 8 bytes past the array; the 255-byte tmp array absorbs that completely, and the dispatchCommand stack frame is not damaged. Even if the dispatchCommand frame could be overflowed there would be nothing to gain, because the binary is compiled with __stack_chk: as soon as the return address is modified, the process aborts. So this vulnerability is not a "stack overflow".

2. free(arbitrary address)

Data that a user app sends to /system/bin/vold arrives at FrameworkListener::onDataAvailable. onDataAvailable extracts the command strings from the data and calls dispatchCommand to process each command. The user data may contain several commands; each command is a '\0'-terminated string made up of a name and some number of arguments, with the name and the arguments separated by spaces. For example,

"cmd1 arg11 arg12\0cmd2 arg21 arg22 arg23\0"

When such data reaches onDataAvailable, it extracts two command strings, "cmd1 arg11 arg12" and "cmd2 arg21 arg22 arg23", and calls dispatchCommand once for each. dispatchCommand takes the command string, further parses out the command name and the arguments, and stores them in the argv array. For example, for "cmd1 arg11 arg12", after dispatchCommand finishes parsing
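The two stages described above (onDataAvailable splitting the buffer on '\0', dispatchCommand tokenizing one command into argv) and the missing bounds check from section 1 can be modelled together. The following is an added example written for this analysis, not the AOSP code: it re-implements the tokenizer with the same space, quote and escape rules, but adds the bounds check the original loop omits, so a command with more than CMD_ARGS_MAX arguments is rejected instead of writing past argv. The constants CMD_ARGS_MAX = 16 and the 255-byte tmp size are taken from the text; the sample buffer, with one well-formed command followed by one carrying CMD_ARGS_MAX + 2 tokens, is constructed.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Limits taken from the article's description of the Gingerbread
// FrameworkListener: 16 argv slots and a 255-byte tmp buffer.
static const size_t CMD_ARGS_MAX = 16;
static const size_t TMP_SIZE = 255;

// Stage 1 (onDataAvailable): split a raw socket buffer into the
// '\0'-terminated command strings it carries. The length is explicit
// because the separators are NUL bytes.
std::vector<std::string> splitCommands(const char *buf, size_t len) {
    std::vector<std::string> cmds;
    size_t start = 0;
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\0') {
            if (i > start) cmds.push_back(std::string(buf + start, i - start));
            start = i + 1;
        }
    }
    if (start < len) cmds.push_back(std::string(buf + start, len - start));
    return cmds;
}

// Stage 2 (dispatchCommand): tokenize one command into argv with the same
// rules as the original loop (space separates, "..." groups, \" and \\ are
// the only escapes) plus the bounds check the original omits. Returns argc,
// or -1 when the command is rejected: more tokens than maxArgs slots, a
// token that would not fit tmp[255], or a malformed quote/escape.
int parseArgs(const std::string &cmd, size_t maxArgs, std::vector<std::string> &argv) {
    argv.clear();
    std::string tmp;
    bool esc = false, quote = false;
    for (char c : cmd) {
        if (esc) {
            if (c != '"' && c != '\\') return -1;   // unsupported escape
            tmp.push_back(c);
            esc = false;
            continue;
        }
        if (c == '\\') { esc = true; continue; }
        if (c == '"') { quote = !quote; continue; }
        if (!quote && c == ' ') {
            if (argv.size() >= maxArgs) return -1;   // would write past argv
            argv.push_back(tmp);
            tmp.clear();
            continue;
        }
        if (tmp.size() >= TMP_SIZE - 1) return -1;   // would overflow tmp
        tmp.push_back(c);
    }
    if (esc || quote) return -1;                     // dangling escape / open quote
    if (argv.size() >= maxArgs) return -1;           // the last token needs a slot too
    argv.push_back(tmp);
    return static_cast<int>(argv.size());
}

// Run both stages over a buffer; yields one argc (or -1) per command.
std::vector<int> dispatchAll(const std::string &buf) {
    std::vector<int> results;
    for (const std::string &cmd : splitCommands(buf.data(), buf.size())) {
        std::vector<std::string> argv;
        results.push_back(parseArgs(cmd, CMD_ARGS_MAX, argv));
    }
    return results;
}

// Constructed sample buffer: a normal command followed by one with
// CMD_ARGS_MAX + 2 tokens, the count the article says zergRush sends.
std::string buildSample() {
    std::string buf("cmd1 arg11 arg12");
    buf.push_back('\0');
    buf += "cmd2";
    for (size_t n = 0; n < CMD_ARGS_MAX + 1; n++) buf += " a";
    buf.push_back('\0');
    return buf;
}

int main() {
    std::vector<int> r = dispatchAll(buildSample());
    for (size_t i = 0; i < r.size(); i++)
        std::printf("command %zu: %s (argc=%d)\n", i + 1,
                    r[i] < 0 ? "rejected" : "accepted", r[i]);
    return 0;
}
```

Running it reports the first command as accepted with argc=3 and the second as rejected: the check fires on the 17th separator, exactly the point where the original loop would have written its first pointer past the end of argv.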


