qualcomm-dsp-driver: adsprpc
该漏洞是与task相关联的 group_info 结构体的引用计数泄漏导致的UAF。在 fastrpc_get_process_gids 函数中,调用了 get_current_groups,它会增加 group_info 结构体的引用计数,但该引用计数从未被减1。此外,这个引用计数是一个非饱和引用计数(non-saturating refcount),这意味着如果你大约调用 fastrpc_get_process_gids 2^32 次,就有可能发生溢出。
尽管在实际中很难利用这个漏洞(触发这个错误至少需要 14 个小时),但它仍然是一次内存损坏,并可能导致其相关的后果。下面是由该问题引发的示例崩溃日志。日志显示了一个无效内存读错误(Invalid read),读取地址是 0xffffff89572a0000,这是因为 group_info 的内存已经被释放,但仍被访问。
[77306.174599] [7: adbd: 5455] BUG: KFENCE: invalid read in groups_to_user+0x34/0x1a4
[77306.174606] [7: adbd: 5455] Invalid read at 0xffffff89572a0000: <-- uaf 读
[77306.174607] [7: adbd: 5455] groups_to_user+0x34/0x1a4
[77306.174609] [7: adbd: 5455] invoke_syscall+0x58/0x13c
[77306.174612] [7: adbd: 5455] el0_svc_common+0xb4/0xf0
[77306.174614] [7: adbd: 5455] do_el0_svc+0x24/0x90
[77306.174615] [7: adbd: 5455] el0_svc+0x20/0x7c
[77306.174617] [7: adbd: 5455] el0t_64_sync_handler+0x84/0xe4
[77306.174618] [7: adbd: 5455] el0t_64_sync+0x1b8/0x1bc
[77306.174620] [7: adbd: 5455]
[77306.174621] [7: adbd: 5455] CPU: 7 PID: 5455 Comm: adbd Tainted: G S W OE 5.15.123-android13-8-28577312-abS911BXXU3CXD3 #1
[77306.174623] [7: adbd: 5455] Hardware name: Samsung DM1Q PROJECT (board-id,13) (DT)
[77306.174624] [7: adbd: 5455] pstate: 22400005 (nzCv daif +PAN -UAO +TCO -DIT -SSBS BTYPE=--)
[77306.174626] [7: adbd: 5455] pc : groups_to_user+0x34/0x1a4
[77306.174628] [7: adbd: 5455] lr : __arm64_sys_getgroups+0x4c/0x6c
[77306.174629] [7: adbd: 5455] sp : ffffffc02a073e00
[77306.174630] [7: adbd: 5455] x29: ffffffc02a073e00 x28: ffffff8868030040 x27: 0000000000000000
[77306.174633] [7: adbd: 5455] x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000
[77306.174635] [7: adbd: 5455] x23: 0000000060001000 x22: 00000077219a4f2c x21: ffffff8868030040
[77306.174637] [7: adbd: 5455] x20: ffffffc0081bd46c x19: 000000006b6b6b6b x18: ffffffc016089000
[77306.174638] [7: adbd: 5455] x17: 000000000000fffe x16: b4000074e392f638 x15: ffffff895729fff8
[77306.174640] [7: adbd: 5455] x14: 00000000524e68f8 x13: ffffff8868030040 x12: ffffffc00ad82000
[77306.174641] [7: adbd: 5455] x11: 0000007fffffffff x10: ffffffc00aa93000 x9 : 0000000014939a3e
[77306.174643] [7: adbd: 5455] x8 : 000000006b6b6b6b x7 : 0000000000000000 x6 : 0000000000000000
[77306.174645] [7: adbd: 5455] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000
[77306.174646] [7: adbd: 5455] x2 : 0000000000000040 x1 : ffffff8904db9700 x0 : b400007491448d40
[77306.174648] [7: adbd: 5455] Call trace:
[77306.174648] [7: adbd: 5455] groups_to_user+0x34/0x1a4
[77306.174650] [7: adbd: 5455] invoke_syscall+0x58/0x13c
[77306.174651] [7: adbd: 5455] el0_svc_common+0xb4/0xf0
[77306.174653] [7: adbd: 5455] do_el0_svc+0x24/0x90
[77306.174654] [7: adbd: 5455] el0_svc+0x20/0x7c
[77306.174655] [7: adbd: 5455] el0t_64_sync_handler+0x84/0xe4
[77306.174656] [7: adbd: 5455] el0t_64_sync+0x1b8/0x1bc
漏洞代码和patch如下:
static int fastrpc_get_process_gids(struct gid_list *gidlist)
{
- struct group_info *group_info = get_current_groups(); // 只加,但没地方减
+ struct group_info *group_info = current_cred()->group_info;
int i = 0, err = 0, num_gids = group_info->ngroups + 1;
unsigned int *gids = NULL;
gids = kcalloc(num_gids, sizeof(unsigned int), GFP_KERNEL);
if (!gids) {
err = -ENOMEM;
goto bail;
}
/* Get the real GID */
gids[0] = __kgid_val(current_gid());
/* Get the supplemental GIDs */
for (i = 1; i < num_gids; i++)
gids[i] = __kgid_val(group_info->gid[i - 1]);
sort(gids, num_gids, sizeof(*gids), uint_cmp_func, NULL);
gidlist->gids = gids;
gidlist->gidcount = num_gids;
bail:
if (err)
kfree(gids);
return err;
}
参考文献
- https://googleprojectzero.blogspot.com/2024/12/qualcomm-dsp-driver-unexpectedly-excavating-exploit.html
- https://project-zero.issues.chromium.org/issues/42451711
- https://git.codelinaro.org/clo/la/kernel/msm-5.15