timwr/CVE-2019-2215

systemui crash and reboot in `clobber_addr_limit`

maoyun2019 opened this issue · 15 comments

Here is the output:

Starting POC
CHILD: Doing EPOLL_CTL_DEL.
CHILD: Finished EPOLL_CTL_DEL.
CHILD: Finished write to FIFO.
writev() returns 0x2000
PARENT: Finished calling READV
current_ptr == 0xffffffc0be2f5e80
CHILD: Doing EPOLL_CTL_DEL.

It seems the device is stuck at: https://github.com/timwr/CVE-2019-2215/blob/master/poc.c#L158
and then the device reboots automatically.

The device is a Pixel and the Linux version is:

Linux localhost 3.18.137-g382d7256ce44 #1 SMP PREEMPT Fri Jul 12 06:00:07 UTC 2019 aarch64

Any advice?

timwr commented

You'll need to update the offsets for your kernel. If it's a Pixel you can download the image, extract the kernel from boot.img, and figure out the offsets with r2 and https://github.com/nforest/droidimg

I can replicate this issue on Pixel with kernel:
Linux localhost 3.18.131-g27a6e3d260f4 #1 SMP PREEMPT Fri Apr 12 22:06:12 UTC 2019 aarch64

Working on a fix. If anyone reading has an understanding of the POC and wants to work together, contact me on xda or twitter (same username). I'm recompiling this kernel with debug output to better understand how the bug is leveraged.

@chompie1337 how did you fix it on the Pixel? Is the wait_queue offset different?

I previously managed to get the offsets with r2 and droidimg but this doesn't get for us the other values extracted using pahole, as the stock kernel doesn't ship with debugging symbols.

As an addition these folks are dealing with the struct varying in size: https://forum.xda-developers.com/v20/help/root-cve-2019-2215-t3979341

@chompie1337 how did you fix it on the Pixel? Is the wait_queue offset different?

I haven't fixed it on the Pixel yet, but I think I understand what's wrong now. The wait_queue offset is correct, as the first part of the exploit (leaking kernel memory) is working, which depends on the wait_queue offset being right. I believe that the offset 0xe8 on this line:

current_ptr = *(unsigned long *)(page_buffer + 0xe8);

is incorrect.

As an addition these folks are dealing with the struct varying in size: https://forum.xda-developers.com/v20/help/root-cve-2019-2215-t3979341

yes, that's me in that thread ^^

I also have a Pixel XL (2016), so it'd be nice to root... we could then figure out OEM unlocking since it's writing a bit to a certain partition...

We could then come up with something marginally noob friendly.

So has anybody managed to achieve root on Pixel 1 with this?

I found all the offsets and I believe them to be true (even double-checked them), here's the code: https://gist.github.com/mrDoctorWho/7436d61490d5e71aee31f811b119bdc6

But all the Pixel does is crash.

timwr commented

@mrDoctorWho can you post the full log? Which line causes the crash?
If it crashes before it has kernel rw it's likely these offsets: https://gist.github.com/mrDoctorWho/7436d61490d5e71aee31f811b119bdc6#file-su98-pixel1-c-L78

@timwr the line it crashes at varies from time to time.

Most of the time it's this one: https://gist.github.com/mrDoctorWho/7436d61490d5e71aee31f811b119bdc6#file-su98-pixel1-c-L452

Sometimes this one:
https://gist.github.com/mrDoctorWho/7436d61490d5e71aee31f811b119bdc6#file-su98-pixel1-c-L454

It never got further. I believe I got the right BINDER_THREAD_SIZE (as per the instructions from XDA). I also tried 0x190 and 0x188. WAITQUEUE_OFFSET must be right too. I got these two from the disassembled kernel in Ghidra.

What log are you speaking of? dmesg or program output?

timwr commented

The only thing I can suggest is to try a reduced version of the POC to see if, at the very least, you can reliably leak some kernel memory. This would confirm you've got the right BINDER_THREAD_SIZE and WAITQUEUE_OFFSET. Presumably you tried using those offsets with the poc here?

@timwr what version do you suggest?

I tried one and it seemed to leak some data with different BINDER_THREAD_SIZEs. Interestingly enough, I couldn't leak anything with the correct BINDER_THREAD_SIZE for Pixel.

This is why I believe it to be correct:
[Screenshot attached: Screenshot_20200218_164522]

Presumably you tried using those offsets with the poc here?

Honestly, I don't remember. I checked a lot of PoCs, even for the Pixel 2 with kernel 4.4 (and it even rebooted the phone).

The PoC I posted above is the latest one made by @arpruss, but with modified offsets for Pixel.

I will try those posted here ASAP.