Pengfei Ding & Chenfu Bao
Security Researcher & Developer @ Baidu X-Lab
Focused on Mobile, IoT and Linux kernel security
- Introduction
- Past Compat Vulnerabilities
- Newly Identified Compat Vulnerabilities
- Advices & Mitigations
- Conclusions
32-bit compatibility mode in 64-bit Linux kernels
[Diagram: system call entry from a user process. A 64-bit process invokes the 64-bit syscall; a 32-bit process invokes the compat syscall.]
- Mainly used to handle the differences in the data sizes
- Many system calls have parameters with different sizes in 32-bit and 64-bit systems (long, pointer, ...)
- Convert the values of these parameters to corresponding 64-bit values
- Code redundancy requires more maintenance efforts, thus introducing more security risks
- Additional definition of data structures, type conversion and data processing logic expose new attack surfaces
- Occasionally discovered
- Mostly in device drivers
- Mostly caused by inconsistency between compat and non-compat mode
  - Inconsistency of data structure definition
  - Inconsistency of user input validation logic

Inconsistency of user input validation logic
eeprom_init_config validates user input, while its compat version eeprom_init_config32 does not validate user input.
patch url: https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/drivers/media/platform/msm/camera_v2/sensor/eeprom?h=rel/msm-3.18.r5&id=539399acbaecba7af7c411f6f28ac0189e459bb5
Inconsistency of user input validation logic
patch url: https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/drivers/media/platform/msm/camera_v2/sensor/msm_sensor_driver.c?h=rel/msm-3.18.r5&id=17c31f3f3438c9f3e05b0d92c70b2b65d430d6cd
is_compat_task can reduce code redundancy, but inconsistency still exists
- Past research on compat vulnerabilities only focuses on normal program logic
- In device drivers, compat and non-compat code are often mixed together
- Can mixed code cause abnormal program logic?
[Diagram: ioctl syscall entry into file_operations. A 32-bit process reaches compat_ioctl(fd, cmd32, pstruct32); a 64-bit process reaches unlocked_ioctl(fd, cmd64, pstruct64). In compat_ioctl, a cmd32 goes through "check user input & convert to cmd64/pstruct64" before the common function, while a common cmd is passed to the common function directly. In unlocked_ioctl, a cmd64 or common cmd goes through "check user input" and then the common function. On return to user, the result is converted to pstruct32 for the 32-bit process and returned as-is for the 64-bit process.]
- compat_ioctl will make the conversion according to the value of cmd32
- What if we intentionally confuse compat_ioctl parameters with unlocked_ioctl parameters?
  1. compat_ioctl(fd, cmd64, pstruct32)
  2. compat_ioctl(fd, cmd64, pstruct64)
  3. compat_ioctl(fd, cmd32, pstruct64)
  4. unlocked_ioctl(fd, cmd32, pstruct64)
  5. unlocked_ioctl(fd, cmd32, pstruct32)
  6. unlocked_ioctl(fd, cmd64, pstruct32)
- unlocked_ioctl does not have conversion behavior; cmd32 parameters will be filtered, thus will not cause security problems
- 4 and 5 are ruled out
- The processing logic of the pstruct parameter in ioctl depends on the value of cmd, so we ignore the pstruct (pstruct32, pstruct64) parameter and focus only on how changes of the cmd parameter affect ioctl
  1. compat_ioctl(fd, cmd64, pstruct32)
  2. compat_ioctl(fd, cmd64, pstruct64)
  3. compat_ioctl(fd, cmd32, pstruct64)
  4. unlocked_ioctl(fd, cmd32, pstruct64) (ruled out)
  5. unlocked_ioctl(fd, cmd32, pstruct32) (ruled out)
  6. unlocked_ioctl(fd, cmd64, pstruct32)
- Cases 1 and 2 reduce to: compat_ioctl(fd, cmd64, pstruct)
[Diagram: the same ioctl flow with compat_ioctl(fd, cmd64, pstruct) coming from a 32-bit process. In compat_ioctl, a cmd32 goes through "check user input & convert to cmd64/pstruct64"; a cmd64 from the 32-bit process takes the common cmd path and reaches the common function, bypassing that check & conversion. unlocked_ioctl(fd, cmd64, pstruct64) from a 64-bit process still goes through "check user input" before the common function. On return to user, the result is converted to pstruct32 for the 32-bit process.]
- Existing Linux syscall fuzzing tools do not support compat
  - Trinity
  - Syzkaller
- We extended Trinity and syzkaller and discovered more vulnerabilities
- Bypassing verification of a user input array length can lead to out-of-bounds R/W on this array, thus causing privilege escalation
- Bypassing verification of a user input pointer value can lead to arbitrary memory read, thus causing information leakage
- Operating on kernel memory instead of user memory in check & conversion increases the security risk when check & conversion is bypassed
  - kmalloc vs compat_alloc_user_space
- When is_compat_task is used in a common function, it is easy to cause logic confusion, and it is more likely to cause security problems when check & conversion is bypassed
The processing flow of the Qualcomm driver function msm_cpp_subdev_fops_compat_ioctl for cmd32 VIDIOC_MSM_CPP_POP_STREAM_BUFFER32 is shown in the left diagram. If we pass its corresponding cmd64 VIDIOC_MSM_CPP_POP_STREAM_BUFFER directly, the validation of the userspace pointer ioctl_ptr will be bypassed, so it can be assigned any value by the user, resulting in arbitrary address access when memcpy is used.

static int msm_cpp_copy_from_ioctl_ptr(void *dst_ptr,
        struct msm_camera_v4l2_ioctl_t *ioctl_ptr)
{
        ...
        /* For compat task, source ptr is in kernel space */
        if (is_compat_task()) {
                memcpy(dst_ptr, ioctl_ptr->ioctl_ptr, ioctl_ptr->len);
        ...

static long msm_cpp_subdev_fops_compat_ioctl(struct file *file,
        unsigned int cmd, unsigned long arg)
{
        ...
        case VIDIOC_MSM_CPP_POP_STREAM_BUFFER32: {
                ...
                if (copy_from_user(&k32_frame_info,
                        (void __user *)kp_ioctl.ioctl_ptr,
                        sizeof(k32_frame_info))) {
                ...
                cmd = VIDIOC_MSM_CPP_POP_STREAM_BUFFER;
                break;
The processing flow of the Qualcomm driver function msm_flash_subdev_do_ioctl for cmd32 VIDIOC_MSM_FLASH_CFG32 is shown in the left diagram. copy_from_user checks the userspace pointer cfg.flash_init_info. If we pass its corresponding cmd64 VIDIOC_MSM_FLASH_CFG directly, the validation will be bypassed, so cfg.flash_init_info can be assigned any value, resulting in arbitrary address access when it is dereferenced.

#ifdef CONFIG_COMPAT
static long msm_flash_subdev_do_ioctl(
        struct file *file, unsigned int cmd, void *arg)
{
        ...
        switch (cmd) {
        case VIDIOC_MSM_FLASH_CFG32:
                cmd = VIDIOC_MSM_FLASH_CFG;
                ...
                flash_data.cfg.flash_init_info = &flash_init_info;
                if (copy_from_user(&flash_init_info32,
                        (void *)compat_ptr(u32->cfg.flash_init_info),
                        sizeof(struct msm_flash_init_info_t32))) {
                ...

static int32_t msm_flash_init(struct msm_flash_ctrl_t *flash_ctrl,
        struct msm_flash_cfg_data_t *flash_data)
{
        ...
        if (flash_data->cfg.flash_init_info->flash_driver_type ==
                FLASH_DRIVER_DEFAULT) {
        ...
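The cmd confusion described on the preceding slides, as an added user-space model; this is not code from the slides or from the Qualcomm driver. The compat entry converts the 32-bit command it knows into a kmalloc-style kernel copy and forwards everything else unconverted, and the common function branches on is_compat_task() exactly as msm_cpp_copy_from_ioctl_ptr does. All names ending in _MODEL, the command values, and the byte array standing in for user memory are constructed for this example; instead of dereferencing a user-chosen pointer the model reports that a memcpy would have run on it.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed command numbers standing in for VIDIOC_MSM_CPP_POP_STREAM_BUFFER32
 * and VIDIOC_MSM_CPP_POP_STREAM_BUFFER; the real values are not used here. */
#define CMD_POP32_MODEL 0x1032u
#define CMD_POP64_MODEL 0x1064u

struct ioctl_arg_model   { void *ioctl_ptr; uint32_t len; };    /* 64-bit layout */
struct ioctl_arg32_model { uint32_t ioctl_ptr; uint32_t len; }; /* 32-bit layout */

/* Model of user memory: compat pointers are offsets into this region, and
 * copy_from_user_model refuses anything outside it (the access_ok() check). */
static uint8_t g_user_mem[256];
static bool g_compat_task;   /* stands in for is_compat_task() */
static uint8_t g_kbuf[64];   /* stands in for the kmalloc'ed kernel copy */
static uint8_t g_dst[64];    /* destination the common function fills */
static void *compat_ptr_model(uint32_t p) { return g_user_mem + p; }

static int copy_from_user_model(void *dst, const void *src, size_t n)
{
    uintptr_t s = (uintptr_t)src, lo = (uintptr_t)g_user_mem;
    if (s < lo || s + n > lo + sizeof g_user_mem) return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

enum outcome { OUT_OK, OUT_EFAULT, OUT_EINVAL, OUT_ENOTTY,
               OUT_UNCHECKED_MEMCPY /* memcpy would run on a user-chosen pointer */ };

/* Common function, mirroring msm_cpp_copy_from_ioctl_ptr: for a compat task it
 * trusts that ioctl_ptr is the kernel copy made by the compat path and uses
 * memcpy; for a native task it validates with copy_from_user. */
static enum outcome common_fn_model(const struct ioctl_arg_model *a)
{
    if (a->len > sizeof g_dst) return OUT_EINVAL;
    if (!g_compat_task)
        return copy_from_user_model(g_dst, a->ioctl_ptr, a->len) ? OUT_EFAULT : OUT_OK;
    /* The model never dereferences a trusted pointer blindly: it reports when
     * that pointer is not the kernel copy the compat path produced. */
    if (a->ioctl_ptr != g_kbuf) return OUT_UNCHECKED_MEMCPY;
    memcpy(g_dst, a->ioctl_ptr, a->len);
    return OUT_OK;
}

/* Compat entry. Vulnerable shape: converts the command it knows, then forwards
 * any other command unconverted. With strict set, the fix applies: a command
 * the compat path did not convert is rejected with -ENOTTY. */
static enum outcome compat_ioctl_model(unsigned cmd, void *arg, bool strict)
{
    struct ioctl_arg_model a;
    struct ioctl_arg32_model a32;
    g_compat_task = true;
    switch (cmd) {
    case CMD_POP32_MODEL:
        if (copy_from_user_model(&a32, arg, sizeof a32)) return OUT_EFAULT;
        if (a32.len > sizeof g_kbuf) return OUT_EINVAL;
        if (copy_from_user_model(g_kbuf, compat_ptr_model(a32.ioctl_ptr), a32.len))
            return OUT_EFAULT;
        a.ioctl_ptr = g_kbuf;   /* validated kernel copy */
        a.len = a32.len;
        break;
    default:
        if (strict) return OUT_ENOTTY;
        /* Unconverted command: the 64-bit struct is used as the user wrote it. */
        if (copy_from_user_model(&a, arg, sizeof a)) return OUT_EFAULT;
        break;
    }
    return common_fn_model(&a);
}

/* Native entry: no conversion, the common function validates on its own. */
static enum outcome unlocked_ioctl_model(unsigned cmd, void *arg)
{
    struct ioctl_arg_model a;
    g_compat_task = false;
    if (cmd != CMD_POP64_MODEL) return OUT_ENOTTY;
    if (copy_from_user_model(&a, arg, sizeof a)) return OUT_EFAULT;
    return common_fn_model(&a);
}

/* Scenario 1 (constructed input): a well-formed cmd32 from a 32-bit process. */
static enum outcome scenario_normal(void)
{
    struct ioctl_arg32_model a32 = { .ioctl_ptr = 64, .len = 10 };
    memcpy(g_user_mem, &a32, sizeof a32);
    memcpy(g_user_mem + 64, "frame-data", 10);
    return compat_ioctl_model(CMD_POP32_MODEL, g_user_mem, false);
}

/* Scenario 2 (constructed input): cmd64 carrying an arbitrary 64-bit pointer,
 * sent down the compat path (the confusion from the slides) or the native one. */
static enum outcome scenario_bad_pointer(bool via_compat, bool strict)
{
    struct ioctl_arg_model a = { .ioctl_ptr = (void *)(uintptr_t)0x1000, .len = 10 };
    memcpy(g_user_mem, &a, sizeof a);
    return via_compat ? compat_ioctl_model(CMD_POP64_MODEL, g_user_mem, strict)
                      : unlocked_ioctl_model(CMD_POP64_MODEL, g_user_mem);
}
```

With strict unset, scenario_bad_pointer(true, false) reaches the memcpy branch with a pointer the compat path never validated, which is the flow the slide describes; the native path returns OUT_EFAULT because copy_from_user does the check itself, and with strict set the compat path returns OUT_ENOTTY before the common function is reached.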
- Try to use compat_alloc_user_space instead of kmalloc during the entire user input check & conversion
- Try to avoid using is_compat_task in common functions
- Try to use structs instead of pointers in user input to minimize validation of user input
- Development and test engineers should strengthen the testing and auditing of compat code
- Fuzz tools and code auditing tools should give more attention to compat code
- Security researchers can continue to explore compat attacks on more platforms
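The first two recommendations above, as an added user-space model of the msm_flash case; this is not code from the slides or from the Qualcomm driver. The compat path converts the 32-bit structs into 64-bit ones placed in a user-space scratch area (the role compat_alloc_user_space plays in the kernel) and the common function never consults is_compat_task(): it fetches every pointer with copy_from_user. Names ending in _MODEL, the command values and the byte array standing in for user memory are constructed for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed command numbers standing in for VIDIOC_MSM_FLASH_CFG32 and
 * VIDIOC_MSM_FLASH_CFG; the real values are not used here. */
#define CMD_FLASH_CFG32_MODEL 0x2032u
#define CMD_FLASH_CFG_MODEL   0x2064u

struct init_info_model   { uint32_t driver_type; };
struct flash_cfg_model   { struct init_info_model *init_info; }; /* 64-bit layout */
struct flash_cfg32_model { uint32_t init_info; };                /* 32-bit layout */

/* Model of user memory. Compat pointers are offsets into it, and its top 64
 * bytes play the role of the scratch area compat_alloc_user_space() returns. */
static uint8_t g_user_mem[256];
#define SCRATCH_OFF_MODEL 192

static bool user_range_ok(const void *p, size_t n)
{
    uintptr_t s = (uintptr_t)p, lo = (uintptr_t)g_user_mem;
    return s >= lo && s + n <= lo + sizeof g_user_mem;
}
static int copy_from_user_model(void *dst, const void *src, size_t n)
{
    if (!user_range_ok(src, n)) return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}
static int copy_to_user_model(void *dst, const void *src, size_t n)
{
    if (!user_range_ok(dst, n)) return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}
static void *compat_ptr_model(uint32_t p) { return g_user_mem + p; }

/* Common function, modelled on msm_flash_init but without is_compat_task():
 * every pointer it receives is treated as a user pointer and fetched with
 * copy_from_user. Returns the driver type read, or a negative errno. */
static int flash_init_model(const void *user_cfg)
{
    struct flash_cfg_model cfg;
    struct init_info_model info;
    if (copy_from_user_model(&cfg, user_cfg, sizeof cfg)) return -EFAULT;
    if (copy_from_user_model(&info, cfg.init_info, sizeof info)) return -EFAULT;
    return (int)info.driver_type;
}

/* Compat entry: converts the 32-bit structs into 64-bit ones laid out in the
 * user-space scratch area, so the common function still receives a user
 * pointer. Commands it does not know are forwarded, as the diagram's common
 * cmd path does; the common function's own validation then has to hold. */
static int compat_flash_ioctl_model(unsigned cmd, void *arg)
{
    struct flash_cfg32_model cfg32;
    struct init_info_model info;
    struct flash_cfg_model cfg64;
    uint8_t *scratch = g_user_mem + SCRATCH_OFF_MODEL;
    switch (cmd) {
    case CMD_FLASH_CFG32_MODEL:
        if (copy_from_user_model(&cfg32, arg, sizeof cfg32)) return -EFAULT;
        if (copy_from_user_model(&info, compat_ptr_model(cfg32.init_info), sizeof info))
            return -EFAULT;
        /* Converted structs go to user space, not to kmalloc'ed kernel memory. */
        cfg64.init_info = (struct init_info_model *)(scratch + sizeof cfg64);
        if (copy_to_user_model(scratch + sizeof cfg64, &info, sizeof info)) return -EFAULT;
        if (copy_to_user_model(scratch, &cfg64, sizeof cfg64)) return -EFAULT;
        return flash_init_model(scratch);
    default:
        return flash_init_model(arg);
    }
}

static int unlocked_flash_ioctl_model(unsigned cmd, void *arg)
{
    if (cmd != CMD_FLASH_CFG_MODEL) return -ENOTTY;
    return flash_init_model(arg);
}

/* Scenario 1 (constructed input): a well-formed cmd32 from a 32-bit process. */
static int scenario_compat_ok(void)
{
    struct init_info_model info = { .driver_type = 7 };
    struct flash_cfg32_model cfg32 = { .init_info = 32 };   /* offset of info */
    memcpy(g_user_mem + 32, &info, sizeof info);
    memcpy(g_user_mem, &cfg32, sizeof cfg32);
    return compat_flash_ioctl_model(CMD_FLASH_CFG32_MODEL, g_user_mem);
}

/* Scenario 2 (constructed input): cmd64 whose flash_init_info pointer is an
 * arbitrary value, sent down the compat path or the native path. */
static int scenario_bad_pointer(bool via_compat)
{
    struct flash_cfg_model cfg = { .init_info = (void *)(uintptr_t)0x1000 };
    memcpy(g_user_mem, &cfg, sizeof cfg);
    return via_compat ? compat_flash_ioctl_model(CMD_FLASH_CFG_MODEL, g_user_mem)
                      : unlocked_flash_ioctl_model(CMD_FLASH_CFG_MODEL, g_user_mem);
}
```

Because the compat path hands the common function a user pointer rather than a kernel copy, there is no is_compat_task() branch for a confused cmd64 to exploit: the unconverted command goes through the same copy_from_user check as a native caller and fails with -EFAULT on a pointer outside user memory.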
- Concept and security risks of compat, as well as some compat vulnerabilities in the past
- New type of compat vulnerabilities in Linux device drivers
- How to discover this kind of vulnerability and how to avoid it in development