AndroidVTS / android-vts

Android Vulnerability Test Suite - In the spirit of open data collection, and with the help of the community, let's take a pulse on the state of Android security. NowSecure presents an on-device app to test for recent device vulnerabilities.

CVE-2015-1528 check failed for patched Kitkat version #21

Closed rcheung closed 9 years ago

rcheung commented 9 years ago

The CVE-2015-1528 check always comes back as failed on the KitKat version even if the proper patch is applied. The check is assuming index 8 and 9 are numFds and numInts; but in the KK version (Android 4.4.4), index 6 and 7 are numFds and numInts.

Fuzion24 commented 9 years ago

this should be fixed in the latest patches: https://github.com/nowsecure/android-vts/blob/master/bin/androidVTS.apk // https://github.com/nowsecure/android-vts/blob/master/app/src/main/jni/graphics_into_overflow_test.c

If you could please give it a try and let us know how it works, that would be splendid.

Fuzion24 commented 9 years ago

I'm going to close this issue unless I hear back from you. If you still have this issue, could you please upload your libui.so?

rcheung commented 9 years ago

Just tried the new version. The issue is still not fixed on the patched android KK 4.4.4 version.

Reference for 4.4.4 libui http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp

```cpp
// GraphicBuffer.cpp (4.4.4_r1), lines 229-233
if (handle) {
    buf[6] = handle->numFds;
    buf[7] = handle->numInts;
    native_handle_t const* const h = handle;
    memcpy(fds, h->data, h->numFds*sizeof(int));
    memcpy(&buf[8], h->data
```

Reference for 5.0.0 libui http://androidxref.com/5.0.0_r2/xref/frameworks/native/libs/ui/GraphicBuffer.cpp

```cpp
// GraphicBuffer.cpp (5.0.0_r2), lines 286-290
if (handle) {
    buf[8] = handle->numFds;
    buf[9] = handle->numInts;
    native_handle_t const* const h = handle;
    memcpy(fds, h->data, h->numFds*sizeof(int));
    memcpy(&buf[10], h->data
```

By the way, your latest code does not use the dynamic detection to determine J vs K/L vs M. You hardcoded the JellyBean when calling checkGraphicsBufferVuln( JELLYBEAN );

Thanks for the update and the work you did. It really makes checking for Android security vulnerabilities much easier.

Thanks

Roger

On Thu, Oct 8, 2015 at 1:58 PM, Ryan Welton notifications@github.com wrote:

> this should be fixed in the latest patches: https://github.com/nowsecure/android-vts/blob/master/bin/androidVTS.apk // https://github.com/nowsecure/android-vts/blob/master/app/src/main/jni/graphics_into_overflow_test.c
>
> If you could please give it a try and let us know how it works, that would be splendid.
>
> — Reply to this email directly or view it on GitHub https://github.com/nowsecure/android-vts/issues/21#issuecomment-146638414 .
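The root cause rcheung points at is a layout assumption: the word indexes of `numFds` and `numInts` in the flattened `GraphicBuffer` moved from 6/7 (4.4.4) to 8/9 (5.0), so a check that hard-codes one layout misreads a legitimate buffer on the other release. The following C program is an added example written for this page, not code from android-vts or from AOSP. It takes the two index pairs from the androidxref excerpts above; the API-level threshold (19 for KitKat), the field names, the `'GBFR'` magic value and every word of the sample buffer are constructed for illustration. It also shows the defender-side check a hardened `unflatten` needs before trusting the declared counts, written so an absurd `numInts` cannot wrap the bounds arithmetic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Where numFds/numInts sit in the flattened GraphicBuffer word array.
 * 4.4.4: buf[6], buf[7]; 5.0: buf[8], buf[9] (from the excerpts in this
 * issue). The int payload starts at the word after numInts. The API-level
 * split (<= 19 means KitKat layout) is an assumption of this example. */
typedef struct {
    size_t num_fds_idx;
    size_t num_ints_idx;
    size_t header_words;   /* words preceding the int payload */
} flat_layout_t;

flat_layout_t graphic_buffer_layout(int api_level)
{
    flat_layout_t l;
    if (api_level <= 19) {            /* KitKat 4.4.x */
        l.num_fds_idx = 6;
        l.num_ints_idx = 7;
    } else {                          /* Lollipop and later */
        l.num_fds_idx = 8;
        l.num_ints_idx = 9;
    }
    l.header_words = l.num_ints_idx + 1;
    return l;
}

/* Result codes for validate_flattened(). */
enum { FLAT_OK = 0, FLAT_TOO_SHORT = 1, FLAT_BAD_COUNTS = 2 };

/* Check a receiver must do before copying anything: the declared numFds may
 * not exceed the fds actually received, and the declared numInts must fit in
 * the words that remain after the header. The remaining-space comparison is
 * done by subtraction on the known-good side, so a huge numInts cannot wrap. */
int validate_flattened(const uint32_t *buf, size_t buf_words,
                       size_t fd_count, int api_level)
{
    flat_layout_t l = graphic_buffer_layout(api_level);
    if (buf_words < l.header_words)
        return FLAT_TOO_SHORT;
    uint32_t num_fds  = buf[l.num_fds_idx];
    uint32_t num_ints = buf[l.num_ints_idx];
    if (num_fds > fd_count)
        return FLAT_BAD_COUNTS;
    if (num_ints > buf_words - l.header_words)
        return FLAT_BAD_COUNTS;
    return FLAT_OK;
}

/* Constructed sample: a KitKat-layout buffer with numFds=1, numInts=2 and a
 * two-word int payload. All values are made up for this example. */
#define SAMPLE_WORDS 10
static const uint32_t kk_sample[SAMPLE_WORDS] = {
    0x47424652u,                 /* 'GBFR' magic (constructed) */
    1080, 1920, 1088, 1, 0x300,  /* width, height, stride, format, usage */
    1, 2,                        /* numFds, numInts at KitKat positions 6, 7 */
    0xAAAA, 0xBBBB               /* the two int payload words */
};

/* The same legitimate KitKat buffer judged under each layout assumption. */
int check_sample_with_api(int api_level)
{
    return validate_flattened(kk_sample, SAMPLE_WORDS, 1, api_level);
}

/* A copy of the sample with an absurd numInts at the KitKat position. */
int check_oversized_counts(void)
{
    uint32_t tampered[SAMPLE_WORDS];
    memcpy(tampered, kk_sample, sizeof tampered);
    tampered[7] = UINT32_MAX;
    return validate_flattened(tampered, SAMPLE_WORDS, 1, 19);
}

int main(void)
{
    /* Right layout: accepted. Wrong layout: buf[8]=0xAAAA is read as numFds
     * and rejected, which is the false "failed" result reported above. */
    printf("KitKat buffer, API 19 layout: %d\n", check_sample_with_api(19));
    printf("KitKat buffer, API 21 layout: %d\n", check_sample_with_api(21));
    printf("tampered numInts, API 19:     %d\n", check_oversized_counts());
    return 0;
}
```

Running it shows `0` for the matching layout, `2` when the 5.0 indexes are applied to a 4.4.4 buffer, and `2` for the tampered counts; a test that wants one verdict per device therefore has to select the layout from the running release first, which is what the Java-side detection in android-vts does according to the later comments.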

rcheung commented 9 years ago

Sorry, I did not see that the dynamic detection part is handled in the Java layer.

Fuzion24 commented 9 years ago

@rcheung give 'er another rip when you get some time.

rcheung commented 9 years ago

Verified on both patched and non-patched KK version (Android 4.4.4), AndroidVTS is able to show correct information on GraphicsBuffer Unflatten as well as other CVEs.

Thanks for the update.

Fuzion24 commented 9 years ago

Thank you for testing this!