polygraphene / DirtyPipe-Android

Dirty Pipe root exploit for Android (Pixel 6)

Questions about TECHNICAL-DETAILS #5

Closed YeJZ closed 2 years ago

YeJZ commented 2 years ago


Hi, I have some doubts: why do we need to overwrite libstagefright_soft_mp3dec.so with the content of mymod.ko? Since we have tampered with /vendor/bin/modprobe, why not just execute finit_module(mymod.ko) and call the interface that closes SELinux? What is the purpose of calling open(*.so) first?

polygraphene commented 2 years ago

The dump of the SELinux policy:

$ sesearch -A policy-dump|grep module_load
allow init-insmod-sh vendor_kernel_modules:system module_load;
allow ueventd vendor_file:system module_load;
allow vendor_modprobe vendor_file:system module_load;

By SELinux enforcement, vendor_modprobe can load modules only from vendor_file files. It means finit_module must be called on an fd which points to a vendor_file file. Otherwise finit_module fails with EACCES.

Furthermore, init_module with a memory buffer is also prohibited by SELinux.

It is the only way I found to load the module.
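
To make the policy reasoning above concrete, here is an added Python example (not code from the DirtyPipe-Android repository) that parses `sesearch -A` allow rules like the three quoted and reports which domains may load kernel modules from which file labels; the sample rules are the ones from the dump, and the labels used only in the denied checks are assumptions for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample: the three module_load allow rules quoted in the thread,
# in the "allow <source> <target>:<class> <perm>;" form that sesearch -A prints.
SESEARCH_OUTPUT = """\
allow init-insmod-sh vendor_kernel_modules:system module_load;
allow ueventd vendor_file:system module_load;
allow vendor_modprobe vendor_file:system module_load;
"""

class AllowRule(NamedTuple):
    source: str        # subject domain, e.g. vendor_modprobe
    target: str        # object label, e.g. vendor_file
    tclass: str        # object class, e.g. system
    perms: frozenset   # permissions granted, e.g. {"module_load"}

# Accepts both "... perm;" and "... { perm1 perm2 };" spellings.
RULE_RE = re.compile(
    r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*?)\s*\}|(\S+?));?\s*$")

def parse_allow_rules(text: str) -> List[AllowRule]:
    """Parse allow rules from sesearch output; other lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        perms = m.group(4).split() if m.group(4) is not None else [m.group(5)]
        rules.append(AllowRule(m.group(1), m.group(2), m.group(3), frozenset(perms)))
    return rules

def can_load_module(rules: List[AllowRule], source: str, target: str) -> bool:
    """True if `source` may finit_module() a file labelled `target` (system:module_load)."""
    return any(r.source == source and r.target == target
               and r.tclass == "system" and "module_load" in r.perms
               for r in rules)

def module_loaders(rules: List[AllowRule]) -> Dict[str, Set[str]]:
    """Audit view: each domain that can load modules -> labels it may load from."""
    loaders: Dict[str, Set[str]] = {}
    for r in rules:
        if r.tclass == "system" and "module_load" in r.perms:
            loaders.setdefault(r.source, set()).add(r.target)
    return loaders

if __name__ == "__main__":
    for domain, labels in sorted(module_loaders(parse_allow_rules(SESEARCH_OUTPUT)).items()):
        print(f"{domain} may load modules from: {', '.join(sorted(labels))}")
```

Running it against a full `sesearch -A` dump of a device policy gives the complete list of domains that can reach system:module_load, which is the set to review when auditing module-loading exposure.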

YeJZ commented 2 years ago

Thank you very much for your answer. So the purpose of open lib.so is to bypass SELinux's restriction on disabling memory buffers when loading_module. In other words, open lib.so is to load memory buffers into the modprobe process, and these memory buffers will be used in the payload of closing SELinux or getting root?

I am still a little unclear about where the buffers brought by lib*.so are used in the code. Can you point out the lines of code that use these buffers? Thank you very much.

polygraphene commented 2 years ago

It is loaded inside the kernel. The kernel loads the file content into kernel memory from the fd, then executes it.

https://github.com/torvalds/linux/blob/028192fea1de083f4f12bfb1eb7c4d7beb5c8ecd/kernel/module.c#L4207

YeJZ commented 2 years ago

Thank you very much. If my understanding is correct, assuming that mymod.ko has the role of vendor_file, then lib*.so is not needed: just open(mymod.ko) directly, and then call finit_module(fd) to complete the exploit.

polygraphene commented 2 years ago

Yes.

But in reality, you can't change the context of any file because of SELinux.