Samsung – libQjpeg Image Decoding Memory Corruption

  • Author: Google Security Research
    Date: 2015-11-03
  • Source: https://www.exploit-db.com/exploits/38614/
  • Source: https://code.google.com/p/google-security-research/issues/detail?id=495
    
    The attached JPEG files cause memory corruption in the DCMProvider service when they are processed by the media scanner, leading to the following crashes:
    
    quaramip.jpg:
    
    I/DEBUG ( 2962): pid: 19350, tid: 19468, name: HEAVY#0  >>> com.samsung.dcm:DCMService <<<
    I/DEBUG ( 2962): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x8080808080808080
    I/DEBUG ( 2962):     x0  0000007f97afd000  x1  0000007f98118650  x2  0000007f9811eaa8  x3  0000007f9815a430
    I/DEBUG ( 2962):     x4  8080808080808080  x5  0000007f9811eaa8  x6  0000000000000000  x7  0000000000000003
    I/DEBUG ( 2962):     x8  0000000000000050  x9  0000000000000005  x10 0000000000000053  x11 0000007f9815a470
    I/DEBUG ( 2962):     x12 0000007f97803920  x13 0000007f978ff050  x14 0000007f983fea40  x15 0000000000000001
    I/DEBUG ( 2962):     x16 0000007faabefae0  x17 0000007faf708880  x18 0000007faf77da40  x19 0000007f97afd000
    I/DEBUG ( 2962):     x20 00000000ffffffff  x21 0000000000000001  x22 0000007f9815a410  x23 0000007f981588f0
    I/DEBUG ( 2962):     x24 0000007f983feb44  x25 0000007f983feb48  x26 ffffffffffffffe8  x27 0000007f98118600
    I/DEBUG ( 2962):     x28 0000007f98177800  x29 000000000000001c  x30 0000007faabb8ff8
    I/DEBUG ( 2962):     sp  0000007f983fea50  pc  8080808080808080  pstate 0000000000000000
    I/DEBUG ( 2962): 
    I/DEBUG ( 2962): backtrace:
    I/DEBUG ( 2962):     #00 pc 8080808080808080  <unknown>
    I/DEBUG ( 2962):     #01 pc 00000000000000a6  <unknown>
    
    quaramfree.jpg:
    
    I/DEBUG ( 2956): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x808080808000d0
    I/DEBUG ( 2956):     x0  0000000000008080  x1  0000007f89d03720  x2  00000000000fffff  x3  8080808080800000
    I/DEBUG ( 2956):     x4  0000000000000008  x5  0000007f89cf2000  x6  0000007f89d03758  x7  0000000000000002
    I/DEBUG ( 2956):     x8  0000000000000006  x9  0000000000000012  x10 8080808080800090  x11 0000007f803015d8
    I/DEBUG ( 2956):     x12 0000000000000013  x13 0000007f89cf2000  x14 0000007f89d00000  x15 00000000000014a4
    I/DEBUG ( 2956):     x16 0000007f850eec00  x17 0000007f89c4e17c  x18 0000007f89d037f8  x19 8080808080808080
    I/DEBUG ( 2956):     x20 0000007f8031e618  x21 0000007f89cf2000  x22 0000000000000001  x23 0000007f803166d8
    I/DEBUG ( 2956):     x24 0000007f80331170  x25 0000000000000010  x26 00000000000001f4  x27 fffffffffffffffc
    I/DEBUG ( 2956):     x28 000000000000007d  x29 0000007f84efea60  x30 0000007f89c4e194
    I/DEBUG ( 2956):     sp  0000007f84efea60  pc  0000007f89cae0b4  pstate 0000000020000000
    I/DEBUG ( 2956): 
    I/DEBUG ( 2956): backtrace:
    I/DEBUG ( 2956):     #00 pc 00000000000790b4  /system/lib64/libc.so (je_free+92)
    I/DEBUG ( 2956):     #01 pc 0000000000019190  /system/lib64/libc.so (free+20)
    I/DEBUG ( 2956):     #02 pc 000000000003e8a0  /system/lib64/libQjpeg.so (WINKJ_DeleteDecoderInfo+1076)
    I/DEBUG ( 2956):     #03 pc 00000000000427b0  /system/lib64/libQjpeg.so (WINKJ_DecodeImage+2904)
    I/DEBUG ( 2956):     #04 pc 00000000000428d4  /system/lib64/libQjpeg.so (WINKJ_DecodeFrame+88)
    I/DEBUG ( 2956):     #05 pc 0000000000042a08  /system/lib64/libQjpeg.so (QURAMWINK_DecodeJPEG+276)
    I/DEBUG ( 2956):     #06 pc 000000000004420c  /system/lib64/libQjpeg.so (QURAMWINK_PDecodeJPEG+200)
    I/DEBUG ( 2956):     #07 pc 00000000000a4234  /system/lib64/libQjpeg.so (QjpgDecodeFileOpt+432)
    I/DEBUG ( 2956):     #08 pc 0000000000001b98  /system/lib64/libsaiv_codec.so (saiv_codec_JpegCodec_decode_f2bRotate+40)
    I/DEBUG ( 2956):     #09 pc 0000000000001418  /system/lib64/libsaiv_codec.so (Java_com_samsung_android_saiv_codec_JpegCodec_decodeF2BRotate+268)
    I/DEBUG ( 2956):     #10 pc 00000000000018ec  /system/framework/arm64/saiv.odex
    
    In the first crash the pc register is set to a value taken from the content of the JPEG file (0x8080808080808080), indicating that this issue could probably be exploited to achieve code execution. We believe the issue is caused by a flaw in libQjpeg.so (the third-party Quram Qjpeg library).
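    A small triage script, added here as an example and not part of the original report, that applies the reasoning of the previous paragraph to the two register dumps above. The dumps are embedded with their whitespace normalised and the log prefixes dropped; the JPEG bytes are a constructed stand-in, not the real quaramip.jpg. A pc holding a repeated-byte filler value or lying outside the user-space address range, with an unsymbolised top frame, is the strongest sign that the decoder branched through attacker-controlled data; registers still carrying the filler help locate the overrun, and `value_in_blob` confirms that the same byte sequence is present in the input file.

```python
import re
import struct

# Register dump and backtrace from the quaramip.jpg crash above (constructed here
# from the lines on the page, whitespace normalised, log prefixes dropped).
QURAMIP_CRASH = """\
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x8080808080808080
x0 0000007f97afd000 x1 0000007f98118650 x2 0000007f9811eaa8 x3 0000007f9815a430
x4 8080808080808080 x5 0000007f9811eaa8 x6 0000000000000000 x7 0000000000000003
sp 0000007f983fea50 pc 8080808080808080 pstate 0000000000000000
backtrace:
#00 pc 8080808080808080 <unknown>
#01 pc 00000000000000a6 <unknown>
"""

# Same for the quaramfree.jpg crash (selected registers, first three frames).
QURAMFREE_CRASH = """\
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x808080808000d0
x0 0000000000008080 x1 0000007f89d03720 x2 00000000000fffff x3 8080808080800000
x8 0000000000000006 x9 0000000000000012 x10 8080808080800090 x11 0000007f803015d8
x16 0000007f850eec00 x17 0000007f89c4e17c x18 0000007f89d037f8 x19 8080808080808080
sp 0000007f84efea60 pc 0000007f89cae0b4 pstate 0000000020000000
backtrace:
#00 pc 00000000000790b4  /system/lib64/libc.so (je_free+92)
#01 pc 0000000000019190  /system/lib64/libc.so (free+20)
#02 pc 000000000003e8a0  /system/lib64/libQjpeg.so (WINKJ_DeleteDecoderInfo+1076)
"""

# Constructed stand-in for the PoC: SOI/APP0 markers, 0x80 filler, EOI.
# It is NOT the real quaramip.jpg; it only exercises the pattern search.
SAMPLE_POC = b"\xff\xd8\xff\xe0" + b"\x80" * 64 + b"\xff\xd9"

REG_RE = re.compile(r"(x\d{1,2}|sp|pc|pstate)\s*([0-9a-f]{16})")
FAULT_RE = re.compile(r"fault addr 0x([0-9a-f]+)")
FRAME_RE = re.compile(r"#(\d\d) pc ([0-9a-f]{16})\s*(\S+)")

USER_VA_LIMIT = 1 << 48  # AArch64 user space never exceeds a 48-bit VA


def repeated_byte(value):
    """True for non-zero 64-bit values made of one byte repeated (0x8080..., 0x4141...).
    A legitimate pointer almost never looks like this; filler read straight out
    of an input file does."""
    return value != 0 and len(set(struct.pack("<Q", value))) == 1


def is_user_address(value):
    return 0 < value < USER_VA_LIMIT


def parse_crash(text):
    """Pull registers, fault address and backtrace frames out of a debuggerd dump."""
    regs, frames, fault = {}, [], None
    in_backtrace = False
    for line in text.splitlines():
        if line.startswith("backtrace"):
            in_backtrace = True
            continue
        m = FAULT_RE.search(line)
        if m:
            fault = int(m.group(1), 16)
            continue
        if in_backtrace:
            m = FRAME_RE.search(line)
            if m:
                frames.append((int(m.group(1)), int(m.group(2), 16), m.group(3)))
        else:
            for name, val in REG_RE.findall(line):
                regs[name] = int(val, 16)
    return {"regs": regs, "frames": frames, "fault": fault}


def triage(text):
    """Summarise how much of the crash state looks attacker-controlled."""
    crash = parse_crash(text)
    regs = crash["regs"]
    pc = regs.get("pc")
    fault = crash["fault"]
    top_frame = crash["frames"][0][2] if crash["frames"] else None
    return {
        "pc": pc,
        "top_frame": top_frame,
        # pc holding a filler pattern or a non-user address means control flow
        # already left mapped code: the indicator the report relies on.
        "pc_controlled": pc is not None and (repeated_byte(pc) or not is_user_address(pc)),
        "fault_addr": fault,
        "fault_in_user_range": fault is not None and is_user_address(fault),
        # Registers still carrying the raw filler help locate the corrupted object.
        "tainted_regs": sorted(n for n, v in regs.items() if repeated_byte(v)),
    }


def value_in_blob(blob, value):
    """Offset of the little-endian encoding of value inside blob, or -1 if absent."""
    return blob.find(struct.pack("<Q", value))


if __name__ == "__main__":
    for name, dump in (("quaramip.jpg", QURAMIP_CRASH), ("quaramfree.jpg", QURAMFREE_CRASH)):
        print(name, triage(dump))
    print("filler offset in PoC:", value_in_blob(SAMPLE_POC, 0x8080808080808080))
```

    On the first dump the script reports pc as controlled with `<unknown>` as the top frame and x4 also holding the filler; on the second it reports pc inside libc.so (the crash is in `je_free`, reached from `WINKJ_DeleteDecoderInfo`), with x19 still holding the filler and a fault address far outside user space, which is consistent with corrupted heap metadata rather than a direct control-flow hijack.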
    
    To reproduce the issue, download one of the files to the device's external storage and wait for media scanning to occur, or trigger a scan by running:
    
    adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0
    
    This issue was tested on a SM-G925V device running build number LRX22G.G925VVRU1AOE2. 
    
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38614.zip