扫码分享
验证:
体验盒子Source: https://code.google.com/p/google-security-research/issues/detail?id=499
The attached files cause memory corruption when they are scanned by the face recognition library in android.media.process.
From faces-art.bmp
F/libc(11305): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 11555 (Thread-1136)
I/DEBUG ( 2955): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG ( 2955): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.0.2/LRX22G/G925VVRU2AOF1:user/release-keys'
I/DEBUG ( 2955): Revision: '10'
I/DEBUG ( 2955): ABI: 'arm64'
I/DEBUG ( 2955): pid: 11305, tid: 11555, name: Thread-1136>>> android.process.media <<<
I/DEBUG ( 2955): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
I/DEBUG ( 2955): x0 0000007f94ca2100x1 0000007f94c63480x2 0000007f94c0e200x3 0000000000000000
I/DEBUG ( 2955): x4 0000000000000000x5 0000000000000040x6 000000000000003fx7 0000000000000000
I/DEBUG ( 2955): x8 0000007f94c0e240x9 0000000000000004x10000000000000003bx11000000000000003a
I/DEBUG ( 2955): x120000007f94c02080x1300000000ffffffffx140000007f94c02080x15000000000151c5e8
I/DEBUG ( 2955): x160000007f885fe900x170000007f9ee60d80x180000007f9eed5a40x190000007f94c1d100
I/DEBUG ( 2955): x200000000000000000x210000007f94c65150x220000007f949d0550x230000007f94c1d110
I/DEBUG ( 2955): x240000000012d39070x250000000000000066x260000000012d23b80x270000000000000066
I/DEBUG ( 2955): x280000000000000000x290000007f949cfd70x300000007f87acd200
I/DEBUG ( 2955): sp 0000007f949cfd70pc 0000000000000000pstate 0000000040000000
I/DEBUG ( 2955):
I/DEBUG ( 2955): backtrace:
I/DEBUG ( 2955): #00 pc 0000000000000000<unknown>
I/DEBUG ( 2955): #01 pc 0000000000000001<unknown>
I/DEBUG ( 2955): #02 pc 26221b0826221b08<unknown>
To reproduce, download the attached file and wait, or trigger media scanning by calling:
adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38611.zip
体验盒子
