Source: https://code.google.com/p/google-security-research/issues/detail?id=499 The attached files cause memory corruption when they are scanned by the face recognition library in android.media.process. From faces-art.bmp F/libc(11305): Fatal signal 11 (SIGSEGV), code 1, fault addr 0x0 in tid 11555 (Thread-1136) I/DEBUG ( 2955): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** I/DEBUG ( 2955): Build fingerprint: 'Verizon/zeroltevzw/zeroltevzw:5.0.2/LRX22G/G925VVRU2AOF1:user/release-keys' I/DEBUG ( 2955): Revision: '10' I/DEBUG ( 2955): ABI: 'arm64' I/DEBUG ( 2955): pid: 11305, tid: 11555, name: Thread-1136>>> android.process.media <<< I/DEBUG ( 2955): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0 I/DEBUG ( 2955): x0 0000007f94ca2100x1 0000007f94c63480x2 0000007f94c0e200x3 0000000000000000 I/DEBUG ( 2955): x4 0000000000000000x5 0000000000000040x6 000000000000003fx7 0000000000000000 I/DEBUG ( 2955): x8 0000007f94c0e240x9 0000000000000004x10000000000000003bx11000000000000003a I/DEBUG ( 2955): x120000007f94c02080x1300000000ffffffffx140000007f94c02080x15000000000151c5e8 I/DEBUG ( 2955): x160000007f885fe900x170000007f9ee60d80x180000007f9eed5a40x190000007f94c1d100 I/DEBUG ( 2955): x200000000000000000x210000007f94c65150x220000007f949d0550x230000007f94c1d110 I/DEBUG ( 2955): x240000000012d39070x250000000000000066x260000000012d23b80x270000000000000066 I/DEBUG ( 2955): x280000000000000000x290000007f949cfd70x300000007f87acd200 I/DEBUG ( 2955): sp 0000007f949cfd70pc 0000000000000000pstate 0000000040000000 I/DEBUG ( 2955): I/DEBUG ( 2955): backtrace: I/DEBUG ( 2955): #00 pc 0000000000000000<unknown> I/DEBUG ( 2955): #01 pc 0000000000000001<unknown> I/DEBUG ( 2955): #02 pc 26221b0826221b08<unknown> To reproduce, download the attached file and wait, or trigger media scanning by calling: adb shell am broadcast -a android.intent.action.MEDIA_MOUNTED -d file:///mnt/shell/emulated/0/ Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38611.zip
体验盒子
