What is the analysis of MediaTek chip Rootkit vulnerability CVE-2020-0069?

2025-02-24 Update From: SLTechnology News&Howtos (Network Security)


Shulou(Shulou.com)05/31 Report--

How should the MediaTek chip rootkit vulnerability CVE-2020-0069 be analyzed? Many newcomers are unclear about this, so to help you work through the problem the editor explains it in detail below; anyone who needs this can follow along, and I hope you gain something from it.

I. Background of the vulnerability

In March 2020, Google fixed a security vulnerability (CVE-2020-0069) in MediaTek chips that affected more than 20 MediaTek chipsets and millions of Android devices. The flaw lies in the MediaTek Command Queue driver (CMDQ command queue driver): it allows a local attacker to perform arbitrary reads and writes to physical memory addresses, resulting in privilege escalation.

II. Affected domestic (Chinese-market) mobile phone models

Huawei GR3 TAG-L21

Huawei Y5II

Huawei Y6II MT6735 series

Lenovo A5

Lenovo C2 series

Lenovo Tab E7

Lenovo Tab E8

Lenovo Tab2 A10-70F

Meizu M5c

Meizu M6

Meizu Pro 7 Plus

Oppo A59 series

Oppo A5s

Oppo A7x-up to Android 8.x

Oppo F5 series/A73-up to A.39

Oppo F7 series-- Android 8.x only

Oppo F9 series-- Android 8.x only

Oppo R9xm series

Xiaomi Redmi 6/6A series

ZTE Blade A530

ZTE Blade D6/V6

ZTE Quest 5 Z3351S
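As an added defender-side example, not code from the original article or from MediaTek, the following POSIX shell helper triages whether a device is still exposed, using three values an administrator can read over adb: the security patch level (getprop ro.build.version.security_patch), the SoC platform (getprop ro.board.platform), and the permission field of the CMDQ device node. It assumes the March 2020 bulletin as the patch cutoff and /dev/mtk_cmdq as the device node; both are assumptions, not stated on the page.

```shell
#!/bin/sh
# Triage helper for CVE-2020-0069 (added example, not from the article).
# Assumptions: the fix shipped in the 2020-03 Android bulletin, so a patch
# level >= 2020-03-01 counts as patched; the CMDQ node is /dev/mtk_cmdq.
#
# cve_2020_0069_status PATCH_LEVEL PLATFORM NODE_PERMS
#   PATCH_LEVEL : ro.build.version.security_patch, e.g. 2020-02-01
#   PLATFORM    : ro.board.platform, e.g. mt6765 (MediaTek names start "mt")
#   NODE_PERMS  : first field of `ls -l /dev/mtk_cmdq`, e.g. crw-rw-rw-
# Prints: not-mediatek | unknown | patched | exposed | unpatched-restricted
cve_2020_0069_status() {
    patch="$1"; platform="$2"; perms="$3"
    case "$platform" in
        mt*|MT*) ;;
        *) echo "not-mediatek"; return 0 ;;
    esac
    # Turn YYYY-MM-DD into a plain integer so it can be compared numerically.
    pnum=$(printf '%s' "$patch" | tr -d '-')
    case "$pnum" in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;
    esac
    if [ "$pnum" -ge 20200301 ]; then
        echo "patched"; return 0
    fi
    # Unpatched: the vulnerable ioctls are reachable by any local app only
    # if the "other" permission bits grant read or write on the node.
    case "$perms" in
        ???????r??|????????w?) echo "exposed" ;;
        *) echo "unpatched-restricted" ;;
    esac
}

# Constructed sample inputs (not taken from a real device):
cve_2020_0069_status 2020-01-05 mt6765 crw-rw-rw-   # exposed
cve_2020_0069_status 2020-03-05 mt6765 crw-rw-rw-   # patched
```

On a live device the three arguments come from `adb shell getprop ro.build.version.security_patch`, `adb shell getprop ro.board.platform` and `adb shell ls -l /dev/mtk_cmdq`.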

III. A brief analysis of the CMDQ driver

DMA (Direct Memory Access) is a feature that lets dedicated hardware send data to or receive data from main memory (RAM) directly. The goal is to speed up the system by allowing large memory transfers without consuming much CPU time. The MediaTek Command Queue driver (CMDQ command queue driver) lets user space communicate with the DMA controller to perform media- or display-related tasks.

Based on analysis of the Redmi 6/6A source code, the cmdq_driver.h header file declares the IOCTL calls of the cmdq driver as follows:

(1) CMDQ_IOCTL_ALLOC_WRITE_ADDRESS allocates a DMA buffer.

(2) CMDQ_IOCTL_FREE_WRITE_ADDRESS releases a DMA buffer.

(3) CMDQ_IOCTL_READ_WRITE_ADDRESS reads the data in a DMA buffer.

(4) CMDQ_IOCTL_EXEC_COMMAND runs commands and dispatches other commands.

1. Allocation process

CMDQ_IOCTL_ALLOC_WRITE_ADDRESS calls the cmdqCoreAllocWriteAddress() function to allocate a DMA buffer. The key code of this function is as follows:

Then the cmdq_core_alloc_hw_buffer() function is called to allocate the DMA buffer; pWriteAddr->va is the buffer's virtual address and pWriteAddr->pa is the corresponding physical address. The buffer is then cleared.

Finally, the physical address is assigned to *paStart and the pWriteAddr structure is added to the gCmdqContext.writeAddrList linked list.

2. Command execution process

The CMDQ_IOCTL_EXEC_COMMAND call takes a cmdqCommandStruct structure as its parameter; the structure is defined as follows:

pVABase points to the user-space buffer where the commands are stored, and the size of that buffer is placed in blockSize. The cmdqReadAddressStruct structure is defined as follows:

dmaAddresses holds the physical addresses to be read, and the values read back are stored in values. The implementation of the CMDQ_IOCTL_EXEC_COMMAND command is as follows:

The function call path is as follows:

The cmdq_core_acquire_task() function binds the commands to a task for execution. Its implementation is as follows:

It calls cmdq_core_find_free_task() to obtain a free task, performs some initialization on it, and then calls cmdq_core_insert_read_reg_command() to process the commands.

That function first copies the commands passed in from the user layer into the DMA buffer.

pCommandDesc->pVABase is the start address of the memory where the commands are stored. After the commands are copied, the sequence is terminated in one of several ways.

Without going into detail here, the EOC and JUMP instructions are finally copied in as the terminator. Note that this, too, is a copy of the commands passed in from the user layer.

After returning from the cmdq_core_acquire_task () function, it looks like this:

The cmdq_core_consume_waiting_list() function is called to execute the task. First, the task is taken from the waiting queue.

Then, get the idle kernel thread.

Finally, bind the task to the thread to execute.

IV. Analysis of the read and write commands

Take the cmdq_test.c test code as an example to understand how a complete read and write command sequence is constructed. The cmdq driver defines two types of registers: address registers, which store addresses, and value registers, which store the values being read or written.

regResults is a virtual address. cmdq_core_alloc_hw_buffer() is called to assign a DMA address, regResultsMVA, that corresponds to it, and the data in regResults is then set. The read and write commands are then assembled:

First, the address of regResults[0] is written into the address register CMDQ_DATA_REG_DEBUG_DST.

Then the data at the address held in CMDQ_DATA_REG_DEBUG_DST is read and written into the value register CMDQ_DATA_REG_DEBUG. At this point the value register CMDQ_DATA_REG_DEBUG should hold 0xdeaddead.

Next, the address of regResults[1] is moved into the address register CMDQ_DATA_REG_DEBUG_DST.

Finally, the 0xdeaddead in the value register CMDQ_DATA_REG_DEBUG is written to the address of regResults[1] stored in the address register CMDQ_DATA_REG_DEBUG_DST, that is, regResults[1] = 0xdeaddead. The test then checks whether regResults[0] and regResults[1] are equal.

If they are equal, the read and write succeeded.

V. PoC analysis and testing

(1) In the PoC code, the key code for the write operation is as follows:

The write proceeds as follows: first, value[count] is moved into the value register CMDQ_DATA_REG_DEBUG; then the address pa_address+offset is moved into the address register CMDQ_DATA_REG_DEBUG_DST; finally, the value in CMDQ_DATA_REG_DEBUG is written to the address pa_address+offset held in CMDQ_DATA_REG_DEBUG_DST, that is, *(pa_address+offset) = value[count].

(2) In the PoC code, the key code for the read operation is as follows:

The read proceeds as follows: first, the address pa_address+offset is moved into the address register CMDQ_DATA_REG_DEBUG_DST; then the data at the address pa_address+offset held in CMDQ_DATA_REG_DEBUG_DST is read into the value register CMDQ_DATA_REG_DEBUG; next, the address dma_address+offset is moved into CMDQ_DATA_REG_DEBUG_DST; finally, the data in CMDQ_DATA_REG_DEBUG is written to the address dma_address+offset held in CMDQ_DATA_REG_DEBUG_DST, that is, *(dma_address+offset) = *(pa_address+offset).

(3) Running the PoC on the Redmi 6 test device, the string "Linux" in kernel memory was successfully modified to "minix".
