
[Full-disclosure] Android SDK: Segmentation fault with dexdump / dexDecodeDebugInfo



Hi,

the dexdump tool bundled with the Android SDK was found to perform
invalid write accesses in the dexDecodeDebugInfo function, as defined
in dalvik/libdex/DexFile.c.

The structural parser in dexdump fails to properly validate debug info
such as code position info, and the crash characteristics indicate that
code execution may be possible.  Remote attackers could misuse this by
tricking users into opening apk/dex files from untrusted sources (for
example when disassembling or decompiling them via undx).

The crash dump looks as follows:

exception=EXC_BAD_ACCESS:signal=Segmentation
fault:is_exploitable=yes:instruction_disassembly=movl
%edx,(%eax,%esi):instruction_address=0x00000000000087e0:access_type=write:access_address=0x00000000c00feeb0:
Crash accessing invalid address.  Consider running it again with
libgmalloc(3) to see if the log changes.

Process:         dexdump [75749]
Path:
/Users/marc/android-sdk-mac_86/platforms/android-8/tools/dexdump
Identifier:      dexdump
Version:         ??? (???)
Code Type:       X86 (Native)
Parent Process:  exc_handler_snowleopard [75748]

Date/Time:       2010-05-26 08:30:16.960 +0200
OS Version:      Mac OS X 10.6.3 (10D573)
Report Version:  6

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000c00feeb0
Crashed Thread:  0

Thread 0 Crashed:
0   dexdump                             0x000087e0 dexDecodeDebugInfo + 672
1   dexdump                             0x00003bd7 dumpPositions + 135
2   dexdump                             0x00005183 dumpCode + 179
3   dexdump                             0x00005335 dumpMethod + 405
4   dexdump                             0x00005a6f dumpClass + 1087
5   dexdump                             0x00005d04 processDexFile + 148
6   dexdump                             0x00005edf process + 239
7   dexdump                             0x00006212 main + 754
8   dexdump                             0x00002a36 start + 54


The issue was reported to Google in May 2010 and fixed in trunk with
this patch, which adds new constraints that prevent the bug from being
triggered:

http://android.git.kernel.org/?p=platform/dalvik.git;a=commit;h=4b0750e8df91220690bb417f45d7ae8b7851b220

In late February 2011 the Android security team confirmed the bug to be
a vulnerability and pre-assigned CVE-2011-1001.

The current version prints a correct error message for the given test case:

W/dalvikvm(63949): Bad index: (item->typeIdx)(1050) >
(state->pHeader->typeIdsSize)(233)
E/dalvikvm(63949): Trouble with item 7 @ offset 0x4a48
E/dalvikvm(63949): Swap of section type 0004 failed
E/dalvikvm(63949): ERROR: Byte swap + verify failed
ERROR: Failed structural verification of 'blabla.dex'
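The error message above shows the shape of the fix: an index read from the file (typeIdx) is compared against a size taken from the header (typeIdsSize) before it is used. The following is an added illustration of that defensive pattern, written for this post; it is not the dalvik patch or any code from libdex. It assumes a simplified, constructed "type index table" (a ULEB128 count followed by that many ULEB128 type indices) instead of the real debug_info_item layout, and it reuses the numbers from the log (index 1050 against a typeIdsSize of 233) as sample input. The point is that the table is fully validated, including truncation of the encoded values, before any code writes to memory addressed by an index from the file.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { VERIFY_OK = 0, VERIFY_TRUNCATED = -1, VERIFY_BAD_INDEX = -2 };

/* Decode one unsigned LEB128 value without reading past `end`.
 * Returns false on a truncated or over-long (more than 5 bytes) encoding,
 * so a hostile file cannot make the decoder read beyond the buffer. */
static bool read_uleb128(const uint8_t **pp, const uint8_t *end, uint32_t *out) {
    const uint8_t *p = *pp;
    uint32_t result = 0;
    int shift = 0;
    for (int i = 0; i < 5; i++) {
        if (p >= end) return false;
        uint8_t b = *p++;
        result |= (uint32_t)(b & 0x7f) << shift;
        shift += 7;
        if ((b & 0x80) == 0) {
            *pp = p;
            *out = result;
            return true;
        }
    }
    return false;
}

/* Validate the constructed table: every type index must be < typeIdsSize,
 * the bound the header declares for the type_ids section. On a bad index
 * the offending value is reported through *badIdx (if non-NULL). */
static int verify_type_indices(const uint8_t *buf, size_t len,
                               uint32_t typeIdsSize, uint32_t *badIdx) {
    const uint8_t *p = buf, *end = buf + len;
    uint32_t count;
    if (!read_uleb128(&p, end, &count)) return VERIFY_TRUNCATED;
    for (uint32_t i = 0; i < count; i++) {
        uint32_t idx;
        if (!read_uleb128(&p, end, &idx)) return VERIFY_TRUNCATED;
        if (idx >= typeIdsSize) {
            if (badIdx) *badIdx = idx;
            return VERIFY_BAD_INDEX;
        }
    }
    return VERIFY_OK;
}

/* Convenience wrapper: the first out-of-range index, or 0 if the table verifies. */
static uint32_t offending_index(const uint8_t *buf, size_t len, uint32_t typeIdsSize) {
    uint32_t idx = 0;
    return verify_type_indices(buf, len, typeIdsSize, &idx) == VERIFY_BAD_INDEX ? idx : 0;
}

/* Consumer that writes memory indexed by file data: marks each referenced
 * type in a caller-supplied array of typeIdsSize bytes. It refuses to run
 * unless the table verified, so every `seen[idx]` store is in bounds. */
static int mark_types_seen(const uint8_t *buf, size_t len,
                           uint32_t typeIdsSize, uint8_t *seen) {
    if (verify_type_indices(buf, len, typeIdsSize, NULL) != VERIFY_OK) return -1;
    const uint8_t *p = buf, *end = buf + len;
    uint32_t count, idx;
    int marked = 0;
    read_uleb128(&p, end, &count);            /* already validated above */
    for (uint32_t i = 0; i < count; i++) {
        read_uleb128(&p, end, &idx);          /* already validated above */
        if (!seen[idx]) { seen[idx] = 1; marked++; }
    }
    return marked;
}

/* Constructed sample tables (not taken from any real dex file). */
static const uint8_t kGoodTable[]      = { 0x03, 0x01, 0x80, 0x01, 0x05 }; /* indices 1, 128, 5 */
static const uint8_t kBadTable[]       = { 0x01, 0x9A, 0x08 };             /* index 1050 */
static const uint8_t kTruncatedTable[] = { 0x02, 0x01 };                   /* claims 2, holds 1 */

int main(void) {
    const uint32_t typeIdsSize = 233;        /* value from the dexdump log above */
    uint8_t seen[233] = { 0 };
    int n = mark_types_seen(kGoodTable, sizeof kGoodTable, typeIdsSize, seen);
    printf("good table: %d types marked\n", n);
    printf("bad table: index %u > typeIdsSize %u\n",
           offending_index(kBadTable, sizeof kBadTable, typeIdsSize), typeIdsSize);
    printf("truncated table: verify result %d\n",
           verify_type_indices(kTruncatedTable, sizeof kTruncatedTable, typeIdsSize, NULL));
    return 0;
}
```

The ordering matters: the whole table is verified first, and only then does the consumer store through indices taken from the file. A parser that interleaves decoding and use, as the crash trace suggests the old dexdump did, has already written out of bounds by the time a later check could reject the index.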

Anyone interested in the reproducer for research purposes, feel free to
contact me.

Cheers
Marc
