[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Android SDK: Segmentation fault with dexdump / dexDecodeDebugInfo
- To: full-disclosure@xxxxxxxxxxxxxxxxx, "Bugtraq" <bugtraq@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Android SDK: Segmentation fault with dexdump / dexDecodeDebugInfo
- From: Marc Schoenefeld <marc.schoenefeld@xxxxxxx>
- Date: Mon, 28 Mar 2011 10:09:32 +0200
Hi,
the dexdump tool, bundled with Android SDK was identified to
perform suspicious write accesses in the dexDecodeDebugInfo function,
as defined in dalvik/libdex/DexFile.c.
The structural parser in dexdump failed to properly parse debug info
such as code position info, with indications of code execution. This
could potentially be misused by remote attackers, tricking users into
opening apk/dex-files from untrusted sources (such as for disassembling
or decompiling via undx).
The crash dump looks as follows:
exception=EXC_BAD_ACCESS:signal=Segmentation
fault:is_exploitable=yes:instruction_disassembly=movl
%edx,(%eax,%esi):instruction_address=0x00000000000087e0:access_type=write:access_address=0x00000000c00feeb0:
Crash accessing invalid address. Consider running it again with
libgmalloc(3) to see if the log changes.
Process: dexdump [75749]
Path:
/Users/marc/android-sdk-mac_86/platforms/android-8/tools/dexdump
Identifier: dexdump
Version: ??? (???)
Code Type: X86 (Native)
Parent Process: exc_handler_snowleopard [75748]
Date/Time: 2010-05-26 08:30:16.960 +0200
OS Version: Mac OS X 10.6.3 (10D573)
Report Version: 6
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00000000c00feeb0
Crashed Thread: 0
Thread 0 Crashed:
0 dexdump 0x000087e0 dexDecodeDebugInfo + 672
1 dexdump 0x00003bd7 dumpPositions + 135
2 dexdump 0x00005183 dumpCode + 179
3 dexdump 0x00005335 dumpMethod + 405
4 dexdump 0x00005a6f dumpClass + 1087
5 dexdump 0x00005d04 processDexFile + 148
6 dexdump 0x00005edf process + 239
7 dexdump 0x00006212 main + 754
8 dexdump 0x00002a36 start + 54
The issue was reported to Google in May 2010 and fixed in trunk with
this patch adding new constraints that prevent the bug to be triggered:
http://android.git.kernel.org/?p=platform/dalvik.git;a=commit;h=4b0750e8df91220690bb417f45d7ae8b7851b220
Late February 2011 Android security team confirmed the bug to be a
vulnerability, pre-assigning CVE-2011-1001.
The current version dumps a correct error message for the given testcase:
W/dalvikvm(63949): Bad index: (item->typeIdx)(1050) >
(state->pHeader->typeIdsSize)(233)
E/dalvikvm(63949): Trouble with item 7 @ offset 0x4a48
E/dalvikvm(63949): Swap of section type 0004 failed
E/dalvikvm(63949): ERROR: Byte swap + verify failed
ERROR: Failed structural verification of 'blabla.dex'
Anyone interesting in the reproducer for research purposes, feel free to
contact me.
Cheers
Marc
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/