CVE-2019-10529 Detail

CVE-2019-10529

Score / Severity

8.1

High

CVE Descriptions

Possible use after free issue due to race condition while attempting to mark the entry pages as dirty using function set_page_dirty() in Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon IoT, Snapdragon Mobile, Snapdragon Voice & Music, Snapdragon Wearables in MDM9150, MDM9206, MDM9607, MDM9640, MDM9650, MSM8909W, MSM8996AU, QCS405, QCS605, Qualcomm 215, SD 210/SD 212/SD 205, SD 425, SD 439 / SD 429, SD 450, SD 615/16/SD 415, SD 625, SD 632, SD 636, SD 665, SD 675, SD 712 / SD 710 / SD 670, SD 730, SD 820, SD 820A, SD 835, SD 845 / SD 850, SD 855, SDA660, SDM439, SDM630, SDM660, SDX20, SDX24

CVE Informations

Related Weaknesses

CWE-ID	Weakness Name	Source
CWE-362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-416	Use After Free The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Metrics

Metrics	Score	Severity	CVSS Vector	Source
V3.1	8.1	HIGH	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H More informations Base: Exploitabilty Metrics The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component. Attack Vector This metric reflects the context by which vulnerability exploitation is possible. Network The vulnerable component is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). Attack Complexity This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. High successful attack depends on conditions beyond the attacker's control. That is, a successful attack cannot be accomplished at will, but requires the attacker to invest in some measurable amount of effort in preparation or execution against the vulnerable component before a successful attack can be expected. Privileges Required This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. None The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack. User Interaction This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component. None The vulnerable system can be exploited without interaction from any user. Base: Scope Metrics The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope. Scope Formally, a security authority is a mechanism (e.g., an application, an operating system, firmware, a sandbox environment) that defines and enforces access control in terms of how certain subjects/actors (e.g., human users, processes) can access certain restricted objects/resources (e.g., files, CPU, memory) in a controlled manner. All the subjects and objects under the jurisdiction of a single security authority are considered to be under one security scope. If a vulnerability in a vulnerable component can affect a component which is in a different security scope than the vulnerable component, a Scope change occurs. Intuitively, whenever the impact of a vulnerability breaches a security/trust boundary and impacts components outside the security scope in which vulnerable component resides, a Scope change occurs. Unchanged An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority. Base: Impact Metrics The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve. Confidentiality Impact This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability. High There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server. Integrity Impact This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. High There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component. Availability Impact This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability. High There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable). Temporal Metrics The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability. Environmental Metrics These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of Confidentiality, Integrity, and Availability.	[email protected]
V2	9.3		AV:N/AC:M/Au:N/C:C/I:C/A:C	[email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

EPSS First.org

Exploit information

Exploit Database EDB-ID : 46941

Publication date : 2019-05-28 22h00 +00:00
Author : Google Security Research
EDB Verified : Yes

The following issue exists in the android-msm-wahoo-4.4-pie branch of https://android.googlesource.com/kernel/msm (and possibly others): When kgsl_mem_entry_destroy() in drivers/gpu/msm/kgsl.c is called for a writable entry with memtype KGSL_MEM_ENTRY_USER, it attempts to mark the entry's pages as dirty using the function set_page_dirty(). This function first loads page->mapping using page_mapping(), then calls the function pointer mapping->a_ops->set_page_dirty. The bug is that, as explained in upstream commit e92bb4dd9673 ( https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e92bb4dd9673945179b1fc738c9817dd91bfb629), the mapping of a page can be freed concurrently unless it is protected somehow (e.g. by holding the page lock, or by holding a reference to the mapping). For callers who don't hold any such lock or reference, set_page_dirty_lock() is provided to safely mark a page as dirty: ================================== /* * set_page_dirty() is racy if the caller has no reference against * page->mapping->host, and if the page is unlocked. This is because another * CPU could truncate the page off the mapping and then free the mapping. * * Usually, the page _is_ locked, or the caller is a user-space process which * holds a reference on the inode by having an open file. * * In other cases, the page should be locked before running set_page_dirty(). */ int set_page_dirty_lock(struct page *page) { int ret; lock_page(page); ret = set_page_dirty(page); unlock_page(page); return ret; } ================================== To reproduce on a Pixel 2 (walleye): - Check out the tree specified above. - Enable KASAN in the kernel config. - Apply the attached kernel patch kgsl-bigger-race-window.patch to make the race window much bigger. - Build and boot the kernel. - Build the attached poc.c with `aarch64-linux-gnu-gcc -static -o poc poc.c -Wall`. - Run the PoC on the device (adb push, then run from adb shell). You should see a kernel crash like this; note KASAN's report of a UAF in set_page_dirty(): ================================== <6>[ 445.698708] c3 688 mdss_fb_blank_sub: mdss_fb_blank+0x1d0/0x2b4 mode:0 <3>[ 447.372706] c3 2621 ================================================================== <3>[ 447.372963] c3 2621 BUG: KASAN: use-after-free in set_page_dirty+0x4c/0xd0 <3>[ 447.380051] c3 2621 Read of size 8 at addr 0000000000000000 by task kworker/3:3/2621 <3>[ 447.387059] c3 2621 <4>[ 447.394762] c3 2621 CPU: 3 PID: 2621 Comm: kworker/3:3 Not tainted 4.4.116-gbcd0ecccd040-dirty #45 <4>[ 447.397158] c3 2621 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT) <4>[ 447.406473] c3 2621 Workqueue: kgsl-mementry _deferred_put <4>[ 447.418479] c3 2621 Call trace: <4>[ 447.418660] c3 2621 [<ffffffa689e8dfbc>] dump_backtrace+0x0/0x2b4 <4>[ 447.421952] c3 2621 [<ffffffa689e8e394>] show_stack+0x14/0x1c <4>[ 447.428066] c3 2621 [<ffffffa68a2f3d2c>] dump_stack+0xa4/0xcc <4>[ 447.433965] c3 2621 [<ffffffa68a07b254>] print_address_description+0x94/0x340 <4>[ 447.439870] c3 2621 [<ffffffa68a07b784>] kasan_report+0x1f8/0x340 <4>[ 447.447145] c3 2621 [<ffffffa68a079a10>] __asan_load8+0x74/0x90 <4>[ 447.453407] c3 2621 [<ffffffa68a0205b4>] set_page_dirty+0x4c/0xd0 <4>[ 447.459621] c3 2621 [<ffffffa68a6c5dec>] kgsl_mem_entry_destroy+0x1c0/0x218 <4>[ 447.465695] c3 2621 [<ffffffa68a6c63d8>] _deferred_put+0x34/0x3c <4>[ 447.473017] c3 2621 [<ffffffa689edc124>] process_one_work+0x254/0x78c <4>[ 447.479093] c3 2621 [<ffffffa689edc6f4>] worker_thread+0x98/0x718 <4>[ 447.485551] c3 2621 [<ffffffa689ee59a4>] kthread+0x114/0x130 <4>[ 447.491801] c3 2621 [<ffffffa689e84250>] ret_from_fork+0x10/0x40 <3>[ 447.497696] c3 2621 <3>[ 447.503818] c3 2621 Allocated by task 2684: <4>[ 447.506206] c3 2621 [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8 <4>[ 447.511847] c3 2621 [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20 <4>[ 447.517829] c3 2621 [<ffffffa68a079e74>] kasan_kmalloc.part.5+0x50/0x124 <4>[ 447.523494] c3 2621 [<ffffffa68a07a198>] kasan_kmalloc+0xc4/0xe4 <4>[ 447.529547] c3 2621 [<ffffffa68a07a964>] kasan_slab_alloc+0x14/0x1c <4>[ 447.534931] c3 2621 [<ffffffa68a078030>] kmem_cache_alloc+0x144/0x27c <4>[ 447.540572] c3 2621 [<ffffffa68a187bdc>] ext4_alloc_inode+0x28/0x234 <4>[ 447.546387] c3 2621 [<ffffffa68a0afe94>] alloc_inode+0x34/0xd0 <4>[ 447.552112] c3 2621 [<ffffffa68a0b19e8>] new_inode+0x20/0xe8 <4>[ 447.557318] c3 2621 [<ffffffa68a154214>] __ext4_new_inode+0xe8/0x1f00 <4>[ 447.562360] c3 2621 [<ffffffa68a17087c>] ext4_tmpfile+0xb4/0x230 <4>[ 447.568172] c3 2621 [<ffffffa68a09f9e8>] path_openat+0x934/0x1404 <4>[ 447.573556] c3 2621 [<ffffffa68a0a1a50>] do_filp_open+0x98/0x188 <4>[ 447.579027] c3 2621 [<ffffffa68a089004>] do_sys_open+0x170/0x2d4 <4>[ 447.584407] c3 2621 [<ffffffa68a0891a0>] SyS_openat+0x10/0x18 <4>[ 447.589787] c3 2621 [<ffffffa689e842b0BCho<D5> ^@^@<90>^A,^A^Hp<D6>M>] el0_svc_naked+0x24/0x28 <3>[ 447.594909] c3 2621 <3>[ 447.599065] c3 2621 Freed by task 36: <4>[ 447.601330] c3 2621 [<ffffffa689e8d624>] save_stack_trace_tsk+0x0/0x1b8 <4>[ 447.606461] c3 2621 [<ffffffa689e8d7f4>] save_stack_trace+0x18/0x20 <4>[ 447.612450] c3 2621 [<ffffffa68a07aa1c>] kasan_slab_free+0xb0/0x1c0 <4>[ 447.618091] c3 2621 [<ffffffa68a0770c0>] kmem_cache_free+0x80/0x2f8 <4>[ 447.623733] c3 2621 [<ffffffa68a1863f8>] ext4_i_callback+0x18/0x20 <4>[ 447.629363] c3 2621 [<ffffffa689f5c430>] rcu_nocb_kthread+0x20c/0x264 <4>[ 447.634926] c3 2621 [<ffffffa689ee59a4>] kthread+0x114/0x130 <4>[ 447.640726] c3 2621 [<ffffffa689e84250>] ret_from_fork+0x10/0x40 <3>[ 447.645765] c3 2621 <3>[ 447.649913] c3 2621 The buggy address belongs to the object at 0000000000000000 <3>[ 447.649913] c3 2621 which belongs to the cache ext4_inode_cache of size 1048 <3>[ 447.652315] c3 2621 The buggy address is located 680 bytes inside of <3>[ 447.652315] c3 2621 1048-byte region [0000000000000000, 0000000000000000) <3>[ 447.667170] c3 2621 The buggy address belongs to the page: <1>[ 447.680933] c3 2621 Unable to handle kernel paging request at virtual address ffffffd8929b3000 <1>[ 447.686392] c3 2621 pgd = 0000000000000000 <1>[ 447.695099] c3 2621 [ffffffd8929b3000] *pgd=0000000000000000, *pud=0000000000000000 <4>[ 447.706506] c3 2621 ------------[ cut here ]------------ <2>[ 447.706664] c3 2621 Kernel BUG at 0000000000000000 [verbose debug info unavailable] <0>[ 447.711676] c3 2621 Internal error: Oops - BUG: 96000047 [#1] PREEMPT SMP <4>[ 447.719517] c3 2621 Modules linked in: <4>[ 447.729365] c3 2621 CPU: 3 PID: 2621 Comm: kworker/3:3 Not tainted 4.4.116-gbcd0ecccd040-dirty #45 <4>[ 447.729573] c3 2621 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT) <4>[ 447.738760] c3 2621 Workqueue: kgsl-mementry _deferred_put <4>[ 447.750779] c3 2621 task: 0000000000000000 task.stack: 0000000000000000 <4>[ 447.750972] c3 2621 PC is at el1_sync+0x28/0xe0 <4>[ 447.757719] c3 2621 LR is at dump_page+0x10/0x18 <4>[ 447.762390] c3 2621 pc : [<ffffffa689e836e8>] lr : [<ffffffa68a04d9dc>] pstate: 204003c5 <4>[ 447.767106] c3 2621 sp : ffffffd8929b2f60 <4>[ 447.775306] c3 2621 x29: ffffffd8929b4000 x28: ffffffd88e9a47d0 <4>[ 447.784631] c3 2621 x27: ffffffd8294fab80 x26: ffffffa68ba1f000 <4>[ 447.789927] c3 2621 x25: ffffffd8536fc908 x24: ffffffd8536fc4e8 <4>[ 447.795219] c3 2621 x23: ffffffd892e55500 x22: 0000000000000001 <4>[ 447.800513] c3 2621 x21: ffffffa68ba1aa00 x20: 0000000000000000 <4>[ 447.805809] c3 2621 x19: ffffffbe214dbe00 x18: 0000007f7dc4ef8a <4>[ 447.811105] c3 2621 x17: 0000007f809eb0e0 x16: ffffffa68a0a5178 <4>[ 447.816400] c3 2621 x15: 0000000000000021 x14: 202c303030303030 <4>[ 447.821694] c3 2621 x13: 3030303030303030 x12: e95cc056ac940c73 <4>[ 447.826992] c3 2621 x11: ffffffd8929fb810 x10: ffffff8b12978008 <4>[ 447.832286] c3 2621 x9 : ffffff8b12978007 x8 : ffffffa68a21a558 <4>[ 447.837590] c3 2621 x7 : ffffffa68c69ec28 x6 : 0000000000000040 <4>[ 447.842872] c3 2621 x5 : 0000000000000000 x4 : ffffff87c429b7c0 <4>[ 447.848170] c3 2621 x3 : ffffffa68a04d8dc x2 : 0000000000000000 <4>[ 447.853468] c3 2621 x1 : ffffffa68ba1aa00 x0 : ffffffbe214dbe00 <4>[ 447.858765] c3 2621 <4>[ 447.858765] c3 2621 PC: 0xffffffa689e836a8: <4>[ 447.859009] c3 2621 36a8 d503201f d503201f d503201f d503201f d503201f d503201f a90007e0 a9010fe2 <4>[ 447.873684] c3 2621 36c8 a90217e4 a9031fe6 a90427e8 a9052fea a90637ec a9073fee a90847f0 a9094ff2 <4>[ 447.881847] c3 2621 36e8 a90a57f4 a90b5ff6 a90c67f8 a90d6ffa a90e77fc 9104c3f5 d538411c f9400794 <4>[ 447.890005] c3 2621 3708 f90093f4 d2c01014 f9000794 d5384036 d5384017 a90f57fe d503201f d5382015 <4>[ 447.898172] c3 2621 <4>[ 447.898172] c3 2621 LR: 0xffffffa68a04d99c: <4>[ 447.898371] c3 2621 d99c b000ce80 9113e000 97feface aa1303e0 9400affc f9400260 9117e2e1 528002a2 <4>[ 447.91300BCho<D6> ^@^@<90>^A+^A<98>3<8E><DA>8] c3 2621 d9bc 9106c021 8a000280 97ffff2c 17ffffe6 a9bf7bfd d2800002 910003fd 97ffffb4 <4>[ 447.921170] c3 2621 d9dc a8c17bfd d65f03c0 a9ac7bfd 910003fd a90153f3 a9025bf5 a90363f7 a9046bf9 <4>[ 447.929328] c3 2621 d9fc a90573fb d10443ff aa0003f3 9400afe5 aa1303e0 f8410402 f90033a2 9400af97 <4>[ 447.937494] c3 2621 <4>[ 447.937494] c3 2621 SP: 0xffffffd8929b2f20: <4>[ 447.937693] c3 2621 2f20 8a04d9dc ffffffa6 929b2f60 ffffffd8 89e836e8 ffffffa6 204003c5 00000000 <4>[ 447.952331] c3 2621 2f40 00000000 00000000 00000000 00000000 ffffffff ffffffff 00000000 00000000 <4>[ 447.960491] c3 2621 2f60 214dbe00 ffffffbe 8ba1aa00 ffffffa6 00000000 00000000 8a04d8dc ffffffa6 <4>[ 447.968651] c3 2621 2f80 c429b7c0 ffffff87 00000000 00000000 00000040 00000000 8c69ec28 ffffffa6 <4>[ 447.976809] c3 2621 <0>[ 447.976941] c3 2621 Process kworker/3:3 (pid: 2621, stack limit = 0x0000000000000000) <4>[ 447.979247] c3 2621 Call trace: <4>[ 447.987122] c3 2621 Exception stack(0xffffffd8929b2d60 to 0xffffffd8929b2e90) <4>[ 447.990662] c3 2621 2d60: ffffffbe214dbe00 0000008000000000 00000000836e2000 ffffffa689e836e8 <4>[ 447.997788] c3 2621 2d80: 00000000204003c5 0000000000000025 ffffffd8536fc908 0000000000000000 <4>[ 448.006468] c3 2621 2da0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 <4>[ 448.015098] c3 2621 2dc0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 <4>[ 448.023777] c3 2621 2de0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 <4>[ 448.032461] c3 2621 2e00: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 <4>[ 448.041195] c3 2621 2e20: 0000000000000000 e95cc056ac940c73 ffffffbe214dbe00 ffffffa68ba1aa00 <4>[ 448.049872] c3 2621 2e40: 0000000000000000 ffffffa68a04d8dc ffffff87c429b7c0 0000000000000000 <4>[ 448.058561] c3 2621 2e60: 0000000000000040 ffffffa68c69ec28 ffffffa68a21a558 ffffff8b12978007 <4>[ 448.067216] c3 2621 2e80: ffffff8b12978008 ffffffd8929fb810 <4>[ 448.075867] c3 2621 [<ffffffa689e836e8>] el1_sync+0x28/0xe0 <0>[ 448.081787] c3 2621 Code: a90637ec a9073fee a90847f0 a9094ff2 (a90a57f4) <4>[ 448.087496] c3 2621 ---[ end trace 8d4b2347f8b71fe7 ]--- <4>[ 448.087540] c4 2684 ------------[ cut here ]------------ <2>[ 448.087544] c4 2684 Kernel BUG at 0000000000000000 [verbose debug info unavailable] <0>[ 448.087547] c4 2684 Internal error: Oops - BUG: 96000005 [#2] PREEMPT SMP <4>[ 448.087553] c4 2684 Modules linked in: <4>[ 448.087561] c4 2684 CPU: 4 PID: 2684 Comm: poc Tainted: G D 4.4.116-gbcd0ecccd040-dirty #45 <4>[ 448.087563] c4 2684 Hardware name: Qualcomm Technologies, Inc. MSM8998 v2.1 (DT) <4>[ 448.087565] c4 2684 task: 0000000000000000 task.stack: 0000000000000000 <4>[ 448.087578] c4 2684 PC is at qlist_free_all+0x3c/0x80 <4>[ 448.087581] c4 2684 LR is at qlist_free_all+0x7c/0x80 <4>[ 448.087585] c4 2684 pc : [<ffffffa68a07bbbc>] lr : [<ffffffa68a07bbfc>] pstate: 60400145 <4>[ 448.087586] c4 2684 sp : ffffffd87e3b3880 <4>[ 448.087591] c4 2684 x29: ffffffd87e3b3880 x28: ffffffa68ca1a000 <4>[ 448.087595] c4 2684 x27: 000000000591e848 x26: ffffffd87e3b3920 <4>[ 448.087598] c4 2684 x25: 0000000000000140 x24: 0000000000000000 <4>[ 448.087601] c4 2684 x23: ffffffd87e3b3920 x22: ffffffa68a07bbbc <4>[ 448.087604] c4 2684 x21: 0000000000000000 x20: ffffffd8929f8040 <4>[ 448.087607] c4 2684 x19: ffffffd8929f8040 x18: 00000000c8056d20 <4>[ 448.087611] c4 2684 x17: 000000002c754130 x16: 0000000085837409 <4>[ 448.087613] c4 2684 x15: 00000000a50d5ad3 x14: 0000000000000000 <4>[ 448.087617] c4 2684 x13: 0000000001075000 x12: ffffffffffffffff <4>[ 448.087620] c4 2684 x11: 0000000000000040 x10: ffffff8b0fc76746 <4>[ 448.087623] c4 2684 x9 : ffffff8b0fc76745 x8 : ffffffd87e3b3a2b <4>[ 448.087626] c4 2684 x7 : 0000000000000000 x6 : ffffffd87e3b3a08 <4>[ 448.087629] c4 2684 x5 : fffffffffe8c0000 x4 : 0000000000000000 <4>[ 448.087632] c4 2684 x3 : fBCho<D7> ^@^@<90>^A*^A<91><F9>%5fffffd8929f7ff0 x2 : 0000000000000000 <4>[ 448.087635] c4 2684 x1 : dead0000000000ff x0 : 0000000000000000 <4>[ 448.087637] c4 2684 <4>[ 448.087637] c4 2684 PC: 0xffffffa68a07bb7c: <4>[ 448.087646] c4 2684 bb7c 17fffff1 a9bc7bfd 910003fd a90153f3 a9025bf5 f9001bf7 f9400013 b4000253 <4>[ 448.087655] c4 2684 bb9c 90000016 aa0103f5 aa0003f7 912ef2d6 14000002 aa1403f3 aa1503e0 b40001f5 <4>[ 448.087664] c4 2684 bbbc b980c401 aa1603e2 f9400274 cb010261 97fff36f b5ffff14 f90006ff f90002ff <4>[ 448.087673] c4 2684 bbdc f9000aff a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 aa1303e0 97ffff93 <4>[ 448.087675] c4 2684 <4>[ 448.087675] c4 2684 LR: 0xffffffa68a07bbbc: <4>[ 448.087684] c4 2684 bbbc b980c401 aa1603e2 f9400274 cb010261 97fff36f b5ffff14 f90006ff f90002ff <4>[ 448.087692] c4 2684 bbdc f9000aff a94153f3 a9425bf5 f9401bf7 a8c47bfd d65f03c0 aa1303e0 97ffff93 <4>[ 448.087701] c4 2684 bbfc 17fffff0 a9bc7bfd aa0003e2 910003fd a90153f3 f0012ed3 aa0003f4 b000eb40 <4>[ 448.087711] c4 2684 bc1c 910083a1 d538d083 913c8000 f90013bf 8b000060 f9452a63 f9001fa3 f90017bf <4>[ 448.087712] c4 2684 <4>[ 448.087712] c4 2684 SP: 0xffffffd87e3b3840: <4>[ 448.087722] c4 2684 3840 8a07bbfc ffffffa6 7e3b3880 ffffffd8 8a07bbbc ffffffa6 60400145 00000000 <4>[ 448.087731] c4 2684 3860 7e3b3920 ffffffd8 00000000 00000000 00000000 00000080 8b4ddfd0 ffffffa6 <4>[ 448.087740] c4 2684 3880 7e3b38c0 ffffffd8 8a07bf9c ffffffa6 8c656000 ffffffa6 8ca1f500 ffffffa6 <4>[ 448.087749] c4 2684 38a0 8ca1a000 ffffffa6 000000f7 00000000 8c68d000 ffffffa6 fabb3a00 ffffffd7 <4>[ 448.087750] c4 2684 <0>[ 448.087753] c4 2684 Process poc (pid: 2684, stack limit = 0x0000000000000000) <4>[ 448.087754] c4 2684 Call trace: <4>[ 448.087758] c4 2684 Exception stack(0xffffffd87e3b3680 to 0xffffffd87e3b37b0) <4>[ 448.087763] c4 2684 3680: ffffffd8929f8040 0000008000000000 00000000836e2000 ffffffa68a07bbbc <4>[ 448.087768] c4 2684 36a0: 0000000060400145 0000000000000025 0000000000000140 ffffffd7fabb3a00 <4>[ 448.087773] c4 2684 36c0: 0000000000000000 ffffffd87e3b37d0 ffffffd87e3b3720 ffffffa68a0768e0 <4>[ 448.087779] c4 2684 36e0: ffffffbe224a7d80 0000000000000000 ffffffd7fabb3a00 ffffffd7fabb3a00 <4>[ 448.087784] c4 2684 3700: 0000000100150015 ffffffd8929f7e00 0000000180150014 ffffffd899803b00 <4>[ 448.087789] c4 2684 3720: ffffffd87e3b3830 ffffffa68a078b38 ffffffbe224a7d80 ffffffd8929f7ff0 <4>[ 448.087794] c4 2684 3740: ffffffd7fabb3a00 e95cc056ac940c73 0000000000000000 dead0000000000ff <4>[ 448.087799] c4 2684 3760: 0000000000000000 ffffffd8929f7ff0 0000000000000000 fffffffffe8c0000 <4>[ 448.087804] c4 2684 3780: ffffffd87e3b3a08 0000000000000000 ffffffd87e3b3a2b ffffff8b0fc76745 <4>[ 448.087808] c4 2684 37a0: ffffff8b0fc76746 0000000000000040 <4>[ 448.087813] c4 2684 [<ffffffa68a07bbbc>] qlist_free_all+0x3c/0x80 <4>[ 448.087819] c4 2684 [<ffffffa68a07bf9c>] quarantine_reduce+0x17c/0x1a0 <4>[ 448.087824] c4 2684 [<ffffffa68a07a1b4>] kasan_kmalloc+0xe0/0xe4 <4>[ 448.087828] c4 2684 [<ffffffa68a07a964>] kasan_slab_alloc+0x14/0x1c <4>[ 448.087832] c4 2684 [<ffffffa68a078030>] kmem_cache_alloc+0x144/0x27c <4>[ 448.087840] c4 2684 [<ffffffa68a15d0dc>] ext4_inode_attach_jinode+0x9c/0x118 <4>[ 448.087844] c4 2684 [<ffffffa68a150d74>] ext4_file_open+0xc8/0x21c <4>[ 448.087848] c4 2684 [<ffffffa68a087488>] do_dentry_open+0x350/0x4ec <4>[ 448.087851] c4 2684 [<ffffffa68a087930>] finish_open+0x74/0xa8 <4>[ 448.087857] c4 2684 [<ffffffa68a09fa34>] path_openat+0x980/0x1404 <4>[ 448.087861] c4 2684 [<ffffffa68a0a1a50>] do_filp_open+0x98/0x188 <4>[ 448.087866] c4 2684 [<ffffffa68a089004>] do_sys_open+0x170/0x2d4 <4>[ 448.087869] c4 2684 [<ffffffa68a0891a0>] SyS_openat+0x10/0x18 <4>[ 448.087875] c4 2684 [<ffffffa689e842b0>] el0_svc_naked+0x24/0x28 <0>[ 448.087881] c4 2684 Code: 14000002 aa1403f3 aa1503e0 b40001f5 (b980c401) <4>[ 448.087944] c4 2684 ---[ end trace 8d4DBGC ================================== The KASAN report points to instruction 267c in the following assembly: ================================== 0000000000002630 <set_page_dirty>: { 2630: a9bd7bfd stp x29, x30, [sp, #-48]! 2634: 910003fd mov x29, sp 2638: a90153f3 stp x19, x20, [sp, #16] 263c: f90013f5 str x21, [sp, #32] 2640: aa0003f3 mov x19, x0 struct address_space *mapping = page_mapping(page); 2644: 94000000 bl 0 <page_mapping> 2648: aa0003f4 mov x20, x0 264c: d5384115 mrs x21, sp_el0 if (current->jh_task_flags && mapping) 2650: 9128a2a0 add x0, x21, #0xa28 2654: 94000000 bl 0 <__asan_load4> 2658: b94a2aa0 ldr w0, [x21, #2600] 265c: 340000a0 cbz w0, 2670 <set_page_dirty+0x40> 2660: b40003b4 cbz x20, 26d4 <set_page_dirty+0xa4> msleep(500); 2664: 52803e80 mov w0, #0x1f4 // #500 2668: 94000000 bl 0 <msleep> 266c: 14000002 b 2674 <set_page_dirty+0x44> if (likely(mapping)) { 2670: b4000334 cbz x20, 26d4 <set_page_dirty+0xa4> int (*spd)(struct page *) = mapping->a_ops->set_page_dirty; 2674: 9101a280 add x0, x20, #0x68 2678: 94000000 bl 0 <__asan_load8> 267c: f9403694 ldr x20, [x20, #104] 2680: 91006280 add x0, x20, #0x18 2684: 94000000 bl 0 <__asan_load8> 2688: f9400e94 ldr x20, [x20, #24] 268c: aa1303e0 mov x0, x19 2690: 94000000 bl 0 <__asan_load8> 2694: f9400260 ldr x0, [x19] ================================== Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/46941.zip

Products Mentioned

Configuraton 0

Qualcomm>>Mdm9150_firmware >> Version -

Qualcomm>>Mdm9150_firmware >> Version - (Open CPE detail)

Qualcomm>>Mdm9150 >> Version -

Qualcomm>>Mdm9150 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Mdm9206_firmware >> Version -

Qualcomm>>Mdm9206_firmware >> Version - (Open CPE detail)

Qualcomm>>Mdm9206 >> Version -

Qualcomm>>Mdm9206 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Mdm9607_firmware >> Version -

Qualcomm>>Mdm9607_firmware >> Version - (Open CPE detail)

Qualcomm>>Mdm9607 >> Version -

Qualcomm>>Mdm9607 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Mdm9640_firmware >> Version -

Qualcomm>>Mdm9640_firmware >> Version - (Open CPE detail)

Qualcomm>>Mdm9640 >> Version -

Qualcomm>>Mdm9640 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Mdm9650_firmware >> Version -

Qualcomm>>Mdm9650_firmware >> Version - (Open CPE detail)

Qualcomm>>Mdm9650 >> Version -

Qualcomm>>Mdm9650 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Msm8909w_firmware >> Version -

Qualcomm>>Msm8909w_firmware >> Version - (Open CPE detail)

Qualcomm>>Msm8909w >> Version -

Qualcomm>>Msm8909w >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Msm8996au_firmware >> Version -

Qualcomm>>Msm8996au_firmware >> Version - (Open CPE detail)

Qualcomm>>Msm8996au >> Version -

Qualcomm>>Msm8996au >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Qcs405_firmware >> Version -

Qualcomm>>Qcs405_firmware >> Version - (Open CPE detail)

Qualcomm>>Qcs405 >> Version -

Qualcomm>>Qcs405 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Qcs605_firmware >> Version -

Qualcomm>>Qcs605_firmware >> Version - (Open CPE detail)

Qualcomm>>Qcs605 >> Version -

Qualcomm>>Qcs605 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Qualcomm_215_firmware >> Version -

Qualcomm>>Qualcomm_215 >> Version -

Qualcomm>>Qualcomm_215 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_210_firmware >> Version -

Qualcomm>>Sd_210_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_210 >> Version -

Qualcomm>>Sd_210 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_212_firmware >> Version -

Qualcomm>>Sd_212_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_212 >> Version -

Qualcomm>>Sd_212 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_205_firmware >> Version -

Qualcomm>>Sd_205_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_205 >> Version -

Qualcomm>>Sd_205 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_425_firmware >> Version -

Qualcomm>>Sd_425_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_425 >> Version -

Qualcomm>>Sd_425 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_439_firmware >> Version -

Qualcomm>>Sd_439_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_439 >> Version -

Qualcomm>>Sd_439 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_429_firmware >> Version -

Qualcomm>>Sd_429_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_429 >> Version -

Qualcomm>>Sd_429 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_450_firmware >> Version -

Qualcomm>>Sd_450_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_450 >> Version -

Qualcomm>>Sd_450 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_615_firmware >> Version -

Qualcomm>>Sd_615_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_615 >> Version -

Qualcomm>>Sd_615 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_616_firmware >> Version -

Qualcomm>>Sd_616_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_616 >> Version -

Qualcomm>>Sd_616 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_415_firmware >> Version -

Qualcomm>>Sd_415_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_415 >> Version -

Qualcomm>>Sd_415 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_625_firmware >> Version -

Qualcomm>>Sd_625_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_625 >> Version -

Qualcomm>>Sd_625 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_632_firmware >> Version -

Qualcomm>>Sd_632_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_632 >> Version -

Qualcomm>>Sd_632 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_636_firmware >> Version -

Qualcomm>>Sd_636_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_636 >> Version -

Qualcomm>>Sd_636 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_665_firmware >> Version -

Qualcomm>>Sd_665_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_665 >> Version -

Qualcomm>>Sd_665 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_675_firmware >> Version -

Qualcomm>>Sd_675_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_675 >> Version -

Qualcomm>>Sd_675 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_712_firmware >> Version -

Qualcomm>>Sd_712_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_712 >> Version -

Qualcomm>>Sd_712 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_710_firmware >> Version -

Qualcomm>>Sd_710_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_710 >> Version -

Qualcomm>>Sd_710 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_670_firmware >> Version -

Qualcomm>>Sd_670_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_670 >> Version -

Qualcomm>>Sd_670 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_730_firmware >> Version -

Qualcomm>>Sd_730_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_730 >> Version -

Qualcomm>>Sd_730 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_820_firmware >> Version -

Qualcomm>>Sd_820_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_820 >> Version -

Qualcomm>>Sd_820 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_820a_firmware >> Version -

Qualcomm>>Sd_820a_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_820a >> Version -

Qualcomm>>Sd_820a >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_835_firmware >> Version -

Qualcomm>>Sd_835_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_835 >> Version -

Qualcomm>>Sd_835 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_845_firmware >> Version -

Qualcomm>>Sd_845_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_845 >> Version -

Qualcomm>>Sd_845 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_850_firmware >> Version -

Qualcomm>>Sd_850_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_850 >> Version -

Qualcomm>>Sd_850 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sd_855_firmware >> Version -

Qualcomm>>Sd_855_firmware >> Version - (Open CPE detail)

Qualcomm>>Sd_855 >> Version -

Qualcomm>>Sd_855 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sda660_firmware >> Version -

Qualcomm>>Sda660_firmware >> Version - (Open CPE detail)

Qualcomm>>Sda660 >> Version -

Qualcomm>>Sda660 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sdm439_firmware >> Version -

Qualcomm>>Sdm439_firmware >> Version - (Open CPE detail)

Qualcomm>>Sdm439 >> Version -

Qualcomm>>Sdm439 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sdm630_firmware >> Version -

Qualcomm>>Sdm630_firmware >> Version - (Open CPE detail)

Qualcomm>>Sdm630 >> Version -

Qualcomm>>Sdm630 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sdm660_firmware >> Version -

Qualcomm>>Sdm660_firmware >> Version - (Open CPE detail)

Qualcomm>>Sdm660 >> Version -

Qualcomm>>Sdm660 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sdx20_firmware >> Version -

Qualcomm>>Sdx20_firmware >> Version - (Open CPE detail)

Qualcomm>>Sdx20 >> Version -

Qualcomm>>Sdx20 >> Version - (Open CPE detail)

Configuraton 0

Qualcomm>>Sdx24_firmware >> Version -

Qualcomm>>Sdx24_firmware >> Version - (Open CPE detail)

Qualcomm>>Sdx24 >> Version -

Qualcomm>>Sdx24 >> Version - (Open CPE detail)

References

https://source.android.com/security/bulletin/
Tags : x_refsource_CONFIRM

CVE-2019-10529 : Detail

CVE-2019-10529

CVE Descriptions

CVE Informations

Related Weaknesses

Metrics

Base: Exploitabilty Metrics

Base: Scope Metrics

Base: Impact Metrics

Temporal Metrics

Environmental Metrics

EPSS

EPSS Score

EPSS Percentile

Exploit information

Exploit Database EDB-ID : 46941

Products Mentioned

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

Configuraton 0

References