In the 64-bit linux kernel - in order to be compatible with 32-bit process - compat system call is added in linux kernel to ensure that the 32-bit process can normally run in the 64-bit linux system as 64-bit process. In achieving the same function in the kernel, it is usually required to implement the compat interface and non-compat interface respectively. Therefore, two different codes need to be maintained. On the one hand, the separation of this definition easily lead to a greater code maintenance work, while the update for the two codes may be out of sync. On the other hand, since the compat interface is not always triggered in the 64-bit system, the underlying logic problem is not easily found by the developer, even tools such as trinity and syzkaller may ignore the fuzzing test for compat interface.
Since 64-bit linux kernel has come into being, compat's security vulnerabilities have been constantly disclosed. In the past year, there have been a number of compat-related vulnerabilities disclosed in the Android Security Bulletin. However, these founded vulnerabilities are mostly common seen with familiar names: out-of-bounds access of arrays, heap overflow, stack overflow and so on.
This time, by taking Android Qualcomm platform driver as an example, we will show a new attack surface on the compat, and how to discover several types of vulnerabilities through this attack surface. At the same time, such vulnerabilities may also prevail in driver programs of other platforms and even in the kernel itself.
Our attack on these vulnerabilities are mainly utilizing a neglected logic defect when the compat interface is performing compatibility conversion, which will then bypass the length of the array, user memory pointer checks contained in the conversion process. Since the necessary conversion and validation check is lost, user input with malicious value is directly received and processed by the non-compat interface, further triggering the vulnerability.
We have discovered a number of device driver vulnerabilities on Android Qualcomm platform by applying this method and submitted them to Google and Qualcomm.