Usenix Submission: Automatic Hot Patch Generation for Android Kernels
Experiment Results on the Generated Hot Patches (notation: each entry names the kernel function to HOOK, the CHECK condition(s) evaluated on entry, and "IF true RETURN" meaning the hooked call is aborted when the condition holds -- with several CHECK lines, presumably when any one of them holds):
CVE-2012-6703:
- HOOK snd_compr_allocate_buffer
- CHECK params->buffer.fragment_size == 0 (must be evaluated, and return, before the next check, which divides by fragment_size)
- CHECK params->buffer.fragments > SIZE_MAX / params->buffer.fragment_size
- IF true RETURN
CVE-2014-3145:
- HOOK __skb_get_nlattr (the "u64" is the function's return type, not part of the hook name)
- CHECK ctx->len < sizeof(struct nlattr)
- IF true RETURN
CVE-2014-4323:
- HOOK mdp_lut_hw_update
- CHECK cmap->start > MDP_HIST_LUT_SIZE
- CHECK cmap->len > MDP_HIST_LUT_SIZE
- CHECK cmap->start + cmap->len > MDP_HIST_LUT_SIZE
- IF true RETURN
CVE-2014-4656:
- HOOK snd_ctl_add
- CHECK kcontrol->id.index > UINT_MAX - kcontrol->count
- IF true RETURN
CVE-2014-7825:
- HOOK perf_syscall_enter
- HOOK syscall_get_nr for return value r1
- CHECK r1 < 0
- IF true RETURN
- HOOK perf_syscall_exit
- HOOK syscall_get_nr for return value r2
- CHECK r2 < 0
- IF true RETURN
CVE-2014-7826:
- HOOK ftrace_syscall_enter
- HOOK trace_get_syscall_nr for return value r1 (1)
- CHECK r1 >= NR_syscalls (2)
- IF true RETURN (3)
- HOOK ftrace_syscall_exit, perf_syscall_enter, perf_syscall_exit
- repeat steps (1), (2), (3) for each of the hooking
CVE-2014-9777:
- HOOK vid_dec_set_h264_mv_buffers
- CHECK client_ctx->vcd_h264_mv_buffer->count > 32
- IF true RETURN
CVE-2014-9778:
- HOOK vid_dec_set_h264_mv_buffers
- CHECK client_ctx->vcd_h264_mv_buffer->count > 32
- IF true RETURN
CVE-2014-9779:
- HOOK msm_audio_ion_mmap
- HOOK ion_phys for value phys_len
- CHECK vma->vm_pgoff * PAGE_SIZE > phys_len
- CHECK vma->vm_end - vma->vm_start > phys_len - vma->vm_pgoff * PAGE_SIZE (i.e. phys_len minus the mapping offset; this check is only meaningful after the preceding one has returned, otherwise the subtraction would wrap if the operands are unsigned)
- IF true RETURN
CVE-2014-9787:
- HOOK __qseecom_send_cmd
- CHECK req->cmd_req_len > UINT_MAX - req->resp_len
- IF true RETURN
CVE-2014-9789:
- HOOK msm_audio_ion_alloc
- CHECK !name
- CHECK !handle
- CHECK !paddr
- CHECK !vaddr
- CHECK !bufsz
- CHECK !pa_len
- IF true RETURN
CVE-2014-9873: Detail Presented in Paper
CVE-2014-9874:
- HOOK q6asm_audio_client_buf_alloc
- CHECK bufcnt != FRAME_NUM
- IF true RETURN
CVE-2014-9883:
- HOOK extract_dci_events
- CHECK *(buf + 2) > USHRT_MAX - 4
- IF true RETURN
CVE-2014-9887:
- HOOK qseecom_send_modfd_cmd
- CHECK *argp.cmd_req_len == 0
- CHECK *argp.cmd_req_len > data->client.sb_length
- CHECK *argp.resp_len > data->client.sb_length
- IF true RETURN
CVE-2014-9889:
- HOOK msm_cpp_cfg_frame
- CHECK new_frame->cpp_cmd_msg == NULL
- CHECK new_frame->msg_len < MSM_CPP_MIN_FRAME_LENGTH
- IF true RETURN
CVE-2014-9922:
- HOOK ecryptfs_mount
- HOOK kern_path for return value r1
- CHECK r1.dentry->d_sb->s_stack_depth + 1 > FILESYSTEM_MAX_STACK_DEPTH
- IF true RETURN
CVE-2015-7515:
- HOOK aiptek_probe
- CHECK intf->altsetting[0].desc.bNumEndpoints < 1
- IF true RETURN
CVE-2015-7872:
- HOOK construct_key_and_link
- CHECK ctx->index_key.type == &key_type_keyring
- IF true RETURN
CVE-2015-8543:
- HOOK ax25_create
- CHECK protocol < 0
- CHECK protocol > SK_PROTOCOL_MAX
- IF true RETURN
CVE-2015-8575:
- HOOK sco_sock_bind
- CHECK addr_len < sizeof(struct sockaddr_sco)
- IF true RETURN
CVE-2015-8940: Detail Presented in Paper Sec 2.4
CVE-2016-0819:
- HOOK SYSCALL_DEFINE5 (the system-call entry whose `attr` argument is inspected by the checks below)
- CHECK attr.constraint_duplicate
- CHECK attr.__reserved_1
- IF true RETURN
CVE-2016-0823:
- HOOK pagemap_open
- HOOK capable for return value r1
- CHECK !r1
- IF true RETURN
CVE-2016-10088:
- HOOK bsg_write
- HOOK segment_eq for return value r1
- CHECK r1
- IF true RETURN
- HOOK sg_write
- HOOK segment_eq for return value r2
- CHECK r2
- IF true RETURN
CVE-2016-10230:
- HOOK qce_aead_req
- CHECK q_req->cryptlen > UINT_MAX - q_req->areq->assoclen
- IF true RETURN
CVE-2016-10233:
- HOOK msm_camera_config_vreg
- CHECK cam_vreg == NULL
- IF true RETURN
CVE-2016-2063:
- HOOK supply_lm_input_write
- CHECK count > (MODE_MAX - 1)
- IF true RETURN
CVE-2016-2186:
- HOOK powermate_probe
- CHECK intf->cur_altsetting->desc.bNumEndpoints < 1
- IF true RETURN
CVE-2016-2187:
- HOOK gtco_probe
- CHECK usbinterface->altsetting[0].desc.bNumEndpoints < 1
- IF true RETURN
CVE-2016-2188:
- HOOK iowarrior_probe
- CHECK interface->cur_altsetting->desc.bNumEndpoints < 1
- IF true RETURN
CVE-2016-2467:
- HOOK msm_compr_ioctl
- CHECK ddp->params_length*sizeof(int) > MAX_AC3_PARAM_SIZE
- IF true RETURN
CVE-2016-2475:
- HOOK wl_android_priv_cmd
- HOOK capable for return value r1
- CHECK !r1
- IF true RETURN
CVE-2016-3135:
- HOOK xt_alloc_table_info
- CHECK sizeof(*info) + size < sizeof(*info)
- IF true RETURN
CVE-2016-3138:
- HOOK acm_probe
- HOOK 1st usb_ifnum_to_if for return value r1
- CHECK !r1
- IF true RETURN
- HOOK 2nd usb_ifnum_to_if for return value r2
- CHECK !r2
- IF true RETURN
CVE-2016-3689:
- HOOK ims_pcu_parse_cdc_data
- HOOK 1st usb_ifnum_to_if for return value r1
- CHECK !r1
- IF true RETURN
- HOOK 2nd usb_ifnum_to_if for return value r2
- CHECK !r2
- IF true RETURN
CVE-2016-3813:
- HOOK dwc3_store_ep_num
- CHECK dir != 0 && dir != 1
- CHECK (num << 1) + dir >= s->private->num_in_eps + s->private->num_out_eps
- IF true RETURN
CVE-2016-3854:
- HOOK msm_mctl_buf_return_buf
- CHECK image_mode < 0
- CHECK image_mode >= MSM_MAX_IMG_MODE
- IF true RETURN
CVE-2016-3855:
- HOOK supply_lm_input_write
- CHECK count > (MODE_MAX - 1)
- IF true RETURN
CVE-2016-3902:
- HOOK qmi_filter_notify_send
- CHECK req->filter_index_list_len > QMI_IPA_MAX_FILTERS_V01
- IF true RETURN
CVE-2016-5346:
- HOOK avtimer_ioctl
- HOOK avcs_core_query_timer for return value r1
- CHECK r1
- IF true RETURN
CVE-2016-5854:
- HOOK spcom_device_read
- HOOK spcom_handle_read for return value r1
- CHECK r1 <= 0
- CHECK r1 > size
- IF true RETURN
CVE-2016-5855:
- HOOK spcom_handle_lock_ion_buf_command
- CHECK size != sizeof(*cmd)
- IF true RETURN
- HOOK spcom_handle_unlock_ion_buf_command
- CHECK size != sizeof(*cmd)
- IF true RETURN
CVE-2016-5856:
- HOOK spcom_handle_send_command
- CHECK size != sizeof(*cmd) (as written, this and the next check cannot both be satisfied for a non-zero buf_size, so one of them would always return; the sibling CVE-2016-5857 entry below uses `size < sizeof(*cmd)` for the same pattern, which is presumably what is intended here -- verify against the upstream fix)
- CHECK size != sizeof(*cmd) + buf_size
- CHECK buf_size > SPCOM_MAX_RESPONSE_SIZE
- IF true RETURN
CVE-2016-5857:
- HOOK modify_ion_addr
- CHECK buf_size < sizeof(uint64_t)
- IF true RETURN
- HOOK spcom_handle_send_modified_command
- CHECK size < sizeof(*cmd)
- CHECK buf_size > SPCOM_MAX_RESPONSE_SIZE
- CHECK size != sizeof(*cmd) + buf_size
- IF true RETURN
- HOOK spcom_handle_read_req_resp
- CHECK size > SPCOM_MAX_RESPONSE_SIZE
- IF true RETURN
CVE-2016-5859:
- HOOK msm_dolby_dap_param_visualizer_control_get
- CHECK dolby_dap_params_value[DOLBY_PARAM_VCNB_OFFSET] > DOLBY_PARAM_VCNB_MAX_LENGTH
- CHECK dolby_dap_params_value[DOLBY_PARAM_VCNB_OFFSET] <= 0
- IF true RETURN
CVE-2016-5860:
- HOOK msm_cpe_lsm_reg_model
- HOOK lsm_ops->lsm_get_snd_model_offset for return value r1
- CHECK p_info->param_size > U32_MAX - r1
- IF true RETURN
CVE-2016-5867:
- HOOK msm_dolby_dap_param_to_set_control_put
- CHECK dolby_dap_params_offset[idx] + offset >= TOTAL_LENGTH_DOLBY_PARAM
- CHECK 0 == length
- CHECK dolby_dap_params_offset[idx] + offset + length - 1 < dolby_dap_params_offset[idx] + offset
- CHECK dolby_dap_params_offset[idx] + offset + length > TOTAL_LENGTH_DOLBY_PARAM
- IF true RETURN
CVE-2016-6740:
- HOOK msm_camera_cci_i2c_write_seq_table
- CHECK write_setting->reg_setting->reg_data_size > I2C_SEQ_REG_DATA_MAX
- IF true RETURN
CVE-2016-6742:
- HOOK fwu_sysfs_store_image
- CHECK count > fwu->image_size - fwu->data_pos (presumes data_pos <= image_size; if that invariant is not guaranteed by the caller, the subtraction should be guarded as well)
- IF true RETURN
CVE-2016-8394:
- HOOK fwu_sysfs_image_name_store
- CHECK !buf
- CHECK count > MAX_IMAGE_NAME_LEN
- IF true RETURN
CVE-2016-8399:
- HOOK ping_common_sendmsg
- CHECK len < icmph_len
- IF true RETURN
CVE-2016-8420:
- HOOK hdd_extscan_epno_fill_network_list
- CHECK index == req_msg->num_networks
- IF true RETURN
CVE-2016-8476:
- HOOK __wlan_hdd_cfg80211_set_passpoint_list
- HOOK nla_get_u32 for return value r1
- CHECK r1 > SIR_PASSPOINT_LIST_MAX_NETWORKS
- IF true RETURN
CVE-2016-8477:
- HOOK msm_eeprom_config
- HOOK strlen for return value r1
- CHECK r1 + 1 > MAX_EEPROM_NAME
- IF true RETURN
CVE-2016-9604:
- HOOK keyctl_join_session_keyring
- CHECK _name[0] == '.'
- IF true RETURN