We do everything we can to keep the Android platform safe for every user on every device. Security updates are released every month, fixing vulnerabilities discovered by participants in the Vulnerability Rewards Program (VRP). We also try to protect the platform against other potential vulnerabilities, for example by using the compiler and by improving the test environment. Because the Android ecosystem includes devices with widely varying capabilities, every decision has to be balanced and take the available data into account.
This article explains how we choose security controls for a particular situation and how we implement them.
Keeping Android secure requires a holistic approach. To make potential vulnerabilities harder to exploit, we make data-driven decisions using multiple principles and techniques. When it comes to hardening the platform, we need to answer the following questions:
- What data do we have, and how does it help us make decisions?
- What mitigations are available? How can they be improved? In which situations should they be applied?
- What problems can arise from using a particular security tool? Which possible scenarios need to be taken into account?
The principles we use when choosing security measures reflect our overall approach to protecting users of the Android platform.
Making data-driven security decisions
To find the platform components where a particular solution will be effective, we look at a variety of information sources. The Android Vulnerability Rewards Program (VRP) is probably the most informative of them all. Our security engineers analyze every vulnerability found by program participants and determine its root cause and severity level (based on these recommendations). In addition, there are internal and external bug reports, which help identify vulnerable components and the code snippets that frequently cause failures. Knowing what such fragments look like, and understanding the severity and frequency of the errors that arise from them, lets us make informed decisions about which security measures will be most effective.
High-severity vulnerabilities fixed in the 2019 Android Security Bulletins.
However, do not rely on vulnerability reports alone. They give a skewed picture from the outset, because security researchers often focus on hot zones, that is, areas where vulnerabilities have already been found (such as Stagefright). Or they may look for vulnerabilities that are easy to detect with ready-made solutions: for example, when a security analysis tool is published on GitHub, many researchers use it.
We strive to distribute our security hardening efforts evenly. Our teams pay attention to less-explored, more complex components of the platform. In addition, automated fuzzing tests run continuously on virtual machines and physical Android devices, so bugs can be found and fixed early in development. When deciding which tools to use, we also analyze the root cause and severity of the issues found.
As part of the Android VRP, we encourage developers to submit complete vulnerability chains. This lets us trace the entire attack process from start to finish. As a rule, attackers exploit several vulnerabilities at once, and such chains are very informative because these "bundles" are clearly visible in them. Our security engineers analyze both the chain as a whole and its individual links, looking for new attack strategies within the chain. This analysis helps us decide on strategies for preventing the sequential exploitation of vulnerabilities (for example, address space layout randomization and control flow integrity methods) and understand whether an attack can be mitigated when a process gains unwanted access to resources.
Obviously, some vulnerabilities can be part of several chains at once and appear in a different order in each. We therefore recommend using "defense in depth" to reduce the usefulness of individual vulnerabilities and to lengthen exploit chains. This makes it harder for an attacker to build an effective chain and carry out an attack.
To understand current security threats and anticipate future trends, we need to keep up with developments in the security community in particular:
- Work closely with third-party security researchers.
- Read topical publications and attend conferences.
- Study the technologies used by malware.
- Track the latest developments in the security field.
- Participate in side projects such as KSPP, syzbot, LLVM and Rust.
As a result, we gain a deeper understanding of the overall security strategy, the effectiveness of existing solutions, and opportunities for improvement.
Why stronger protection is needed
Hardening and attack mitigation
Analyzing the data lets us identify areas where an effective mitigation can address an entire class of vulnerabilities. For example, if many vulnerabilities in certain platform components are caused by integer overflow errors, we should use an Undefined Behavior Sanitizer (UBSan) such as the Integer Overflow Sanitizer. If memory access vulnerabilities are common, we should use a hardened memory allocator (enabled by default in Android 11) and mitigations (such as Control Flow Integrity) that are resistant to memory overflows and use-after-free vulnerabilities.
Before discussing how the data is used, we propose a classification of the tools for hardening platform security. These are the main segments into which all of these tools fall (although some tools and methods may belong to several of them at once):
- Exploit mitigation tools
- Deterministic runtime mitigations detect undefined or unwanted behavior and abort program execution. This rules out in-memory data corruption and leaves only the possibility of a less serious failure. Such tools can often be applied selectively and remain effective because they are designed for individual classes of bugs. Examples: Integer Overflow Sanitizer and BoundsSanitizer.
- . . . . , . : , Control Flow Integrity (CFI), , .
- , . , . : .
-
- . , . , .
Depending on the specific problem, we decide which of the tools described to use and how. For example, each of them is appropriate when dealing with a large process that handles untrusted data and performs complex parsing. The multimedia platform is a good demonstration of how architectural decomposition can be used to mitigate exploits more effectively and prevent privilege escalation.
Architectural decomposition and isolation of the media framework in historical context
Remote attack targets (NFC, Bluetooth, Wi-Fi and media content) have traditionally been associated with the most severe vulnerabilities, so hardening them must be a priority. These vulnerabilities are typically caused by the most common root causes found through the VRP, and we recently added sanitizers to all of them.
Mitigations are also useful for libraries and processes that define or reside within a security boundary (for example libbinder, and the standard libraries libui, libcore and libcutils), because they are not tied to a specific process. However, these libraries are responsible for the efficient and stable operation of the system, so before applying a particular technique we need strong assurance that it will improve security.
Finally, given its high privilege level, protecting the kernel is important. Every codebase has different characteristics and functionality, so the likelihood of vulnerabilities differs for each. The main criteria here are stability and performance: use only effective security measures that do not get in the user's way. We therefore carefully analyze all available kernel-related data before choosing the best hardening strategy.
The data-driven approach has delivered concrete results. After the Stagefright vulnerabilities were discovered in 2015, we began receiving reports of numerous other critical vulnerabilities in the Android media platform. To complicate matters, many of them were remotely reachable. We carried out a large-scale decomposition of the system in Android Nougat and accelerated the fixing of vulnerabilities in multimedia components. Thanks to these changes, in 2020 there were no reports of critical vulnerabilities in the multimedia platform that were reachable over the internet.
How we decide what to deploy
Naturally, it makes sense to focus on the most effective mitigations. To identify them, we examine how each tool affects performance, how much work is needed to deploy and support it, and whether it adversely affects system stability.
Performance
When choosing a mitigation, we need to understand how it affects device performance. If some component, or the system as a whole, cannot handle the load, battery life and overall performance may degrade. This is especially true for entry-level devices, which also need hardened security. We therefore prioritize the most effective solutions that do not affect device performance.
When evaluating performance, we look not only at CPU time but also at memory usage, code size, battery life and instances of interface freezes. To confirm that a tool works properly across the whole Android ecosystem, it is especially important to test the listed parameters on entry-level devices.
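It matters a great deal which components a mitigation is applied to. For example, Binder is the most commonly used mechanism for inter-process communication, so excessive overhead there immediately affects how the device behaves. The situation is different for a media player, which only needs to process frames at the original rate: if video is processed much faster than it is displayed, the additional overhead matters much less.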
We use benchmarks to determine the performance impact of a particular solution. If no benchmark results exist for a component, they must be obtained, for example by calling the affected codec to decode a media file. If testing shows unacceptable overhead, there are several options:
- Selectively disable the mitigation for functions that have a large performance impact. Usually only a few functions consume significant resources at run time, and not applying the mitigation to them preserves performance while maximizing the security benefit. This is an example of this approach for one of the media codecs. To rule out risk, these functions must be checked for bugs beforehand.
- Optimize the use of the mitigation. This often requires changes to the compiler. For example, our team has done this for the Integer Overflow Sanitizer and the Bounds Sanitizer.
- Some mitigation options, such as the heap hardening built into Scudo, can be tuned to improve performance.
Many of these improvements require changes to the LLVM project. As a result, not only the Android platform but also other members of the LLVM community benefit.
Deployment and support
When choosing a mitigation, we must consider not only security and performance but also the cost of deployment and long-term support.
Impact of security measures on stable system operation
It is important to understand whether a given mitigation can trigger falsely. For example, if the Bounds Sanitizer reports an error, it is definitely an invalid access (though it may not be exploitable). With the Integer Overflow Sanitizer, false positives are possible, because integer overflow is often a perfectly normal and harmless operation.
It is therefore important to consider the effect a mitigation has on system stability. Whether it was a false positive or a real security threat makes no difference: either way, the user is inconvenienced. Note again that we need a clear understanding of which components a given security measure should be used for, because failures in some components have a major effect on system stability. If a mitigation crashes a media codec, the video simply stops playing. However, if an error occurs in the netd process while an update is being installed, the device may no longer power on. Even when false positives are not a problem for a mitigation (as with the Bounds Sanitizer), we carry out extensive testing to make sure the device remains stable. For example, an off-by-one error may not cause a crash in normal operation, but the Bounds Sanitizer will abort the process and harm system stability.
It is also important to understand whether all the components a mitigation might break can be identified in advance. For example, with the Integer Overflow Sanitizer it is hard to tell which integer overflows are intentional (allowed) and which can lead to vulnerabilities, so predicting the risk without extensive testing is very difficult.
Support
We must consider not only the problems that may arise when deploying a mitigation, but also the specifics of long-term support. We estimate how long it takes to integrate a tool with existing systems, enable and debug it, deploy it to devices, and then maintain it after launch. SELinux is a good example: writing a set of rules takes a lot of time and effort, and that set must then be maintained for years as code changes and individual features are added or removed.
We strive to minimize the impact of mitigations on stability and to make sure developers have all the information they need. To achieve these goals, we improve the current algorithms to reduce the number of false positives, and we publish documentation on source.android.com. Making failures easier to debug reduces the maintenance burden on developers. For example, to make UBSan bugs easier to find, we added UBSan minimal runtime support to the Android build system by default. The minimal runtime was originally added by other Google developers specifically for this purpose. When a program crashes because of the Integer Overflow Sanitizer, the following snippet is added to the SIGABRT error message:
Abort message: 'ubsan: sub-overflow'
After seeing this message, a developer understands that diagnostic mode needs to be enabled to print information about the failure:
frameworks/native/services/surfaceflinger/SurfaceFlinger.cpp:2188:32: runtime error: unsigned integer overflow: 0 - 1 cannot be represented in type 'size_t' (aka 'unsigned long')
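The difference between an intended and an unintended unsigned overflow, as an added example that is not code from the Android source tree. The function names are hypothetical: `last_index_unchecked(0)` reproduces the `0 - 1` wrap in `size_t` named in the diagnostic above, and the `no_sanitize` attribute shows the per-function opt-out for arithmetic that wraps by design.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers, constructed for this example. */

/* Intended wraparound: FNV-1a multiplies modulo 2^32. Clang's
 * -fsanitize=unsigned-integer-overflow would abort on the multiply, so the
 * check is disabled for this one function and stays on everywhere else. */
#if defined(__clang__)
__attribute__((no_sanitize("unsigned-integer-overflow")))
#endif
uint32_t fnv1a(const unsigned char *data, size_t len) {
    uint32_t h = 2166136261u;            /* FNV offset basis */
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 16777619u;                  /* FNV prime; wraps by design */
    }
    return h;
}

/* Unintended wraparound: for count == 0 this evaluates 0 - 1 in size_t and
 * yields SIZE_MAX, which a caller would then use as an index. */
size_t last_index_unchecked(size_t count) {
    return count - 1;
}

/* Checked form: returns false instead of wrapping, so the caller has to
 * handle the empty case explicitly. */
bool last_index_checked(size_t count, size_t *out) {
    return !__builtin_sub_overflow(count, (size_t)1, out);
}

int main(void) {
    size_t idx = 0;
    bool ok;
    printf("hash(\"a\")    = 0x%08x\n",
           (unsigned)fnv1a((const unsigned char *)"a", 1));
    printf("unchecked(0) = %zu\n", last_index_unchecked(0));
    ok = last_index_checked(0, &idx);
    printf("checked(0)   = %s\n", ok ? "ok" : "rejected");
    ok = last_index_checked(3, &idx);
    printf("checked(3)   = %s, index %zu\n", ok ? "ok" : "rejected", idx);
    return 0;
}
```

Built without a sanitizer, both overflows pass silently, which is why the benign one has to be annotated and the harmful one fixed before the check is enforced.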
Similarly, SELinux has the audit2allow tool, which can suggest rules that allow specific blocked operations:
adb logcat -d | audit2allow -p policy
#============= rmt ==============
allow rmt kmem_device:chr_file { read write };
audit2allow does not always suggest the right option, but it is very helpful for developers who are new to SELinux.
Conclusion
With each Android release, new tools are provided that protect the whole ecosystem while ensuring the necessary performance and stability. Data analysis plays an important role in this. We hope this article helps you better understand the challenges of implementing new mitigations and how to address them.
Thanks to our colleagues and the authors: Kevin Deus, Joel Galenson, Billy Lau and Ivan Lozano, Android security and privacy specialists. Special thanks to Zviad Kardava and Jeff Vander Stoep for their help in preparing this article.