ITh4cker / google-security-research

Automatically exported from code.google.com/p/google-security-research

Samsung seiren kernel driver buffer overflow #491

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The Exynos Seiren Audio driver has a device endpoint (/dev/seiren) that is 
accessible by either the system user or the audio group (such as the 
mediaserver). It was found that the write() implementation for this driver 
contains a buffer overflow vulnerability that overflows a static global buffer:

static ssize_t esa_write(struct file *file, const char *buffer,
                                        size_t size, loff_t *pos)
{
        struct esa_rtd *rtd = file->private_data;
        unsigned char *ibuf;
…
        ibuf = rtd->ibuf0;
...
        /* receive stream data from user */
        /* size is user-controlled and is never compared against the size of rtd->ibuf0 */
        if (copy_from_user(ibuf, buffer, size)) {
                esa_err("%s: failed to copy_from_user\n", __func__);
                goto err;
        }

Note that the user supplied buffer and size parameters are not adequately 
bounds checked. The destination buffer is fixed size, so memory corruption can 
occur. A simple proof-of-concept from a privileged shell can be used to trigger 
the issue (tested on a Samsung S6 Edge):

# dd if=/dev/zero of=/dev/seiren count=5000000

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 29 Jul 2015 at 10:05
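As an added illustration, not part of the original report or of Samsung's fix (the actual patch is not shown in this thread): a user-space model of the write path described above, beside a hardened form that rejects any write larger than the buffer. The buffer size, the model struct, the guard bytes and the function names are assumptions; memcpy() stands in for copy_from_user().

```c
#include <errno.h>
#include <string.h>
#include <sys/types.h>

/* Constructed model of the driver state. The real size of ibuf0 is not given
 * on this page, so 4096 is an assumption; GUARD_SIZE extra bytes sit right
 * after the logical buffer so the model can tell whether it was overrun. */
#define ESA_IBUF_SIZE 4096
#define GUARD_SIZE 16

struct esa_rtd_model {
    unsigned char ibuf0[ESA_IBUF_SIZE + GUARD_SIZE]; /* buffer + guard */
};

/* Shape of the reported bug: size is never compared with the buffer size;
 * memcpy() stands in for copy_from_user(). Model-only: size <= sizeof ibuf0. */
ssize_t esa_write_unchecked(struct esa_rtd_model *rtd, const unsigned char *buf, size_t size)
{
    memcpy(rtd->ibuf0, buf, size);
    return (ssize_t)size;
}

/* Hardened form: reject a write that does not fit before anything is copied
 * (clamping to the buffer size would be the other common choice). */
ssize_t esa_write_checked(struct esa_rtd_model *rtd, const unsigned char *buf, size_t size)
{
    if (size > ESA_IBUF_SIZE) /* sizeof(rtd->ibuf0) in the real driver */
        return -EINVAL;
    memcpy(rtd->ibuf0, buf, size);
    return (ssize_t)size;
}

/* One write against a fresh zeroed model with a constructed 0xAA payload:
 * returns the negative errno if rejected, else 1 (guard intact) or 0 (overrun). */
long run_write(int use_checked, size_t size)
{
    struct esa_rtd_model rtd;
    unsigned char src[ESA_IBUF_SIZE + GUARD_SIZE];
    ssize_t rc;
    memset(&rtd, 0, sizeof rtd);
    memset(src, 0xAA, sizeof src);
    rc = use_checked ? esa_write_checked(&rtd, src, size)
                     : esa_write_unchecked(&rtd, src, size);
    if (rc < 0)
        return rc;
    for (size_t i = 0; i < GUARD_SIZE; i++)
        if (rtd.ibuf0[ESA_IBUF_SIZE + i] != 0)
            return 0;
    return 1;
}
```

The unchecked path silently overwrites the guard once size exceeds ESA_IBUF_SIZE; the checked path returns -EINVAL before any copy happens.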

GoogleCodeExporter commented 8 years ago

Original comment by scvi...@google.com on 30 Jul 2015 at 2:11

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 23 Oct 2015 at 6:15

GoogleCodeExporter commented 8 years ago
Fixed in October MR.

Original comment by natashe...@google.com on 27 Oct 2015 at 6:38

GoogleCodeExporter commented 8 years ago

Original comment by natashe...@google.com on 27 Oct 2015 at 6:40

GoogleCodeExporter commented 8 years ago
I want to ask you a question:
  How can I trigger the issue as a user without privilege? Is there any API that finally calls that ioctl? I tried to find the way but failed. Thank you very much~

Original comment by huahuais...@gmail.com on 13 Nov 2015 at 8:14

GoogleCodeExporter commented 8 years ago
oh, not ioctl but this write...

Original comment by huahuais...@gmail.com on 13 Nov 2015 at 8:16