oss-sec mailing list archives
CVE request - samsung android phone msm_sensor_config function write some range kernel address with any value
From: Berry <throber3 () gmail com>
Date: Mon, 18 Apr 2016 01:23:12 +0800
The v4l-subdev driver provides an ioctl system call interface to user space clients for communication. When processing this communication, the msm_sensor_config function uses the user-supplied value gpio_config.gpio_name as an index to a buffer for write operations without any boundary checks.

code:

    // kernel/SM-G9008V_CHN_KK_Opensource/Kernel/drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c
    int msm_sensor_config(struct msm_sensor_ctrl_t *s_ctrl, void __user *argp)
    {
        struct sensorb_cfg_data *cdata = (struct sensorb_cfg_data *)argp;
        /* ... */
        case CFG_SET_GPIO_STATE: { //case 12:
            struct msm_sensor_gpio_config gpio_config;
            struct msm_camera_power_ctrl_t *data = &s_ctrl->sensordata->power_info;
            if (copy_from_user(&gpio_config, (void*)cdata->cfg.setting, sizeof(gpio_config))) {
                pr_err("%s:%d failed\n", __func__, __LINE__);
                rc = -EFAULT;
                break;
            }
            pr_info("%s: setting gpio: %d to %d\n", __func__,
                data->gpio_conf->gpio_num_info->gpio_num[gpio_config.gpio_name],
                gpio_config.config_val);
            gpio_set_value_cansleep(
                data->gpio_conf->gpio_num_info->gpio_num[gpio_config.gpio_name],
                gpio_config.config_val); //control gpio_config.gpio_name and gpio_config.config_val
            break;
        }
        default:
            rc = -EFAULT;
            break;
        }
        /* ... */
    }

Affected versions: KK(4.4) and L with APQ8084, MSM8974, and MSM8974pro chipset

fix: http://security.samsungmobile.com/smrupdate.html#SMR-JAN-2016
SVE-2015-4958: msm_sensor_config security issues

We reported this to Samsung; Samsung replied that if we want a CVE we should request it ourselves.

Best regards,
Berry Cheng
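The defect in the quoted CFG_SET_GPIO_STATE case is that gpio_config.gpio_name, copied straight from user memory, indexes gpio_num[] with no range check. The following user-space model, added here as an illustration and not code from the report or from Samsung's kernel, shows the shape of the fix a reviewer would expect: validate the index against the table size (with an unsigned comparison so negative values are rejected too) before the array is touched. The structure layouts, GPIO_NUM_MAX, the 40/41/42 sample table and the fake copy_from_user/gpio_set_value_cansleep stand-ins are all constructed assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed user-space model of the CFG_SET_GPIO_STATE handler quoted
 * above. Structure layouts, GPIO_NUM_MAX and the fake copy/set helpers
 * are assumptions for illustration, not the kernel's definitions. */
#define GPIO_NUM_MAX 16               /* assumed length of gpio_num[] */

struct msm_sensor_gpio_config {
    int gpio_name;                    /* user-chosen index into gpio_num[] */
    int config_val;                   /* user-chosen level to drive */
};

struct gpio_num_info {
    uint16_t gpio_num[GPIO_NUM_MAX];  /* board GPIO line per logical name */
};

/* Stand-in for gpio_set_value_cansleep(): record the last request. */
static unsigned last_gpio;
static int last_val;
static void fake_gpio_set_value_cansleep(unsigned gpio, int val)
{
    last_gpio = gpio;
    last_val = val;
}

/* Stand-in for copy_from_user(): 0 on success, nonzero if src is NULL. */
static int fake_copy_from_user(void *dst, const void *src, size_t n)
{
    if (src == NULL)
        return 1;
    memcpy(dst, src, n);
    return 0;
}

/* The check the quoted code lacks. Casting to unsigned makes one
 * comparison reject both negative and too-large indices. */
int gpio_index_in_bounds(int gpio_name)
{
    return (unsigned)gpio_name < GPIO_NUM_MAX;
}

/* Byte offset from the start of gpio_num[] that an index selects; shows
 * how far outside the table an unchecked index would reach. */
long gpio_index_offset(int gpio_name)
{
    return (long)gpio_name * (long)sizeof(uint16_t);
}

/* Hardened handler: same flow as the quoted case plus the range check.
 * Returns 0 on success, -EFAULT on copy failure, -EINVAL on a bad index. */
int set_gpio_state_checked(struct gpio_num_info *info, const void *user_cfg)
{
    struct msm_sensor_gpio_config gpio_config;

    if (fake_copy_from_user(&gpio_config, user_cfg, sizeof(gpio_config)))
        return -EFAULT;               /* unreadable user pointer */

    if (!gpio_index_in_bounds(gpio_config.gpio_name))
        return -EINVAL;               /* reject before any array access */

    fake_gpio_set_value_cansleep(info->gpio_num[gpio_config.gpio_name],
                                 gpio_config.config_val);
    return 0;
}

unsigned last_gpio_set(void) { return last_gpio; }
int last_value_set(void) { return last_val; }

/* Self-contained driver: a constructed three-entry table, then the
 * handler's return code for the given (gpio_name, config_val). */
int run_set_gpio_state(int gpio_name, int config_val)
{
    struct gpio_num_info info = { .gpio_num = { 40, 41, 42 } };  /* constructed */
    struct msm_sensor_gpio_config cfg = { gpio_name, config_val };
    return set_gpio_state_checked(&info, &cfg);
}

int main(void)
{
    int bad = 0x40000;                /* constructed out-of-range index */

    printf("in-range index 2: rc=%d gpio=%u val=%d\n",
           run_set_gpio_state(2, 1), last_gpio_set(), last_value_set());
    printf("index %d: rc=%d, unchecked code would read %ld bytes past gpio_num[]\n",
           bad, run_set_gpio_state(bad, 1),
           gpio_index_offset(bad) - (long)(GPIO_NUM_MAX * sizeof(uint16_t)));
    printf("index -1: rc=%d\n", run_set_gpio_state(-1, 0));
    return 0;
}
```

The same pattern applies to every ioctl case that turns a user-supplied integer into an array index: validate it once, immediately after copy_from_user(), against the real length of the table it indexes, and return -EINVAL rather than logging and continuing.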
Current thread:
- CVE request - samsung android phone msm_sensor_config function write some range kernel address with any value Berry (Apr 17)