Samsung - m2m1shot Kernel Driver Buffer Overflow

2015-10-28T00:00:00
ID EXPLOITPACK:AE953C097B91C9AC8432B7D3BE5CD99A
Type exploitpack
Reporter Google Security Research
Modified 2015-10-28T00:00:00

Description

Samsung - m2m1shot Kernel Driver Buffer Overflow

                                        
                                            Source: https://code.google.com/p/google-security-research/issues/detail?id=493

The Samsung m2m1shot driver framework is used to provide hardware acceleration for certain media functions, such as JPEG decoding and scaling images. The driver endpoint (/dev/m2m1shot_jpeg) is accessible by the media server

The Samsung S6 Edge is a 64-bit device, so a compatibility layer is used to allow 32-bit processes to provide structures that are expected by the 64-bit driver. There is a stack buffer overflow in the compat ioctl for m2m1shot:

static long m2m1shot_compat_ioctl32(struct file *filp,
                                unsigned int cmd, unsigned long arg)
{
...
        switch (cmd) {
        case COMPAT_M2M1SHOT_IOC_PROCESS:
        {
                struct compat_m2m1shot data;
                struct m2m1shot_task task;
                int i, ret;

                memset(&task, 0, sizeof(task));

                if (copy_from_user(&data, compat_ptr(arg), sizeof(data))) {
                        dev_err(m21dev->dev,
                                "%s: Failed to read userdata\n", __func__);
                        return -EFAULT;
                }

                ...
                for (i = 0; i < data.buf_out.num_planes; i++) {
                        task.task.buf_out.plane[i].len =
                                                data.buf_out.plane[i].len;
                        ...
                }

In this code snippet, the data.buf_out.num_planes value is attacker-controlled "u8" value, and is not bounds checked. However, task.task.buf_out.plane array is fixed in size (three elements), so a buffer overflow can occur during the loop shown above.

Proof-of-concept code to trigger this issue (from a privileged shell) is attached (m2m1shot_compat.c).

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/38555.zip