Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Android maxdsm Driver Kernel Information Disclosure Vulnerability

🗓️ 06 Jan 2017 00:00:00Reported by laginimainebType 
zdt
 zdt🔗 0day.today👁 32 Views

Android "maxdsm_read" Driver Kernel Info Disclosur

Code
Android: Kernel information disclosure in "maxdsm_read" 

The "maxdsm" driver exposes several character devices which can be used to control and calibrate the device. One such device is the "control device", exposed under: "/dev/dsm_ctrl_dev".

The character device provides several file operations, including a "read" operation, which is implemented using the function "maxdsm_read". The code for the "maxdsm_read" function is as follows:

1. static ssize_t maxdsm_read(struct file *filep, char __user *buf,
2.    size_t count, loff_t *ppos)
3. {
4.   int ret;
5.
6.  mutex_lock(&dsm_fs_lock);
7.
8.  maxdsm_read_all();
9.
10.  /* copy params to user */
11.  ret = copy_to_user(buf, maxdsm.param, count);
12.  if (ret)
13.    pr_err("%s: copy_to_user failed - %d\n", __func__, ret);
14.
15.  mutex_unlock(&dsm_fs_lock);
16.
17.  return ret;
18. }

This function fails to validate the "count" argument, passed in by the caller. This means that calling "read" with a large count (i.e., larger than maxdsm.param_size) would copy in additional bytes which reside after  the maxdsm.param buffer. 

I've statically verified this issue on an SM-G935F device, using the open-source kernel package "SM-G935F_MM_Opensource".

The "/dev/dsm_ctrl_dev" file is owned by root, and has an SELinux context of "u:object_r:device:s0".

According to the default SELinux rules as present on the SM-G935F (version XXS1APG3), the following contexts may access these files:
   allow icd device : file { write append open } ; 
   allow system_app device : dir { read getattr search open } ; 
   allow device device : filesystem associate ; 
   allow kiesexe device : file { ioctl read getattr lock open } ; 
   allow oneseg_mw device : sock_file write ; 
   allow llk_untrusted_app device : sock_file { ioctl read write getattr lock append open } ; 
   allow ddexe device : file { ioctl read getattr lock open } ; 
   allow ueventd device : file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow qti_init_shell device : file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow radio device : sock_file write ; 
   allow init device : chr_file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow init device : file { ioctl read write create getattr setattr lock relabelfrom append unlink rename open } ; 
   allow rild device : file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow nfc device : lnk_file read ; 
   allow mpdecision device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow charge device : dir { read write open } ; 
   allow vold device : chr_file { ioctl create setattr lock append link rename execute } ; 
   allow rild device : lnk_file { create unlink } ; 
   allow rtcc device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow dhcp device : file { ioctl read getattr lock open } ; 
   allow debuggerd device : dir { write add_name remove_name } ; 
   allow domain device : dir search ; 
   allow bootchecker device : sock_file write ; 
   allow rild device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow ffu device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow felica_app device : dir { read write setattr open } ; 
   allow vold device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ; 
   allow ext_symlink device : dir { write add_name remove_name } ; 
   allow domain device : file read ; 
   allow servicemanager device : file { ioctl read getattr lock open } ; 
   allow init device : lnk_file unlink ; 
   allow sdcardd device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow llk_untrusted_app device : fifo_file { ioctl read write getattr lock append open } ; 
   allow bugreport device : sock_file write ; 
   allow wpa device : file { ioctl read getattr lock open } ; 
   allow kernel device : chr_file { create getattr setattr unlink } ; 
   allow kernel device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ; 
   allow system_server device : sock_file { ioctl read write getattr lock append open } ; 
   allow tbased device : dir { write create add_name } ; 
   allow qti_init_shell device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ; 
   allow untrusteddomain device : dir { read write setattr open } ; 
   allow system_app device : file { ioctl read getattr lock open } ; 
   allow cnd device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow ext_symlink device : lnk_file { create unlink } ; 
   allow thermal-engine device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow mpdecision device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow qlogd device : dir { ioctl read getattr search open } ; 
   allow kernel device : blk_file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow p2p_supplicant device : file { ioctl read getattr lock open } ; 
   allow slideshow device : dir { ioctl read getattr search open } ; 
   allow charge device : chr_file { create unlink } ; 
   allow ueventd device : chr_file { ioctl read write getattr lock append open } ; 
   allow healthd device : dir { write add_name remove_name search open } ; 
   allow fsck device : dir write ; 
   allow mmb_mw device : sock_file write ; 
   allow init device : dir { write relabelto mounton add_name remove_name } ; 
   allow cbd device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow tee device : dir { ioctl read getattr search open } ; 
   allow system_app device : sock_file write ; 
   allow ueventd device : lnk_file { ioctl read getattr lock unlink link rename open } ; 
   allow system_server device : dir { ioctl read getattr search open } ; 
   allow dumpstate device : sock_file write ; 

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.


Found by: laginimaineb

#  0day.today [2018-01-08]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
06 Jan 2017 00:00Current
6.8Medium risk
Vulners AI Score6.8
androidmaxdsm_readdriverkernelinformation disclosurecontrol deviceselinuxsm-g935fvalidationcharacter devicefile operationsopen-sourcepackagecontextaccess rules
32