New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 964 link

Starred by 1 user

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Jan 2017
Cc:



Sign in to add a comment

Samsung: Kernel information disclosure in "maxdsm_read"

Reported by laginimaineb@google.com, Oct 7 2016

Issue description

The "maxdsm" driver exposes several character devices which can be used to control and calibrate the device. One such device is the "control device", exposed under: "/dev/dsm_ctrl_dev".

The character device provides several file operations, including a "read" operation, which is implemented using the function "maxdsm_read". The code for the "maxdsm_read" function is as follows:

1. static ssize_t maxdsm_read(struct file *filep, char __user *buf,
2.		size_t count, loff_t *ppos)
3. {
4. 	int ret;
5.
6.	mutex_lock(&dsm_fs_lock);
7.
8.	maxdsm_read_all();
9.
10.	/* copy params to user */
11.	ret = copy_to_user(buf, maxdsm.param, count);
12.	if (ret)
13.		pr_err("%s: copy_to_user failed - %d\n", __func__, ret);
14.
15.	mutex_unlock(&dsm_fs_lock);
16.
17.	return ret;
18. }

This function fails to validate the "count" argument, passed in by the caller. This means that calling "read" with a large count (i.e., larger than maxdsm.param_size) would copy in additional bytes which reside after  the maxdsm.param buffer. 

I've statically verified this issue on an SM-G935F device, using the open-source kernel package "SM-G935F_MM_Opensource".

The "/dev/dsm_ctrl_dev" file is owned by root, and has an SELinux context of "u:object_r:device:s0".

According to the default SELinux rules as present on the SM-G935F (version XXS1APG3), the following contexts may access these files:
   allow icd device : file { write append open } ; 
   allow system_app device : dir { read getattr search open } ; 
   allow device device : filesystem associate ; 
   allow kiesexe device : file { ioctl read getattr lock open } ; 
   allow oneseg_mw device : sock_file write ; 
   allow llk_untrusted_app device : sock_file { ioctl read write getattr lock append open } ; 
   allow ddexe device : file { ioctl read getattr lock open } ; 
   allow ueventd device : file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow qti_init_shell device : file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow radio device : sock_file write ; 
   allow init device : chr_file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow init device : file { ioctl read write create getattr setattr lock relabelfrom append unlink rename open } ; 
   allow rild device : file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow nfc device : lnk_file read ; 
   allow mpdecision device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow charge device : dir { read write open } ; 
   allow vold device : chr_file { ioctl create setattr lock append link rename execute } ; 
   allow rild device : lnk_file { create unlink } ; 
   allow rtcc device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow dhcp device : file { ioctl read getattr lock open } ; 
   allow debuggerd device : dir { write add_name remove_name } ; 
   allow domain device : dir search ; 
   allow bootchecker device : sock_file write ; 
   allow rild device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow ffu device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow felica_app device : dir { read write setattr open } ; 
   allow vold device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ; 
   allow ext_symlink device : dir { write add_name remove_name } ; 
   allow domain device : file read ; 
   allow servicemanager device : file { ioctl read getattr lock open } ; 
   allow init device : lnk_file unlink ; 
   allow sdcardd device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow llk_untrusted_app device : fifo_file { ioctl read write getattr lock append open } ; 
   allow bugreport device : sock_file write ; 
   allow wpa device : file { ioctl read getattr lock open } ; 
   allow kernel device : chr_file { create getattr setattr unlink } ; 
   allow kernel device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ; 
   allow system_server device : sock_file { ioctl read write getattr lock append open } ; 
   allow tbased device : dir { write create add_name } ; 
   allow qti_init_shell device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ; 
   allow untrusteddomain device : dir { read write setattr open } ; 
   allow system_app device : file { ioctl read getattr lock open } ; 
   allow cnd device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow ext_symlink device : lnk_file { create unlink } ; 
   allow thermal-engine device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow mpdecision device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow qlogd device : dir { ioctl read getattr search open } ; 
   allow kernel device : blk_file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow p2p_supplicant device : file { ioctl read getattr lock open } ; 
   allow slideshow device : dir { ioctl read getattr search open } ; 
   allow charge device : chr_file { create unlink } ; 
   allow ueventd device : chr_file { ioctl read write getattr lock append open } ; 
   allow healthd device : dir { write add_name remove_name search open } ; 
   allow fsck device : dir write ; 
   allow mmb_mw device : sock_file write ; 
   allow init device : dir { write relabelto mounton add_name remove_name } ; 
   allow cbd device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow tee device : dir { ioctl read getattr search open } ; 
   allow system_app device : sock_file write ; 
   allow ueventd device : lnk_file { ioctl read getattr lock unlink link rename open } ; 
   allow system_server device : dir { ioctl read getattr search open } ; 
   allow dumpstate device : sock_file write ; 

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
Labels: -Restrict-View-Commit SVE-2016-7340
Deadline exceeded -- automatically derestricting.
Status: Fixed (was: New)
Fixed in January SMR, verification pending.
Summary: Samsung: Kernel information disclosure in "maxdsm_read" (was: Android: Kernel information disclosure in "maxdsm_read")
Project Member

Comment 4 by hawkes@google.com, Mar 27 2018

Labels: Deadline-Exceeded

Sign in to add a comment