Android fps sysfs Entry Buffer Overflow
CVE: CVE-2021-12345
Category: CWE-119
Price: $5000
Severity: Critical
Author: Anonymous
Risk: Critical
Exploitation Type: Local
Date: 2017-01-19
CVSS vector description (metric, value, value description)

Attack Vector (AV): Network. The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).

Attack Complexity (AC): Low. The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.

Privileges Required (PR): None. The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

User Interaction (UI): None. The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system; a locally authenticated attacker executes code to elevate privileges.

Scope (S): Unchanged. An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.

Confidentiality (C): High. There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.

Integrity (I): High. There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.

Availability (A): High. There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017010150
Below is a copy:

Android: Buffer overflow in "fps" sysfs entry
The GPU driver on Exynos SoCs exposes several sysfs entries. One such entry, "fps", allows the user to overwrite or query the global FPS string.
The "fps" sysfs entry is present under:
/sys/devices/platform/gpusysfs/fps
Writes to this entry are handled by the function "fps_write" (shown below), under:
drivers/gpu/gpu_sysfs/gpu_sysfs_target_exynos<VERSION>.c
This function fails to validate the length of the user-supplied string before copying it into a static global variable, "global_fps_string".
ssize_t fps_write(struct device *dev, struct device_attribute *attr, const char *buf, size_t count)
{
    pr_info("SRUK ----------- %s -- %d", __FUNCTION__, __LINE__);

    /* "buf" holds the user-supplied string; "count" (its length) is never consulted. */
    if (buf != NULL)
        sprintf(global_fps_string, "%s", buf);   /* unbounded copy into the 32-byte static buffer */
    else
        sprintf(global_fps_string, "0");

    /* Return success status. */
    return count;
}
The "buf" argument contains the user-supplied data.
Supplying a string larger than the static buffer (i.e., larger than 32 bytes) will allow an attacker to trigger the overflow.
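The unbounded copy above, placed beside a bounded store handler, as an added example that is not the report's or the vendor's code. It is a userspace model of the kernel store callback: the device and attribute arguments are dropped, global_fps_string is assumed to be the 32-byte static buffer the report describes, and fps_write_bounded is a hypothetical fix (honour count, strip the newline echo appends, refuse what does not fit), not the patch Samsung shipped.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Assumption from the report: the target is a static 32-byte buffer. */
#define FPS_STRING_LEN 32
static char global_fps_string[FPS_STRING_LEN];

/* The pattern the report describes: sprintf() with no length check.
 * `count` is ignored, so anything longer than 31 bytes runs past the end
 * of global_fps_string. Kept only for comparison; nothing below calls it. */
ssize_t fps_write_unbounded(const char *buf, size_t count)
{
    if (buf != NULL)
        sprintf(global_fps_string, "%s", buf);
    else
        sprintf(global_fps_string, "0");
    return (ssize_t)count;
}

/* Hypothetical bounded handler:
 *  - uses `count` rather than trusting a NUL terminator inside `buf`,
 *  - drops the trailing '\n' that `echo 60 > fps` delivers,
 *  - rejects input that would not fit, so the writer sees -EINVAL
 *    and the stored value is left untouched. */
ssize_t fps_write_bounded(const char *buf, size_t count)
{
    size_t len;

    if (buf == NULL) {                 /* same fallback as the original */
        strcpy(global_fps_string, "0");
        return (ssize_t)count;
    }
    len = count;
    if (len > 0 && buf[len - 1] == '\n')
        len--;
    if (len >= sizeof(global_fps_string))
        return -EINVAL;                /* would overflow: refuse instead of truncating silently */
    memcpy(global_fps_string, buf, len);
    global_fps_string[len] = '\0';
    return (ssize_t)count;
}

/* What a read of the entry (the show callback) would report. */
const char *fps_current(void)
{
    return global_fps_string;
}

int main(void)
{
    const char ok[] = "60\n";          /* constructed: what `echo 60 > fps` hands to the handler */
    char big[64];                      /* constructed oversized write */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("3-byte write  -> %zd, value \"%s\"\n",
           fps_write_bounded(ok, sizeof ok - 1), fps_current());
    printf("63-byte write -> %zd (-EINVAL is %d), value still \"%s\"\n",
           fps_write_bounded(big, strlen(big)), -EINVAL, fps_current());
    return 0;
}
```

Returning -EINVAL rather than truncating keeps the failure visible to the writer (the write(2) call fails), which is the behaviour a reviewer would want from a debug knob like this one.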
I've statically verified this issue on an SM-G935F device. The open-source kernel package I analysed was "SM-G935F_MM_Opensource".
The sysfs entry mentioned above is owned by the "root" user and group and has an SELinux context of: "u:object_r:sysfs:s0".
According to the default SELinux rules as present on the SM-G935F (version XXS1APG3), the following contexts may access these files:
allow ipm sysfs : file { write setattr } ;
allow netd sysfs : file write ;
allow perfd sysfs : file { ioctl read write getattr lock append open } ;
allow qti_init_shell sysfs : dir write ;
allow rtcc sysfs : file { write setattr } ;
allow nfc sysfs : file write ;
allow mm-pp-daemon sysfs : file { ioctl read write getattr lock append open } ;
allow geomagneticd sysfs : file { write append open } ;
allow qti_init_shell sysfs : file { write setattr append open } ;
allow sysfs tmpfs : filesystem associate ;
allow energyawareness sysfs : file { write append open } ;
allow mfgloader sysfs : file write ;
allow eeh sysfs : file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow lmkd sysfs : file write ;
allow sec-ril sysfs : file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow cellgeofenced sysfs : dir { ioctl read write getattr add_name remove_name search open } ;
allow connfwexe sysfs : file { ioctl read write getattr lock append open } ;
allow mm-qcamerad sysfs : file { ioctl read write getattr lock append open } ;
allow surfaceflinger sysfs : file { ioctl read write getattr setattr lock append open } ;
allow mediaserver sysfs : file { ioctl read write getattr lock append open } ;
allow fstman sysfs : file write ;
allow mdm_helper sysfs : file { ioctl read write getattr lock append open } ;
allow sprd_res_monitor sysfs : file { ioctl read write getattr lock append open } ;
allow sysfs_type sysfs : filesystem associate ;
allow domain sysfs : lnk_file { ioctl read getattr lock open } ;
allow debuggerd sysfs : file { write append open } ;
allow bintvoutservice sysfs : file { write append open } ;
allow dumpstate sysfs : file { write append open } ;
allow mlexe sysfs : file { write append open } ;
allow configfs sysfs : filesystem associate ;
allow diag sysfs : file { write append open } ;
allow qmuxd sysfs : file { write append open } ;
allow vmwared sysfs : file write ;
allow lpm sysfs : file { ioctl read write getattr lock append open } ;
allow domain sysfs : dir { ioctl read getattr search open } ;
allow init sysfs : dir { write getattr relabelfrom mounton } ;
allow zygote sysfs : file write ;
allow rtcc sysfs : dir setattr ;
allow ueventd sysfs : file { ioctl read write getattr lock relabelfrom relabelto append open } ;
allow phasecheckserver sysfs : file write ;
allow vm_bms sysfs : file { write append open } ;
allow modem_control sysfs : file write ;
allow tbased sysfs : file write ;
allow jackservice sysfs : file write ;
allow radio sysfs : file { append open } ;
allow cnd sysfs : file { write append open } ;
allow sswap sysfs : file { write append open } ;
allow factorytest sysfs : file { write open } ;
allow hvdcp sysfs : file { ioctl read write getattr lock append open } ;
allow marvelltel sysfs : file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow cbd sysfs : file { write append open } ;
allow batterysrv sysfs : file write ;
allow sensors sysfs : file { write append open } ;
allow bauthserver sysfs : file { ioctl read write getattr lock append open } ;
allow netmgrd sysfs : file { write append open } ;
allow init sysfs : file { getattr relabelfrom } ;
allow domain sysfs : file { ioctl read getattr lock open } ;
allow kiesexe sysfs : file { write append open } ;
allow lhd sysfs : file { ioctl read write getattr lock append open } ;
allow at_distributor sysfs : file { write append open } ;
allow mmb_mw sysfs : file { write append open } ;
allow FMRadiod sysfs : file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow gpsd sysfs : file { ioctl read write getattr lock append open } ;
allow oneseg_mw sysfs : file { write append open } ;
allow mmi sysfs : file { write append open } ;
allow sensorhubservice sysfs : file write ;
allow kernel sysfs : file setattr ;
allow rootfs sysfs : filesystem associate ;
allow system_server sysfs : file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow qcks sysfs : file { write append open } ;
allow qosmgr sysfs : file write ;
allow surfaceflinger sysfs : lnk_file { ioctl read write getattr lock append open } ;
allow smdexe sysfs : file { ioctl read write getattr lock append open } ;
allow zram sysfs : file write ;
allow wcnss_service sysfs : file { write append open } ;
allow phservice sysfs : file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow sysfs sysfs : filesystem associate ;
allow ssr_setup sysfs : file { write append open } ;
allow mwirelessd sysfs : file write ;
allow macloader sysfs : file { ioctl read write getattr lock append open } ;
allow bluetooth sysfs : file { ioctl read write getattr lock append open } ;
allow RIDL sysfs : file write ;
allow autotest sysfs : file { write open } ;
allow bootanim sysfs : file { ioctl read write getattr lock append open } ;
allow vold sysfs : file { ioctl read write getattr lock append open } ;
allow ueventd sysfs : dir { setattr relabelfrom relabelto } ;
allow charger_monitor sysfs : file { write append open } ;
allow mpdecision sysfs : file { ioctl read write getattr lock append open } ;
allow engpc sysfs : file write ;
allow rild sysfs : file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow thermal-engine sysfs : file { write append open } ;
allow init sysfs : lnk_file { getattr setattr relabelfrom } ;
allow rmt_storage sysfs : file { write append open } ;
allow healthd sysfs : file write ;
allow cellgeofenced sysfs : file { ioctl read write getattr lock append open } ;
allow system_server sysfs : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ;
allow efsks sysfs : file { write append open } ;
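A small audit helper for the rule list above, added here as an example and not part of the report: it parses allow rules in the shape the page prints (allow <src> <tgt> : <class> <perm or { perms }> ;) and lists the source domains granted a given permission on sysfs:file. The six rules embedded in it are a constructed subset of the page's list; both write and append are worth checking, because a sysfs store callback runs on either kind of write(2).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed subset of the allow rules quoted in the report (not a complete policy). */
static const char *const sample_rules[] = {
    "allow zygote sysfs : file write ;",
    "allow domain sysfs : file { ioctl read getattr lock open } ;",
    "allow radio sysfs : file { append open } ;",
    "allow init sysfs : dir { write getattr relabelfrom mounton } ;",
    "allow surfaceflinger sysfs : file { ioctl read write getattr setattr lock append open } ;",
    "allow sysfs tmpfs : filesystem associate ;",
};
#define NRULES ((int)(sizeof sample_rules / sizeof sample_rules[0]))

#define MAX_TOK 32
#define TOK_LEN 40

/* Split one rule into whitespace-separated tokens; braces and ';' are space-separated on the page. */
static int tokenize(const char *line, char toks[MAX_TOK][TOK_LEN])
{
    int n = 0;
    while (*line && n < MAX_TOK) {
        while (*line && isspace((unsigned char)*line))
            line++;
        if (!*line)
            break;
        int i = 0;
        while (*line && !isspace((unsigned char)*line)) {
            if (i < TOK_LEN - 1)
                toks[n][i++] = *line;
            line++;
        }
        toks[n][i] = '\0';
        n++;
    }
    return n;
}

/* Returns 1 if `line` is an allow rule granting `perm` on <type>:<cls>, copying the
 * source domain into `dom`. Handles both "file write ;" and "file { a b c } ;". */
int rule_grants(const char *line, const char *type, const char *cls, const char *perm,
                char *dom, size_t domlen)
{
    char toks[MAX_TOK][TOK_LEN];
    int n = tokenize(line, toks);
    int found = 0;

    if (n < 7 || strcmp(toks[0], "allow") != 0 || strcmp(toks[2], type) != 0 ||
        strcmp(toks[3], ":") != 0 || strcmp(toks[4], cls) != 0)
        return 0;

    if (strcmp(toks[5], "{") == 0) {
        for (int i = 6; i < n && strcmp(toks[i], "}") != 0; i++)
            if (strcmp(toks[i], perm) == 0)
                found = 1;
    } else {
        found = strcmp(toks[5], perm) == 0;
    }
    if (found) {
        strncpy(dom, toks[1], domlen - 1);
        dom[domlen - 1] = '\0';
    }
    return found;
}

/* Collect the domains granted `perm` on sysfs:file; returns how many were found (at most max). */
int sysfs_file_domains(const char *const *rules, int nrules, const char *perm,
                       char out[][TOK_LEN], int max)
{
    int count = 0;
    for (int i = 0; i < nrules && count < max; i++)
        if (rule_grants(rules[i], "sysfs", "file", perm, out[count], TOK_LEN))
            count++;
    return count;
}

/* Wrappers over the embedded sample so results can be inspected one domain at a time. */
static char sample_found[NRULES][TOK_LEN];

int sample_count(const char *perm)
{
    return sysfs_file_domains(sample_rules, NRULES, perm, sample_found, NRULES);
}

const char *sample_domain(const char *perm, int idx)
{
    int n = sample_count(perm);
    return idx < n ? sample_found[idx] : "";
}

int main(void)
{
    const char *perms[] = { "write", "append" };
    for (int p = 0; p < 2; p++) {
        int n = sample_count(perms[p]);
        printf("%s on sysfs:file (%d):", perms[p], n);
        for (int i = 0; i < n; i++)
            printf(" %s", sample_found[i]);
        printf("\n");
    }
    return 0;
}
```

On the sample, write is granted to zygote and surfaceflinger, and append to radio and surfaceflinger; the init rule is skipped because it targets the dir class, which never reaches a file's store callback. Run over the full list above, the same filter gives the set of domains from which a write to the "fps" entry is permitted by policy, which is what the report's SELinux excerpt is there to establish.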
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Found by: laginimaineb