Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 18 Apr 2016 01:23:12 +0800
From: Berry <throber3@...il.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: cve-assign@...re.org
Subject: CVE request - samsumg android phone msm_sensor_config function write
 some range kernel address with any value

            The v4l-subdev driver provides an ioctl system call
interface to user space clients for communication. When processing
this communication, the msm_sensor_config function uses the
user-supplied value gpio_config.gpio_name as an index to a buffer for
write operations without any boundary checks.


              code:
              //
kernel/SM-G9008V_CHN_KK_Opensource/Kernel/drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c

             int msm_sensor_config(struct msm_sensor_ctrl_t *s_ctrl,
void __user *argp){
                struct sensorb_cfg_data *cdata = (struct
sensorb_cfg_data *)argp;

                case CFG_SET_GPIO_STATE: {    //case 12:
                  struct msm_sensor_gpio_config gpio_config;
                  struct msm_camera_power_ctrl_t *data =
&s_ctrl->sensordata->power_info;
                  if (copy_from_user(&gpio_config,
                         (void*)cdata->cfg.setting,
                         sizeof(gpio_config))) {
                    pr_err("%s:%d failed\n", __func__, __LINE__);
                    rc = -EFAULT;
                    break;
                  }
                  pr_info("%s: setting gpio: %d to %d\n", __func__,

data->gpio_conf->gpio_num_info->gpio_num[gpio_config.gpio_name],
                    gpio_config.config_val);

                  gpio_set_value_cansleep(

data->gpio_conf->gpio_num_info->gpio_num[gpio_config.gpio_name],
                    gpio_config.config_val);  //control
gpio_config.gpio_name and gpio_config.config_val
                  break;
                }
                default:
                  rc = -EFAULT;
                  break;
              }


            Affected versions:
            KK(4.4) and L with APQ8084, MSM8974, and MSM8974pro chipset

             fix:
             http://security.samsungmobile.com/smrupdate.html#SMR-JAN-2016
             SVE-2015-4958: msm_sensor_config security issues

             we report this to samsung, samsung reply  to us if we
want to get cve  request it by ourself.

              Best regards,
              Berry Cheng

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ