Date: Fri, 20 Jan 2017 00:19:34 +0800
From: "idl3r" <>
To: <>
Cc: "'Anarcheuz Fritz'" <>,
Subject: RE: CVE Request - Samsung Exynos GPU driver OOB read

Unfortunately, there is no official git for tracking from Samsung, so I
can't give a pointer to the particular commit.

The bug itself resides in
<root>/drivers/gpu/arm/t7xx/r5p0/mali_kbase_core_linux.c of the src tree, in
the function kbase_dispatch, which is the main ioctl dispatcher of the driver:

static mali_error kbase_dispatch(struct kbase_context *kctx, void * const args, u32 args_size)
    /* setup complete, perform normal operation */

    switch (id) {
            struct kbase_uk_tmu_skip *tskip = args;
            int thermistor = sec_therm_get_ap_temperature();
            u32 i, t_index = tskip->num_ratiometer;

            for (i = 0; i < tskip->num_ratiometer; i++)  /* <== missing boundary check */
                    if (thermistor >= tskip->temperature[i])
                            t_index = i;

tskip->temperature is a uint32 array of static size (10 elements) and
tskip->num_ratiometer is a uint32 which is user controlled. Since the boundary
check is missing, an OOB read may happen, leading to possible memory corruption.

-----Original Message-----
From: Greg KH [] 
Sent: Thursday, January 19, 2017 10:37 PM
Cc: Anarcheuz Fritz <>;
Subject: Re: [oss-security] CVE Request - Samsung Exynos GPU driver OOB read

On Thu, Jan 19, 2017 at 02:38:31PM +0800, Idler wrote:
> Hello,
> I'd like to request CVE for the following security issue:
> Security bulletin: 
> SVE-2016-6362: out of bound read in gpu driver
> Severity: Low
> Affected versions: M(6.0), N(7.0) devices with Exynos AP chipsets 
> Reported on: May 31, 2016 Disclosure status: Privately disclosed.
> Vulnerability in gpu driver does not properly check the boundary of 
> buffers leading to a possible memory corruption.
> The applied patch avoids an illegal access to memory by checking the
> Source code:
> Source code of the affected GPU drivers (as part of the Linux kernel
> source) can be downloaded from Samsung Opensource Resource center:
> The particular model of phone we used to reproduce this issue is:
> =F&searchValue=SM-G9200

Any pointer to the commit(s) that happened to resolve this issue?


greg k-h
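
Added example (not part of the original messages and not Samsung's patch): a user-space C model of the loop quoted above with the missing check put in, so the count is validated before any array element is read. The names tmu_skip_args, tmu_pick_index and TMU_MAX_RATIOMETER, the struct layout beyond the two fields named in the post, and passing the temperature in as a parameter are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TMU_MAX_RATIOMETER 10u /* array size stated in the post */

/* Assumed layout: only the two fields the post names. */
struct tmu_skip_args {
	uint32_t temperature[TMU_MAX_RATIOMETER];
	uint32_t num_ratiometer; /* caller-controlled count */
};

/* Returns 0 and sets *t_index, or -EINVAL for a malformed request. */
int tmu_pick_index(const void *args, size_t args_size,
		   int thermistor, uint32_t *t_index)
{
	struct tmu_skip_args req;
	uint32_t i;

	if (!args || !t_index || args_size < sizeof(req))
		return -EINVAL;
	memcpy(&req, args, sizeof(req)); /* private copy; count is checked once */

	if (req.num_ratiometer > TMU_MAX_RATIOMETER)
		return -EINVAL; /* the boundary check the post says is missing */

	*t_index = req.num_ratiometer; /* same default as the original loop */
	for (i = 0; i < req.num_ratiometer; i++) {
		/* Widened compare: the original compares an int with a u32. */
		if ((int64_t)thermistor >= (int64_t)req.temperature[i])
			*t_index = i;
	}
	return 0;
}

int main(void)
{
	/* Constructed sample request with an oversized count. */
	struct tmu_skip_args a = { .temperature = { 30, 35, 40, 45 }, .num_ratiometer = 11 };
	uint32_t idx = 0;
	int rc = tmu_pick_index(&a, sizeof(a), 47, &idx);
	printf("count=11 -> rc=%d\n", rc);
	a.num_ratiometer = 4;
	rc = tmu_pick_index(&a, sizeof(a), 47, &idx);
	printf("count=4  -> rc=%d t_index=%u\n", rc, (unsigned)idx);
	return 0;
}
```

The widened comparison is a deliberate difference from the quoted loop: with int against u32, a negative temperature is converted to a large unsigned value and matches every threshold.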
