Android: Kernel information disclosure in "maxdsm_read" The "maxdsm" driver exposes several character devices which can be used to control and calibrate the device. One such device is the "control device", exposed under: "/dev/dsm_ctrl_dev". The character device provides several file operations, including a "read" operation, which is implemented using the function "maxdsm_read". The code for the "maxdsm_read" function is as follows: 1. static ssize_t maxdsm_read(struct file *filep, char __user *buf, 2. size_t count, loff_t *ppos) 3. { 4. int ret; 5. 6. mutex_lock(&dsm_fs_lock); 7. 8. maxdsm_read_all(); 9. 10. /* copy params to user */ 11. ret = copy_to_user(buf, maxdsm.param, count); 12. if (ret) 13. pr_err("%s: copy_to_user failed - %d\n", __func__, ret); 14. 15. mutex_unlock(&dsm_fs_lock); 16. 17. return ret; 18. } This function fails to validate the "count" argument, passed in by the caller. This means that calling "read" with a large count (i.e., larger than maxdsm.param_size) would copy in additional bytes which reside after the maxdsm.param buffer. I've statically verified this issue on an SM-G935F device, using the open-source kernel package "SM-G935F_MM_Opensource". The "/dev/dsm_ctrl_dev" file is owned by root, and has an SELinux context of "u:object_r:device:s0". According to the default SELinux rules as present on the SM-G935F (version XXS1APG3), the following contexts may access these files: allow icd device : file { write append open } ; allow system_app device : dir { read getattr search open } ; allow device device : filesystem associate ; allow kiesexe device : file { ioctl read getattr lock open } ; allow oneseg_mw device : sock_file write ; allow llk_untrusted_app device : sock_file { ioctl read write getattr lock append open } ; allow ddexe device : file { ioctl read getattr lock open } ; allow ueventd device : file { ioctl read write create getattr setattr lock append unlink rename open } ; allow qti_init_shell device : file { ioctl read write create getattr setattr lock append unlink rename open } ; allow radio device : sock_file write ; allow init device : chr_file { ioctl read write create getattr setattr lock append unlink rename open } ; allow init device : file { ioctl read write create getattr setattr lock relabelfrom append unlink rename open } ; allow rild device : file { ioctl read write create getattr setattr lock append unlink rename open } ; allow nfc device : lnk_file read ; allow mpdecision device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ; allow charge device : dir { read write open } ; allow vold device : chr_file { ioctl create setattr lock append link rename execute } ; allow rild device : lnk_file { create unlink } ; allow rtcc device : dir { ioctl read write getattr add_name remove_name search open } ; allow dhcp device : file { ioctl read getattr lock open } ; allow debuggerd device : dir { write add_name remove_name } ; allow domain device : dir search ; allow bootchecker device : sock_file write ; allow rild device : dir { ioctl read write getattr add_name remove_name search open } ; allow ffu device : dir { ioctl read write getattr add_name remove_name search open } ; allow felica_app device : dir { read write setattr open } ; allow vold device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ; allow ext_symlink device : dir { write add_name remove_name } ; allow domain device : file read ; allow servicemanager device : file { ioctl read getattr lock open } ; allow init device : lnk_file unlink ; allow sdcardd device : dir { ioctl read write getattr add_name remove_name search open } ; allow llk_untrusted_app device : fifo_file { ioctl read write getattr lock append open } ; allow bugreport device : sock_file write ; allow wpa device : file { ioctl read getattr lock open } ; allow kernel device : chr_file { create getattr setattr unlink } ; allow kernel device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ; allow system_server device : sock_file { ioctl read write getattr lock append open } ; allow tbased device : dir { write create add_name } ; allow qti_init_shell device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ; allow untrusteddomain device : dir { read write setattr open } ; allow system_app device : file { ioctl read getattr lock open } ; allow cnd device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ; allow ext_symlink device : lnk_file { create unlink } ; allow thermal-engine device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ; allow mpdecision device : dir { ioctl read write getattr add_name remove_name search open } ; allow qlogd device : dir { ioctl read getattr search open } ; allow kernel device : blk_file { ioctl read write create getattr setattr lock append unlink rename open } ; allow p2p_supplicant device : file { ioctl read getattr lock open } ; allow slideshow device : dir { ioctl read getattr search open } ; allow charge device : chr_file { create unlink } ; allow ueventd device : chr_file { ioctl read write getattr lock append open } ; allow healthd device : dir { write add_name remove_name search open } ; allow fsck device : dir write ; allow mmb_mw device : sock_file write ; allow init device : dir { write relabelto mounton add_name remove_name } ; allow cbd device : dir { ioctl read write getattr add_name remove_name search open } ; allow tee device : dir { ioctl read getattr search open } ; allow system_app device : sock_file write ; allow ueventd device : lnk_file { ioctl read getattr lock unlink link rename open } ; allow system_server device : dir { ioctl read getattr search open } ; allow dumpstate device : sock_file write ; This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. Found by: laginimaineb