Android: Kernel information disclosure in "maxdsm_read"
The "maxdsm" driver exposes several character devices which can be used to control and calibrate the device. One such device is the "control device", exposed under: "/dev/dsm_ctrl_dev".
The character device provides several file operations, including a "read" operation, which is implemented using the function "maxdsm_read". The code for the "maxdsm_read" function is as follows:
1. static ssize_t maxdsm_read(struct file *filep, char __user *buf,
2. size_t count, loff_t *ppos)
3. {
4. int ret;
5.
6. mutex_lock(&dsm_fs_lock);
7.
8. maxdsm_read_all();
9.
10. /* copy params to user */
11. ret = copy_to_user(buf, maxdsm.param, count);
12. if (ret)
13. pr_err("%s: copy_to_user failed - %d\n", __func__, ret);
14.
15. mutex_unlock(&dsm_fs_lock);
16.
17. return ret;
18. }
This function fails to validate the "count" argument, passed in by the caller. This means that calling "read" with a large count (i.e., larger than maxdsm.param_size) would copy in additional bytes which reside after the maxdsm.param buffer.
I've statically verified this issue on an SM-G935F device, using the open-source kernel package "SM-G935F_MM_Opensource".
The "/dev/dsm_ctrl_dev" file is owned by root, and has an SELinux context of "u:object_r:device:s0".
According to the default SELinux rules as present on the SM-G935F (version XXS1APG3), the following contexts may access these files:
allow icd device : file { write append open } ;
allow system_app device : dir { read getattr search open } ;
allow device device : filesystem associate ;
allow kiesexe device : file { ioctl read getattr lock open } ;
allow oneseg_mw device : sock_file write ;
allow llk_untrusted_app device : sock_file { ioctl read write getattr lock append open } ;
allow ddexe device : file { ioctl read getattr lock open } ;
allow ueventd device : file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow qti_init_shell device : file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow radio device : sock_file write ;
allow init device : chr_file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow init device : file { ioctl read write create getattr setattr lock relabelfrom append unlink rename open } ;
allow rild device : file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow nfc device : lnk_file read ;
allow mpdecision device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow charge device : dir { read write open } ;
allow vold device : chr_file { ioctl create setattr lock append link rename execute } ;
allow rild device : lnk_file { create unlink } ;
allow rtcc device : dir { ioctl read write getattr add_name remove_name search open } ;
allow dhcp device : file { ioctl read getattr lock open } ;
allow debuggerd device : dir { write add_name remove_name } ;
allow domain device : dir search ;
allow bootchecker device : sock_file write ;
allow rild device : dir { ioctl read write getattr add_name remove_name search open } ;
allow ffu device : dir { ioctl read write getattr add_name remove_name search open } ;
allow felica_app device : dir { read write setattr open } ;
allow vold device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ;
allow ext_symlink device : dir { write add_name remove_name } ;
allow domain device : file read ;
allow servicemanager device : file { ioctl read getattr lock open } ;
allow init device : lnk_file unlink ;
allow sdcardd device : dir { ioctl read write getattr add_name remove_name search open } ;
allow llk_untrusted_app device : fifo_file { ioctl read write getattr lock append open } ;
allow bugreport device : sock_file write ;
allow wpa device : file { ioctl read getattr lock open } ;
allow kernel device : chr_file { create getattr setattr unlink } ;
allow kernel device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ;
allow system_server device : sock_file { ioctl read write getattr lock append open } ;
allow tbased device : dir { write create add_name } ;
allow qti_init_shell device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ;
allow untrusteddomain device : dir { read write setattr open } ;
allow system_app device : file { ioctl read getattr lock open } ;
allow cnd device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow ext_symlink device : lnk_file { create unlink } ;
allow thermal-engine device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow mpdecision device : dir { ioctl read write getattr add_name remove_name search open } ;
allow qlogd device : dir { ioctl read getattr search open } ;
allow kernel device : blk_file { ioctl read write create getattr setattr lock append unlink rename open } ;
allow p2p_supplicant device : file { ioctl read getattr lock open } ;
allow slideshow device : dir { ioctl read getattr search open } ;
allow charge device : chr_file { create unlink } ;
allow ueventd device : chr_file { ioctl read write getattr lock append open } ;
allow healthd device : dir { write add_name remove_name search open } ;
allow fsck device : dir write ;
allow mmb_mw device : sock_file write ;
allow init device : dir { write relabelto mounton add_name remove_name } ;
allow cbd device : dir { ioctl read write getattr add_name remove_name search open } ;
allow tee device : dir { ioctl read getattr search open } ;
allow system_app device : sock_file write ;
allow ueventd device : lnk_file { ioctl read getattr lock unlink link rename open } ;
allow system_server device : dir { ioctl read getattr search open } ;
allow dumpstate device : sock_file write ;
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Found by: laginimaineb