Home / exploitsPDF  

Android fps sysfs Entry Buffer Overflow

Posted on 30 November -0001

<HTML><HEAD><TITLE>Android fps sysfs Entry Buffer Overflow</TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Android: Buffer overflow in "fps" sysfs entry The GPU driver on Exynos SoCs exposes several sysfs entries. One such entry, "fps", allows the user to overwrite or query to global FPS string. The "fps" sysfs entry is present under: /sys/devices/platform/gpusysfs/fps Writes to this entry are handled by the function "fps_show", under: drivers/gpu/gpu_sysfs/gpu_sysfs_target_exynos<VERSION>.c This function fails to validate the length of the user-supplied string, before copying it into a static global variable, "global_fps_string". ssize_t fps_write(struct device *dev, struct device_attribute *attr, const char *buf, size_t count) { pr_info("SRUK ----------- %s -- %d", __FUNCTION__, __LINE__); if (buf != NULL) sprintf(global_fps_string,"%s", buf); else sprintf(global_fps_string,"0"); /* Return success status. */ return count; } The "buf" argument contains the user-supplied data. Supplying a string larger than the static buffer (i.e., larger than 32 bytes), will allow an attacker to trigger the overflow. I've statically verified this issue on an SM-G935F device. The open-source kernel package I analysed was "SM-G935F_MM_Opensource". The sysfs entry mentioned above is owned by the "root" user and group and has an SELinux context of: "u:object_r:sysfs:s0". According to the default SELinux rules as present on the SM-G935F (version XXS1APG3), the following contexts may access these files: allow ipm sysfs : file { write setattr } ; allow netd sysfs : file write ; allow perfd sysfs : file { ioctl read write getattr lock append open } ; allow qti_init_shell sysfs : dir write ; allow rtcc sysfs : file { write setattr } ; allow nfc sysfs : file write ; allow mm-pp-daemon sysfs : file { ioctl read write getattr lock append open } ; allow geomagneticd sysfs : file { write append open } ; allow qti_init_shell sysfs : file { write setattr append open } ; allow sysfs tmpfs : filesystem associate ; allow energyawareness sysfs : file { write append open } ; allow mfgloader sysfs : file write ; allow eeh sysfs : file { ioctl read write create getattr setattr lock append unlink rename open } ; allow lmkd sysfs : file write ; allow sec-ril sysfs : file { ioctl read write create getattr setattr lock append unlink rename open } ; allow cellgeofenced sysfs : dir { ioctl read write getattr add_name remove_name search open } ; allow connfwexe sysfs : file { ioctl read write getattr lock append open } ; allow mm-qcamerad sysfs : file { ioctl read write getattr lock append open } ; allow surfaceflinger sysfs : file { ioctl read write getattr setattr lock append open } ; allow mediaserver sysfs : file { ioctl read write getattr lock append open } ; allow fstman sysfs : file write ; allow mdm_helper sysfs : file { ioctl read write getattr lock append open } ; allow sprd_res_monitor sysfs : file { ioctl read write getattr lock append open } ; allow sysfs_type sysfs : filesystem associate ; allow domain sysfs : lnk_file { ioctl read getattr lock open } ; allow debuggerd sysfs : file { write append open } ; allow bintvoutservice sysfs : file { write append open } ; allow dumpstate sysfs : file { write append open } ; allow mlexe sysfs : file { write append open } ; allow configfs sysfs : filesystem associate ; allow diag sysfs : file { write append open } ; allow qmuxd sysfs : file { write append open } ; allow vmwared sysfs : file write ; allow lpm sysfs : file { ioctl read write getattr lock append open } ; allow domain sysfs : dir { ioctl read getattr search open } ; allow init sysfs : dir { write getattr relabelfrom mounton } ; allow zygote sysfs : file write ; allow rtcc sysfs : dir setattr ; allow ueventd sysfs : file { ioctl read write getattr lock relabelfrom relabelto append open } ; allow phasecheckserver sysfs : file write ; allow vm_bms sysfs : file { write append open } ; allow modem_control sysfs : file write ; allow tbased sysfs : file write ; allow jackservice sysfs : file write ; allow radio sysfs : file { append open } ; allow cnd sysfs : file { write append open } ; allow sswap sysfs : file { write append open } ; allow factorytest sysfs : file { write open } ; allow hvdcp sysfs : file { ioctl read write getattr lock append open } ; allow marvelltel sysfs : file { ioctl read write create getattr setattr lock append unlink rename open } ; allow cbd sysfs : file { write append open } ; allow batterysrv sysfs : file write ; allow sensors sysfs : file { write append open } ; allow bauthserver sysfs : file { ioctl read write getattr lock append open } ; allow netmgrd sysfs : file { write append open } ; allow init sysfs : file { getattr relabelfrom } ; allow domain sysfs : file { ioctl read getattr lock open } ; allow kiesexe sysfs : file { write append open } ; allow lhd sysfs : file { ioctl read write getattr lock append open } ; allow at_distributor sysfs : file { write append open } ; allow mmb_mw sysfs : file { write append open } ; allow FMRadiod sysfs : file { ioctl read write create getattr setattr lock append unlink rename open } ; allow gpsd sysfs : file { ioctl read write getattr lock append open } ; allow oneseg_mw sysfs : file { write append open } ; allow mmi sysfs : file { write append open } ; allow sensorhubservice sysfs : file write ; allow kernel sysfs : file setattr ; allow rootfs sysfs : filesystem associate ; allow system_server sysfs : file { ioctl read write create getattr setattr lock append unlink rename open } ; allow qcks sysfs : file { write append open } ; allow qosmgr sysfs : file write ; allow surfaceflinger sysfs : lnk_file { ioctl read write getattr lock append open } ; allow smdexe sysfs : file { ioctl read write getattr lock append open } ; allow zram sysfs : file write ; allow wcnss_service sysfs : file { write append open } ; allow phservice sysfs : file { ioctl read write create getattr setattr lock append unlink rename open } ; allow sysfs sysfs : filesystem associate ; allow ssr_setup sysfs : file { write append open } ; allow mwirelessd sysfs : file write ; allow macloader sysfs : file { ioctl read write getattr lock append open } ; allow bluetooth sysfs : file { ioctl read write getattr lock append open } ; allow RIDL sysfs : file write ; allow autotest sysfs : file { write open } ; allow bootanim sysfs : file { ioctl read write getattr lock append open } ; allow vold sysfs : file { ioctl read write getattr lock append open } ; allow ueventd sysfs : dir { setattr relabelfrom relabelto } ; allow charger_monitor sysfs : file { write append open } ; allow mpdecision sysfs : file { ioctl read write getattr lock append open } ; allow engpc sysfs : file write ; allow rild sysfs : file { ioctl read write create getattr setattr lock append unlink rename open } ; allow thermal-engine sysfs : file { write append open } ; allow init sysfs : lnk_file { getattr setattr relabelfrom } ; allow rmt_storage sysfs : file { write append open } ; allow healthd sysfs : file write ; allow cellgeofenced sysfs : file { ioctl read write getattr lock append open } ; allow system_server sysfs : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ; allow efsks sysfs : file { write append open } ; This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public. Found by: laginimaineb </BODY></HTML>

 

TOP