Message-ID: <CAODc34+BJ7bSmCJfe7g6jjAj+xDfj0ZyZCrUuiM7f_Gs1+XbYQ@mail.gmail.com>
Date: Mon, 18 Apr 2016 01:23:12 +0800
From: Berry <throber3@...il.com>
To: oss-security <oss-security@...ts.openwall.com>
Cc: cve-assign@...re.org
Subject: CVE request - Samsung Android phone msm_sensor_config function write some range kernel address with any value

The v4l-subdev driver provides an ioctl system call interface to user space
clients for communication. When processing this communication, the
msm_sensor_config function uses the user-supplied value gpio_config.gpio_name
as an index to a buffer for write operations without any boundary checks.

code:

    // kernel/SM-G9008V_CHN_KK_Opensource/Kernel/drivers/media/platform/msm/camera_v2/sensor/msm_sensor.c
    int msm_sensor_config(struct msm_sensor_ctrl_t *s_ctrl, void __user *argp){
        struct sensorb_cfg_data *cdata = (struct sensorb_cfg_data *)argp;

        case CFG_SET_GPIO_STATE: { //case 12:
            struct msm_sensor_gpio_config gpio_config;
            struct msm_camera_power_ctrl_t *data = &s_ctrl->sensordata->power_info;
            if (copy_from_user(&gpio_config, (void*)cdata->cfg.setting,
                               sizeof(gpio_config))) {
                pr_err("%s:%d failed\n", __func__, __LINE__);
                rc = -EFAULT;
                break;
            }
            pr_info("%s: setting gpio: %d to %d\n", __func__,
                    data->gpio_conf->gpio_num_info->gpio_num[gpio_config.gpio_name],
                    gpio_config.config_val);
            gpio_set_value_cansleep(
                data->gpio_conf->gpio_num_info->gpio_num[gpio_config.gpio_name],
                gpio_config.config_val); //control gpio_config.gpio_name and gpio_config.config_val
            break;
        }
        default:
            rc = -EFAULT;
            break;
        }

Affected versions: KK (4.4) and L with APQ8084, MSM8974, and MSM8974pro chipsets

fix:
http://security.samsungmobile.com/smrupdate.html#SMR-JAN-2016
SVE-2015-4958: msm_sensor_config security issues

We reported this to Samsung; Samsung replied that if we want a CVE, we should
request it ourselves.

Best regards,
Berry Cheng
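
The missing check described in the report above, as an added example that is not part of the original post or the Samsung driver: a userspace C model of the CFG_SET_GPIO_STATE path that validates the index before any table access. GPIO_TABLE_MAX, the struct layouts, the valid[] flag and fake_gpio_set are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define GPIO_TABLE_MAX 10          /* assumed table size, not taken from the driver */

struct gpio_table {                /* hypothetical stand-in for gpio_num_info */
    unsigned short gpio_num[GPIO_TABLE_MAX];
    unsigned char  valid[GPIO_TABLE_MAX];
};

struct gpio_request {              /* hypothetical stand-in for the struct copied from user space */
    int gpio_name;                 /* signed on purpose: an index field can arrive negative */
    int config_val;
};

/* Records the last write so the effect can be checked without hardware. */
static int last_gpio = -1, last_val = -1;
static void fake_gpio_set(unsigned gpio, int val) { last_gpio = (int)gpio; last_val = val; }

/* Returns 0 on success, -EINVAL if the request must not reach the table. */
int set_gpio_state_checked(const struct gpio_table *t, const struct gpio_request *req)
{
    if (t == NULL || req == NULL)
        return -EINVAL;
    /* Reject negative and too-large indices before any array access,
       including an access made only to format a log line. */
    if (req->gpio_name < 0 || req->gpio_name >= GPIO_TABLE_MAX)
        return -EINVAL;
    /* In range but never populated for this sensor: still refuse. */
    if (!t->valid[req->gpio_name])
        return -EINVAL;
    fake_gpio_set(t->gpio_num[req->gpio_name], req->config_val != 0);
    return 0;
}

int main(void)
{
    /* Constructed sample table and requests. */
    struct gpio_table t = { .gpio_num = { [2] = 77 }, .valid = { [2] = 1 } };
    struct gpio_request reqs[] = { {2, 1}, {-1, 1}, {10, 1}, {0x7fffffff, 1}, {3, 1} };
    for (size_t i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++)
        printf("gpio_name=%d -> rc=%d\n", reqs[i].gpio_name,
               set_gpio_state_checked(&t, &reqs[i]));
    return 0;
}
```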