Source: https://code.google.com/p/google-security-research/issues/detail?id=493
The Samsung m2m1shot driver framework is used to provide hardware acceleration for certain media functions, such as JPEG decoding and scaling images. The driver endpoint (/dev/m2m1shot_jpeg) is accessible by the media server
The Samsung S6 Edge is a 64-bit device, so a compatibility layer is used to allow 32-bit processes to provide structures that are expected by the 64-bit driver. There is a stack buffer overflow in the compat ioctl for m2m1shot:
static long m2m1shot_compat_ioctl32(struct file *filp,
unsigned int cmd, unsigned long arg)
{
...
switch (cmd) {
case COMPAT_M2M1SHOT_IOC_PROCESS:
{
struct compat_m2m1shot data;
struct m2m1shot_task task;
int i, ret;
memset(&task, 0, sizeof(task));
if (copy_from_user(&data, compat_ptr(arg), sizeof(data))) {
dev_err(m21dev->dev,
"%s: Failed to read userdata\n", __func__);
return -EFAULT;
}
...
for (i = 0; i < data.buf_out.num_planes; i++) {
task.task.buf_out.plane[i].len =
data.buf_out.plane[i].len;
...
}
In this code snippet, the data.buf_out.num_planes value is attacker-controlled "u8" value, and is not bounds checked. However, task.task.buf_out.plane array is fixed in size (three elements), so a buffer overflow can occur during the loop shown above.
Proof-of-concept code to trigger this issue (from a privileged shell) is attached (m2m1shot_compat.c).
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38555.zip
