###########################

# Android maxdsm Driver Kernel Information Disclosure Vulnerability

###########################

Android: Kernel information disclosure in "maxdsm_read" 




The "maxdsm" driver exposes several character devices which can be used to control and calibrate the device. One such device is the "control device", exposed under: "/dev/dsm_ctrl_dev".

The character device provides several file operations, including a "read" operation, which is implemented using the function "maxdsm_read". The code for the "maxdsm_read" function is as follows:

1. static ssize_t maxdsm_read(struct file *filep, char __user *buf,
2.    size_t count, loff_t *ppos)
3. {
4.   int ret;
5.
6.  mutex_lock(&dsm_fs_lock);
7.
8.  maxdsm_read_all();
9.
10.  /* copy params to user */
11.  ret = copy_to_user(buf, maxdsm.param, count);
12.  if (ret)
13.    pr_err("%s: copy_to_user failed - %d\n", __func__, ret);
14.
15.  mutex_unlock(&dsm_fs_lock);
16.
17.  return ret;
18. }

This function fails to validate the "count" argument, passed in by the caller. This means that calling "read" with a large count (i.e., larger than maxdsm.param_size) would copy in additional bytes which reside after  the maxdsm.param buffer. 

I've statically verified this issue on an SM-G935F device, using the open-source kernel package "SM-G935F_MM_Opensource".

The "/dev/dsm_ctrl_dev" file is owned by root, and has an SELinux context of "u:object_r:device:s0".

According to the default SELinux rules as present on the SM-G935F (version XXS1APG3), the following contexts may access these files:
   allow icd device : file { write append open } ; 
   allow system_app device : dir { read getattr search open } ; 
   allow device device : filesystem associate ; 
   allow kiesexe device : file { ioctl read getattr lock open } ; 
   allow oneseg_mw device : sock_file write ; 
   allow llk_untrusted_app device : sock_file { ioctl read write getattr lock append open } ; 
   allow ddexe device : file { ioctl read getattr lock open } ; 
   allow ueventd device : file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow qti_init_shell device : file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow radio device : sock_file write ; 
   allow init device : chr_file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow init device : file { ioctl read write create getattr setattr lock relabelfrom append unlink rename open } ; 
   allow rild device : file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow nfc device : lnk_file read ; 
   allow mpdecision device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow charge device : dir { read write open } ; 
   allow vold device : chr_file { ioctl create setattr lock append link rename execute } ; 
   allow rild device : lnk_file { create unlink } ; 
   allow rtcc device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow dhcp device : file { ioctl read getattr lock open } ; 
   allow debuggerd device : dir { write add_name remove_name } ; 
   allow domain device : dir search ; 
   allow bootchecker device : sock_file write ; 
   allow rild device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow ffu device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow felica_app device : dir { read write setattr open } ; 
   allow vold device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ; 
   allow ext_symlink device : dir { write add_name remove_name } ; 
   allow domain device : file read ; 
   allow servicemanager device : file { ioctl read getattr lock open } ; 
   allow init device : lnk_file unlink ; 
   allow sdcardd device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow llk_untrusted_app device : fifo_file { ioctl read write getattr lock append open } ; 
   allow bugreport device : sock_file write ; 
   allow wpa device : file { ioctl read getattr lock open } ; 
   allow kernel device : chr_file { create getattr setattr unlink } ; 
   allow kernel device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ; 
   allow system_server device : sock_file { ioctl read write getattr lock append open } ; 
   allow tbased device : dir { write create add_name } ; 
   allow qti_init_shell device : dir { ioctl read write create getattr setattr rename add_name remove_name reparent search rmdir open } ; 
   allow untrusteddomain device : dir { read write setattr open } ; 
   allow system_app device : file { ioctl read getattr lock open } ; 
   allow cnd device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow ext_symlink device : lnk_file { create unlink } ; 
   allow thermal-engine device : sock_file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow mpdecision device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow qlogd device : dir { ioctl read getattr search open } ; 
   allow kernel device : blk_file { ioctl read write create getattr setattr lock append unlink rename open } ; 
   allow p2p_supplicant device : file { ioctl read getattr lock open } ; 
   allow slideshow device : dir { ioctl read getattr search open } ; 
   allow charge device : chr_file { create unlink } ; 
   allow ueventd device : chr_file { ioctl read write getattr lock append open } ; 
   allow healthd device : dir { write add_name remove_name search open } ; 
   allow fsck device : dir write ; 
   allow mmb_mw device : sock_file write ; 
   allow init device : dir { write relabelto mounton add_name remove_name } ; 
   allow cbd device : dir { ioctl read write getattr add_name remove_name search open } ; 
   allow tee device : dir { ioctl read getattr search open } ; 
   allow system_app device : sock_file write ; 
   allow ueventd device : lnk_file { ioctl read getattr lock unlink link rename open } ; 
   allow system_server device : dir { ioctl read getattr search open } ; 
   allow dumpstate device : sock_file write ; 

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.




Found by: laginimaineb

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2017-01-08]

###########################