<--

Google Android Synaptics Touchscreen Heap Overflow

Aleph Research Advisory

Identifier

Severity

High

Products

  1. Nexus 9
  2. Android One

Vulnerable Version

Verified on Nexus 9 6.0.1/MOB30W, 7.0/NRD90M, 7.0/NRD90R

Mitigation

Apply the December 2016 Android Security Patches.

Technical Details

Due to lenient SELinux and DAC policy, vulnerable Synaptics DSX (touchscreen driver) sysfs file entires are exposed to an attacker that executes code within the mediaserver context on Android M 6.0.1 and system_server, bluetooth, nfc contexts on Android N 7.0 (or any other SELinux domain that has target type sysfs with the open and write permissions on file class).

The vulnerability has been found in the synaptics_dsx_fw_update.c.

On module initialization, a fixed-size heap buffer is created:

static int synaptics_rmi4_fwu_init(struct synaptics_rmi4_data *rmi4_data)
{
    [...]
    fwu->image_name = kzalloc(MAX_IMAGE_NAME_LEN, GFP_KERNEL);
    if (!fwu->image_name) {
        dev_err(rmi4_data->pdev->dev.parent,
               "%s: Failed to alloc mem for image name\n",
             __func__);
        retval = -ENOMEM;
        goto exit_free_fwu;
    }
    [...]
}

Where MAX_IMAGE_NAME_LEN equals 256. The imagename sysfs device attribute is defined:

static struct device_attribute attrs[] = {
    [...]
    __ATTR(imagename, S_IWUGO,
           synaptics_rmi4_show_error,
           fwu_sysfs_image_name_store),
    [...]
};

On a write() syscall, fwu_sysfs_image_name_store(), allows an attacker to overrun the previously allocated heap buffer from userspace.

static ssize_t fwu_sysfs_image_name_store(struct device *dev,
struct device_attribute *attr, const char *buf, size_t count)
{
    memcpy(fwu->image_name, buf, count);
    return count;
}

Timeline

Credit

External References