header-logo
Suggest Exploit
vendor:
m2m1shot Driver Framework
by:
Google Security Research
7,8
CVSS
HIGH
Stack Buffer Overflow
119
CWE
Product Name: m2m1shot Driver Framework
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2015

Samsung m2m1shot Driver Framework Stack Buffer Overflow

The Samsung m2m1shot driver framework is used to provide hardware acceleration for certain media functions, such as JPEG decoding and scaling images. The driver endpoint (/dev/m2m1shot_jpeg) is accessible by the media server. There is a stack buffer overflow in the compat ioctl for m2m1shot, where the data.buf_out.num_planes value is attacker-controlled 'u8' value, and is not bounds checked. However, task.task.buf_out.plane array is fixed in size (three elements), so a buffer overflow can occur during the loop.

Mitigation:

Update to the latest version of the Samsung m2m1shot driver framework.
Source

Exploit-DB raw data:

Source: https://code.google.com/p/google-security-research/issues/detail?id=493

The Samsung m2m1shot driver framework is used to provide hardware acceleration for certain media functions, such as JPEG decoding and scaling images. The driver endpoint (/dev/m2m1shot_jpeg) is accessible by the media server

The Samsung S6 Edge is a 64-bit device, so a compatibility layer is used to allow 32-bit processes to provide structures that are expected by the 64-bit driver. There is a stack buffer overflow in the compat ioctl for m2m1shot:

static long m2m1shot_compat_ioctl32(struct file *filp,
                                unsigned int cmd, unsigned long arg)
{
...
        switch (cmd) {
        case COMPAT_M2M1SHOT_IOC_PROCESS:
        {
                struct compat_m2m1shot data;
                struct m2m1shot_task task;
                int i, ret;

                memset(&task, 0, sizeof(task));

                if (copy_from_user(&data, compat_ptr(arg), sizeof(data))) {
                        dev_err(m21dev->dev,
                                "%s: Failed to read userdata\n", __func__);
                        return -EFAULT;
                }

                ...
                for (i = 0; i < data.buf_out.num_planes; i++) {
                        task.task.buf_out.plane[i].len =
                                                data.buf_out.plane[i].len;
                        ...
                }

In this code snippet, the data.buf_out.num_planes value is attacker-controlled "u8" value, and is not bounds checked. However, task.task.buf_out.plane array is fixed in size (three elements), so a buffer overflow can occur during the loop shown above.

Proof-of-concept code to trigger this issue (from a privileged shell) is attached (m2m1shot_compat.c).

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38555.zip

Navigation

Suggest Exploit

Services By CQR