CVE-2022-21766: Mediatek CCCI Kernel Driver Stack Buffer Overflow

We have identified a new stack buffer overflow vulnerability in Mediatek’s Linux Kernel driver implementation of the cellular-to-application processor communication interface (CCCI). The vulnerability can be exploited by a malicious (compromised) baseband runtime to achieve arbitrary code execution in the Linux Kernel. The vulnerability we are disclosing in this advisory affected a wide range of Mediatek devices, including phones on the newest chipsets (Dimensity 700, 1000, etc.). The July 2022 issue of the Mediatek Security Bulletin lists this vulnerability as CVE-2022-21766.

Vulnerability Details

There is a kernel stack buffer overflow in the implementation of the modem-kernel communication interface. The overflow can be used to overwrite the return address of a kernel function with attacker-controlled data.

CVE-2022-21744: Mediatek Baseband GPRS PNCD Heap Buffer Overflow

We have identified a new heap buffer overflow vulnerability in Mediatek’s baseband implementation. The vulnerability can be exploited to achieve arbitrary code execution in the baseband runtime. The vulnerability we are disclosing in this advisory affected a wide range of Mediatek devices, including phones on the newest chipsets (Dimensity 700, 1000, etc.). The July 2022 issue of the Mediatek Security Bulletin lists this vulnerability as CVE-2022-21744.

Vulnerability Details

The GPRS Packet Neighbour Cell Data (PNCD) message is an optional message sent by the network on the PACCH to provide the system information required for initial access in a neighbouring cell. In the MediaTek baseband firmware, this message is processed in the FDD_rmpc_mac_rmpc_pncd_ind_hdlr function.

CVE-2022-21765: Mediatek CCCI Kernel Driver OOB Write

We have identified a new out-of-bounds write vulnerability in Mediatek’s Linux Kernel driver implementation of the cellular-to-application processor communication interface (CCCI). The vulnerability can be exploited by a malicious (compromised) baseband runtime to achieve arbitrary code execution in the Linux Kernel. The vulnerability we are disclosing in this advisory affected a wide range of Mediatek devices, including phones on the newest chipsets (Dimensity 700, 1000, etc.). The July 2022 issue of the Mediatek Security Bulletin lists this vulnerability as CVE-2022-21765.

Vulnerability Details

There is a vmalloc out-of-bounds write in the kernel implementation of the modem-kernel communication interface. It can be used to write controlled data, of controlled size, to a controlled location within the kernel’s vmalloc memory region.

CVE-2022-21769: Mediatek CCCI Kernel Driver OOB Read

We have identified a new out-of-bounds read vulnerability in Mediatek’s Linux Kernel driver implementation of the cellular-to-application processor communication interface (CCCI). The vulnerability can be exploited by a malicious (compromised) baseband runtime to leak information from the kernel runtime and defeat the kernel’s entropy-based mitigations, such as KASLR and stack smashing protection. The vulnerability we are disclosing in this advisory affected a wide range of Mediatek devices, including phones on the newest chipsets (Dimensity 700, 1000, etc.). The July 2022 issue of the Mediatek Security Bulletin lists this vulnerability as CVE-2022-21769.

Vulnerability Details

There is a vmalloc out-of-bounds read in the kernel implementation of the modem-kernel communication interface.

CVE-2022-22256: Huawei HWLog KASLR Leak

In this advisory we are disclosing a vulnerability in the Huawei log device that allows any unprivileged process to learn the values of randomized kernel pointers. The vulnerability can be used to defeat the KASLR mitigation. Huawei kernels ship with custom log devices (/dev/hwlog_dubai, /dev/hwlog_exception and /dev/hwlog_jank) that facilitate system diagnostics through a series of ioctl calls. One of these diagnostic modules is referred to as memcheck, and it provides detailed statistics about system memory usage. These statistics disclose randomized kernel pointers to an attacker, enabling them to defeat KASLR. Due to an access control configuration error, these ioctls are exposed to untrusted and isolated application contexts; as a result, any unprivileged process can exploit this vulnerability.

CVE-2022-22252: Huawei HWLog Vmalloc Use-After-Free

In this advisory we are disclosing a vulnerability in the Huawei log device that allows any unprivileged process to read sensitive information from the kernel. Huawei kernels ship with custom log devices (/dev/hwlog_dubai, /dev/hwlog_exception and /dev/hwlog_jank) that facilitate system diagnostics through a series of ioctl calls. One of these diagnostic modules is referred to as zrhung, and it provides information and configuration options for monitoring hung processes. The implementation of the config set ioctl contains a race condition that allows an attacker to free the underlying buffer holding the configuration data while it is still referenced. Subsequent config get ioctl calls use the dangling pointer to read, and thereby disclose, potentially sensitive dynamically allocated kernel data.

CVE-2022-22253: Huawei HWLog Memory Corruption Via Race Condition

In this advisory we are disclosing a memory corruption vulnerability in the Huawei log device that allows any unprivileged process to trigger a kernel crash and reboot the device. Huawei kernels ship with custom log devices (/dev/hwlog_dubai, /dev/hwlog_exception and /dev/hwlog_jank) that facilitate system diagnostics through a series of ioctl calls. One of these diagnostic modules is referred to as memcheck, and it provides detailed statistics about system memory usage, including the allocations made by the SLAB kernel allocator. The implementation of this SLAB tracer contains a series of race conditions that can lead to kernel memory corruption and kernel deadlocks.

CVE-2021-25452: Kernel Permanent Denial of Service Vulnerability in the Vision DSP Kernel Driver

There are a memory management vulnerability and a path traversal vulnerability in the vision DSP kernel driver of Exynos S20 devices. These vulnerabilities can be leveraged by a malicious untrusted application to permanently disable the device until it is factory reset.

Vulnerability Details

The Exynos DSP driver implements an ioctl call that allows applications to upload a custom model (graph) to the DSP device. The DSP_IOC_LOAD_GRAPH ioctl handler of the /dev/dsp device receives an array of names of the graph binaries to be loaded. The dsp_kernel_alloc function appends the “.elf” extension to the user-supplied name and then uses the kernel’s request firmware API to load it from the file system.

CVE-2021-25457: Kernel Information Disclosure in the Vision DSP Kernel Driver

There is a sensitive information disclosure vulnerability in the vision DSP kernel driver of Exynos S20 devices. The vulnerability can be used by malicious privileged applications to read the kernel’s memory and other applications’ memory.

Vulnerability Details

The Exynos DSP driver implements an ioctl call that allows applications to upload a custom model (graph) to the DSP device. The DSP_IOC_LOAD_GRAPH ioctl handler of the /dev/dsp device receives an array of Unix paths of the graph files to be loaded. This array has a compound structure: it begins with an array of integers holding the length of each path, followed by the path strings themselves, packed one after the other and delimited only by those length values.
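The two DSP_IOC_LOAD_GRAPH summaries above (CVE-2021-25452: a user-supplied name gets “.elf” appended and is handed to the request firmware API; CVE-2021-25457: a table of lengths followed by packed path strings) together describe the input format and the two checks such a handler needs. The following is an added example written for this page, not code from the Exynos driver or from the advisories: it parses the length-prefixed array with every claimed length checked against what actually remains in the buffer, and rejects any name that could steer the firmware loader outside its directory before the extension is appended. The 32-bit width of the length entries, the element count being passed as a separate argument, the size limits, the result codes and the sample inputs are all assumptions made for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical limits; the real driver's values are not given in the advisory. */
#define MAX_GRAPH_NAMES    8
#define MAX_GRAPH_NAME_LEN 64

/* Hypothetical result codes. */
enum { GRAPH_OK = 0, GRAPH_EBADLEN = -1, GRAPH_EBADNAME = -2 };

struct graph_names {
    uint32_t count;
    char name[MAX_GRAPH_NAMES][MAX_GRAPH_NAME_LEN + sizeof(".elf")];
};

/* A name is passed to the firmware loader after ".elf" is appended, so it must be
 * non-empty, must not start with '.' (rejects "." and ".."), and may only contain
 * a conservative character set; that excludes '/', '\\', NUL and control bytes. */
static int graph_name_is_safe(const char *s, uint32_t len)
{
    if (len == 0 || s[0] == '.')
        return 0;
    for (uint32_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }
    return 1;
}

/* Assumed layout: uint32_t len[count], then the name bytes packed back to back.
 * `count` is assumed to arrive as a separate ioctl argument. */
int parse_graph_names(const uint8_t *buf, size_t buf_len, uint32_t count,
                      struct graph_names *out)
{
    memset(out, 0, sizeof(*out));
    if (count == 0 || count > MAX_GRAPH_NAMES)
        return GRAPH_EBADLEN;
    size_t off = (size_t)count * sizeof(uint32_t);   /* length table size */
    if (off > buf_len)
        return GRAPH_EBADLEN;
    for (uint32_t i = 0; i < count; i++) {
        uint32_t len;
        memcpy(&len, buf + i * sizeof(uint32_t), sizeof(len));
        /* Validate the claimed length against the bytes that really remain before
         * reading them; without this a large length reads past the user copy. */
        if (len > MAX_GRAPH_NAME_LEN || len > buf_len - off)
            return GRAPH_EBADLEN;
        const char *s = (const char *)buf + off;
        if (!graph_name_is_safe(s, len))
            return GRAPH_EBADNAME;
        memcpy(out->name[i], s, len);
        memcpy(out->name[i] + len, ".elf", sizeof(".elf"));  /* includes NUL */
        off += len;
    }
    out->count = count;
    return GRAPH_OK;
}

/* Serialise a request in the same assumed layout; used to build the samples. */
static size_t build_request(const char *const *names, uint32_t count,
                            uint8_t *out, size_t cap)
{
    size_t off = (size_t)count * sizeof(uint32_t);
    if (off > cap)
        return 0;
    for (uint32_t i = 0; i < count; i++) {
        uint32_t len = (uint32_t)strlen(names[i]);
        memcpy(out + i * sizeof(uint32_t), &len, sizeof(len));
        if (len > cap - off)
            return 0;
        memcpy(out + off, names[i], len);
        off += len;
    }
    return off;
}

/* Constructed inputs (not captures from a device); results land in `last`. */
static struct graph_names last;
const char *last_name(uint32_t i) { return last.name[i]; }
uint32_t last_count(void) { return last.count; }

int case_well_formed(void)
{
    static const char *const names[] = { "model_a", "model_b" };
    uint8_t buf[256];
    size_t n = build_request(names, 2, buf, sizeof(buf));
    return parse_graph_names(buf, n, 2, &last);
}

int case_oversized_length(void)
{
    static const char *const names[] = { "model_a" };
    uint8_t buf[256];
    size_t n = build_request(names, 1, buf, sizeof(buf));
    uint32_t lie = 64;                   /* claims 64 bytes; only 7 are present */
    memcpy(buf, &lie, sizeof(lie));
    return parse_graph_names(buf, n, 1, &last);
}

int case_traversal(void)
{
    static const char *const names[] = { "../../data/local/tmp/evil" };
    uint8_t buf[256];
    size_t n = build_request(names, 1, buf, sizeof(buf));
    return parse_graph_names(buf, n, 1, &last);
}

int main(void)
{
    int rc = case_well_formed();
    printf("well-formed: %d (%s, %s)\n", rc, last_name(0), last_name(1));
    printf("oversized length: %d\n", case_oversized_length());
    printf("traversal: %d\n", case_traversal());
    return 0;
}
```

The ordering inside the loop is the point: the length is compared with `buf_len - off` before the string is touched, and the name filter runs before the extension is appended, so neither a lying length table nor a name containing a separator reaches the copy or the loader.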

CVE-2021-25467: Kernel LPE in the Vision DSP Kernel Driver

There is a kernel virtual-memory-mapped IO buffer overflow vulnerability in the vision DSP kernel driver of Exynos S20 devices. The vulnerability could be used by a malicious system application to compromise the kernel and gain further privileges. It is only triggerable from compromised system applications because of a second, access control bypass, issue. Besides enabling code execution in the kernel, that access control bypass may itself be used by compromised system applications to take complete control over the DSP device directly.

Vulnerability Details

The Exynos DSP driver implements an ioctl call that allows applications to upload a custom model (graph) to the DSP device.