
Samsung Kernel Arbitrary /dev/vipx / /dev/vertex kfree

Posted by deepcore on February 29, 2020 – 8:19 am

This function, reached through the VS4L_VERTEXIOC_QBUF ioctl in the Samsung kernel, has an error path that cannot work correctly. It reads an array of pointers in from userspace and replaces each userspace pointer in place with a kernel pointer allocated with kzalloc(). Unfortunately, in the error case it iterates over every pointer in the array (regardless of how many, if any, were converted to kernel pointers) and calls kfree() on each of them. Thus, all it takes to call kfree() on an arbitrary number of controlled pointers is to make the second copy_from_user() fail after the desired number of pointers to free has been copied in successfully.
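The bug pattern described above, reduced to a user-space model as an added example (this is not the Samsung driver code): `copy_from_user()`, `kzalloc()` and `kfree()` are replaced by stub functions that record which pointers were really allocated, so a cleanup loop that frees a slot still holding a userspace value is counted as a bogus free. The `fixed` flag selects the cleanup bound, the full array length (the bug) or only the slots already converted (the fix).

```c
/* Model of the QBUF error path: an array of user pointers is converted in
 * place to kzalloc()'d kernel pointers; on failure the cleanup loop must
 * free only the converted slots. All stubs and names are assumptions. */
#include <stdlib.h>
#include <string.h>
#define MAX_BUFS 4
#define BUF_SZ 16

static int copies_before_fault; /* copy_from_user calls that succeed before -EFAULT */
static int bogus_frees;         /* kfree() calls on pointers not from kzalloc() */
static void *allocated[MAX_BUFS];
static int nallocated;

static int copy_from_user_stub(void *dst, const void *src, size_t n) {
    if (copies_before_fault-- <= 0) return -1;   /* simulated fault */
    memcpy(dst, src, n);
    return 0;
}
static void *kzalloc_stub(size_t n) { return allocated[nallocated++] = calloc(1, n); }
static void kfree_stub(void *p) {
    for (int i = 0; i < nallocated; i++)
        if (p && allocated[i] == p) { allocated[i] = NULL; free(p); return; }
    if (p) bogus_frees++;   /* in the kernel this is a free of a controlled pointer */
}

/* fixed == 0 reproduces the bug: cleanup frees all n slots regardless of how
 * many were converted. fixed == 1 frees only the `done` converted slots. */
static int qbuf(void **uptrs, int n, int fixed) {
    void *list[MAX_BUFS];
    int done = 0;
    if (copy_from_user_stub(list, uptrs, n * sizeof(void *))) return -1;
    for (; done < n; done++) {
        void *k = kzalloc_stub(BUF_SZ);
        if (copy_from_user_stub(k, list[done], BUF_SZ)) { kfree_stub(k); goto err; }
        list[done] = k;                 /* userspace pointer replaced by kernel one */
    }
    return 0;
err:
    for (int i = 0; i < (fixed ? done : n); i++) kfree_stub(list[i]);
    return -1;
}

/* Run one scenario with n buffers and `ok_copies` successful copies before the
 * fault; returns how many kfree() calls hit a non-kernel pointer. */
static int run_scenario(int n, int ok_copies, int fixed) {
    static char user_mem[MAX_BUFS][BUF_SZ];     /* constructed "userspace" buffers */
    void *uptrs[MAX_BUFS];
    for (int i = 0; i < n; i++) uptrs[i] = user_mem[i];
    copies_before_fault = ok_copies; bogus_frees = 0; nallocated = 0;
    qbuf(uptrs, n, fixed);
    for (int i = 0; i < nallocated; i++) free(allocated[i]);  /* release survivors */
    return bogus_frees;
}
```

With four buffers and a fault on the third per-buffer copy, the buggy cleanup frees the two unconverted userspace values, while the fixed cleanup frees none.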

