A newly disclosed vulnerability (CVE-2024-27371) affects the Samsung Mobile Processors Exynos 980, Exynos 850, Exynos 128, Exynos 138, and Exynos 133. The affected function, slsi_nan_followup_get_nl_params(), lacks an input validation check on the hal_req->service_specific_info_len parameter, which originates in userspace. The missing check can lead to a heap overwrite, allowing an attacker to execute arbitrary code or crash the device.

Details

The vulnerability was found during code analysis of the Samsung Exynos processor's driver implementation. The function slsi_nan_followup_get_nl_params() handles input parameters supplied from userspace; specifically, it parses follow-up messages for the NAN (Neighbor Awareness Networking) subsystem.

Here is a snippet of the vulnerable function:

static int slsi_nan_followup_get_nl_params(struct slsi_dev *sdev, struct net_device *dev, int *index, struct slsi_hal_nan_followup_req *hal_req)
{
    // ... (other code)
    u16 data_len;

    // ... (other code)
    // Length taken directly from the userspace-supplied request; no bound check follows
    data_len = hal_req->service_specific_info_len;

    // ... (other code)
    // Heap allocation sized by the unchecked 'data_len'
    u8 *data = kmalloc(data_len, GFP_KERNEL);

    // ... (other code)
    // Copy of 'data_len' bytes from the user-supplied buffer into 'data'
    memcpy(data, userspace_buf, data_len);

    // ... (rest of function)
}

Notice that data_len is never validated after being assigned from hal_req->service_specific_info_len, a value that comes from userspace. An attacker can therefore supply a maliciously crafted value, which can result in a heap overwrite through the kmalloc() allocation and the memcpy() that follows.

Exploit

To exploit this vulnerability, an attacker could craft a malicious application that interacts with the Exynos processor's NAN subsystem. By providing a carefully crafted value for the service_specific_info_len field of the hal_req structure, the attacker could cause the vulnerable function to allocate memory of an inappropriate size and then overwrite adjacent heap areas during the subsequent memcpy() operation. This heap overwrite may lead to arbitrary code execution or denial of service (crash).

Note that exploitation requires a malicious application to run on the target device; the potential impact is therefore greatest where an attacker is able to deploy such an application on a victim's device.

Mitigation

Currently, there are no official patches or updates that mitigate this vulnerability. A possible temporary workaround is to add an input validation check on the hal_req->service_specific_info_len parameter inside slsi_nan_followup_get_nl_params(), before the value is used for memory allocation and the data copy.
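To make the workaround concrete, here is an added userspace model of the pattern (not the Samsung driver's code): a fixed-size request structure, the checked length, and the allocate-then-copy sequence. The struct layout, the NAN_MAX_SERVICE_SPECIFIC_INFO_LEN bound and all function names are assumptions for illustration; malloc() stands in for kmalloc().

```c
/* Added example, not the Samsung driver's code: models the missing bound
 * check in slsi_nan_followup_get_nl_params(). The struct layout, the
 * maximum length and the function names are assumptions for illustration. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define NAN_MAX_SERVICE_SPECIFIC_INFO_LEN 1024  /* assumed upper bound */

struct nan_followup_req {
    uint16_t service_specific_info_len;  /* supplied by userspace, untrusted */
    uint8_t service_specific_info[NAN_MAX_SERVICE_SPECIFIC_INFO_LEN];
};

/* Hardened version: validate the length before it reaches the allocator or
 * the copy. Returns the number of bytes copied, -EINVAL for an out-of-range
 * length, or -ENOMEM if the allocation fails. The caller frees *out. */
int followup_get_params_checked(const struct nan_followup_req *req, uint8_t **out)
{
    uint16_t data_len = req->service_specific_info_len;
    uint8_t *data;

    *out = NULL;
    /* The check the vulnerable function lacks: reject lengths larger than
     * the source buffer so the copy can never run past it. */
    if (data_len > NAN_MAX_SERVICE_SPECIFIC_INFO_LEN)
        return -EINVAL;

    data = malloc(data_len ? data_len : 1);  /* stands in for kmalloc() */
    if (!data)
        return -ENOMEM;
    memcpy(data, req->service_specific_info, data_len);
    *out = data;
    return data_len;
}

/* Drive the checked function with a given length on a constructed request. */
int try_length(uint16_t len)
{
    struct nan_followup_req req;
    uint8_t *buf;
    int rc;

    memset(&req, 0x41, sizeof(req));  /* constructed sample payload */
    req.service_specific_info_len = len;
    rc = followup_get_params_checked(&req, &buf);
    free(buf);
    return rc;
}
```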


Conclusion

CVE-2024-27371 is a significant security issue in the Samsung Exynos mobile processor series that gives attackers a potential heap overwrite. Developers and users of devices built on these processors should be aware of the issue and watch for official security updates and patches from Samsung. In the meantime, developers can add input validation checks as a temporary workaround.

Timeline

Published on: 06/05/2024 19:15:12 UTC
Last modified on: 08/21/2024 16:35:04 UTC