
SVE-2018-12029

a guest, Jul 26th, 2018
Details 2018.05.20 06:25 AM (GMT -7)

NEWEST firmware obtained for G920FXXU5EQH7 from http://opensource.samsung.com

We are performing targeted fuzzing of the target-to-host interrupt handlers in Broadcom's WiFi driver (bcmdhd4358) to find potential vulnerabilities reachable from a compromised WiFi SoC. Given the proliferation of a recent class of attacks [1, 2] successfully launched on peripheral processors, we assume an attacker capable of compromising the WiFi SoC to the extent that he can influence the response data sent from the WiFi firmware to the application processor (HLOS driver).

For each ringbuffer (6 in total) there is a shared MMIO region which holds, among other things, the read and write pointers of the ringbuffer. The driver reads these shared fields with the following function:

/* Reads one field of the shared (device-writable) region for the given ring.
 * The read and write pointers returned here are taken as-is from the device. */
void
dhd_bus_cmn_readshared(dhd_bus_t *bus, void* data, uint8 type, uint16 ringid)
{
    pciedev_shared_t *sh;
    ulong tcm_offset;

    sh = (pciedev_shared_t*)bus->shared_addr;

    switch (type) {
        case RING_WRITE_PTR :
            tcm_offset = bus->ring_sh[ringid].ring_state_w;
            *(uint16*)data = LTOH16(dhdpcie_bus_rtcm16(bus, tcm_offset));
            break;
        case RING_READ_PTR :
            tcm_offset = bus->ring_sh[ringid].ring_state_r;
            *(uint16*)data = LTOH16(dhdpcie_bus_rtcm16(bus, tcm_offset));
            break;
        case TOTAL_LFRAG_PACKET_CNT :
            *(uint16*)data = LTOH16(dhdpcie_bus_rtcm16(bus,
                (ulong) &sh->total_lfrag_pkt_cnt));
            break;
        case HTOD_MB_DATA:
            *(uint32*)data = LTOH32(dhdpcie_bus_rtcm32(bus, bus->h2d_mb_data_ptr_addr));
            break;
        case DTOH_MB_DATA:
            *(uint32*)data = LTOH32(dhdpcie_bus_rtcm32(bus, bus->d2h_mb_data_ptr_addr));
            break;
        case MAX_HOST_RXBUFS :
            *(uint16*)data = LTOH16(dhdpcie_bus_rtcm16(bus,
                (ulong) &sh->max_host_rxbufs));
            break;
        default :
            break;
    }
}
  45.  
When the host posts packets to the device it
1) reads the ringbuffer read pointer, and
2) checks whether there is space to write using the following macros, where
   d: number of elements in the ringbuffer
   w: write index
   r: read index

#define NTXPACTIVE(r, w, d)     (((r) <= (w)) ? ((w)-(r)) : ((d)-(r)+(w)))
#define WRITE_SPACE_AVAIL_CONTINUOUS(r, w, d)       ((w >= r) ? (d - w) : (r - w))
#define WRITE_SPACE_AVAIL(r, w, d)  (d - (NTXPACTIVE(r, w, d)) - 1)
#define CHECK_WRITE_SPACE(r, w, d)  \
    MIN(WRITE_SPACE_AVAIL(r, w, d), WRITE_SPACE_AVAIL_CONTINUOUS(r, w, d))

For r > w this evaluates to   MIN( d - (d-r+w) - 1 , r - w )
                            = MIN(        r-w  - 1 , r - w )
  61.  
This implicitly assumes that r < d.
However, the WiFi firmware can return a value for r that is much higher than d and therefore cause the driver to write over the end of the ringbuffer.
The function which checks and allocates space on the ringbuffer is shown below:

===============
Vulnerable source
===============
/* Assumes only one index is updated at a time */
static void *BCMFASTPATH
prot_get_ring_space(msgbuf_ring_t *ring, uint16 nitems, uint16 * alloced)
{
    void *ret_ptr = NULL;
    uint16 ring_avail_cnt;

    ASSERT(nitems <= RING_MAX_ITEM(ring));

    /* RING_READ_PTR(ring) comes from the shared region and is not range-checked */
    ring_avail_cnt = CHECK_WRITE_SPACE(RING_READ_PTR(ring), RING_WRITE_PTR(ring),
        RING_MAX_ITEM(ring)); // XXX this will return a very high number

    if (ring_avail_cnt == 0) {
        return NULL;
    }
    *alloced = MIN(nitems, ring_avail_cnt);

    /* Return next available space */
    ret_ptr = (char*)HOST_RING_BASE(ring) + (RING_WRITE_PTR(ring) * RING_LEN_ITEMS(ring));

    /* Update write pointer */
    if ((RING_WRITE_PTR(ring) + *alloced) == RING_MAX_ITEM(ring))
        RING_WRITE_PTR(ring) = 0;
    else if ((RING_WRITE_PTR(ring) + *alloced) < RING_MAX_ITEM(ring))
        RING_WRITE_PTR(ring) += *alloced;
    else {
        /* Should never hit this */
        ASSERT(0);
        return NULL;
    }

    return ret_ptr;
}
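
To make the arithmetic above concrete, here is an added stand-alone C program; it is not part of the report and not code from the bcmdhd driver. It copies the report's space-check macros verbatim, evaluates CHECK_WRITE_SPACE for read indices inside and outside the ring, flags the cases where the space handed out from the current write index would run past the last slot, and shows a hardened variant that treats the device-supplied read index as untrusted input and rejects anything outside [0, d) before doing any ring arithmetic. The function names, the two-argument MIN definition, the ring size 1024 and the sample index values are my own constructed assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Ring-space macros exactly as quoted in the report; MIN is the usual two-argument form. */
#define MIN(a, b) (((a) < (b)) ? (a) : (b))
#define NTXPACTIVE(r, w, d)     (((r) <= (w)) ? ((w)-(r)) : ((d)-(r)+(w)))
#define WRITE_SPACE_AVAIL_CONTINUOUS(r, w, d)       ((w >= r) ? (d - w) : (r - w))
#define WRITE_SPACE_AVAIL(r, w, d)  (d - (NTXPACTIVE(r, w, d)) - 1)
#define CHECK_WRITE_SPACE(r, w, d)  \
    MIN(WRITE_SPACE_AVAIL(r, w, d), WRITE_SPACE_AVAIL_CONTINUOUS(r, w, d))

/*
 * Space computation as the driver performs it: r is the read index read back from the
 * shared region (device-writable), w the host-owned write index, d the ring size in items.
 * All three are uint16 in the driver; the macro arithmetic happens in int and the result
 * is stored back into a uint16, which is the "very high number" the report refers to.
 */
uint16_t space_as_driver(uint16_t r, uint16_t w, uint16_t d)
{
    return (uint16_t)CHECK_WRITE_SPACE(r, w, d);
}

/*
 * True when the computed space, counted from the current write index, extends past the
 * last slot of the ring, i.e. the check hands out slots that do not exist.
 */
bool claims_past_end(uint16_t r, uint16_t w, uint16_t d)
{
    return (uint32_t)w + space_as_driver(r, w, d) > d;
}

/*
 * Hardened variant (added here, hypothetical, not the driver's code): reject a read or
 * write index outside [0, d) before any ring arithmetic. Returns false and leaves *space
 * untouched when an index is out of range.
 */
bool space_validated(uint16_t r, uint16_t w, uint16_t d, uint16_t *space)
{
    if (d == 0 || r >= d || w >= d)
        return false;
    *space = (uint16_t)CHECK_WRITE_SPACE(r, w, d);
    return true;
}

int main(void)
{
    const uint16_t d = 1024;  /* constructed ring size */
    struct { uint16_t r, w; const char *note; } cases[] = {
        { 100,   200,  "sane: r < w < d" },
        { 200,   100,  "sane: w < r < d" },
        { 1029,  1000, "device returns r slightly above d" },
        { 60000, 10,   "device returns r far above d" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint16_t r = cases[i].r, w = cases[i].w, checked = 0;
        printf("%-36s r=%5u w=%5u  driver space=%5u  past end=%-3s  validated=%s\n",
               cases[i].note, (unsigned)r, (unsigned)w,
               (unsigned)space_as_driver(r, w, d),
               claims_past_end(r, w, d) ? "yes" : "no",
               space_validated(r, w, d, &checked) ? "ok" : "rejected");
    }
    return 0;
}
```

With r = 1029 and w = 1000 the driver's macros report 28 free slots starting at index 1000, although only 24 slots remain before the end of a 1024-item ring; with r = 60000 they report 59989. The validated variant returns false for both, so the caller can drop the request instead of computing an offset from an index the device chose.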
Activity

Samsung Mobile Security 2018.05.20 06:25 AM (GMT -7)
Dear Fel***,

We would like to thank you for sharing a potential security issue for Samsung mobile devices.
Your report is registered normally and we will assign a proper engineer soon.
We respectfully ask you to hold off disclosing this information until the analysis is complete and an adequate remedy is in place, in order to reduce risks to the end consumers.
Thank you.

NOTE: Please note that we may ask you to report it through a different channel if our analysis concludes that there is no security impact.

Very Respectfully,
Samsung Mobile Security

Samsung Mobile Security 2018.05.21 11:05 PM (GMT -7)
Dear Fel***,

A developer has been assigned to this issue and is looking into it. We will keep you updated on our progress soon.

Thank you.

Very Respectfully,
Samsung Mobile Security

Samsung Mobile Security 2018.05.29 09:18 PM (GMT -7)
We appreciate you submitting the report through our Security Reporting page.

However, as mentioned on the instructions page, please provide a Proof-of-Concept to help us determine the security impact of the vulnerability.

Additionally, we want to get detailed information about the buffer overflow flow.

Please note that if the report does not include a valid Proof-of-Concept, the qualification for rewards will be decided according to the reproducibility and severity of the vulnerability, and the rewards amount may be reduced significantly.

Thank you.

Very Respectfully,
Samsung Mobile Security

Fel*** 2018.06.06 02:21 AM (GMT -7)
Dear Samsung Mobile Security Team,
I understand that I might not be eligible for a reward.
In fact, I am mainly interested in the confirmation of the vulnerability, regardless of monetary compensation.
As has already been said, the bug exists within the interface between the peripheral device and the WiFi driver.
Therefore, the issue can only be triggered from a previously compromised WiFi chip. This is why I am not able to provide a proof-of-concept.
However, I am more than happy to provide further information regarding the bug; please let me know which information is required in order to proceed with this issue.

Regards,
Felicitas Hetzelt

Samsung Mobile Security 2018.07.03 01:03 AM (GMT -7)
Dear Fel***,

We confirmed the vulnerability and set its severity to Low. We will fix the vulnerability as soon as possible.

We respectfully ask you to hold off disclosing this information until the analysis is complete and an adequate remedy is in place, in order to reduce risks to the end consumers.

Thank you.

Very Respectfully,
Samsung Mobile Security

Fel*** 2018.07.03 01:31 AM (GMT -7)
Dear Samsung Security Team,
thank you very much for confirming the vulnerability. Will there be any reference with visibility to the public (like a CVE or a public Bug ID)?
If so, it would be great if you could include my collaborators Dokyung Song (dokyungs@uci.edu) and Dipanjan Das (dipanjan@cs.ucsb.edu).

Regards,
Felicitas Hetzelt

Samsung Mobile Security 2018.07.10 01:21 AM (GMT -7)
Dear Felicitas Hetzelt,

We issue an SVE number for this vulnerability.
We also publish an acknowledgment via https://security.samsungmobile.com.
If you want to get a CVE for this issue, you can apply directly to MITRE using the history of this page.

Thank you.

Very Respectfully,
Samsung Mobile Security

Samsung Mobile Security 2018.07.14 08:09 PM (GMT -7)
Dear Fel***,

We appreciate your interest and intention to help improve the security of Samsung Mobile products. We take security and privacy issues very seriously; and as an appreciation for helping Samsung Mobile improve the security of our products and minimizing risk to our end-consumers, we are offering a rewards program.

For the rewards payment process, our partner Bugcrowd (www.bugcrowd.com) will contact you soon, when they finalize the list for the next rewards cycle.

While the payment will be handled by Bugcrowd, we need additional information from you for tax purposes.

In order to begin the process, we kindly ask you to provide the information below to our bounty team (m.sec.bounty@samsung.com):

- Full Name (*required)
- Address (*required)
- Postal code (*required)
- Phone number (*required)
- FAX number

Note that the rewards payment process can start only after we receive all required information above, and delays may occur with missing or incomplete information.

Also, please note that withholding tax may be deducted from the monetary reward in accordance with the laws of the applicable jurisdiction, and the tax rate may differ by country.

Thank you.

Very Respectfully,
Samsung Mobile Security

Fel*** 2018.07.14 11:04 PM (GMT -7)
Dear Samsung Mobile Security Team,
I am very happy to hear that, it was a pleasure working with you!

Regards,
Felicitas

Fel*** 2018.07.24 07:16 PM (GMT -7)
Dear Samsung Security Team,
sorry to bother you again, but would it be possible to get the SVE for this before the 11th of August? I would need it as a reference.

Regards,
Felicitas

Fel*** 2018.07.24 07:24 PM (GMT -7)
... Actually, I just re-checked and I would need the SVE before August 7th! I would be much obliged if you could have it issued by then.

Regards,
Felicitas

Samsung Mobile Security LATEST Today 04:13 PM (GMT -7)
Dear Felicitas Hetzelt,

The following is the SVE number for this issue.
- SVE-2018-12029

Thank you.

Very Respectfully,
Samsung Mobile Security