Android suffers from a heap overflow vulnerability in the tlc_server via the LOAD_TUI_RESOURCE command.
86e702bdd1d488d4d30b48a6d40d70980efaf82cea8187080028d215fe150b1f
Android: Heap-overflow in "tlc_server" via LOAD_TUI_RESOURCE command
As a part of the TrustZone framework available on Samsung devices, Samsung provides an Android daemon which enables communication with a selected set of trustlets running in the Secure World.
The daemon is spawned multiple time, once for each supported trustlet. It then registers an Android binder service with a name corresponding to the trustlet with which it may communicate.
Apart from the regular commands which enable communication with the trustlet itself, the daemon also provides a special command called LOAD_TUI_RESOURCE (command code 5) which enables loading a KNOX TUI (Trusted User Interface) resource.
The function handling this command has the following logic:
Parcel data = ...;
...
if (data.readInt32(&numDwords))
goto error;
uint32_t* buffer = (uint32_t*)malloc(numDwords * 4);
if (!buffer)
goto error;
for (uint32_t i=0; i<numDwords; i++) {
if (data.readInt32(&dword))
goto error;
buffer[i] = dword;
}
Since the length field (numDwords) is not validated, it may be arbitrarily large. This means that the calculation a4*numDwordsa may overflow on 32-bit builds of "tlc_server" (i.e., on 32-bit Android devices), resulting in a small value.
The loop would then attempt to copy whatever amount of values written to the parcel (controlled by the attacker) into the allocated buffer, resulting in a heap-overflow.
The tlc_server runs with the asystema UID and GID and has an SELinux context of au:r:tlc_server:s0a.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
Found by: laginimaineb