
LG Felica Driver Dangerous set_fs Usage
Posted Feb 9, 2017
Authored by Google Security Research, Mark Brand

The LG Felica driver performs a dangerous set_fs usage.

tags | advisory
SHA-256 | 5f2a0992eeb78e5f0e7011970487e4721cea768002f4fe1d89ffc9765b2c9f11

LG: Felica driver dangerous set_fs usage

There are multiple weaknesses in the use of KERNEL_DS in the LG felica drivers,
in /drivers/felica. See, for example, felica_i2c_open:

/*
 * Description :
 * Input :
 * Output :
 */
int felica_i2c_open (void)
{
    mm_segment_t old_fs = get_fs();

    FELICA_DEBUG_MSG_LOW("[FELICA_I2C] felica_i2c_open\n");

    set_fs(KERNEL_DS);
    /* fd is declared elsewhere in the driver; sys_open places the new
     * descriptor in the fd table of the current (calling) process */
    fd = sys_open(FELICA_IC2_NAME, O_RDWR|O_NONBLOCK, 0);

    FELICA_DEBUG_MSG_MED("[FELICA] cbal - sys_open fd : %d \n",fd);

    if (fd < 0)
    {
        FELICA_DEBUG_MSG_HIGH("[FELICA_I2C] ERROR - felica_i2c_open : %d \n", fd);

        /* error path: returns with KERNEL_DS still in effect, the
         * set_fs(old_fs) below is never reached */
        return fd;
    }

    set_fs(old_fs);

    return 0;
}

This code is setting KERNEL_DS, and there is a code-path in which it does not
restore USER_DS before returning; similarly to the other reported issue this can
be exploited to gain read/write access to kernel memory. This should be
triggerable from usermode by simply opening the maximum number of permitted open
files (ulimit -Sn), then opening the felica i2c device. The call to sys_open
will fail, triggering the error path and skipping the set_fs(old_fs) call.

(Every use of set_fs(KERNEL_DS) in the felica code appears to handle error cases
badly, failing to restore the original value).
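To show the defect and its fix side by side in a form that runs outside the kernel, here is an added user-space model (not the driver's code and not part of the advisory): the address-limit values, get_fs/set_fs, sys_open and the device path are stand-ins constructed for the example, and sys_open is made to fail the way a full fd table would.

```c
/* Stand-ins for the kernel's per-thread address limit (constructed for this example). */
typedef unsigned long mm_segment_t;
#define USER_DS   ((mm_segment_t)0x00007ffffffff000UL)
#define KERNEL_DS ((mm_segment_t)~0UL)
static mm_segment_t addr_limit = USER_DS;
static mm_segment_t get_fs(void) { return addr_limit; }
static void set_fs(mm_segment_t fs) { addr_limit = fs; }

/* Simulated fd table: sys_open fails with -EMFILE when it is full, which is the
 * condition the advisory reaches by exhausting the soft fd limit (ulimit -Sn). */
#define EMFILE 24
static int fd_table_full = 0;
static int sys_open(const char *path, int flags, int mode)
{
    (void)path; (void)flags; (void)mode;
    return fd_table_full ? -EMFILE : 3;
}

/* Same shape as the driver's felica_i2c_open: the error path returns early and
 * skips set_fs(old_fs), leaving the thread at KERNEL_DS. */
int felica_i2c_open_buggy(void)
{
    mm_segment_t old_fs = get_fs();
    set_fs(KERNEL_DS);
    int fd = sys_open("/dev/felica_placeholder", 0, 0);   /* placeholder path */
    if (fd < 0)
        return fd;              /* BUG: old_fs is never restored here */
    set_fs(old_fs);
    return 0;
}

/* Hardened form: the saved limit is restored before any return is taken. */
int felica_i2c_open_fixed(void)
{
    mm_segment_t old_fs = get_fs();
    set_fs(KERNEL_DS);
    int fd = sys_open("/dev/felica_placeholder", 0, 0);   /* placeholder path */
    set_fs(old_fs);             /* restore on every path, success or failure */
    return fd < 0 ? fd : 0;
}

/* One open with a full fd table; true if KERNEL_DS survived past the return. */
int leaks_kernel_ds(int (*open_fn)(void))
{
    addr_limit = USER_DS;
    fd_table_full = 1;
    int ret = open_fn();
    fd_table_full = 0;
    return ret < 0 && get_fs() == KERNEL_DS;
}
```

The same restore-on-every-exit rule (or a single exit label that does the restore) is what the parenthetical above asks for across all set_fs(KERNEL_DS) uses in the driver.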

The fact that this trick works suggests another issue with this code.
Calling sys_open from kernel code will insert the opened file descriptor
into the fd table of the current process. This means that userland can tamper
with this file descriptor while the kernel is expecting to be able to use it
safely; dup'ing it to another fd, closing it, reopening another file in its
place. This makes it easy for userspace to cause errors at almost any place in
the felica driver's read/write handlers.

I haven't validated this issue on a device as it appears that the felica config options are only set in Japanese builds.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Found by: markbrand