A vulnerability in Android smartphones powered by Samsung's Exynos 4210 and 4412 processors allows code to run with kernel privileges. On the one hand, this lets owners of the affected smartphones obtain root rights; on the other hand, malicious apps can use the hole to inject malicious code.
The user alephzain has documented in the XDA-Developers forum that the device file /dev/exynos-mem gives all users both read and write access to the smartphone's entire memory. This also covers the critical kernel memory. According to the report, the device file is used by, among other things, the camera app and the HDMI output.
The hole is said to be easy to exploit. The devices evidently affected are the Samsung Galaxy S3, Galaxy S2 and Galaxy Note 2, and the Meizu MX. All other devices with either of the two Exynos processors could be affected as well.
There is already a first app that uses the memory access for the benefit of smartphone owners: it gives them root privileges and then allows the hole to be closed, after which, however, the camera can no longer be used.
/dev/exynos-mem seems to be used for graphics purposes such as the camera, graphics memory allocation and HDMI.
By activating pid display in kmsg, surfaceflinger does an mmap on the device (via one of the three shared libraries above? I have not seen a reference in the binary to these libraries).
The operations allowed on the device are (from linux/drivers/char/mem.c):

    static const struct file_operations exynos_mem_fops = {
        .open           = exynos_mem_open,
        .release        = exynos_mem_release,
        .unlocked_ioctl = exynos_mem_ioctl,
        .mmap           = exynos_mem_mmap,
    };

and the default permissions (from linux/drivers/char/mem.c):

    #ifdef CONFIG_EXYNOS_MEM
        [14] = {"exynos-mem", S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH,
                &exynos_mem_fops},
    #endif

ioctl requests on /dev/exynos-mem permit cleaning/flushing the L1 and L2 caches, setting non-cacheable page memory and setting the physical memory address for use with mmap.
Now the interesting part: the mmap operation.
The only limit is to restrict access to lowmem (from linux/drivers/char/exynos-mem.c):

    /* TODO: currently lowmem is only available */
    if ((phys_to_virt(start) < (void *)PAGE_OFFSET) ||
        (phys_to_virt(start) >= high_memory)) {
        pr_err("[%s] invalid paddr(0x%08x)\n", __func__, start);
        return -EINVAL;
    }

The comment in the above code could be frightening.
And a look in Documentation/arm/memory.txt says:

    Start           End             Use
    --------------------------------------------------------------------------
    PAGE_OFFSET     high_memory-1   Kernel direct-mapped RAM region.
                                    This maps the platforms RAM, and typically
                                    maps all platform RAM in a 1:1 relationship.

In other words, this device only permits owning the physical memory, including kernel code.
The question is why permissions are set to read/write for all in kernel AND in ueventd.smdk4x12.rc:
A simple patch for Android smartphones could be applied to set permissions to 0660 or 0600 in ueventd.smdk4x12.rc, but I don't know how it would affect Samsung applications/services.
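
The permission check suggested above, as an added example that is not part of the original post or of Samsung's code: a small C auditor that reads ueventd rules in the `<node> <mode> <user> <group>` form and flags every node whose mode grants read or write access to all users. The sample rules, their placeholder owner and group columns, and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Bits that give every local user, and so every installed app, access. */
#define WORLD_RW (S_IROTH | S_IWOTH)

/* Same mode with all "other" bits cleared, e.g. 0666 -> 0660. */
unsigned tightened_mode(unsigned mode) { return mode & ~(unsigned)S_IRWXO; }

/* Parse "<node> <octal mode> <user> <group>"; returns 1 only for a
 * complete /dev rule, 0 for comments, blank lines and anything else. */
static int parse_rule(const char *line, char node[128], unsigned *mode)
{
    char user[32], group[32];
    line += strspn(line, " \t");
    if (strncmp(line, "/dev/", 5) != 0)
        return 0;
    return sscanf(line, "%127s %o %31s %31s", node, mode, user, group) == 4;
}

/* Returns the number of rules readable or writable by everyone and,
 * when out is not NULL, prints each one with a tightened mode. */
int audit_rules(const char *const *lines, size_t n, FILE *out)
{
    int findings = 0;
    for (size_t i = 0; i < n; i++) {
        char node[128];
        unsigned mode;
        if (!parse_rule(lines[i], node, &mode) || !(mode & WORLD_RW))
            continue;
        findings++;
        if (out)
            fprintf(out, "%s: mode %04o is open to all users, suggest %04o\n",
                    node, mode, tightened_mode(mode));
    }
    return findings;
}

/* Constructed sample rules; owner and group columns are placeholders. */
static const char *const SAMPLE_RULES[] = {
    "# constructed sample, not a copy of ueventd.smdk4x12.rc",
    "/dev/exynos-mem      0666  owner  group",
    "/dev/example-sensor  0660  owner  group",
    "/dev/example-log     0622  owner  group",
};

/* Exit status 1 means at least one world-accessible rule was found. */
int main(void) { return audit_rules(SAMPLE_RULES, 4, stdout) != 0; }
```

The mode in the rc file is only half of the picture: the default in the kernel's device table shown earlier also has to be tightened, since the post notes the permissive setting exists in both places.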