The Allwinner R818 SoC is a processor made for Android-based smart speakers with a screen. It integrates a quad-core 64-bit Cortex-A53 CPU and an Imagination PowerVR GE8300 GPU to ensure rapid response and smooth running for daily applications such as online video, web browsing, and so on.
There is an out-of-bounds write in the camera driver "/dev/cedar_dev". A third-party app could cause a system crash or EoP.
Soc: Allwinner R818
System: R818 Android Q
SDK Version: V1.0
You can see that the data copied from user mode is ve_info, which is defined as follows:
Therefore, user mode can pass in a channel_id and a proc_info_len. The implementation problem here is that it only checks whether channel_id is legal but does not check proc_info_len, so the maximum proc_info_len is 0xFFFFFFFF (64 bits). By itself this does not trigger a crash.
What really triggers the security problem is the following part:
It can be seen that ve_debug_proc_info.proc_len[channel_id] is the proc_info_len we controlled above (maximum 0xFFFFFFFF (64 bits)). No length check is performed here and the data is copied directly to proc_buf, and arg is controllable from user mode, which causes a write out of bounds, and the size of proc_buf
which will cause an OOB write
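The fix the advisory points at is a bounds check on the user-supplied length at both places it is used. The following is an added example written for this page, not the cedar_dev driver's code: a user-space model of the two stages described above (store proc_info_len per channel, later copy that many bytes into proc_buf), with the length validated against the destination buffer. The names VE_MAX_CHANNEL, PROC_BUF_SIZE, ve_info_t, ve_set_proc_info and ve_copy_proc_info, and the use of memcpy in place of copy_from_user, are assumptions for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed sizes for the model; the real driver's values are not on the page. */
#define VE_MAX_CHANNEL 4
#define PROC_BUF_SIZE  256

/* Hypothetical shape of the structure copied from user mode. */
typedef struct {
    uint32_t channel_id;
    uint32_t proc_info_len;
} ve_info_t;

/* Hypothetical per-device state: a length per channel and one fixed buffer. */
struct ve_debug_proc_state {
    size_t  proc_len[VE_MAX_CHANNEL];
    uint8_t proc_buf[PROC_BUF_SIZE];
};

/* Stage 1: accept a channel_id and proc_info_len from the caller.
 * Both are validated: the channel must index proc_len, and the length must
 * fit the destination buffer. Returns 0 on success, -EINVAL otherwise. */
int ve_set_proc_info(struct ve_debug_proc_state *st, const ve_info_t *info)
{
    if (info->channel_id >= VE_MAX_CHANNEL)
        return -EINVAL;
    /* This is the check the advisory says is missing. */
    if (info->proc_info_len == 0 || info->proc_info_len > PROC_BUF_SIZE)
        return -EINVAL;
    st->proc_len[info->channel_id] = info->proc_info_len;
    return 0;
}

/* Stage 2: copy proc_len[channel_id] bytes from the caller's buffer (arg)
 * into proc_buf. memcpy stands in for copy_from_user. The length is checked
 * again at the point of use rather than trusting the value stored earlier. */
int ve_copy_proc_info(struct ve_debug_proc_state *st, uint32_t channel_id,
                      const void *arg)
{
    if (channel_id >= VE_MAX_CHANNEL)
        return -EINVAL;
    size_t len = st->proc_len[channel_id];
    if (len == 0 || len > sizeof(st->proc_buf))
        return -EINVAL;
    memcpy(st->proc_buf, arg, len);
    return 0;
}

/* Runs the scenarios from the advisory against the checked handlers.
 * Returns 0 when every scenario behaves as intended, else the failing step. */
int run_scenarios(void)
{
    struct ve_debug_proc_state st;
    uint8_t src[16];
    memset(&st, 0, sizeof st);
    memset(src, 0xAB, sizeof src);

    /* Constructed input: the 0xFFFFFFFF length from the advisory is rejected. */
    ve_info_t huge = { 0, 0xFFFFFFFFu };
    if (ve_set_proc_info(&st, &huge) != -EINVAL) return 1;

    /* Constructed input: out-of-range channel_id is rejected. */
    ve_info_t bad_ch = { VE_MAX_CHANNEL, 16 };
    if (ve_set_proc_info(&st, &bad_ch) != -EINVAL) return 2;

    /* Constructed input: a length within proc_buf is accepted and copied. */
    ve_info_t ok = { 1, sizeof src };
    if (ve_set_proc_info(&st, &ok) != 0) return 3;
    if (ve_copy_proc_info(&st, 1, src) != 0) return 4;
    if (st.proc_buf[sizeof src - 1] != 0xAB) return 5;

    /* A channel whose length was never set (0) must not copy anything. */
    if (ve_copy_proc_info(&st, 0, src) != -EINVAL) return 6;
    return 0;
}

int main(void)
{
    int r = run_scenarios();
    printf("scenarios: %s (%d)\n", r == 0 ? "ok" : "failed", r);
    return r;
}
```

The second check in ve_copy_proc_info is deliberate: validating only when the length is stored leaves the copy path dependent on every earlier writer of proc_len having done the same, so the copy re-checks against sizeof(proc_buf) right before memcpy.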
Allwinner will release the corresponding patch for the corresponding chip.
Lewei Qu and Dongxiang Ke
https://www.cnvd.org.cn/flaw/show/CNVD-2021-49168
https://vul.wangan.com/a/CNVD-2021-49168
https://www.allwinnertech.com/index.php?c=product&a=index&id=92