CVE-2024-27380

Vulnerability

In Samsung Mobile Processor Exynos 980, Exynos 850, Exynos 1280, Exynos 1380, and Exynos 1330, the function slsi_set_delayed_wakeup_type() in the S.LSI Wi-Fi driver does not validate the length of ioctl_args->args[i] supplied from userspace. This missing input validation enables a heap over-read condition. The vulnerability affects devices using these specific Exynos chipsets [1].

Exploitation

An attacker requires local access to the device and the ability to invoke the vulnerable ioctl call. By crafting an ioctl command with a specially sized ioctl_args->args[i] value that exceeds the expected buffer length, the attacker can trigger a heap over-read. The exact sequence involves sending a malicious ioctl to the affected driver function, exploiting the lack of bounds checking on the user-controlled length parameter.

Impact

Successful exploitation results in reading memory beyond the intended heap buffer, potentially disclosing sensitive information (information disclosure). The attacker gains access to adjacent heap data, which may include cryptographic keys, passwords, or other confidential data processed by the system. The over-read does not directly provide code execution but can leak sensitive kernel or driver memory.

Mitigation

Samsung has released security updates addressing this vulnerability. Affected users should apply the latest firmware and driver updates from Samsung's product security portal [1]. No workarounds are available; updating the device firmware is the only mitigation.