Android: Heap-overflow in "tlc_server" via LOAD_TUI_RESOURCE command 




As a part of the TrustZone framework available on Samsung devices, Samsung provides an Android daemon which enables communication with a selected set of trustlets running in the Secure World.

The daemon is spawned multiple time, once for each supported trustlet. It then registers an Android binder service with a name corresponding to the trustlet with which it may communicate.

Apart from the regular commands which enable communication with the trustlet itself, the daemon also provides a special command called LOAD_TUI_RESOURCE (command code 5) which enables loading a KNOX TUI (Trusted User Interface) resource.

The function handling this command has the following logic:

Parcel data = ...;
...
if (data.readInt32(&numDwords))
    goto error;
uint32_t* buffer = (uint32_t*)malloc(numDwords * 4);
if (!buffer)
    goto error;
for (uint32_t i=0; i<numDwords; i++) {
    if (data.readInt32(&dword))
        goto error;
    buffer[i] = dword;
}

Since the length field (numDwords) is not validated, it may be arbitrarily large. This means that the calculation a4*numDwordsa may overflow on 32-bit builds of "tlc_server" (i.e., on 32-bit Android devices), resulting in a small value.

The loop would then attempt to copy whatever amount of values written to the parcel (controlled by the attacker) into the allocated buffer, resulting in a heap-overflow.

The tlc_server runs with the asystema UID and GID and has an SELinux context of au:r:tlc_server:s0a.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.



Found by: laginimaineb