FPII-2520 : Elevation of privilege vulnerability in Synaptics touchscreen driver CVE-2016-6743 A-30937462

High

An elevation of privilege vulnerability in the Synaptics touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process.

Additional technical details:

A-30937462

In the fwu_sysfs_store_image function, the count variable is not validated, which can lead to a potential heap overflow.

The fix is designed to add additional bounds checks to prevent the potential heap overflow.

The code snippet is provided in the bulletin patches zip file in the Downloads section: https://support.google.com/androidpartners_security/answer/7169146?hl=en&ref_topic=6353496#downloads

Change-Id: I21619de1d5b18f0f7a4d1514c6f5c65860f1303e
diff --git a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_fw_update.c b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_fw_update.c
index bf735e8..7caf76c 100644
--- a/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_fw_update.c
+++ b/drivers/input/touchscreen/synaptics_dsx/synaptics_dsx_fw_update.c
@@ -3272,6 +3272,13 @@
 	if (!mutex_trylock(&fwu_sysfs_mutex))
 		return -EBUSY;
 
+	if (count > (fwu->image_size - fwu->data_pos)) {
+		dev_err(fwu->rmi4_data->pdev->dev.parent,
+				"%s: Not enough space in buffer\n",
+				__func__);
+		return -EINVAL;
+	}
+
 	retval = secure_memcpy(&fwu->ext_data_source[fwu->data_pos],
 			fwu->image_size - fwu->data_pos, buf, count, count);
 	if (retval < 0) {
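
Review bot: the new early `return -EINVAL;` leaves fwu_sysfs_mutex held, because it sits after the successful `mutex_trylock(&fwu_sysfs_mutex)` at the top of the hunk and nothing in the added block releases it. After one oversized write, every later call would fail the trylock and return -EBUSY. Call mutex_unlock(&fwu_sysfs_mutex) before returning, or set retval and jump to the function's common unlock path if it has one. Separately, the check computes `fwu->image_size - fwu->data_pos` without first confirming that data_pos does not exceed image_size. The types are not visible in this hunk, but if both are unsigned the difference would wrap and the check would pass, so testing that ordering first would make the bound robust.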