One year ago, we found some security issues in the Samsung S4 (GT-I9500) version I9500XXUEMK8. After several emails with the Samsung security team, these issues are still unpatched on the JB and KK family. This blog post details these issues and provides a potential patch. The affected driver is the samsung_extdisp and CVEs assigned are:

1.1 - Kernel Memory Disclosure

1.1.1 - CVE-2015-1800: Video driver samsung_extdisp (1 bug)

The s3cfb_extdsp_ioctl() function, located in the drivers/video/samsung_extdisp/s3cfb_extdsp_ops.c file, contains a stack kernel memory disclosure. The structure s3cfb_extdsp_time_stamp is allocated on the stack frame. This structure contains these following attributes:

struct s3cfb_extdsp_time_stamp { int y_fd ; int uv_fd ; struct timeval time_marker ; };

In the same function, inside the ioctl 's switch case, we can find the S3CFB_EXTDSP_GET_FB_PHY_ADDR request.

case S3CFB_EXTDSP_GET_FB_PHY_ADDR : time_stamp2 . y_fd = - 1 ; time_stamp2 . uv_fd = - 1 ; /* ... */ if ( copy_to_user (( struct s3cfb_extdsp_time_stamp __user * ) arg , & time_stamp2 , sizeof ( time_stamp2 ))) { dev_err ( fbdev -> dev , "copy_to error

" ); return - EFAULT ; }