Show Notes

230 - Samsung Baseband and GPU Vulns

The root cause of the vulnerability is a buffer overflow error in the CdmaSmsParser::CdmaSmsParser function. This function copies incoming IPC messages from the baseband processor into a fixed-size buffer on the stack without first validating the length of the message. Since there is no length check, a very long message could overflow the buffer and overwrite adjacent memory.

Specifically, the vulnerability occurs at line [1] of the code snippet, where memcpy copies the entire IPC data payload into the fixed-size stack buffer. This can allow an attacker to overwrite the stack if the payload is larger than the buffer.

By sending an overly long IPC message, a compromised baseband processor could potentially exploit this to corrupt stack data and achieve things like code execution or denial of service. The vulnerability is caused by the lack of input validation on the length of IPC messages before copying them to the stack.