Security probe of Qualcomm MSM data services
First goes into some background details on QMI, what kinds of services it provides, and details on how they fuzzed the interface (used QEMU hexagon to emulate the modem in conjunction with AFL). They talk about one of the vulns the fuzzer dug up, which was a heap overflow in the voice service’s call_config_req
handler. This handler takes two fields from an attacker-provided payload, being the number of calls to make and an array of call contexts which are 0x160 bytes per call. There’s no limit on the number of calls you can make, you can provide 0xFF. They don’t state what the limit should be, just the fact that this leads to an out-of-bounds write on the heap. Given the circumstances, this could probably be taken to code execution since you control how far OOB you write and a lot of data that gets written there.
Though that could also be a curse, might end up smashing too much data and just cause an unavoidable crash too.