Microsoft Azure Sphere Security Monitor SMSyscallPeripheralAcquire information disclosure vulnerability

We discussed this vulnerability during Episode 84 on 21 September 2021

This post covers an infoleak in Microsoft's Azure Sphere Security Monitor, which is a Linux-based operating system for IoT devices. The researchers focus on the SMSyscallPeripheralAcquire system call, which is used for switching the mux mode on a given pin and changing the layout of how the pins are configured. It takes an input buffer and an output buffer.

The output consists of a count of how many input entries were processed, a count of how many entries have an output object, and then an array of the output objects themselves, each containing metadata for a pin. One of the fields in this object (a uint16_t) is left uninitialized, leaking 2 bytes of kernel heap memory to userspace. It's worth noting that this system call is locked behind the AZURE_SPHERE_CAP_PERIPHERAL_PIN_MAPPING capability, so this bug can't be exploited from a completely unprivileged context.
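As an added illustration (not code from the advisory or from Azure Sphere itself), the bug class in miniature: a hypothetical output struct mirroring the layout above, with one uint16_t field the kernel-side fill loop never sets, a simulated recycled heap chunk so the stale bytes are deterministic, and the zero-before-fill form that closes the leak. Struct names, field names and sample pins are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical mirror of the output layout described above: two counts, then
 * per-pin metadata objects. Names are illustrative, not Azure Sphere's own. */
struct pin_info {
    uint32_t pin_id;
    uint32_t mux_mode;
    uint16_t flags;       /* the field the write-out path never sets */
};
struct acquire_out {
    uint32_t processed;   /* input entries processed */
    uint32_t with_output; /* entries that produced an output object */
    struct pin_info objs[2];
};
/* Constructed stand-in for a recycled kernel heap chunk: stale bytes (0x41)
 * from a previous use are still there when the allocator hands it out again. */
static unsigned char kheap[sizeof(struct acquire_out)];
static struct acquire_out *kalloc_reused(void) {
    memset(kheap, 0x41, sizeof kheap);
    return (struct acquire_out *)kheap;
}
/* Vulnerable pattern: every field except `flags` is assigned, then the whole
 * struct is copied out, carrying stale heap bytes (and struct padding) along.
 * With zero_first set, the object is cleared before filling, which is the fix. */
static void fill(struct acquire_out *out, const uint32_t *pins, size_t n, int zero_first) {
    if (zero_first)
        memset(out, 0, sizeof *out);
    out->processed = out->with_output = (uint32_t)n;
    for (size_t i = 0; i < n && i < 2; i++) {
        out->objs[i].pin_id = pins[i];
        out->objs[i].mux_mode = 1;
        /* out->objs[i].flags is never written */
    }
}
/* Returns the flags value userspace would observe for the first pin. */
uint16_t leaked_flags(int hardened) {
    uint32_t pins[2] = {3, 7};           /* constructed input */
    struct acquire_out user;
    struct acquire_out *k = kalloc_reused();
    fill(k, pins, 2, hardened);
    memcpy(&user, k, sizeof user);       /* stands in for copy_to_user */
    return user.objs[0].flags;
}
int main(void) {
    printf("vulnerable: 0x%04x  hardened: 0x%04x\n", leaked_flags(0), leaked_flags(1));
    return 0;
}
```

The vulnerable path returns 0x4141 (the simulated stale heap contents), the hardened path returns 0; in a real kernel the stale bytes would be whatever the freed chunk last held.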