Userland Buffer Overflow due to Mediatek WLAN Driver via /proc Filesystem

We discussed this vulnerability during Episode 242 on 13 February 2024

The Mediatek wlan driver on Android has several files exposed under the /proc virtual filesystem. Some of these read handles do not check the caller-provided buffer size before copying data out into the user buffer. As such it may overflow the caller’s buffer. The most obvious case of this would just result in a sort of self-exploitation but given the ability to share file descriptors across processes, one may be able to abuse this overflow to exploit a privileged process. It is a pretty interesting primitive to have, and not necessarily well controlled in-terms of what data is written, but feels like it could be a pretty cool exploit to pull-off.