Original Post: Several wlan VFS read handlers don't check buffer size leading to userland memory corruption
This vulnerability was analyzed during Episode 242 on 13 February 2024
The Mediatek wlan driver on Android has several files exposed under the /proc
virtual filesystem. Some of these read handlers do not check the caller-provided buffer size before copying data out into the user buffer, so a read can overflow the caller's buffer. The most obvious case of this would just result in a sort of self-exploitation, but given the ability to share file descriptors across processes, one may be able to abuse this overflow to exploit a privileged process. It is a pretty interesting primitive to have, and not necessarily well controlled in terms of what data is written, but it feels like it could be a pretty cool exploit to pull off.
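The defect pattern, as an added example written for this note rather than code from the episode or from the Mediatek driver: a userland model of a `/proc` read handler whose `copy_to_user` is simulated so an unchecked copy is recorded instead of actually corrupting memory. `status_read_vuln` copies its whole status string no matter how small `count` is, which is the bug class described above; `status_read_fixed` clamps the copy to both `count` and the bytes remaining past `*ppos`, which is what the kernel helper `simple_read_from_buffer()` does for you. The status text, the `struct ubuf` tripwire and the `loff_t_sim` typedef are constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

typedef long loff_t_sim;  /* assumption: stand-in for the kernel's loff_t */

/* Constructed driver output; real handlers format live driver state into a kernel buffer. */
static const char kStatus[] = "constructed driver status: rssi=-61 chan=36 bw=80 linked=1\n";

/* Simulated user buffer: 'cap' is what the caller actually allocated, 'overflow' counts
 * bytes a handler tried to write past it (in a real kernel those bytes land in userland memory). */
struct ubuf { char *data; size_t cap; size_t overflow; };

static unsigned long sim_copy_to_user(struct ubuf *to, const void *from, unsigned long n) {
    if (n > to->cap) { to->overflow = n - to->cap; n = to->cap; }  /* record instead of corrupt */
    memcpy(to->data, from, n);
    return 0;
}

/* Vulnerable pattern: the handler knows how long its output is and copies all of it,
 * never consulting the 'count' the caller passed to read(). */
static ssize_t status_read_vuln(struct ubuf *buf, size_t count, loff_t_sim *ppos) {
    size_t len = sizeof(kStatus) - 1;
    (void)count;                                  /* the bug: count is ignored */
    if (*ppos >= (loff_t_sim)len) return 0;
    sim_copy_to_user(buf, kStatus, len);
    *ppos += len;
    return (ssize_t)len;
}

/* Fixed pattern: never copy more than 'count', honour the file offset, and return
 * exactly what was copied so a caller can read the file in small chunks. */
static ssize_t status_read_fixed(struct ubuf *buf, size_t count, loff_t_sim *ppos) {
    size_t len = sizeof(kStatus) - 1;
    if (*ppos < 0 || (size_t)*ppos >= len) return 0;        /* EOF */
    size_t remain = len - (size_t)*ppos;
    size_t n = count < remain ? count : remain;             /* clamp to caller's buffer */
    sim_copy_to_user(buf, kStatus + *ppos, n);
    *ppos += n;
    return (ssize_t)n;
}

/* Drive a handler with a 16-byte user buffer; returns the bytes that would have spilled. */
static size_t overflow_with_small_buffer(ssize_t (*h)(struct ubuf *, size_t, loff_t_sim *)) {
    char raw[16];
    struct ubuf u = { raw, sizeof raw, 0 };
    loff_t_sim pos = 0;
    h(&u, sizeof raw, &pos);
    return u.overflow;
}

/* Read the whole "file" through the fixed handler in 16-byte chunks; 1 if the text reassembles. */
static int fixed_reassembles(void) {
    char out[sizeof kStatus] = {0};
    size_t total = 0;
    loff_t_sim pos = 0;
    for (;;) {
        char raw[16];
        struct ubuf u = { raw, sizeof raw, 0 };
        ssize_t n = status_read_fixed(&u, sizeof raw, &pos);
        if (n <= 0) break;
        memcpy(out + total, raw, (size_t)n);
        total += (size_t)n;
    }
    return total == strlen(kStatus) && memcmp(out, kStatus, total) == 0;
}

int main(void) {
    printf("vulnerable handler spilled %zu bytes past a 16-byte buffer\n",
           overflow_with_small_buffer(status_read_vuln));
    printf("fixed handler spilled %zu bytes\n", overflow_with_small_buffer(status_read_fixed));
    printf("fixed handler reassembles full output in chunks: %s\n",
           fixed_reassembles() ? "yes" : "no");
    return 0;
}
```

When auditing such handlers, the thing to look for is a `copy_to_user()` (or `memcpy` into the user pointer) whose length argument is derived only from the driver's own data, with `count` unused or used only after the copy; a handler that goes through `simple_read_from_buffer()` or `seq_file` gets the clamp and offset handling for free.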