When face detection is enabled in the camera, the kernel tries to detect the user's face based on the camera device's metadata. With face detection enabled, the kernel scans the frame and attempts to locate the face by comparing the image against a face detection template, which is a simple mathematical operation. Because of the nature of this comparison, if the face detection template is not aligned to the image in any way, the kernel could perform an out-of-bounds write. This can lead to a local denial of service, with the affected application becoming unresponsive. It can be mitigated by ensuring that the face detection template is aligned to the image in a specific way. In this issue, the face detection template is aligned to the image with a variable shift. When the shift is 0, the template is aligned to the image in a straight manner; when the shift is greater than 0, the template is aligned to the image in a curved manner. If the shift is greater than 0.5, the kernel cannot perform an out-of-bounds write, because the template is aligned in a curved manner.

CVE-2023-38708

When the driver is loading, the kernel unmaps the device before passing control to the device driver. Once the driver is loaded, it starts executing code in userspace and is therefore unable to access its own memory region. As a result, when the kernel performs a syscall and requests memory from userspace, it can determine whether it has been allocated any memory by checking for an out-of-bounds write in that region. If there is no allocation, an out-of-bounds write can result from this vulnerability. The vulnerability is therefore only exploitable on systems with drivers that execute code in userspace and are vulnerable to a denial-of-service attack (such as CVE-2022-38672).

Affected Products

This issue is only present in devices with the Qualcomm Snapdragon Camera DSP driver and a kernel that contains the CVE-2022-38672 vulnerability.

Timeline

Published on: 10/14/2022 19:15:00 UTC
Last modified on: 10/18/2022 18:41:00 UTC

References