When face detect is enabled in the camera, the kernel will try to detect the user's face based on the camera device's metadata. It scans the frame and tries to detect the face by comparing the image against a face detection template; this comparison is a simple mathematical operation. Because of how the comparison works, if the face detection template is not aligned to the image in any way, the kernel can perform an out of bounds write. This can lead to a local denial of service due to an application becoming unresponsive. It can be mitigated by ensuring that the face detection template is aligned to the image in a specific way. In this issue, the face detection template is aligned to the image with a variable shift. When the shift is 0, the template is aligned to the image in a straight manner. When the shift is greater than 0, the template is aligned to the image in a curved manner. If the shift is greater than 0.5, the kernel will not be able to perform an out of bounds write, because the template is aligned in a curved manner.

CVE-2023-38665

When the kernel is notified that a new process has been created, it will try to determine the identity of the process by looking at environment variables. These environment variables include:
PID: Process ID
NAME: Name of the executable file (used for disambiguation)
MAJOR: Major function in the process
MINOR: Minor function in the process
GID: Group identifier of the executable file
Owner UID: Owner UID of the executable file
Project name: Project name of a project associated with an executable file

CVSSv3 Scores

CVSSv3:
Base Score: 5.0
Access Vector: Network
Authentication Required: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete

Overview of the issue

Attackers can exploit a flaw in face detect to trigger an out of bounds write in the kernel. This may result in a local denial of service due to an application becoming unresponsive.

Details CVE-2022-38673

When face detect is enabled in the camera, the kernel will try to detect the user's face based on the camera device's metadata. It scans the frame and tries to detect the face by comparing the image against a face detection template; this comparison is a simple mathematical operation. Because of how the comparison works, if the face detection template is not aligned to the image in any way, the kernel can perform an out of bounds write. This can lead to a local denial of service due to an application becoming unresponsive. It can be mitigated by ensuring that the face detection template is aligned to the image in a specific way. In this issue, when the variable shift used to align the face detection template with the image changes from 0 (straight) to greater than 0 (curved manner), the alignment difference can cause an out of bounds write and, later on, a potential NULL pointer dereference.

Test Setup

A kernel was built with a pass-through feature enabled. This allowed the camera to be used as a monitor by passing a buffer containing the frame to an application; the buffer is then passed back to the camera when needed. The hardware platform this kernel was built on was a Samsung Galaxy S5 smartphone with Android 4.4.3 and an Exynos 5433 chipset, running Linux 3.10.77, with the kernel compiled with GCC 4.8.2.
The face detection template used in this test setup is stored in the device's RAM and loaded at runtime for each face detection processing request.

Timeline

Published on: 10/14/2022 19:15:00 UTC
Last modified on: 10/18/2022 18:43:00 UTC

References