CVE-2022-39105 In sensor driver, there is a possible out of bounds write due to a missing bounds check

Sensor drivers, in general, do not have any access to memory that they did not own before being registered. For example, if a sensor registers a buffer that was copied from user memory, the sensor driver is the only one that could have done that. This could lead to a sensor driver reading from or writing to kernel memory that it does not own. This out of bounds read or write can result in a local denial of service in the sensor driver. Sensor drivers are not subject to the same code review standards as other code. One reason for this is that sensor drivers are often developed by networking and other non-kernel developers. Another reason is that sensor drivers are often developed by non-programmers. Sensor drivers are often developed by vendors and sensor hardware companies. Vendors and sensor hardware companies often do not follow the same coding standards as other developers. Vendors and sensor hardware companies often do not follow the same security standards as other developers. This means that the same code review standards and security standards that are normally used for other code might not be used for sensor drivers.

Mitigation

The primary mitigation for this issue is for software vendors to make sensor drivers follow the same code review standards and security standards as other software.
For example, a vendor could commit sensor driver source code to public repositories that are subject to the same code review standards and security standards as other software. A vendor could also ensure that sensor drivers are at least tested in a QA lab.
Note: This issue was publicly disclosed two years ago by Riverbed Technology.

Mitigation steps for CVE-2022-39105

The following mitigation steps can help prevent this issue:
1. Sensor drivers should be developed by code review standards that are equivalent to the code review standards that are used for other kernel drivers.
2. Vendor and sensor hardware companies should follow the same security standards as other kernel developers.
3. Sensor drivers must not access memory that they do not own, such as kernel memory or user space memory.

How to detect out of bounds reads and writes

The sensor drivers do not have any logs or debug interfaces to help detect out of bounds reads and writes.

References https://www.usenix.org/conference/usenixsecurity16

https://www.usenix.org/conference/usenixsecurity16
https://www.usenix.org/conference/usenixsecurity16
A vulnerability has been found in the Linux kernel's implementation of Device Drivers / Sensor Drivers (CVE-2022-39105). This vulnerability can be found within the sensor drivers for many types of sensors, including temperature sensors, barometric pressure sensors, humidity sensors, light sensors, and so on. Essentially, this vulnerability allows a malicious user to gain access to arbitrary kernel memory from a sensor driver by bypassing the usual constraints that are put in place to prevent direct kernel memory accesses by userspace processes (such as buffer overflow checks and privilege separation). The worst case scenario is that an attacker could execute arbitrary code on a system under their control with root privileges and write their own code into the kernel directly- something that is generally not possible without exploiting vulnerabilities first!

Timeline

Published on: 10/14/2022 19:15:00 UTC
Last modified on: 10/17/2022 20:14:00 UTC

References

• https://www.unisoc.com/en_us/secy/announcementDetail/1575654905820020738
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-39105