CVE CyberSecurity Database News

CVE-2024-27381 - Samsung Exynos Wi-Fi Heap Over-Read Vulnerability Explained

Poster -

In early 2024, security researchers uncovered a critical vulnerability in several Samsung Exynos mobile processors. This bug, tracked as CVE-2024-27381, involves the Wi-Fi driver improperly handling user-supplied input, exposing devices to potential attacks that could leak sensitive memory data. In this long read, we’ll explain what the vulnerability is, how it works, and show simple code snippets to help you understand the exploit. We’ll also point you to the official references and patch details.

Exynos 138

These chips are found in various Samsung Galaxy phones and tablets, especially mid-range and some flagship devices released from 202 through 2024.

Where’s the Problem? The slsi_send_action_frame_ut() Function

The vulnerability sits in Samsung’s Wi-Fi driver code, specifically the slsi_send_action_frame_ut() function. This function is responsible for constructing and sending custom Wi-Fi management frames. Unfortunately, it fails to properly check the length (len) of user-supplied data. This missing input validation could let attackers _over-read_ data from the heap, potentially leaking kernel memory.

The vulnerable code, simplified, might look like this (C language for kernel modules)

long slsi_send_action_frame_ut(struct slsi_dev *sdev, void *buf, size_t len)
{
    void *frame;

    frame = kmalloc(len, GFP_KERNEL);
    if (!frame)
        return -ENOMEM;

    // No check if 'len' is smaller than an upper reasonable bound!
    if (copy_from_user(frame, buf, len)) {
        kfree(frame);
        return -EFAULT;
    }

    // Imagine frame crafting and sending happens here

    kfree(frame);
    return ;
}

Missing Validation

The bug? There is no max check on len! The user can specify an arbitrarily large value, triggering the kernel to allocate big heap memory, or small values that make frame parsing over-read memory areas, possibly exposing information outside the legitimate buffer.

1. Heap Over-read

If an attacker from user space sends a malformed frame with a bogus length, the kernel may over-read from the heap, returning unintended data (like recent passwords, cryptographic secrets, or kernel pointers) into user-accessible regions or over network interfaces.

2. Local Privilege Escalation

Attackers could craft exploits to gain sensitive kernel memory info, which is often the first stage of a local privilege escalation attack—the kind needed to break Android's security and get root.

3. Possible Remote Exploit

A less likely but plausible scenario is that specially crafted Wi-Fi frames could be injected over the air to exploit the flaw remotely, depending on how the function is triggered.

Proof of Concept: Exploitation Example

Suppose an attacker in user space writes a custom userland program that calls the vulnerable ioctl (simplified example):

int fd = open("/dev/slsi_wlan", O_RDWR);
struct fake_frame {
    char frame_data[100];
}; 
struct fake_frame data;
memset(&data, 'A', sizeof(data));

// Maliciously large length!
size_t malicious_len = 1024 * 1024;

// Imagine IOCTL_SLSI_SEND_ACTION_FRAME is the opcode to trigger the bug
ioctl(fd, IOCTL_SLSI_SEND_ACTION_FRAME, &data, malicious_len);

This userland call tricks the kernel into copying/reading more bytes than intended, potentially leaking data from before/after the frame_data buffer.

Attack Complexity: Low (local user or app with access)

- Impact: Leaks kernel heap memory, threatens device integrity, weakens Android/KNOX sandbox

Official References

- Samsung Security Bulletin - March 2024
- CVE-2024-27381 Details at MITRE
- Project Zero (related Wi-Fi issues with Exynos)

The official patch adds proper length validation. Here’s a safe version of the code

#define MAX_ACTION_FRAME_LEN 256

long slsi_send_action_frame_ut(struct slsi_dev *sdev, void *buf, size_t len)
{
    if (len > MAX_ACTION_FRAME_LEN)
        return -EINVAL;

    void *frame = kmalloc(len, GFP_KERNEL);
    if (!frame)
        return -ENOMEM;

    if (copy_from_user(frame, buf, len)) {
        kfree(frame);
        return -EFAULT;
    }

    // rest of code
}

Always check that len is reasonable and never blindly trust input from user space!

What Should You Do?

If you own a Samsung Galaxy phone with Exynos:
Update your phone’s firmware as soon as possible. March and April 2024 security updates include this fix. See Settings > Software update.

If you are a developer:
Follow secure coding practices! Always validate user-controlled input in kernel or driver code.

Conclusion

CVE-2024-27381 highlights how a small missing check in driver code can potentially compromise millions of devices. Heap over-read bugs are especially dangerous since they break the kernel’s privacy boundaries and make further exploits easier. Always keep your device up to date, and support security best practices wherever you code.

References & Further Reading

- Samsung Security Updates
- Official CVE at MITRE
- Project Zero Exploits Wi-Fi Stack

Timeline

Published on: 06/05/2024 19:15:14 UTC
Last modified on: 06/27/2024 15:54:29 UTC