MediaTek Frame Buffer Debugging Interface Memory Disclosure

Product: MediaTek 6735
Severity: Medium
CVE Reference: N/A
Type: Information Disclosure

Description

MediaTek is a company that provides system-on-chip solutions for wireless communications, HDTV, DVD and Blu-ray. A number of MediaTek clients, including Huawei and Neffos, were found to be affected by a vulnerability in the MediaTek Frame Buffer Debugging Interface code.

The ‘/d/fbconfig’ file was found to leak kernel memory via one of the supported command types (FB_LAYER_GET_INFO) handled by a MediaTek IOCTL interface. In the example described below both stack and heap data were leaked. It is possible that other segments could be leaked as well.

Impact

The Android Shell user can exploit this vulnerability to leak kernel memory. However, standard Android applications would be limited by SELinux.

Cause

This vulnerability is due to insufficient input validation of user-supplied data.

Solution

MediaTek clients can receive the security fix directly from the vendor.

Technical details

Please refer to the attached advisory.

Disclosure Timeline

Date        Summary
2016-10-22  Issue reported to MediaTek.
2016-11-16  MediaTek responded with confirmation of the issue.
2016-11-25  MWR queried MediaTek for the issue status and patch release plan.
2017-03-30  MWR queried MediaTek for the issue status and patch release plan.
2017-03-30  MediaTek confirmed that the issue was fixed and a patch was available to its customers.