MediaTek M4U Driver Arbitrary Memory Overwrite

  • Type: Memory Corruption
  • Severity: High
  • Affected products: MediaTek 6735
  • CVE Reference: N/A

Timeline

2016-10-22: Issue reported to MediaTek.

2016-11-16: MediaTek responded with confirmation of the issue.

2016-11-25: MWR queried MediaTek for the issue status and patch release plan.

2017-03-30: MWR queried MediaTek for the issue status and patch release plan.

2017-03-30: MediaTek confirmed that the issue was fixed and a patch was available to its customers.

Description

MediaTek is a company that provides system-on-chip solutions for wireless communications, HDTV, DVD and Blu-ray. A number of MediaTek clients, including Huawei and Neffos, were found to be affected by a vulnerability in the MediaTek M4U driver code.

The '/proc/m4u' file provides an IOCTL interface that is vulnerable to a one-byte kernel memory overwrite while processing the 'MTK_M4U_T_CONFIG_TF' command.

Impact

Local attackers can exploit this issue to gain root privileges or achieve kernel mode code execution.

Cause

This vulnerability is due to a lack of input validation of user-supplied data.

Solution

MediaTek clients can receive the security fix directly from the vendor.

Technical details

Please refer to the attached advisory.