From: Saifuddin Kaijar <mailtokaijar@gmail.com>
To: security@kernel.org
Cc: linux-samsung-soc@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [SECURITY] Samsung Exynos SROM: Out-of-bounds write via unchecked device tree bank parameter
Date: Fri, 24 Apr 2026 04:47:17 +0530
Message-ID: <CAD7tK9au2fRaeX_sBq72dL-yTAJ3JAqNxmsoLW_Pjm-fFJ3t7Q@mail.gmail.com>

Dear Linux Kernel Security Team,
I am reporting a security vulnerability in the Samsung Exynos SROM driver.
SUMMARY:
Out-of-bounds MMIO write due to missing validation of device tree bank
parameter.
COMPONENT:
File: drivers/memory/samsung/exynos-srom.c
Function: exynos_srom_configure_bank()
Lines: 74-100
AFFECTED VERSIONS:
All kernels since 3.15 (2015) up to current mainline (6.12.1)
SEVERITY:
HIGH (CVSS 7.8: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CWE-787: Out-of-bounds Write
DESCRIPTION:
The driver reads the 'bank' parameter from the device tree without validation,
then uses it as an offset for MMIO register writes:
    static int exynos_srom_configure_bank(struct exynos_srom *srom,
                                          struct device_node *np)
    {
        u32 bank, width, pmc = 0;

        if (of_property_read_u32(np, "reg", &bank))
            return -EINVAL;

        /* ❌ NO VALIDATION - bank can be 0-4294967295 */
        bank *= 4; /* Unchecked multiplication */

        /* ❌ Out-of-bounds write */
        writel_relaxed(..., srom->reg_base + EXYNOS_SROM_BC0 + bank);
    }
Valid range: bank = 0-3 (only 4 banks: BC0, BC1, BC2, BC3)
Mapped region: 20 bytes (0x14)
Attack example: bank=255 → offset=1020 → 1000 bytes out-of-bounds
IMPACT:
- Kernel memory corruption
- Privilege escalation (CAP_SYS_ADMIN → root)
- Denial of service (kernel panic)
PROOF OF CONCEPT:
Malicious device tree triggers crash:
    srom-controller@12570000 {
        compatible = "samsung,exynos4210-srom";
        reg = <0x12570000 0x14>;
        bank@255 { reg = <255>; }; /* Out of bounds */
    };
Result: Kernel writes to reg_base+1020 (only 20 bytes mapped) → panic
TESTED ON:
- Linux mainline 6.12.1
- Samsung Galaxy S23 (Exynos 2200)
- Android kernel 6.6.x (android14-6.6-lts)
PROPOSED FIX:
Add bounds check after line 76:
+ /* Validate bank number is within hardware limits */
+ if (bank > 3) {
+ dev_err(dev, "Invalid bank number %u (maximum is 3)\n", bank);
+ return -EINVAL;
+ }
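Review bot: `dev` in the dev_err() call is not declared anywhere in exynos_srom_configure_bank() as quoted above, whose only parameters are `srom` and `np`, so the fragment cannot build in that function as shown; either pass the struct device in or report through the node, e.g. pr_err("%pOF: invalid bank number %u (maximum is 3)\n", np, bank). The fragment also does not show its position relative to `bank *= 4`; the check has to precede the multiplication, and a named constant for the four BC registers instead of the literal 3 would keep the limit tied to the register definitions.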
ADDITIONAL ISSUE:
Device tree node reference leak at lines 139-146 (missing of_node_put).
DISCLOSURE STATUS:
- Reported to Samsung Mobile Security on April 24, 2026
- Samsung is developing patch
- Coordinated disclosure planned
I can provide complete PoC, crash logs, and patch if needed.
Best regards,
Saifuddin Kaijar
Email: mailtokaijar@gmail.com
Date: April 24, 2026
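The bank check described in the report, modelled as an added user-space C example (not the report's code and not the kernel driver's): the unchecked offset computation beside a hardened version that also treats the window length from the DT `reg` cell as untrusted. BC0 sitting at offset 0 of the window is an assumption; bank count, stride and 0x14-byte window follow the report.

```c
/* Added example, not code from the report or from exynos-srom.c: a
 * user-space model of the SROM bank-offset computation with the
 * validation the report says is missing. Constants follow the report
 * (4 banks BC0..BC3, 4-byte stride, 0x14 bytes mapped). */
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define SROM_NUM_BANKS   4u
#define SROM_BANK_STRIDE 4u
#define SROM_MAP_LEN     0x14u   /* second cell of reg = <0x12570000 0x14> */
#define SROM_BC0_OFF     0u      /* assumed: BC0 is the first register */

/* Stand-in for the ioremap()ed window; only the checked path writes it. */
static uint8_t fake_mmio[SROM_MAP_LEN];

/* Mirrors the reported path: the DT value is scaled and added with no
 * range check, so bank=255 yields 1020, 1000 bytes past a 20-byte window. */
uint32_t srom_bank_offset_unchecked(uint32_t bank)
{
	bank *= SROM_BANK_STRIDE;           /* also wraps for bank >= 2^30 */
	return SROM_BC0_OFF + bank;
}

/* Hardened path: returns the register offset, -EINVAL if the bank exceeds
 * the hardware's bank count, -ERANGE if the 4-byte register would not fit
 * in a window of map_len bytes. The bank test precedes the multiply. */
int srom_bank_offset_checked(uint32_t bank, size_t map_len)
{
	size_t off;

	if (bank >= SROM_NUM_BANKS)
		return -EINVAL;
	off = SROM_BC0_OFF + (size_t)bank * SROM_BANK_STRIDE;
	if (off + sizeof(uint32_t) > map_len)
		return -ERANGE;
	return (int)off;
}

/* Model of the guarded writel_relaxed(): refuses instead of overrunning. */
int srom_write_bc(uint32_t bank, uint32_t val)
{
	int off = srom_bank_offset_checked(bank, SROM_MAP_LEN);

	if (off < 0)
		return off;
	memcpy(fake_mmio + off, &val, sizeof(val));
	return 0;
}
```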
Thread overview: 2+ messages
2026-04-23 23:17 Saifuddin Kaijar [this message]
[not found] <CAD7tK9b8VFPan6tMmOv+_juaYc1Ycfy6t4DoioKDeLGE7ECqeg@mail.gmail.com>
2026-04-24 4:01 ` [SECURITY] Samsung Exynos SROM: Out-of-bounds write via unchecked device tree bank parameter Greg KH