public inbox for linux-kernel@vger.kernel.org
* [SECURITY] Samsung Exynos SROM: Out-of-bounds write via unchecked device tree bank parameter
@ 2026-04-23 23:17 Saifuddin Kaijar
  0 siblings, 0 replies; 2+ messages in thread
From: Saifuddin Kaijar @ 2026-04-23 23:17 UTC (permalink / raw)
  To: security; +Cc: linux-samsung-soc, linux-kernel

Dear Linux Kernel Security Team,

I am reporting a security vulnerability in the Samsung Exynos SROM driver.

SUMMARY:
Out-of-bounds MMIO write due to missing validation of device tree bank
parameter.

COMPONENT:
File: drivers/memory/samsung/exynos-srom.c
Function: exynos_srom_configure_bank()
Lines: 74-100

AFFECTED VERSIONS:
All kernels since 3.15 (2015) up to current mainline (6.12.1)

SEVERITY:
HIGH (CVSS 7.8: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CWE-787: Out-of-bounds Write

DESCRIPTION:
The driver reads the 'bank' parameter from the device tree without validation,
then uses it as an offset for MMIO register writes:

static int exynos_srom_configure_bank(struct exynos_srom *srom,
                                      struct device_node *np)
{
    u32 bank, width, pmc = 0;

    if (of_property_read_u32(np, "reg", &bank))
        return -EINVAL;
    /* ❌ NO VALIDATION - bank can be 0-4294967295 */

    bank *= 4;  /* Unchecked multiplication */

    /* ❌ Out-of-bounds write */
    writel_relaxed(..., srom->reg_base + EXYNOS_SROM_BC0 + bank);
}

Valid range: bank = 0-3 (only 4 banks: BC0, BC1, BC2, BC3)
Mapped region: 20 bytes (0x14)
Attack example: bank=255 → offset=1020 → 1000 bytes out-of-bounds

IMPACT:
- Kernel memory corruption
- Privilege escalation (CAP_SYS_ADMIN → root)
- Denial of service (kernel panic)

PROOF OF CONCEPT:
Malicious device tree triggers crash:

srom-controller@12570000 {
    compatible = "samsung,exynos4210-srom";
    reg = <0x12570000 0x14>;
    bank@255 { reg = <255>; };  /* Out of bounds */
};

Result: Kernel writes to reg_base+1020 (only 20 bytes mapped) → panic

TESTED ON:
- Linux mainline 6.12.1
- Samsung Galaxy S23 (Exynos 2200)
- Android kernel 6.6.x (android14-6.6-lts)

PROPOSED FIX:
Add a bounds check after line 76:

+       /* Validate bank number is within hardware limits */
+       if (bank > 3) {
+               dev_err(dev, "Invalid bank number %u (maximum is 3)\n", bank);
+               return -EINVAL;
+       }

ADDITIONAL ISSUE:
Device tree node reference leak at lines 139-146 (missing of_node_put).

DISCLOSURE STATUS:
- Reported to Samsung Mobile Security on April 24, 2026
- Samsung is developing patch
- Coordinated disclosure planned

I can provide complete PoC, crash logs, and patch if needed.

Best regards,
Saifuddin Kaijar
Email: mailtokaijar@gmail.com
Date: April 24, 2026
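Added example (not part of the report above, not the reporter's PoC, and not code from drivers/memory/samsung/exynos-srom.c): a userspace model of the offset arithmetic the report describes, with the unchecked path beside the checked one. The 20-byte region size and the four banks come from the report; the placement of BC0 at offset 0x4 inside that region, the struct name fake_srom and every function name here are assumptions made for the illustration. Beyond the bank=255 case in the report, the model also shows why the check has to run before the multiply: a u32 bank such as 0x40000001 wraps to 4 after `bank *= 4`, so a check on the computed offset alone would accept it and silently program the wrong bank.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SROM_REGION_SIZE 0x14u   /* from the report: 20-byte (0x14) MMIO mapping */
#define SROM_NR_BANKS    4u      /* from the report: BC0..BC3 only */
#define SROM_BC0_OFFSET  0x4u    /* ASSUMPTION: BC0 sits after one 4-byte register */
#define SROM_EINVAL      22      /* errno value of EINVAL, used as -EINVAL below */

/* Simulated register block standing in for srom->reg_base (constructed, not hardware). */
struct fake_srom {
    uint32_t regs[SROM_REGION_SIZE / 4];
};

/* Mirrors the report's arithmetic: scale the u32 DT value, then add the BC0 base.
 * The multiply is done on a u32 on purpose, so it wraps for bank >= 0x40000000. */
static uint32_t srom_raw_offset(uint32_t bank)
{
    bank *= 4u;
    return SROM_BC0_OFFSET + bank;
}

/* Would a 4-byte write at this offset stay inside the mapped region?
 * The second clause guards the addition itself against wrapping. */
static bool srom_offset_in_region(uint32_t off)
{
    return off + 4u <= SROM_REGION_SIZE && off + 4u > off;
}

/* Unchecked path: reproduces the reported defect. The write is only performed
 * when it stays inside the simulated region so the demo itself does not corrupt
 * memory; *oob reports whether the real driver would have written out of bounds. */
static int srom_configure_bank_unchecked(struct fake_srom *s, uint32_t bank,
                                         uint32_t bc_value, bool *oob)
{
    uint32_t off = srom_raw_offset(bank);

    *oob = !srom_offset_in_region(off);
    if (!*oob)
        s->regs[off / 4] = bc_value;
    return 0;
}

/* Hardened path: validate the DT index before it is scaled, as the proposed fix
 * does. Checking the computed offset afterwards would not catch wrapped values. */
static int srom_configure_bank_checked(struct fake_srom *s, uint32_t bank,
                                       uint32_t bc_value)
{
    if (bank >= SROM_NR_BANKS) {
        fprintf(stderr, "Invalid bank number %u (maximum is %u)\n",
                bank, SROM_NR_BANKS - 1);
        return -SROM_EINVAL;
    }
    s->regs[srom_raw_offset(bank) / 4] = bc_value;
    return 0;
}

int main(void)
{
    /* Constructed DT "reg" values: the report's bank=255 and a wrapping value. */
    const uint32_t samples[] = { 0u, 3u, 255u, 0x40000001u };
    struct fake_srom srom;
    size_t i;

    memset(&srom, 0, sizeof srom);
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool oob;

        srom_configure_bank_unchecked(&srom, samples[i], 0xa5a5a5a5u, &oob);
        printf("bank=%-10u offset=%-10u unchecked:%-14s checked:%s\n",
               samples[i], srom_raw_offset(samples[i]),
               oob ? "out-of-bounds" : "in-region",
               srom_configure_bank_checked(&srom, samples[i], 0x5a5a5a5au) == 0
                   ? "accepted" : "rejected");
    }
    return 0;
}
```

The offset-only check in `srom_offset_in_region` is deliberately shown as insufficient: bank 0x40000001 lands on the same register as bank 1 and passes it, while the index check in `srom_configure_bank_checked` rejects it before any arithmetic is done.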

Thread overview: 2+ messages in thread
     [not found] <CAD7tK9b8VFPan6tMmOv+_juaYc1Ycfy6t4DoioKDeLGE7ECqeg@mail.gmail.com>
2026-04-24  4:01 ` [SECURITY] Samsung Exynos SROM: Out-of-bounds write via unchecked device tree bank parameter Greg KH
2026-04-23 23:17 Saifuddin Kaijar