In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/oppo_vooc.c, the function proc_fastchg_fw_update_write in proc_fastchg_fw_update_write does not check the parameter len, resulting in a vulnerability.
A critical vulnerability exists in the Oppo VOOC fast-charging firmware update process, allowing for potential arbitrary code execution. This flaw, stemming from a missing length check, could be exploited to overwrite critical memory regions. Successful exploitation could lead to device compromise, including data theft and system control.
Step 1: Trigger Preparation: The attacker identifies a vulnerable Oppo device and prepares a malicious firmware update package.
Step 2: Payload Delivery: The attacker crafts a specially crafted firmware update file with a payload designed to overwrite critical memory regions when written through the proc_fastchg_fw_update_write function.
Step 3: Update Initiation: The attacker initiates the firmware update process, likely through a USB connection or a custom application that interacts with the fast-charging update mechanism.
Step 4: Vulnerability Trigger: The malicious firmware update package is sent to the vulnerable function proc_fastchg_fw_update_write.
Step 5: Buffer Overflow: Due to the missing length check, the function writes the malicious payload beyond the allocated buffer.
Step 6: Code Execution: The buffer overflow overwrites critical memory, potentially including function pointers. When the system attempts to execute the overwritten code, the attacker's payload is executed, achieving arbitrary code execution within the kernel.
Step 7: System Compromise: The attacker gains control of the device, potentially allowing for data exfiltration, device bricking, or further exploitation of the device's resources.
The vulnerability lies within the proc_fastchg_fw_update_write function in oppo_vooc.c. The function, responsible for handling firmware updates for Oppo's VOOC fast-charging technology, fails to validate the len parameter, which specifies the size of the data being written. This lack of bounds checking allows an attacker to write data beyond the allocated buffer, leading to a buffer overflow. This overflow can overwrite adjacent memory regions, potentially including critical data structures, function pointers, or even the kernel stack. The root cause is a missing input validation step, a common programming error. The impact is significant, as it allows for arbitrary code execution within the kernel context, granting the attacker a high degree of control over the device.