CVE-2020-11835

MEDIUM 5.5 / 10.0
Published: December 31, 2020 at 06:15 PM
Modified: November 21, 2024 at 04:58 AM
Source: security@oppo.com

Vulnerability Description

In /SM8250_Q_Master/android/vendor/oppo_charger/oppo/charger_ic/oppo_da9313.c, failure to check the parameter buf in the function proc_work_mode_write causes a vulnerability.

CVSS Metrics

Base Score
5.5
Severity
MEDIUM
Vector String
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

A vulnerability rated MEDIUM (CVSS 5.5) on this page exists in the Oppo charger IC kernel driver (oppo_da9313.c), with potential for arbitrary code execution due to a missing parameter check. This flaw, stemming from an unchecked buf parameter in the proc_work_mode_write function, could enable attackers to compromise devices and potentially gain root access. Successful exploitation could lead to data theft, device control, and further lateral movement within a compromised network; note, however, that the recorded CVSS vector credits only an availability impact, so these broader outcomes are not confirmed by the metrics on this page.

02 // Vulnerability Mechanism

Step 1: Trigger the Vulnerable Function: The attacker must first interact with the vulnerable proc_work_mode_write function. This likely involves writing to a specific /proc file associated with the Oppo charger IC.

Step 2: Craft a Malicious Payload: The attacker crafts a payload designed to overflow the buf buffer. This payload will contain malicious code or overwrite critical data in memory.

Step 3: Write the Payload: The attacker writes the crafted payload to the /proc file, triggering the proc_work_mode_write function with the malicious input.

Step 4: Buffer Overflow: The proc_work_mode_write function, lacking proper bounds checking, writes the attacker's payload beyond the allocated buffer.

Step 5: Code Execution/System Compromise: The overflow overwrites critical memory regions, such as function pointers or control data. This allows the attacker to redirect program execution to their malicious code, gaining control of the device and potentially escalating privileges.

03 // Deep Technical Analysis

The vulnerability lies within the proc_work_mode_write function in oppo_da9313.c. The root cause is a missing bounds check on the buf parameter passed to the function. This allows an attacker to write data beyond the allocated buffer, leading to a buffer overflow. This overflow can overwrite adjacent memory regions, potentially including function pointers or other critical data structures. By carefully crafting the input, an attacker could overwrite these structures and redirect program execution to arbitrary code. The lack of input validation is what makes the flaw reachable at all. The CVSS 3.1 vector recorded above (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) should temper this assessment: it describes a local attack vector requiring low privileges, not remote exploitation, and its impact metrics credit only a high availability impact with no confidentiality or integrity loss, which is consistent with an unchecked kernel-side write that crashes the driver or the kernel rather than a confirmed code-execution primitive. From a defensive standpoint, the fix is to bound every copy from the user-supplied buffer by the destination size and to reject or truncate oversized writes before they reach the driver's parsing logic.

CVE-2020-11835 - MEDIUM Severity (5.5) | Free CVE Database | 4nuxd