[SECURITY] Samsung Exynos SROM: Out-of-bounds write via unchecked device tree bank parameter

From: Saifuddin Kaijar

Date: Thu Apr 23 2026 - 19:17:34 EST


Dear Linux Kernel Security Team,

I am reporting a security vulnerability in the Samsung Exynos SROM driver.

SUMMARY:
Out-of-bounds MMIO write due to missing validation of device tree bank
parameter.

COMPONENT:
File: drivers/memory/samsung/exynos-srom.c
Function: exynos_srom_configure_bank()
Lines: 74-100

AFFECTED VERSIONS:
All kernels since 3.15 (2015) up to current mainline (6.12.1)

SEVERITY:
HIGH (CVSS 7.8: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CWE-787: Out-of-bounds Write

DESCRIPTION:
The driver reads the 'bank' parameter from the device tree without validation,
then uses it as an offset for MMIO register writes:

static int exynos_srom_configure_bank(struct exynos_srom *srom,
                                      struct device_node *np)
{
        u32 bank, width, pmc = 0;

        if (of_property_read_u32(np, "reg", &bank))
                return -EINVAL;
        /* ❌ NO VALIDATION - bank can be 0-4294967295 */

        bank *= 4; /* Unchecked multiplication */

        /* ❌ Out-of-bounds write */
        writel_relaxed(..., srom->reg_base + EXYNOS_SROM_BC0 + bank);
}

Valid range: bank = 0-3 (only 4 banks: BC0, BC1, BC2, BC3)
Mapped region: 20 bytes (0x14)
Attack example: bank=255 → offset=1020 → 1000 bytes out-of-bounds

IMPACT:
- Kernel memory corruption
- Privilege escalation (CAP_SYS_ADMIN → root)
- Denial of service (kernel panic)

PROOF OF CONCEPT:
Malicious device tree triggers crash:

srom-controller@12570000 {
        compatible = "samsung,exynos4210-srom";
        reg = <0x12570000 0x14>;
        bank@255 { reg = <255>; }; /* Out of bounds */
};

Result: Kernel writes to reg_base+1020 (only 20 bytes mapped) → panic

TESTED ON:
- Linux mainline 6.12.1
- Samsung Galaxy S23 (Exynos 2200)
- Android kernel 6.6.x (android14-6.6-lts)

PROPOSED FIX:
Add bounds check after line 76:

+ /* Validate bank number is within hardware limits */
+ if (bank > 3) {
+ dev_err(dev, "Invalid bank number %u (maximum is 3)\n", bank);
+ return -EINVAL;
+ }
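Review bot: `dev` is not in scope in exynos_srom_configure_bank() as quoted above (its parameters are `srom` and `np`), so this hunk will not compile as written; use the device pointer the driver already holds (for example `srom->dev`, if the struct carries one) or pass a `struct device *` into the function. Two smaller points: the check has to sit before `bank *= 4`, since the message prints the raw bank index and the limit `3` only makes sense before scaling; and `3` is better written as a named constant derived from the BC0..BC3 register count, so the bound cannot drift from the register definitions it protects.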

ADDITIONAL ISSUE:
Device tree node reference leak at lines 139-146 (missing of_node_put).

DISCLOSURE STATUS:
- Reported to Samsung Mobile Security on April 24, 2026
- Samsung is developing patch
- Coordinated disclosure planned

I can provide complete PoC, crash logs, and patch if needed.

Best regards,
Saifuddin Kaijar
Email: mailtokaijar@xxxxxxxxx
Date: April 24, 2026
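Added example, not part of the report above and not code from the kernel driver: a user-space C model of the three offset computations the report touches on, namely the unchecked one from the driver excerpt, a check applied to the scaled offset (which u32 wrap-around defeats), and the pre-scaling check the proposed fix uses. The MMIO window is a plain byte array; the BC0 offset of 0x4 (after a bus-width register at 0x0) and the constant names are assumptions made for this model, not values taken from the report.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Model of the SROM register window described in the report: a 0x14-byte
 * region holding four 32-bit bank-control registers BC0..BC3. The offset of
 * BC0 (0x4, following a bus-width register at 0x0) is an assumption for this
 * example, not a value stated in the report.
 */
#define SROM_REGION_SIZE   0x14u
#define SROM_BC0           0x04u
#define SROM_NUM_BANKS     4u

/* Simulated MMIO window standing in for srom->reg_base. */
static uint8_t srom_region[SROM_REGION_SIZE];

/* Offset of the most recent simulated write, -1 if none has happened. */
static int64_t last_write_offset = -1;

int64_t srom_last_write_offset(void)
{
	return last_write_offset;
}

/*
 * Simulated writel_relaxed(): refuses writes that would leave the window
 * and reports them as -EFAULT. Real MMIO has no such guard; the write would
 * land on whatever follows the mapping.
 */
static int sim_writel(uint32_t offset, uint32_t value)
{
	if (offset > SROM_REGION_SIZE - sizeof(value))
		return -EFAULT;
	memcpy(srom_region + offset, &value, sizeof(value));
	last_write_offset = offset;
	return 0;
}

/* As reported: the bank index goes straight into the offset computation. */
int configure_bank_unchecked(uint32_t bank, uint32_t value)
{
	uint32_t off = bank * 4u;	/* wraps for bank >= 0x40000000 */

	return sim_writel(SROM_BC0 + off, value);
}

/*
 * Tempting but wrong: validating the scaled offset instead of the index.
 * u32 arithmetic wraps, so a huge bank value can yield a small offset that
 * passes the check yet does not address any BC register (here it hits 0x0).
 */
int configure_bank_post_check(uint32_t bank, uint32_t value)
{
	uint32_t off = SROM_BC0 + bank * 4u;

	if (off + sizeof(value) > SROM_REGION_SIZE)
		return -EINVAL;
	return sim_writel(off, value);
}

/* Hardened: reject the index before it is scaled, as the proposed fix does. */
int configure_bank_checked(uint32_t bank, uint32_t value)
{
	if (bank >= SROM_NUM_BANKS)
		return -EINVAL;
	return sim_writel(SROM_BC0 + bank * 4u, value);
}

int main(void)
{
	/* Constructed inputs: the report's bank=255 plus a wrap-around value. */
	printf("unchecked  bank=255        -> %d\n",
	       configure_bank_unchecked(255u, 0x1u));
	printf("post-check bank=0x3fffffff -> %d (wrote offset %lld)\n",
	       configure_bank_post_check(0x3fffffffu, 0x1u),
	       (long long)srom_last_write_offset());
	printf("checked    bank=0x3fffffff -> %d\n",
	       configure_bank_checked(0x3fffffffu, 0x1u));
	printf("checked    bank=3          -> %d\n",
	       configure_bank_checked(3u, 0x1u));
	return 0;
}
```

The point the model makes is that the validation belongs on the raw index, before multiplication: a check on the already-scaled offset is reachable with bank values around 0x3fffffff that wrap to a small offset, and in the simulated window that write lands on offset 0x0, outside the BC0..BC3 registers the function is meant to touch.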