Experimenting With Patch Diffing Cve 2022 39848

Experimenting with patch diffing (CVE-2022-39848)

To experiment with patch diffing, I take a look at CVE-2022-39848, “Exposure of sensitive information in AT_Distributor prior to SMR Oct-2022 Release 1 allows local attacker to access SerialNo via log.”.

On Samfw.com I grab A125F_PHN_A125FXXS2CVK2 and A125F_PHN_A125FXXS2CVH2 for comparison and extracted them with https://github.com/srlabs/extractor.

at_distributor in both versions have the same filesize, but different md5, so seems to be on the right path:

# ls -la SM-A125F_PHN_A125FXXS2CV*/bin/at_distributor
-rwxr-xr-x 1 root 2000 141264 Dec 31  2008 SM-A125F_PHN_A125FXXS2CVH2/bin/at_distributor
-rwxr-xr-x 1 root 2000 141264 Dec 31  2008 SM-A125F_PHN_A125FXXS2CVK2/bin/at_distributor
# md5sum SM-A125F_PHN_A125FXXS2CV*/bin/at_distributor
795ce0c330ebf8798963fa5eb57470bf  SM-A125F_PHN_A125FXXS2CVH2/bin/at_distributor
57593b0d85114cbc60ed328de0b49811  SM-A125F_PHN_A125FXXS2CVK2/bin/at_distributor

Both files were uploaded to https://dogbolt.org/ and I took the hex-rays decompiled results.

A125FXXS2CVH2 has 10 results for “SERIALNO” and A125FXXS2CVK2 has 6 results for “SERIALNO”.

Comparing the main() shows the following difference:

A125FXXS2CVH2:
          if ( atoi((const char *)nptr) >= 28 )
          {
            memset(&readfds, 0, 92);
            sprintf((__int64)&readfds, 92LL, "%s%s", "SEC_SN=", v4);
            v8 = __strlen_chk(&readfds, 92LL);
            __android_log_print(
              3LL,
              "AT_Distributor",
              "SERIALNO: serialNumber = %s, serialLen = %d",
              (const char *)&readfds,
              v8);
            v9 = __strlen_chk(&readfds, 92LL);
            __android_log_buf_print(
              1LL,
              3LL,
              "ATD",
              "SERIALNO: serialNumber = %s, serialLen = %d",
              (const char *)&readfds,
              v9);
            if ( readfds.fds_bits[0] ^ 0x303D4E535F434553LL | readfds.fds_bits[1] ^ 0x3030303030303030LL | *(__fd_mask *)((char *)&readfds.fds_bits[1] + 3) ^ 0x30303030303030LL )
            {
              if ( __strlen_chk(&readfds, 92LL) == 18 )
              {
                __android_log_print(3LL, "AT_Distributor", "SERIALNO: syncBootParam");
                __android_log_buf_print(1LL, 3LL, "ATD", "SERIALNO: syncBootParam");
                v10 = __strlen_chk(&readfds, 92LL);
                syncBootParam((const char *)&readfds, "ro.boot.sn.param.offset", v10);
              }
            }
          }

A125FXXS2CVK2:
          if ( atoi((const char *)nptr) >= 28 )
          {
            memset(&readfds, 0, 92);
            sprintf((__int64)&readfds, 92LL, "%s%s", "SEC_SN=", v4);
            if ( readfds.fds_bits[0] ^ 0x303D4E535F434553LL | readfds.fds_bits[1] ^ 0x3030303030303030LL | *(__fd_mask *)((char *)&readfds.fds_bits[1] + 3) ^ 0x30303030303030LL )
            {
              if ( __strlen_chk(&readfds, 92LL) == 18 )
              {
                __android_log_print(3LL, "AT_Distributor", "SERIALNO: syncBootParam");
                __android_log_buf_print(1LL, 3LL, "ATD", "SERIALNO: syncBootParam");
                v7 = __strlen_chk(&readfds, 92LL);
                syncBootParam((const char *)&readfds, "ro.boot.sn.param.offset", v7);
              }
            }
          }

I was hoping a leakage through AT commands, but it seems like it’s through the android logcat.

But, a useful experiment of comparing binaries through decompilers none-the-less.