Mali kernel device driver QOS bug

Hello

I have found a bug in Mali kernel devices drivers which can cause kernel crash on some android phone devices

the newest mali driver  r5p2-00rel0 still has the problem http://malideveloper.arm.com/resources/drivers/open-source-mali-gpus-linux-kernel-device-drivers/

code file: DX910-SW-99002-r5p2-00rel0/driver/src/devicedrv/mali/common/mali_pp_job.c

target function:

struct mali_pp_job *mali_pp_job_create(struct mali_session_data *session,

                       _mali_uk_pp_start_job_s __user *uargs, u32 id)

Now I will show why this function can cause dos exploits:

==========

struct mali_pp_job *mali_pp_job_create(struct mali_session_data *session,

                       _mali_uk_pp_start_job_s __user *uargs, u32 id)

{

struct mali_pp_job *job;

job = _mali_osk_calloc(1, sizeof(struct mali_pp_job));

u32 num_memory_cookies = 0;

        if (0 != _mali_osk_copy_from_user(&job->uargs, uargs, sizeof(_mali_uk_pp_start_job_s))) {

            goto fail;

        }

if (job->uargs.num_cores > _MALI_PP_MAX_SUB_JOBS) {

            MALI_PRINT_ERROR(("Mali PP job: Too many sub jobs specified in job object\n"));

            goto fail;

        }

.....

fail:

    if (NULL != job) {

        mali_pp_job_delete(job);

    }

===============

job is a local value of type struct mali_pp_job *, the  default value of it's all members would be  zero (you can see  function _mali_osk_calloc)

job->uargs can be controled from user space  because it use copy_from_user . so we can make job->uargs.num_cores  larger than _MALI_PP_MAX_SUB_JOBS , so the driver would goto fail , which will call function mali_pp_job_delete

=====

void mali_pp_job_delete(struct mali_pp_job *job)

{

    MALI_DEBUG_ASSERT_POINTER(job);

    MALI_DEBUG_ASSERT(_mali_osk_list_empty(&job->list));

    MALI_DEBUG_ASSERT(_mali_osk_list_empty(&job->session_fb_lookup_list));

...

}

MALI_STATIC_INLINE mali_bool _mali_osk_list_empty( _mali_osk_list_t *list )

{

  return list->next == list;

}

=====

function mali_pp_job_delete  will assert 'job->list' empty or not,

because job->list  has not been init , so list->next would be 0, so it does not equals to 'list' , that means _mali_osk_list_empty would returns false , assert fails!!!

=====

#define MALI_DEBUG_ASSERT(condition) do  {if( !(condition)) {MALI_PRINT_ERROR(("ASSERT failed: " #condition )); _mali_osk_break();} } while(0)

void _mali_osk_abort(void)

{

  /* make a simple fault by dereferencing a NULL pointer */

  dump_stack();

  *(int *)0 = 0;

}

void _mali_osk_break(void)

{

  _mali_osk_abort();

}

=====

asserts fail would cause _mali_osk_abort , which cause kernel  to crash !!

My testing device is Huawei P8 ALE-UL00 , android version 5.0 , you can download its kernel code from :   http://emui.huawei.com/cn/plugin.php?id=hwdownload&mod=detail&mid=144http://emui.huawei.com/cn/plugin.php?id=hwdownload&mod=detail&mid=144  Download - EMUIhttp://emui.huawei.com/cn/plugin.php?id=hwdownload&mod=detail&mid=144  

http://emui.huawei.com/cn/plugin.php?id=hwdownload&mod=detail&mid=144

bug code: 

                        kernel/drivers/gpu/arm/mali4_64/r5p0_01rel0/common/mali_pp_job.c

                      kernel/drivers/gpu/arm/mali4_32/r4p1_01rel0/common/mali_pp_job.c  

                    kernel/drivers/gpu/arm/mali4_32/r4p0_00rel0/common/mali_pp_job.c

test device:

shell@hwALE-H:/ $ ll /dev/mali

ll /dev/mali

crw-rw-rw- system   graphics  10,  58 2015-09-16 17:14 mali

as you can see, Mali devices in huawei P8 ale-ul00 can be accessed by all users!!!!

so, any users can trigger the phone to  crash  use a simple ioctl to /dev/mali .

I didn't test this bug in other mobile phones , but  I believe there is a huge number of devices can be triggered crash using this bug. I hope you will pay attention to this problem