Hello
I have found a bug in Mali kernel devices drivers which can cause kernel crash on some android phone devices
the newest mali driver r5p2-00rel0 still has the problem http://malideveloper.arm.com/resources/drivers/open-source-mali-gpus-linux-kernel-device-drivers/
code file: DX910-SW-99002-r5p2-00rel0/driver/src/devicedrv/mali/common/mali_pp_job.c
target function:
struct mali_pp_job *mali_pp_job_create(struct mali_session_data *session,
_mali_uk_pp_start_job_s __user *uargs, u32 id)
Now I will show why this function can cause dos exploits:
==========
{
struct mali_pp_job *job;
job = _mali_osk_calloc(1, sizeof(struct mali_pp_job));
u32 num_memory_cookies = 0;
if (0 != _mali_osk_copy_from_user(&job->uargs, uargs, sizeof(_mali_uk_pp_start_job_s))) {
goto fail;
}
if (job->uargs.num_cores > _MALI_PP_MAX_SUB_JOBS) {
MALI_PRINT_ERROR(("Mali PP job: Too many sub jobs specified in job object\n"));
.....
fail:
if (NULL != job) {
mali_pp_job_delete(job);
===============
job is a local value of type struct mali_pp_job *, the default value of it's all members would be zero (you can see function _mali_osk_calloc)
job->uargs can be controled from user space because it use copy_from_user . so we can make job->uargs.num_cores larger than _MALI_PP_MAX_SUB_JOBS , so the driver would goto fail , which will call function mali_pp_job_delete
=====
void mali_pp_job_delete(struct mali_pp_job *job)
MALI_DEBUG_ASSERT_POINTER(job);
MALI_DEBUG_ASSERT(_mali_osk_list_empty(&job->list));
MALI_DEBUG_ASSERT(_mali_osk_list_empty(&job->session_fb_lookup_list));
...
MALI_STATIC_INLINE mali_bool _mali_osk_list_empty( _mali_osk_list_t *list )
return list->next == list;
function mali_pp_job_delete will assert 'job->list' empty or not,
because job->list has not been init , so list->next would be 0, so it does not equals to 'list' , that means _mali_osk_list_empty would returns false , assert fails!!!
#define MALI_DEBUG_ASSERT(condition) do {if( !(condition)) {MALI_PRINT_ERROR(("ASSERT failed: " #condition )); _mali_osk_break();} } while(0)
void _mali_osk_abort(void)
/* make a simple fault by dereferencing a NULL pointer */
dump_stack();
*(int *)0 = 0;
void _mali_osk_break(void)
_mali_osk_abort();
asserts fail would cause _mali_osk_abort , which cause kernel to crash !!
My testing device is Huawei P8 ALE-UL00 , android version 5.0 , you can download its kernel code from : http://emui.huawei.com/cn/plugin.php?id=hwdownload&mod=detail&mid=144http://emui.huawei.com/cn/plugin.php?id=hwdownload&mod=detail&mid=144 Download - EMUIhttp://emui.huawei.com/cn/plugin.php?id=hwdownload&mod=detail&mid=144
http://emui.huawei.com/cn/plugin.php?id=hwdownload&mod=detail&mid=144
bug code:
kernel/drivers/gpu/arm/mali4_64/r5p0_01rel0/common/mali_pp_job.c
kernel/drivers/gpu/arm/mali4_32/r4p1_01rel0/common/mali_pp_job.c
kernel/drivers/gpu/arm/mali4_32/r4p0_00rel0/common/mali_pp_job.c
test device:
shell@hwALE-H:/ $ ll /dev/mali
ll /dev/mali
crw-rw-rw- system graphics 10, 58 2015-09-16 17:14 mali
as you can see, Mali devices in huawei P8 ale-ul00 can be accessed by all users!!!!
so, any users can trigger the phone to crash use a simple ioctl to /dev/mali .
I didn't test this bug in other mobile phones , but I believe there is a huge number of devices can be triggered crash using this bug. I hope you will pay attention to this problem
Hi jjayy,
Once again thank you for reporting this issue with us.
We have identified the problem and have resolved it in our latest driver.
Please remember that we do not control the updates of the OEMs who license us, so although they will receive the latest driver when we release it next, there may be a delay before they decide to push this update to existing devices.
Kind Regards,
Michael McGeagh