Hello
I have found a bug in Mali kernel devices drivers which can cause kernel crash on some android phone devices
the newest mali driver r5p2-00rel0 still has the problem http://malideveloper.arm.com/resources/drivers/open-source-mali-gpus-linux-kernel-device-drivers/
code file: DX910-SW-99002-r5p2-00rel0/driver/src/devicedrv/mali/common/mali_pp_job.c
target function:
struct mali_pp_job *mali_pp_job_create(struct mali_session_data *session,
_mali_uk_pp_start_job_s __user *uargs, u32 id)
Now I will show why this function can cause dos exploits:
==========
{
struct mali_pp_job *job;
job = _mali_osk_calloc(1, sizeof(struct mali_pp_job));
u32 num_memory_cookies = 0;
if (0 != _mali_osk_copy_from_user(&job->uargs, uargs, sizeof(_mali_uk_pp_start_job_s))) {
goto fail;
}
if (job->uargs.num_cores > _MALI_PP_MAX_SUB_JOBS) {
MALI_PRINT_ERROR(("Mali PP job: Too many sub jobs specified in job object\n"));
.....
fail:
if (NULL != job) {
mali_pp_job_delete(job);
===============
job is a local value of type struct mali_pp_job *, the default value of it's all members would be zero (you can see function _mali_osk_calloc)
job->uargs can be controled from user space because it use copy_from_user . so we can make job->uargs.num_cores larger than _MALI_PP_MAX_SUB_JOBS , so the driver would goto fail , which will call function mali_pp_job_delete
=====
void mali_pp_job_delete(struct mali_pp_job *job)
MALI_DEBUG_ASSERT_POINTER(job);
MALI_DEBUG_ASSERT(_mali_osk_list_empty(&job->list));
MALI_DEBUG_ASSERT(_mali_osk_list_empty(&job->session_fb_lookup_list));
...
MALI_STATIC_INLINE mali_bool _mali_osk_list_empty( _mali_osk_list_t *list )
return list->next == list;
function mali_pp_job_delete will assert 'job->list' empty or not,
because job->list has not been init , so list->next would be 0, so it does not equals to 'list' , that means _mali_osk_list_empty would returns false , assert fails!!!
#define MALI_DEBUG_ASSERT(condition) do {if( !(condition)) {MALI_PRINT_ERROR(("ASSERT failed: " #condition )); _mali_osk_break();} } while(0)
void _mali_osk_abort(void)
/* make a simple fault by dereferencing a NULL pointer */
dump_stack();
*(int *)0 = 0;
void _mali_osk_break(void)
_mali_osk_abort();
asserts fail would cause _mali_osk_abort , which cause kernel to crash !!
My testing device is Huawei P8 ALE-UL00 , android version 5.0 , you can download its kernel code from : http://emui.huawei.com/cn/plugin.php?id=hwdownload&mod=detail&mid=144http://emui.huawei.com/cn/plugin.php?id=hwdownload&mod=detail&mid=144 Download - EMUIhttp://emui.huawei.com/cn/plugin.php?id=hwdownload&mod=detail&mid=144
http://emui.huawei.com/cn/plugin.php?id=hwdownload&mod=detail&mid=144
bug code:
kernel/drivers/gpu/arm/mali4_64/r5p0_01rel0/common/mali_pp_job.c
kernel/drivers/gpu/arm/mali4_32/r4p1_01rel0/common/mali_pp_job.c
kernel/drivers/gpu/arm/mali4_32/r4p0_00rel0/common/mali_pp_job.c
test device:
shell@hwALE-H:/ $ ll /dev/mali
ll /dev/mali
crw-rw-rw- system graphics 10, 58 2015-09-16 17:14 mali
as you can see, Mali devices in huawei P8 ale-ul00 can be accessed by all users!!!!
so, any users can trigger the phone to crash use a simple ioctl to /dev/mali .
I didn't test this bug in other mobile phones , but I believe there is a huge number of devices can be triggered crash using this bug. I hope you will pay attention to this problem
It's also worth noting that this should only be hit in a debug build of the kernel, so not sure how widely it will impact released phones.
Again, thanks for reporting - much appreciated.
Kind regards, Pete