This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Mali kernel device driver QOS bug

Hello

I have found a bug in Mali kernel devices drivers which can cause kernel crash on some android phone devices

the newest mali driver  r5p2-00rel0 still has the problem http://malideveloper.arm.com/resources/drivers/open-source-mali-gpus-linux-kernel-device-drivers/

code file: DX910-SW-99002-r5p2-00rel0/driver/src/devicedrv/mali/common/mali_pp_job.c

target function:

struct mali_pp_job *mali_pp_job_create(struct mali_session_data *session,

                       _mali_uk_pp_start_job_s __user *uargs, u32 id)

Now I will show why this function can cause dos exploits:

==========

struct mali_pp_job *mali_pp_job_create(struct mali_session_data *session,

                       _mali_uk_pp_start_job_s __user *uargs, u32 id)

{

struct mali_pp_job *job;

job = _mali_osk_calloc(1, sizeof(struct mali_pp_job));

u32 num_memory_cookies = 0;

        if (0 != _mali_osk_copy_from_user(&job->uargs, uargs, sizeof(_mali_uk_pp_start_job_s))) {

            goto fail;

        }

if (job->uargs.num_cores > _MALI_PP_MAX_SUB_JOBS) {

            MALI_PRINT_ERROR(("Mali PP job: Too many sub jobs specified in job object\n"));

            goto fail;

        }

.....

fail:

    if (NULL != job) {

        mali_pp_job_delete(job);

    }

===============

job is a local value of type struct mali_pp_job *, the  default value of it's all members would be  zero (you can see  function _mali_osk_calloc)


job->uargs can be controled from user space  because it use copy_from_user . so we can make job->uargs.num_cores  larger than _MALI_PP_MAX_SUB_JOBS , so the driver would goto fail , which will call function mali_pp_job_delete


=====

void mali_pp_job_delete(struct mali_pp_job *job)

{

    MALI_DEBUG_ASSERT_POINTER(job);

    MALI_DEBUG_ASSERT(_mali_osk_list_empty(&job->list));

    MALI_DEBUG_ASSERT(_mali_osk_list_empty(&job->session_fb_lookup_list));

...

}

MALI_STATIC_INLINE mali_bool _mali_osk_list_empty( _mali_osk_list_t *list )

{

  return list->next == list;

}

=====

function mali_pp_job_delete  will assert 'job->list' empty or not,


because job->list  has not been init , so list->next would be 0, so it does not equals to 'list' , that means _mali_osk_list_empty would returns false , assert fails!!!

=====

#define MALI_DEBUG_ASSERT(condition) do  {if( !(condition)) {MALI_PRINT_ERROR(("ASSERT failed: " #condition )); _mali_osk_break();} } while(0)

void _mali_osk_abort(void)

{

  /* make a simple fault by dereferencing a NULL pointer */

  dump_stack();

  *(int *)0 = 0;

}

void _mali_osk_break(void)

{

  _mali_osk_abort();

}

=====

asserts fail would cause _mali_osk_abort , which cause kernel  to crash !!

My testing device is Huawei P8 ALE-UL00 , android version 5.0 , you can download its kernel code from :   http://emui.huawei.com/cn/plugin.php?id=hwdownload&mod=detail&mid=144http://emui.huawei.com/cn/plugin.php?id=hwdownload&mod=detail&mid=144  Download - EMUIhttp://emui.huawei.com/cn/plugin.php?id=hwdownload&mod=detail&mid=144  

http://emui.huawei.com/cn/plugin.php?id=hwdownload&mod=detail&mid=144

bug code: 

                        kernel/drivers/gpu/arm/mali4_64/r5p0_01rel0/common/mali_pp_job.c

                      kernel/drivers/gpu/arm/mali4_32/r4p1_01rel0/common/mali_pp_job.c  

                    kernel/drivers/gpu/arm/mali4_32/r4p0_00rel0/common/mali_pp_job.c

test device:

shell@hwALE-H:/ $ ll /dev/mali

ll /dev/mali

crw-rw-rw- system   graphics  10,  58 2015-09-16 17:14 mali

as you can see, Mali devices in huawei P8 ale-ul00 can be accessed by all users!!!!


so, any users can trigger the phone to  crash  use a simple ioctl to /dev/mali .

I didn't test this bug in other mobile phones , but  I believe there is a huge number of devices can be triggered crash using this bug. I hope you will pay attention to this problem

Parents Reply Children
  • Hi jjayy,

    Once again thank you for reporting this issue with us.

    We have identified the problem and have resolved it in our latest driver.

    Please remember that we do not control the updates of the OEMs who license us, so although they will receive the latest driver when we release it next, there may be a delay before they decide to push this update to existing devices.

    Kind Regards,

    Michael McGeagh

  • It's also worth noting that this should only be hit in a debug build of the kernel, so not sure how widely it will impact released phones.

    Again, thanks for reporting - much appreciated.

    Kind regards,
    Pete