
Issue 351855 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Mar 2014
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security
GFx

Blocking:
issue 352492




Pwnium 4: Mali GPU driver does not mask out VM_MAYWRITE

Reported by 70696e6b...@gmail.com, Mar 12 2014

Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.74.9 (KHTML, like Gecko) Version/7.0.2 Safari/537.74.9
Platform: 5116.113.0 (Official Build) stable-channel daisy_spring

Steps to reproduce the problem:
This bug really has nothing to do with Chromium, but it is valid for Pwnium and I was trying to use it for that.

One of the things you can mmap via /dev/mali0 is the trace buffer. mali_kbase_mem_linux.c attempts to make it read only:

	/* map read only, noexec */
	vma->vm_flags &= ~(VM_WRITE | VM_EXEC);

However, it does not mask VM_MAYWRITE, so you can change it back to writable by calling mprotect.

This buffer is used by kbase_device_trace_register_access, which writes to an offset in the buffer based on a word at the beginning.  It assumes the offset was written by itself, so it doesn't do any further check; if you can map the buffer writable, then you can change the offset and write out of bounds to kernel memory.

What is the expected behavior?

What went wrong?

Did this work before? N/A 

Chrome version: 33.0.1750.149  Channel: stable
OS Version: 
Flash Version:
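The report above turns on one detail of how Linux decides whether mprotect() may re-enable a permission: the VM_* access bits are only allowed to grow back into the VM_MAY* set, so clearing VM_WRITE without clearing VM_MAYWRITE leaves the upgrade open. The following is an added userspace model of that logic, not code from the Mali driver or the kernel. The VM_*/VM_MAY* bit values and the `newflags >> 4` subset test are the kernel's; `struct`-free `setup_vulnerable`/`setup_fixed`, `model_mprotect`, `writable_after_mprotect` and the assumed starting flags of a fresh shared RW mapping (`INITIAL_FLAGS`) are simplifications made for this illustration.

```c
/* Added example: userspace model of the vm_flags / mprotect() interaction
 * behind this bug. Not the driver's or the kernel's own code. */
#include <stdbool.h>
#include <stdio.h>

/* Linux vm_flags bits: each VM_MAY* bit sits exactly four bits above its VM_* bit */
#define VM_READ     0x00000001UL
#define VM_WRITE    0x00000002UL
#define VM_EXEC     0x00000004UL
#define VM_SHARED   0x00000008UL
#define VM_MAYREAD  0x00000010UL
#define VM_MAYWRITE 0x00000020UL
#define VM_MAYEXEC  0x00000040UL
#define VM_MAYSHARE 0x00000080UL

/* mprotect() PROT_* values (asm-generic) */
#define PROT_READ  0x1
#define PROT_WRITE 0x2
#define PROT_EXEC  0x4

/* Assumed flags of a fresh MAP_SHARED, PROT_READ|PROT_WRITE mapping of a
 * device node opened read/write, before the driver's mmap hook runs. */
static const unsigned long INITIAL_FLAGS =
    VM_READ | VM_WRITE | VM_SHARED |
    VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC | VM_MAYSHARE;

/* The pattern quoted in the report: drops the current VM_WRITE/VM_EXEC only */
static unsigned long setup_vulnerable(unsigned long vm_flags)
{
    return vm_flags & ~(VM_WRITE | VM_EXEC);
}

/* The pattern the fix's title describes ("~VM_MAY* as well as VM_*"):
 * also drop the VM_MAY* bits so the permissions cannot be restored later */
static unsigned long setup_fixed(unsigned long vm_flags)
{
    return vm_flags & ~(VM_WRITE | VM_EXEC | VM_MAYWRITE | VM_MAYEXEC);
}

/* PROT_* -> VM_* for the three access bits (mirrors calc_vm_prot_bits) */
static unsigned long calc_vm_prot_bits(int prot)
{
    return ((prot & PROT_READ)  ? VM_READ  : 0UL) |
           ((prot & PROT_WRITE) ? VM_WRITE : 0UL) |
           ((prot & PROT_EXEC)  ? VM_EXEC  : 0UL);
}

/* Model of the mprotect() access check: the requested VM_* bits must be a
 * subset of the mapping's VM_MAY* bits, otherwise the call fails with EACCES.
 * Returns 0 and updates *vm_flags on success, -1 on refusal. */
static int model_mprotect(unsigned long *vm_flags, int prot)
{
    unsigned long newflags = calc_vm_prot_bits(prot) |
                             (*vm_flags & ~(VM_READ | VM_WRITE | VM_EXEC));
    /* newflags >> 4 aligns VM_MAY* with VM_*; any access bit without its
     * MAY counterpart is an illegal upgrade */
    if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC))
        return -1; /* EACCES */
    *vm_flags = newflags;
    return 0;
}

/* Does a mapping prepared by 'setup' become writable after
 * mprotect(PROT_READ|PROT_WRITE)? */
static bool writable_after_mprotect(unsigned long (*setup)(unsigned long))
{
    unsigned long flags = setup(INITIAL_FLAGS);
    if (model_mprotect(&flags, PROT_READ | PROT_WRITE) != 0)
        return false;
    return (flags & VM_WRITE) != 0;
}

/* Sanity check that the fixed variant still permits a plain read-only remap */
static bool readable_after_mprotect(unsigned long (*setup)(unsigned long))
{
    unsigned long flags = setup(INITIAL_FLAGS);
    if (model_mprotect(&flags, PROT_READ) != 0)
        return false;
    return (flags & VM_READ) != 0;
}

int main(void)
{
    printf("VM_WRITE only cleared:     mprotect(RW) %s\n",
           writable_after_mprotect(setup_vulnerable) ? "succeeds" : "refused");
    printf("VM_MAYWRITE cleared too:   mprotect(RW) %s\n",
           writable_after_mprotect(setup_fixed) ? "succeeds" : "refused");
    return 0;
}
```

The first line of output reproduces what the report describes (the upgrade succeeds); the second shows the masking the commits below apply, where the same mprotect() is refused while a read-only remap still works. When auditing other drivers' mmap hooks, the same rule applies: any VM_* bit a driver clears for security must have its VM_MAY* partner cleared as well.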

 
Cc: olofj@chromium.org
Cc: marc...@chromium.org

Comment 3 by olofj@chromium.org, Mar 12 2014

Cc: seanpaul@chromium.org djkurtz@chromium.org
Definitely needs fixing, and we need to report to ARM since this is code that came from them. Android might be exposed as well.

Adding Stephane, Sean and Dan FYI.

I'll prepare CLs.

Comment 4 by olofj@chromium.org, Mar 12 2014

Cc: wad@chromium.org sumit@chromium.org
3.8 CL up: https://chromium-review.googlesource.com/189686.

Do we want this to go out on 3.4/M33 as well, or is M34+35 sufficient? Sumit, Will?

Comment 5 by k...@google.com, Mar 12 2014

Cc: aelias@chromium.org palmer@chromium.org klo...@chromium.org
Adding some mobile folks to ensure they're aware.
Labels: M-34 M-35
Owner: olofj@chromium.org
Status: Started
Yes it will go in m34, m35
Labels: -Pri-2 Pri-1 M-33 Security_Impact-Stable
And M-33
Cc: jorgelo@chromium.org
Did the attachment get lost?  Here it is again.
shellcode.tar.bz2
21.2 KB Download

Comment 10 by jln@chromium.org, Mar 12 2014

Cc: jln@chromium.org
Is there a Chromium-side workaround available on Android?  (It's generally infeasible to get driver fixes distributed to existing devices there.)
How would that work? Any app can open the device node and send those ioctls.
I'm not sure I fully understood the nature of the vulnerability, so I asked to make sure.  It sounds like it's purely between privileged processes and the kernel, and our renderer sandboxing disallows this category of mmap entirely, so we don't need to take any action on Chrome for Android, correct?
This vulnerability will be exploitable by any app running in the regular Android app sandbox (not our stricter renderer sandbox on Android IIUC). Any Android app can get kernel code execution with this bug, on devices with Mali drivers, but realistically you're correct: there's nothing that Chrome proper can do here.

Comment 16 by olofj@chromium.org, Mar 12 2014

So far it has not been proven to provide arbitrary code execution, just to stomp over kernel memory. Or did I miss something?
I verified it works without Kees' hardening changes.

Comment 18 by olofj@chromium.org, Mar 12 2014

Labels: Merge-Requested
Ok, so not directly exposing us but Android still has exposure.

CLs are marked ready for ToT, waiting on merge instructions from Josafat.

Comment 19 by josa...@google.com, Mar 13 2014

Labels: -Merge-Requested Merge-Approved
please merge to 

R34: release-R34-5500.B
R33: release-R33-5116.B
R33-pwnium: stabilize-5116.115.B

Comment 20 by olofj@chromium.org, Mar 13 2014

Ok, CLs are up. Note that R33/R34 of 3.8 seems to lack the VM_WRITE/VM_READ masking in the second case (in kbase_tracking_page_setup). I didn't add them back.

They were added back in ToT in CL:

https://chromium-review.googlesource.com/180950


CLs for review. I'm not going to add reviewers to avoid spamming everybody, so hopefully people will pick it up from here:

https://chromium-review.googlesource.com/189746
https://chromium-review.googlesource.com/189769
https://chromium-review.googlesource.com/189747
https://chromium-review.googlesource.com/189748
https://chromium-review.googlesource.com/189756
https://chromium-review.googlesource.com/189771

Again, I don't have a reasonable way of testing all of these CLs, but the scope is limited and risk is low (if graphics works, we should be OK).

Note that on R34+, we only ship 3.8 but I still checked in the 3.4 changes to stay consistent.
Cc: arm@chromium.org
Labels: Cr-OS-Kernel-Graphics GFX
FYI:  The original purpose of https://chromium-review.googlesource.com/180950 was "to prepare for the uprev to mali wk04_2014".  wk04_2014 merge is slightly cleaner with this patch applied first, and since this behavior is independent of wk04_2014 we merged it first.  Since we weren't planning to uprev mali on other branches, that patch also wasn't cherry-picked to other branches.

However, it looks like the hunk from that patch that cleared (VM_READ/WRITE/EXEC) in kbase_tracking_page_setup() was a partial but incomplete solution to this same issue.  So, I think we do want this hunk on all branches.

Can you squash the kbase_tracking_page_setup() hunk into these patches:
 189748 release-R34-5500.B-chromeos-3.8
 189756 release-R33-5116.B-chromeos-3.8
 189771 stabilize-5116.115.B-chromeos-3.8

Your patches for chromeos-kernel (3.4) already do have the kbase_tracking_page_setup() hunk:
 189746 stabilize-5116.115.B
 189769 release-R33-5116.B
 189747 release-R34-5500.B

Comment 23 by olofj@chromium.org, Mar 13 2014

@djkurtz: I'm not on corp and able to push new changes up until I'm back in the office tomorrow, so given time zone differences you might be better off doing that yourself? :)

Comment 24 by bugdroid1@chromium.org, Mar 13 2014

Project: chromiumos/third_party/kernel
Branch : stabilize-5116.115.B
Author : Olof Johansson <olofj@chromium.org>
Commit : 0e01f999c61156cca010c22c3046fd90c37eafe6

Code-Review  0 : chrome-internal-fetch
Code-Review  +2: Daniel Kurtz, Jorge Lucangeli Obes
Commit-Queue 0 : Jorge Lucangeli Obes, chrome-internal-fetch
Commit-Queue +1: Daniel Kurtz
Verified     0 : Jorge Lucangeli Obes, chrome-internal-fetch
Verified     +1: Daniel Kurtz
Change-Id      : I720fdb2fd59f7ba07a760f5b9dae3dce1d8c565e
Reviewed-at    : https://chromium-review.googlesource.com/189746

CHROMIUM: gpu: mali: Mark mapped pages ~VM_MAY* as well as VM_*

Unmask VM_MAY* for the permissions that are removed, so that mprotect() can't
be used later to upgrade them.

BUG= chromium:351855 
TEST=regular kernel regression testing

drivers/gpu/arm/t6xx/kbase/src/linux/mali_kbase_mem_linux.c

Comment 25 by bugdroid1@chromium.org, Mar 13 2014

Project: chromiumos/third_party/kernel
Branch : release-R33-5116.B
Author : Olof Johansson <olofj@chromium.org>
Commit : 1526274a226023f28ad9cd1f8a85f98c21c1b020

Code-Review  0 : chrome-internal-fetch
Code-Review  +2: Daniel Kurtz, Jorge Lucangeli Obes
Commit-Queue 0 : Jorge Lucangeli Obes, chrome-internal-fetch
Commit-Queue +1: Daniel Kurtz
Verified     0 : Jorge Lucangeli Obes, chrome-internal-fetch
Verified     +1: Daniel Kurtz
Change-Id      : I720fdb2fd59f7ba07a760f5b9dae3dce1d8c565e
Reviewed-at    : https://chromium-review.googlesource.com/189769

CHROMIUM: gpu: mali: Mark mapped pages ~VM_MAY* as well as VM_*

Unmask VM_MAY* for the permissions that are removed, so that mprotect() can't
be used later to upgrade them.

BUG= chromium:351855 
TEST=regular kernel regression testing

drivers/gpu/arm/t6xx/kbase/src/linux/mali_kbase_mem_linux.c

Comment 26 by bugdroid1@chromium.org, Mar 13 2014

Project: chromiumos/third_party/kernel
Branch : release-R34-5500.B
Author : Olof Johansson <olofj@chromium.org>
Commit : b7a57a1023bc72b102088303a8a3c3837c015d5d

Code-Review  0 : chrome-internal-fetch
Code-Review  +2: Daniel Kurtz, Jorge Lucangeli Obes
Commit-Queue 0 : Jorge Lucangeli Obes, chrome-internal-fetch
Commit-Queue +1: Daniel Kurtz
Verified     0 : Jorge Lucangeli Obes, chrome-internal-fetch
Verified     +1: Daniel Kurtz
Change-Id      : I720fdb2fd59f7ba07a760f5b9dae3dce1d8c565e
Reviewed-at    : https://chromium-review.googlesource.com/189747

CHROMIUM: gpu: mali: Mark mapped pages ~VM_MAY* as well as VM_*

Unmask VM_MAY* for the permissions that are removed, so that mprotect() can't
be used later to upgrade them.

BUG= chromium:351855 
TEST=regular kernel regression testing

drivers/gpu/arm/t6xx/kbase/src/linux/mali_kbase_mem_linux.c

Comment 27 by bugdroid1@chromium.org, Mar 13 2014

Project: chromiumos/third_party/kernel
Branch : chromeos-3.4
Author : Olof Johansson <olofj@chromium.org>
Commit : 499071b08002a83e25d59c36990d6fc39f29bc49

Code-Review  0 : Olof Johansson, chrome-internal-fetch
Code-Review  +1: Jorge Lucangeli Obes
Code-Review  +2: Daniel Kurtz, Kees Cook
Commit-Queue 0 : Jorge Lucangeli Obes, Kees Cook, chrome-internal-fetch
Commit-Queue +1: Daniel Kurtz, Olof Johansson
Verified     0 : Daniel Kurtz, Jorge Lucangeli Obes, Kees Cook, chrome-internal-fetch
Verified     +1: Olof Johansson
Change-Id      : I720fdb2fd59f7ba07a760f5b9dae3dce1d8c565e
Reviewed-at    : https://chromium-review.googlesource.com/189723

CHROMIUM: gpu: mali: Mark mapped pages ~VM_MAY* as well as VM_*

Unmask VM_MAY* for the permissions that are removed, so that mprotect() can't
be used later to upgrade them.

BUG= chromium:351855 
TEST=regular kernel regression testing

drivers/gpu/arm/t6xx/kbase/src/linux/mali_kbase_mem_linux.c

Comment 28 by bugdroid1@chromium.org, Mar 13 2014

Project  : chromiumos/third_party/kernel-next
Branch   : release-R34-5500.B-chromeos-3.8
Author   : Daniel Kurtz <djkurtz@chromium.org>
Committer: Olof Johansson <olofj@chromium.org>
Commit   : a4b0bbf6a3e81ca470fd8afccab456e636599c75

Code-Review  0 : Daniel Kurtz, Jorge Lucangeli Obes
Code-Review  +2: Olof Johansson
Commit-Queue 0 : Daniel Kurtz, Jorge Lucangeli Obes
Commit-Queue +1: Olof Johansson
Verified     0 : Daniel Kurtz, Jorge Lucangeli Obes
Verified     +1: Olof Johansson
Commit Queue   : Chumped
Change-Id      : I720fdb2fd59f7ba07a760f5b9dae3dce1d8c565e
Reviewed-at    : https://chromium-review.googlesource.com/189748

CHROMIUM: gpu: mali: Mark mapped pages ~VM_MAY* as well as VM_*

Unmask VM_MAY* for the permissions that are removed, so that mprotect() can't
be used later to upgrade them.

Signed-off-by: Olof Johansson <olofj@chromium.org>
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG= chromium:351855 
TEST=regular kernel regression testing

drivers/gpu/arm/t6xx/kbase/src/linux/mali_kbase_mem_linux.c

Comment 29 by bugdroid1@chromium.org, Mar 13 2014

Project  : chromiumos/third_party/kernel-next
Branch   : stabilize-5116.115.B-chromeos-3.8
Author   : Daniel Kurtz <djkurtz@chromium.org>
Committer: Olof Johansson <olofj@chromium.org>
Commit   : 234c9eab02a7be9e5be893960b6d74e9869c0008

Code-Review  0 : Daniel Kurtz, Jorge Lucangeli Obes
Code-Review  +2: Olof Johansson
Commit-Queue 0 : Daniel Kurtz, Jorge Lucangeli Obes
Commit-Queue +1: Olof Johansson
Verified     0 : Daniel Kurtz, Jorge Lucangeli Obes
Verified     +1: Olof Johansson
Commit Queue   : Chumped
Change-Id      : I720fdb2fd59f7ba07a760f5b9dae3dce1d8c565e
Reviewed-at    : https://chromium-review.googlesource.com/189771

CHROMIUM: gpu: mali: Mark mapped pages ~VM_MAY* as well as VM_*

Unmask VM_MAY* for the permissions that are removed, so that mprotect() can't
be used later to upgrade them.

Signed-off-by: Olof Johansson <olofj@chromium.org>
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG= chromium:351855 
TEST=regular kernel regression testing

drivers/gpu/arm/t6xx/kbase/src/linux/mali_kbase_mem_linux.c

Comment 30 by bugdroid1@chromium.org, Mar 13 2014

Project  : chromiumos/third_party/kernel-next
Branch   : release-R33-5116.B-chromeos-3.8
Author   : Daniel Kurtz <djkurtz@chromium.org>
Committer: Olof Johansson <olofj@chromium.org>
Commit   : 69ea13f2a356393b952d7ffb276823957824134e

Code-Review  0 : Daniel Kurtz, Jorge Lucangeli Obes
Code-Review  +2: Olof Johansson
Commit-Queue 0 : Daniel Kurtz, Jorge Lucangeli Obes
Commit-Queue +1: Olof Johansson
Verified     0 : Daniel Kurtz, Jorge Lucangeli Obes
Verified     +1: Olof Johansson
Commit Queue   : Chumped
Change-Id      : I720fdb2fd59f7ba07a760f5b9dae3dce1d8c565e
Reviewed-at    : https://chromium-review.googlesource.com/189756

CHROMIUM: gpu: mali: Mark mapped pages ~VM_MAY* as well as VM_*

Unmask VM_MAY* for the permissions that are removed, so that mprotect() can't
be used later to upgrade them.

Signed-off-by: Olof Johansson <olofj@chromium.org>
Signed-off-by: Daniel Kurtz <djkurtz@chromium.org>

BUG= chromium:351855 
TEST=regular kernel regression testing

drivers/gpu/arm/t6xx/kbase/src/linux/mali_kbase_mem_linux.c
Labels: CVE-2014-1710

Comment 32 by bugdroid1@chromium.org, Mar 14 2014

Project: chromiumos/third_party/kernel-next
Branch : chromeos-3.8
Author : Olof Johansson <olofj@chromium.org>
Commit : 8c598a23678ca0f749d2a5e2dc21106e1bbcc92a

Code-Review  0 : David Garbett, Olof Johansson, Sean Paul, Stéphane Marchesin, Will Drewry, chrome-internal-fetch
Code-Review  +1: Jorge Lucangeli Obes
Code-Review  +2: Daniel Kurtz, Kees Cook
Commit-Queue 0 : Daniel Kurtz, David Garbett, Jorge Lucangeli Obes, Kees Cook, Sean Paul, Stéphane Marchesin, Will Drewry, chrome-internal-fetch
Commit-Queue +1: Olof Johansson
Verified     0 : Daniel Kurtz, David Garbett, Jorge Lucangeli Obes, Kees Cook, Sean Paul, Stéphane Marchesin, Will Drewry, chrome-internal-fetch
Verified     +1: Olof Johansson
Change-Id      : I720fdb2fd59f7ba07a760f5b9dae3dce1d8c565e
Reviewed-at    : https://chromium-review.googlesource.com/189686

CHROMIUM: gpu: mali: Mark mapped pages ~VM_MAY* as well as VM_*

Unmask VM_MAY* for the permissions that are removed, so that mprotect() can't
be used later to upgrade them.

BUG= chromium:351855 
TEST=regular kernel regression testing

drivers/gpu/arm/t6xx/kbase/src/linux/mali_kbase_mem_linux.c
Labels: -Merge-Approved Merge-Merged

Comment 34 by k...@google.com, Mar 14 2014

Cc: kamakshi@chromium.org
Labels: Release-3-M33
Status: Fixed
Summary: Pwnium 4: Mali GPU driver does not mask out VM_MAYWRITE (was: Mali GPU driver does not mask out VM_MAYWRITE)
Labels: Security_Impact-Beta
Labels: Security_Severity-Critical
Kernel code execution from chronos.
Blocking: chromium:352492
Labels: -CVE-2014-1710 CVE-2014-1711

Comment 40 Deleted

Well, Android definitely has the issue on nexus 10, but Chrome can't do much about it since it's in the kernel.
Cc: nnk@google.com
Oops, sorry. (Commented too soon.) Has anyone contacted Android team?
Hey Stéphane, wouldn't all T604 SoCs have this problem?
Well, N10 is the only android device with T604 I could think of :) But all SoCs using the mali driver would have this (T604, T628, even the T7xx if you got a hold of one already).
Labels: -Security_Severity-Critical Security_Severity-High
Thanks for raising this issue with us. We have reviewed the bug and are compiling a series of patches for different releases and customers. If there are any additional fixes that we identify are required on the Chromium kernel we will ensure they are pushed shortly. We will also ensure a patch is provided to the Android team for the Manta/Nexus 10 engagement.
Status: Verified
Re: c#46, David, could you provide a link to the upstream fix?
@48: there is no upstream fix for Linux if that's what you mean -- the fix is in the mali code which isn't upstream.
Are there externally-accessible links to their fixes? We got pings from some Linux distros.
The only externally available drivers from arm.com are from last fall:

http://malideveloper.arm.com/develop-for-mali/drivers/open-source-mali-t6xx-gpu-kernel-device-drivers/


Thanks Olof! So the fix has not been released externally, is that correct?
ARM needs to confirm that, but it doesn't look that way to me.

Our fix is of course already available externally, but that's probably irrelevant with respect to the original question.
Labels: reward-ineligibie
Reward will come via the master Pwnium bug Issue 352492
http://malideveloper.arm.com/develop-for-mali/drivers/open-source-mali-t6xx-gpu-kernel-device-drivers/ shows a release from April 4th. Any ideas if the fixes are included on that release?
To answer my question: checked the new code release and the bug is fixed.
Labels: -reward-ineligibie reward-ineligible
Is Android updated? We're planning on making slides explaining the bugs available publicly shortly.

Comment 58 by ClusterFuzz, Jun 20 2014

Labels: -Restrict-View-SecurityTeam
Bulk update: removing view restriction from closed bugs.

Comment 59 by sheriffbot@chromium.org, Mar 22 2016

Labels: -security_impact-beta

Comment 60 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 61 by sheriffbot@chromium.org, Oct 1 2016

Labels: Restrict-View-SecurityNotify

Comment 62 by sheriffbot@chromium.org, Oct 2 2016

Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
Labels: CVE_description-submitted
