New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 601801 link

Starred by 1 user

Security: Unsigned wraparound in a multiply in kbasep_vinstr_attach_client leads to a heap overflow.

Project Member Reported by rickyz@chromium.org, Apr 8 2016 
The bug: Unsigned wraparound in a multiply in kbasep_vinstr_attach_client
(drivers/gpu/arm/midgard/mali_kbase_vinstr.c) leads to a heap overflow.

static struct kbase_vinstr_client *kbasep_vinstr_attach_client(
                struct kbase_vinstr_context *vinstr_ctx, u32 buffer_count,
                u32 bitmap[4], void *argp, void *kernel_buffer)
{
        ...
        // Only checked if CONFIG_MALI_DEBUG is enabled. buffer_count is
        // user-controlled.
        KBASE_DEBUG_ASSERT(vinstr_ctx);
        KBASE_DEBUG_ASSERT(buffer_count >= 0);
        KBASE_DEBUG_ASSERT(buffer_count <= MAX_BUFFER_COUNT);
        KBASE_DEBUG_ASSERT(!(buffer_count & (buffer_count - 1)));
        ...
        cli->buffer_count = buffer_count;
        ...
        if (cli->buffer_count) {
                int *fd = (int *)argp;
                size_t tmp;

                /* Allocate area for buffers metadata storage. */
                tmp = sizeof(struct kbase_hwcnt_reader_metadata) *
                        cli->buffer_count;
                cli->dump_buffers_meta = kmalloc(tmp, GFP_KERNEL);
                if (!cli->dump_buffers_meta)
                        goto error;

                /* Allocate required number of dumping buffers. */
                cli->dump_buffers = (char *)__get_free_pages(
                                GFP_KERNEL,
                                get_order(cli->dump_size * cli->buffer_count));
                ...
        }
        ...
}

This bug can be exploited to get kernel code execution. I attached an exploit  (tested against a custom built veyron_minnie-cheets kernel). It's unfortunately not 100% reliable due to some annoying details about the bug.

Added a couple of familiar folks - do you know who else should be looped in on this?
test.c
7.9 KB View Download

Comment 1 by jorgelo@chromium.org, Apr 8 2016

Cc: djkurtz@chromium.org marc...@chromium.org
Adding Stéphane and Daniel.

Comment 2 by jorgelo@chromium.org, Apr 8 2016 

Excellent work BTW =)

Comment 3 by rickyz@chromium.org, Apr 8 2016 

Here's a patch which enforces the limits on buffer_count and zeros cli->dump_buffers. This doesn't address the panic on mmaping the reader fd though - perhaps someone more familiar with kernel code might be more familiar with what the proper API is instead of remap_pfn_range in kbasep_vinstr_hwcnt_reader_mmap.
buffer_count_and_zero.patch
1.0 KB Download

Comment 4 by keescook@chromium.org, Apr 8 2016 

Nice! I wonder if someone has the time to backport CONFIG_CPU_SW_DOMAIN_PAN from either upstream 4.3 or my backport to 4.1 into the 3.18 kernel? It would stop the userspace access and exec part of the PoC. :) Not that it makes the bug less bad -- just means ROP is needed.

Comment 5 by keescook@chromium.org, Apr 8 2016 

It's rather a massive backport...
https://b.corp.google.com/u/0/issues/25672827

Comment 6 by marc...@chromium.org, Apr 8 2016

Cc: dbehr@chromium.org
Project Member

Comment 7 by sheriffbot@chromium.org, Apr 9 2016

Labels: M-49

Comment 8 by djkurtz@chromium.org, Apr 11 2016

Cc: arm@chromium.org
CC arm.

Comment 9 by rickyz@chromium.org, Apr 12 2016

Cc: tfiga@chromium.org
Project Member

Comment 10 by sheriffbot@chromium.org, Apr 14 2016

Labels: -M-49 M-50

Comment 11 by tsepez@chromium.org, Apr 14 2016

Owner: keescook@chromium.org
Status: ExternalDependency (was: Available)

Comment 12 by rickyz@chromium.org, Apr 18 2016

Labels: OS-Android
Friendly ping - any updates on this? Did this bug make it to the right folks at ARM?

Comment 13 by riggle@google.com, Apr 18 2016

Cc: srob@google.com
+Scott for incident response and to file an Android AOSP issue tracker bug to feed it through the triage process.

Comment 14 by riggle@google.com, Apr 18 2016

Cc: quanto@google.com
+Quan for the same reason as #13

Comment 15 by riggle@google.com, Apr 18 2016

Cc: android-security-response@google.com
+android-security-response in case other PMs / Engineers need access

Comment 16 by quanto@google.com, Apr 18 2016 

Bug logged in AOSP Issue tracker for Android Security to review and triage
https://code.google.com/p/android/issues/detail?id=207353

Comment 17 by rickyz@chromium.org, Apr 18 2016 

Mind CCing me on that android bug in case there are any relevant updates there? I'm also rickyz@google.com if that address is preferred.

Comment 18 by quanto@google.com, Apr 18 2016 

Zach just added you.

Comment 19 by rickyz@chromium.org, Apr 26 2016 

Friendly ping - did we get any acknowledgement from ARM that they're received this bug report? Or have we not CCed the right folks on this yet (maybe chrome-os-partner would have been the better tracker)?

Comment 20 by marc...@chromium.org, Apr 29 2016

Cc: salva.cl...@arm.com

Comment 21 by salva.cl...@arm.com, May 2 2016 

ARM Ref: MIDCET-1293

Comment 22 by salva.cl...@arm.com, May 3 2016 

Quick update, got a patch fixing the issue and including the mmaping one as well. Running through testing now.

Comment 23 by salva.cl...@arm.com, May 3 2016 

and btw, thanks a lot for the report :)

Comment 24 by salva.cl...@arm.com, May 4 2016 

Pushed fixes for 3.8 and 3.14:
https://chromium-review.googlesource.com/#/c/342402/
https://chromium-review.googlesource.com/#/c/342403/

Please take a look at them and let us know your thoughts.

Comment 25 by rickyz@chromium.org, May 4 2016

Cc: orjan.e...@arm.com keith.mc...@arm.com
Project Member

Comment 26 by bugdroid1@chromium.org, May 7 2016

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d65f7c158dabbb5b9e89723aceb30e874c2d748a

commit d65f7c158dabbb5b9e89723aceb30e874c2d748a
Author: Ørjan Eide <orjan.eide@arm.com>
Date: Mon May 02 11:29:57 2016

MALI: Fix vinstr issues

Fix issues in vinstr mmap, and vinstr kbasep_vinstr_attach_client().

BUG= chromium:601801 
TEST=build and boot minnie

Change-Id: Ia19c8a8a206a57aa13a6a6a5461f06cf9d6ca2a7
Reviewed-on: https://chromium-review.googlesource.com/343130
Commit-Ready: Stéphane Marchesin <marcheu@chromium.org>
Tested-by: Stéphane Marchesin <marcheu@chromium.org>
Reviewed-by: Stéphane Marchesin <marcheu@chromium.org>

[modify] https://crrev.com/d65f7c158dabbb5b9e89723aceb30e874c2d748a/drivers/gpu/arm/midgard/mali_kbase_vinstr.c
Project Member

Comment 27 by bugdroid1@chromium.org, May 9 2016

Labels: merge-merged-chromeos-3.14
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/febc287de98439a6ad49bf7ff37f7df58fe73120

commit febc287de98439a6ad49bf7ff37f7df58fe73120
Author: Ørjan Eide <orjan.eide@arm.com>
Date: Mon May 02 11:29:57 2016

MALI: Fix vinstr issues

Fix issues in vinstr mmap, and vinstr kbasep_vinstr_attach_client().

BUG= chromium:601801 
TEST=build and boot minnie

Change-Id: Ia19c8a8a206a57aa13a6a6a5461f06cf9d6ca2a7
Reviewed-on: https://chromium-review.googlesource.com/342403
Commit-Ready: Stéphane Marchesin <marcheu@chromium.org>
Tested-by: Stéphane Marchesin <marcheu@chromium.org>
Reviewed-by: Stéphane Marchesin <marcheu@chromium.org>

[modify] https://crrev.com/febc287de98439a6ad49bf7ff37f7df58fe73120/drivers/gpu/arm/midgard/mali_kbase_vinstr.c
Project Member

Comment 28 by bugdroid1@chromium.org, May 13 2016

Labels: merge-merged-chromeos-3.8
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d55e6fc00cc3c0a3a10ffd36c906c99a1b0a2462

commit d55e6fc00cc3c0a3a10ffd36c906c99a1b0a2462
Author: Ørjan Eide <orjan.eide@arm.com>
Date: Mon May 02 11:29:57 2016

MALI: Fix vinstr issues

Fix issues in vinstr mmap, and vinstr kbasep_vinstr_attach_client().

BUG= chromium:601801 
TEST=build and boot daisy

Change-Id: Ia19c8a8a206a57aa13a6a6a5461f06cf9d6ca2a7
Reviewed-on: https://chromium-review.googlesource.com/342402
Commit-Ready: Stéphane Marchesin <marcheu@chromium.org>
Tested-by: Stéphane Marchesin <marcheu@chromium.org>
Reviewed-by: Stéphane Marchesin <marcheu@chromium.org>
Reviewed-by: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/d55e6fc00cc3c0a3a10ffd36c906c99a1b0a2462/drivers/gpu/arm/midgard/mali_kbase_vinstr.c
Project Member

Comment 29 by sheriffbot@chromium.org, May 26 2016

Labels: -M-50 M-51

Comment 30 by keescook@chromium.org, Jun 1 2016

Owner: rickyz@chromium.org
Status: Fixed (was: ExternalDependency)
Project Member

Comment 31 by sheriffbot@chromium.org, Jun 1 2016

Labels: -Restrict-View-SecurityTeam Restrict-View-SecurityNotify

Comment 32 by rickyz@chromium.org, Aug 31 2016

Labels: -Restrict-View-SecurityNotify
Project Member

Comment 33 by sheriffbot@chromium.org, Oct 1 2016 

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member

Comment 34 by sheriffbot@chromium.org, Oct 2 2016 

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 35 by mbarbe...@chromium.org, Oct 2 2016

Labels: allpublic

Comment 36 by ka...@chromium.org, Nov 18 2016

Status: Verified (was: Fixed)

Sign in to add a comment