Security: Unsigned wraparound in a multiply in kbasep_vinstr_attach_client leads to a heap overflow. |
Issue description
The bug: Unsigned wraparound in a multiply in kbasep_vinstr_attach_client
(drivers/gpu/arm/midgard/mali_kbase_vinstr.c) leads to a heap overflow.
static struct kbase_vinstr_client *kbasep_vinstr_attach_client(
        struct kbase_vinstr_context *vinstr_ctx, u32 buffer_count,
        u32 bitmap[4], void *argp, void *kernel_buffer)
{
    ...
    // Only checked if CONFIG_MALI_DEBUG is enabled. buffer_count is
    // user-controlled.
    KBASE_DEBUG_ASSERT(vinstr_ctx);
    KBASE_DEBUG_ASSERT(buffer_count >= 0);
    KBASE_DEBUG_ASSERT(buffer_count <= MAX_BUFFER_COUNT);
    KBASE_DEBUG_ASSERT(!(buffer_count & (buffer_count - 1)));
    ...
    cli->buffer_count = buffer_count;
    ...
    if (cli->buffer_count) {
        int *fd = (int *)argp;
        size_t tmp;

        /* Allocate area for buffers metadata storage. */
        tmp = sizeof(struct kbase_hwcnt_reader_metadata) *
            cli->buffer_count;
        cli->dump_buffers_meta = kmalloc(tmp, GFP_KERNEL);
        if (!cli->dump_buffers_meta)
            goto error;

        /* Allocate required number of dumping buffers. */
        cli->dump_buffers = (char *)__get_free_pages(
                GFP_KERNEL,
                get_order(cli->dump_size * cli->buffer_count));
        ...
    }
    ...
}
This bug can be exploited to get kernel code execution. I attached an exploit (tested against a custom built veyron_minnie-cheets kernel). It's unfortunately not 100% reliable due to some annoying details about the bug.
Added a couple of familiar folks - do you know who else should be looped in on this?
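Added here as an illustration, not code from the report or from the Mali driver: the allocation-size multiply as it wraps on a 32-bit kernel such as the veyron_minnie one mentioned above, beside a hardened sizing routine that enforces the buffer_count limits unconditionally (not only under CONFIG_MALI_DEBUG) and overflow-checks both products. META_SIZE, the value of MAX_BUFFER_COUNT, checked_mul_u32 and client_alloc_sizes are assumed names and values, not the driver's.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for illustration (not taken from the driver). */
#define META_SIZE        16u   /* stand-in for sizeof(struct kbase_hwcnt_reader_metadata) */
#define MAX_BUFFER_COUNT 32u   /* stand-in for the driver's MAX_BUFFER_COUNT */

/* The vulnerable computation as a 32-bit kernel performs it: size_t is
 * 32 bits wide, so the product silently wraps modulo 2^32. */
static uint32_t unchecked_meta_bytes(uint32_t buffer_count)
{
    return META_SIZE * buffer_count;
}

/* Overflow-checked 32-bit multiply, the same idea as the kernel's
 * check_mul_overflow() helper: fail instead of wrapping. */
static bool checked_mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    uint64_t wide = (uint64_t)a * b;
    if (wide > UINT32_MAX)
        return false;
    *out = (uint32_t)wide;
    return true;
}

/* Hardened sizing: the range and power-of-two limits are runtime checks,
 * and both products feeding kmalloc() and get_order() are overflow-checked
 * so neither allocation can end up smaller than the driver assumes. */
static bool client_alloc_sizes(uint32_t buffer_count, uint32_t dump_size,
                               uint32_t *meta_bytes, uint32_t *dump_bytes)
{
    if (buffer_count == 0 || buffer_count > MAX_BUFFER_COUNT)
        return false;                       /* out of range */
    if (buffer_count & (buffer_count - 1))
        return false;                       /* not a power of two */
    if (!checked_mul_u32(META_SIZE, buffer_count, meta_bytes))
        return false;
    return checked_mul_u32(dump_size, buffer_count, dump_bytes);
}

int main(void)
{
    uint32_t meta, dump;
    /* 0x10000000 * 16 == 2^32 wraps to 0 bytes; kmalloc(0) returns the
     * non-NULL ZERO_SIZE_PTR, so the driver's NULL check would pass. */
    printf("unchecked: %u bytes\n", unchecked_meta_bytes(0x10000000u));
    printf("hardened: %s\n", client_alloc_sizes(0x10000000u, 4096u, &meta, &dump) ? "ok" : "rejected");
    return 0;
}
```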
Comment 1 by jorgelo@chromium.org, Apr 8 2016
Excellent work BTW =)
Apr 8 2016
Here's a patch which enforces the limits on buffer_count and zeros cli->dump_buffers. This doesn't address the panic on mmaping the reader fd though - perhaps someone more familiar with kernel code might be more familiar with what the proper API is instead of remap_pfn_range in kbasep_vinstr_hwcnt_reader_mmap.
Apr 8 2016
Nice! I wonder if someone has the time to backport CONFIG_CPU_SW_DOMAIN_PAN from either upstream 4.3 or my backport to 4.1 into the 3.18 kernel? It would stop the userspace access and exec part of the PoC. :) Not that it makes the bug less bad -- just means ROP is needed.
Apr 8 2016
It's rather a massive backport... https://b.corp.google.com/u/0/issues/25672827
Apr 11 2016
CC arm.
Apr 18 2016
Friendly ping - any updates on this? Did this bug make it to the right folks at ARM?
Apr 18 2016
+Scott for incident response and to file an Android AOSP issue tracker bug to feed it through the triage process.
Apr 18 2016
+Quan for the same reason as #13
Apr 18 2016
+android-security-response in case other PMs / Engineers need access
Apr 18 2016
Bug logged in AOSP Issue tracker for Android Security to review and triage https://code.google.com/p/android/issues/detail?id=207353
Apr 18 2016
Mind CCing me on that android bug in case there are any relevant updates there? I'm also rickyz@google.com if that address is preferred.
Apr 18 2016
Zach just added you.
Apr 26 2016
Friendly ping - did we get any acknowledgement from ARM that they've received this bug report? Or have we not CCed the right folks on this yet (maybe chrome-os-partner would have been the better tracker)?
May 2 2016
ARM Ref: MIDCET-1293
May 3 2016
Quick update, got a patch fixing the issue and including the mmaping one as well. Running through testing now.
May 3 2016
and btw, thanks a lot for the report :)
May 4 2016
Pushed fixes for 3.8 and 3.14: https://chromium-review.googlesource.com/#/c/342402/ https://chromium-review.googlesource.com/#/c/342403/ Please take a look at them and let us know your thoughts.
May 7 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d65f7c158dabbb5b9e89723aceb30e874c2d748a

commit d65f7c158dabbb5b9e89723aceb30e874c2d748a
Author: Ørjan Eide <orjan.eide@arm.com>
Date: Mon May 02 11:29:57 2016

MALI: Fix vinstr issues

Fix issues in vinstr mmap, and vinstr kbasep_vinstr_attach_client().

BUG= chromium:601801
TEST=build and boot minnie

Change-Id: Ia19c8a8a206a57aa13a6a6a5461f06cf9d6ca2a7
Reviewed-on: https://chromium-review.googlesource.com/343130
Commit-Ready: Stéphane Marchesin <marcheu@chromium.org>
Tested-by: Stéphane Marchesin <marcheu@chromium.org>
Reviewed-by: Stéphane Marchesin <marcheu@chromium.org>

[modify] https://crrev.com/d65f7c158dabbb5b9e89723aceb30e874c2d748a/drivers/gpu/arm/midgard/mali_kbase_vinstr.c
May 9 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/febc287de98439a6ad49bf7ff37f7df58fe73120

commit febc287de98439a6ad49bf7ff37f7df58fe73120
Author: Ørjan Eide <orjan.eide@arm.com>
Date: Mon May 02 11:29:57 2016

MALI: Fix vinstr issues

Fix issues in vinstr mmap, and vinstr kbasep_vinstr_attach_client().

BUG= chromium:601801
TEST=build and boot minnie

Change-Id: Ia19c8a8a206a57aa13a6a6a5461f06cf9d6ca2a7
Reviewed-on: https://chromium-review.googlesource.com/342403
Commit-Ready: Stéphane Marchesin <marcheu@chromium.org>
Tested-by: Stéphane Marchesin <marcheu@chromium.org>
Reviewed-by: Stéphane Marchesin <marcheu@chromium.org>

[modify] https://crrev.com/febc287de98439a6ad49bf7ff37f7df58fe73120/drivers/gpu/arm/midgard/mali_kbase_vinstr.c
May 13 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d55e6fc00cc3c0a3a10ffd36c906c99a1b0a2462

commit d55e6fc00cc3c0a3a10ffd36c906c99a1b0a2462
Author: Ørjan Eide <orjan.eide@arm.com>
Date: Mon May 02 11:29:57 2016

MALI: Fix vinstr issues

Fix issues in vinstr mmap, and vinstr kbasep_vinstr_attach_client().

BUG= chromium:601801
TEST=build and boot daisy

Change-Id: Ia19c8a8a206a57aa13a6a6a5461f06cf9d6ca2a7
Reviewed-on: https://chromium-review.googlesource.com/342402
Commit-Ready: Stéphane Marchesin <marcheu@chromium.org>
Tested-by: Stéphane Marchesin <marcheu@chromium.org>
Reviewed-by: Stéphane Marchesin <marcheu@chromium.org>
Reviewed-by: Ricky Zhou <rickyz@chromium.org>

[modify] https://crrev.com/d55e6fc00cc3c0a3a10ffd36c906c99a1b0a2462/drivers/gpu/arm/midgard/mali_kbase_vinstr.c
Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot