Three vulnerabilities found in MediaTek’s audio Digital Signal Processor (DSP) firmware. They first go into some background on the DSP (which runs on a custom architecture and is interfaced with via the /dev/audio_ipi driver). They dumped and reversed the firmware for it’s IPI (Inter Processor Interrupt) message handlers. Trivial overflows were found in some of these handlers.

Bug 1 - AUDIO_DSP_TASK_MSGA2DSHARDMEM message handler heap overflow The param1 parameter was used for a memcpy() call to the atod_share buffer. There’s no checks on this parameter, it can overflow the size of the destination buffer.

Bug 2 - init_share_mem_core() heap overflow Called when an IPI message with ID 7 is received. Similar to the first bug, param1 is used as a size for a memcpy(). This time they attempted to check the size against 0xE0, but the destination buffer audio_dsp_dram is only 0x20 bytes in size, so an overflow of 0xC0 bytes is still possible.

Bug 3 - AUDIO_DSP_TASK_PCM_PREPARE message handler OOB write Data from a user-provided audio buffer at offset 0x54 is used as an index into a static array. There’s no checking on this index, therefore you can pass an arbitrary index that’ll go out of bounds of the target array for a controlled write, since it writes using user-controlled data.