Two Heap Overflows and an OOB Write in MediaTek's audio DSP
Three vulnerabilities were found in MediaTek's audio Digital Signal Processor (DSP) firmware. The write-up first gives some background on the DSP (which runs on a custom architecture and is interfaced with through the /dev/audio_ipi driver). They dumped and reversed the firmware's IPI (Inter Processor Interrupt) message handlers, and trivial overflows were found in several of them.
Bug 1 - AUDIO_DSP_TASK_MSGA2DSHARDMEM message handler heap overflow
The param1 parameter is used as the length of a memcpy() into the atod_share buffer. There are no checks on this parameter, so it can exceed the size of the destination buffer and overflow it.
Bug 2 - init_share_mem_core() heap overflow
Called when an IPI message with ID 7 is received. Similar to the first bug, param1 is used as the length of a memcpy(). This time there is an attempt to check the size, but it is compared against 0xE0 while the destination buffer audio_dsp_dram is only 0x20 bytes in size, so an overflow of up to 0xC0 bytes is still possible.
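The two size bugs share one root cause: a user-controlled count reaches memcpy() without being bounded by the destination's actual size. The following is an added example, not code from the write-up or from MediaTek's firmware. The ipi_msg layout, the payload size and the 0x40-byte size of atod_share are assumptions; the 0x20-byte audio_dsp_dram, the 0xE0 limit and the param1 naming follow the write-up. The constant-check model computes how far past the buffer the copy would reach rather than performing it; the hardened handlers bound the count by both the destination and the message payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical IPI message layout (constructed for this example, not
 * MediaTek's real structure). The handlers treat param1 as a byte count,
 * as the write-up describes for bugs 1 and 2. */
#define IPI_MAX_PAYLOAD 0x100
struct ipi_msg {
    uint32_t msg_id;
    uint32_t param1;
    uint32_t param2;
    uint8_t  payload[IPI_MAX_PAYLOAD];
};

/* Destination buffers named after the write-up. audio_dsp_dram is 0x20
 * bytes as stated there; the size of atod_share is not given, 0x40 is an
 * assumption. */
#define AUDIO_DSP_DRAM_SIZE 0x20
#define ATOD_SHARE_SIZE     0x40
static uint8_t audio_dsp_dram[AUDIO_DSP_DRAM_SIZE];
static uint8_t atod_share[ATOD_SHARE_SIZE];

/* Bug 2's check pattern: param1 is compared against a fixed limit (0xE0)
 * unrelated to the destination size. Returns how many bytes the copy
 * would write past the end of audio_dsp_dram; no memcpy is performed. */
size_t overflow_bytes_with_constant_check(uint32_t param1)
{
    if (param1 > 0xE0)
        return 0;                               /* rejected */
    if (param1 > AUDIO_DSP_DRAM_SIZE)
        return param1 - AUDIO_DSP_DRAM_SIZE;    /* accepted, overflows */
    return 0;                                   /* accepted, fits */
}

/* The fix for both bugs: the count must fit the destination and must
 * not exceed what the message actually carries. */
static int bounded_copy(void *dst, size_t dst_size,
                        const void *src, size_t src_size, size_t n)
{
    if (n > dst_size || n > src_size)
        return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Hardened handlers: 0 on success, -1 when the message is rejected. */
int handle_a2d_shared_mem(const struct ipi_msg *msg)
{
    return bounded_copy(atod_share, sizeof atod_share,
                        msg->payload, sizeof msg->payload, msg->param1);
}

int handle_share_mem_init(const struct ipi_msg *msg)
{
    return bounded_copy(audio_dsp_dram, sizeof audio_dsp_dram,
                        msg->payload, sizeof msg->payload, msg->param1);
}

/* Accessors so a caller can inspect what the hardened copies wrote. */
int audio_dsp_dram_at(size_t i)
{
    return i < sizeof audio_dsp_dram ? audio_dsp_dram[i] : -1;
}

int atod_share_at(size_t i)
{
    return i < sizeof atod_share ? atod_share[i] : -1;
}

/* Builds a message whose payload is filled with one byte value. */
static struct ipi_msg make_msg(uint32_t msg_id, uint32_t param1, uint8_t fill)
{
    struct ipi_msg m;
    memset(&m, 0, sizeof m);
    m.msg_id = msg_id;
    m.param1 = param1;
    memset(m.payload, fill, sizeof m.payload);
    return m;
}

/* Wrappers that build a message and run each hardened handler. ID 7 is
 * the init_share_mem_core() message per the write-up; the id of the
 * A2D shared-memory message is not given there, 0 is a placeholder. */
int try_share_mem_init(uint32_t param1, uint8_t fill)
{
    struct ipi_msg m = make_msg(7, param1, fill);
    return handle_share_mem_init(&m);
}

int try_a2d_shared_mem(uint32_t param1, uint8_t fill)
{
    struct ipi_msg m = make_msg(0, param1, fill);
    return handle_a2d_shared_mem(&m);
}

int main(void)
{
    printf("constant check accepts 0xE0, overflow = 0x%zx bytes\n",
           overflow_bytes_with_constant_check(0xE0));
    printf("hardened handler with 0xE0: %d\n", try_share_mem_init(0xE0, 0x41));
    printf("hardened handler with 0x20: %d\n", try_share_mem_init(0x20, 0x41));
    return 0;
}
```

The second condition in bounded_copy matters on its own: even with a correct destination bound, a count larger than the message payload turns the copy into an out-of-bounds read of whatever follows the message in memory.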
Bug 3 - AUDIO_DSP_TASK_PCM_PREPARE message handler OOB write
Data from a user-provided audio buffer at offset 0x54 is used as an index into a static array. There is no bounds check on this index, so an arbitrary index can be passed that lands outside the target array. Because the value written also comes from user-controlled data, this gives a controlled out-of-bounds write.
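An added example of the index-validation failure, not code from the write-up or from the firmware. Only the 0x54 offset comes from the write-up; reading the index as a little-endian 32-bit value, taking the stored value from offset 0x58, and a 16-entry static array are assumptions. unchecked_write_offset() models the primitive by reporting where the unchecked store would land relative to the array base, without performing it; handle_pcm_prepare() is the hardened form.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offsets into the user-supplied audio buffer. 0x54 is the index offset
 * named in the write-up; the value offset and the little-endian encoding
 * are assumptions for this example. */
#define INDEX_OFFSET 0x54
#define VALUE_OFFSET 0x58
#define MIN_BUF_LEN  (VALUE_OFFSET + 4)

/* Assumed size of the static array the handler indexes. */
#define PCM_SLOTS 16
static uint32_t pcm_table[PCM_SLOTS];

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Models the unchecked handler: returns the byte offset from the start of
 * pcm_table that "pcm_table[idx] = value" would write to. Nothing is
 * written. -1 if the buffer is too short to hold the fields. */
int64_t unchecked_write_offset(const uint8_t *buf, size_t len)
{
    if (len < MIN_BUF_LEN)
        return -1;
    return (int64_t)read_le32(buf + INDEX_OFFSET) * (int64_t)sizeof(uint32_t);
}

/* Hardened handler: validate the buffer length, then the index against
 * the array bound, before the store. 0 on success, -1 on rejection. */
int handle_pcm_prepare(const uint8_t *buf, size_t len)
{
    if (len < MIN_BUF_LEN)
        return -1;
    uint32_t idx = read_le32(buf + INDEX_OFFSET);
    uint32_t value = read_le32(buf + VALUE_OFFSET);
    /* Unsigned compare: a field that would be "negative" as a signed
     * int is rejected too, so writes before the array are also blocked. */
    if (idx >= PCM_SLOTS)
        return -1;
    pcm_table[idx] = value;
    return 0;
}

int64_t pcm_table_at(size_t i)
{
    return i < PCM_SLOTS ? (int64_t)pcm_table[i] : -1;
}

/* Constructs a buffer with the index and value at the assumed offsets.
 * Caller supplies at least MIN_BUF_LEN bytes of storage. */
void build_prepare_buf(uint8_t *buf, uint32_t idx, uint32_t value)
{
    memset(buf, 0, MIN_BUF_LEN);
    for (int i = 0; i < 4; i++) {
        buf[INDEX_OFFSET + i] = (uint8_t)(idx >> (8 * i));
        buf[VALUE_OFFSET + i] = (uint8_t)(value >> (8 * i));
    }
}

/* Wrappers: build a buffer for the given index and run each path. */
int64_t try_unchecked_offset(uint32_t idx)
{
    uint8_t buf[MIN_BUF_LEN];
    build_prepare_buf(buf, idx, 0);
    return unchecked_write_offset(buf, sizeof buf);
}

int try_pcm_prepare(uint32_t idx, uint32_t value)
{
    uint8_t buf[MIN_BUF_LEN];
    build_prepare_buf(buf, idx, value);
    return handle_pcm_prepare(buf, sizeof buf);
}

int main(void)
{
    printf("table is %zu bytes; index 0x100 would write at +0x%llx\n",
           sizeof pcm_table, (long long)try_unchecked_offset(0x100));
    printf("hardened handler, index 15: %d\n", try_pcm_prepare(15, 0xDEADBEEF));
    printf("hardened handler, index 16: %d\n", try_pcm_prepare(16, 1));
    return 0;
}
```

On a 32-bit DSP core the unchecked offset would also wrap modulo 2^32, so large indices can reach addresses below the array as well as above it; the hardened check does not depend on that detail because it rejects anything at or past PCM_SLOTS before any address arithmetic happens.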