Two Heap Overflows and an OOB Write in MediaTek's audio DSP

We discussed this vulnerability during Episode 106 on 07 December 2021

The write-up covers three vulnerabilities in MediaTek's audio Digital Signal Processor (DSP) firmware. The authors first give some background on the DSP, which runs on a custom architecture and is interfaced with via the /dev/audio_ipi driver. They dumped the firmware and reversed its IPI (Inter Processor Interrupt) message handlers, and found trivial overflows in some of these handlers.

Bug 1 - AUDIO_DSP_TASK_MSGA2DSHARDMEM message handler heap overflow

The param1 parameter is used as the size for a memcpy() call into the atod_share buffer. There are no checks on this parameter, so the copy can run past the end of the destination buffer.

Bug 2 - init_share_mem_core() heap overflow

This function is called when an IPI message with ID 7 is received. Similar to the first bug, param1 is used as the size for a memcpy(). This time the firmware does attempt to check the size against 0xE0, but the destination buffer audio_dsp_dram is only 0x20 bytes in size, so an overflow of 0xC0 bytes is still possible.

Bug 3 - AUDIO_DSP_TASK_PCM_PREPARE message handler OOB write

Data at offset 0x54 of a user-provided audio buffer is used as an index into a static array. The index is never checked, so an arbitrary value can point outside the target array. Because the value written also comes from user-controlled data, the result is a controlled out-of-bounds write.
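The fix pattern for Bug 2 and Bug 3, as an added example that is not MediaTek's firmware code or code from the original write-up: the length bound is taken from the destination buffer instead of an unrelated constant, and a message-supplied index is validated before the store. Only param1, audio_dsp_dram, 0xE0 and 0x20 come from the summary above; the struct layout, function names, the exact form of the flawed comparison and the table are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DSP_DRAM_SIZE 0x20u /* size of audio_dsp_dram per the write-up */
#define OLD_LIMIT     0xE0u /* constant the firmware compared param1 against */

/* Hypothetical layout: canary stands in for whatever follows the buffer. */
struct dsp_state {
    uint8_t audio_dsp_dram[DSP_DRAM_SIZE];
    uint8_t canary[8];
};

/* The flawed acceptance test (assumed form: reject only above 0xE0). */
static int flawed_len_ok(uint32_t param1) { return param1 <= OLD_LIMIT; }

/* Bytes an accepted length would land past the end of the destination. */
static uint32_t flawed_overrun(uint32_t param1)
{
    if (!flawed_len_ok(param1) || param1 <= DSP_DRAM_SIZE) return 0;
    return param1 - DSP_DRAM_SIZE;
}

/* Hardened copy: the bound comes from the destination itself, and the
 * claimed length must also fit inside the message actually received. */
static int init_share_mem_checked(struct dsp_state *s, const uint8_t *msg,
                                  size_t msg_len, uint32_t param1)
{
    if (param1 > sizeof s->audio_dsp_dram || param1 > msg_len) return -1;
    memcpy(s->audio_dsp_dram, msg, param1);
    return 0;
}

/* Bug 3 counterpart: validate a message-supplied index before the store. */
static int pcm_table_store(uint32_t *table, size_t entries,
                           uint32_t index, uint32_t value)
{
    if (index >= entries) return -1;
    table[index] = value;
    return 0;
}

int main(void)
{
    struct dsp_state s = {{0}, {0}};
    uint8_t msg[OLD_LIMIT] = {0};   /* constructed message payload */
    uint32_t table[4] = {0};        /* constructed static array */
    printf("flawed overrun 0x%X, checked copy %d, checked index %d\n",
           (unsigned)flawed_overrun(OLD_LIMIT),
           init_share_mem_checked(&s, msg, sizeof msg, OLD_LIMIT),
           pcm_table_store(table, 4, 4, 1));
    return 0;
}
```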