Three vulnerabilities found in MediaTek's audio Digital Signal Processor (DSP) firmware. They first go into some background on the DSP (which runs on a custom architecture and is interfaced with via the /dev/audio_ipi driver). They dumped and reversed the firmware for its IPI (Inter Processor Interrupt) message handlers. Trivial overflows were found in some of these handlers.
Bug 1 - AUDIO_DSP_TASK_MSGA2DSHARDMEM message handler heap overflow

The param1 parameter is used as the size for a memcpy() call into the atod_share buffer. There are no checks on this parameter, so it can exceed the size of the destination buffer.
Bug 2 - init_share_mem_core() heap overflow

Called when an IPI message with ID 7 is received. Similar to the first bug, param1 is used as the size for a memcpy(). This time they attempted to check the size against 0xE0, but the destination buffer audio_dsp_dram is only 0x20 bytes in size, so an overflow of 0xC0 bytes is still possible.
Bug 3 - AUDIO_DSP_TASK_PCM_PREPARE message handler OOB write

Data from a user-provided audio buffer at offset 0x54 is used as an index into a static array. There is no check on this index, so an arbitrary out-of-bounds index can be passed, and since the data written is also user-controlled the result is a controlled write.