Kernel LPE in the Vision DSP Kernel Driver [CVE-2021-25467]

We discussed this vulnerability during Episode 110 on 11 January 2022

Integer overflows everywhere in this elf loader leading to overflowing kernel memory with controlled content.

The DSP device supports an ioctl for loading custom models for the device. These are elf files that the driver will parse, calculating how much meory the segments need, and then copy into memory. The __dsp_elf32_get_section_list_size is ultimately used to calculate a section’s size, which is a naive implementation, just summing the values read from the EFL without concern for overflowing.

The memory is allocated potentially much smaller value due to the overflow, and later another function does copy of each segment, copying in much more data than expected.

A similar issue exists when processing the data segment and offsets, where the offsets can overflow.

Additionally, these overflows can in-turn learn to other issues, such as underflowing a bounds-check by returning a size smaller than the minimum needed.

Basically, there are just a bunch of silly issues in this code, probably because it is not directly accessible from an unprivileged context. So the developers just treat everything as trusted input, leading to chaos.