Kernel LPE in the Vision DSP Kernel Driver's ELF Linker [CVE-2021-25475]

We discussed this vulnerability during Episode 110 on 11 January 2022

Missing bounds-check leading to out-of-bounds write in Samsung Exynos S20 device’s DSP driver.

There are two ioctls of importance for this issues. DSP_IOC_BOOT which loads the DSP’s firmware images, shared libraries and such, and DSP_IOC_LOAD_GRAPH used load custom graph models (elf libraries) from user-space using a shared memory region.

When these libraries are loaded, the linker will resolve relocations based on the relocation headers in the elf file. However these relocations are not validated or checked, and so can point out of bounds.