ArashAll / google-security-research

Automatically exported from code.google.com/p/google-security-research

Qualcomm Adreno GPU MSM driver perfcounter query heap overflow #734

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
The Adreno GPU driver for the MSM Linux kernel contains a heap
overflow in the IOCTL_KGSL_PERFCOUNTER_QUERY ioctl command. The bug
results from an incorrect conversion to a signed type when calculating
the minimum count value for the query option. This results in a
negative integer being used to calculate the size of a buffer, which
can result in an integer overflow and a small sized allocation on
32-bit systems:

int adreno_perfcounter_query_group(struct adreno_device *adreno_dev,
        unsigned int groupid, unsigned int __user *countables,
        unsigned int count, unsigned int *max_counters)
{
...
        if (countables == NULL || count == 0) {
                kgsl_mutex_unlock(&device->mutex, &device->mutex_owner);
                return 0;
        }

        /* BUG: "count" is user-controlled; min_t(int, ...) compares it as a
         * signed int, so a value with bit 31 set is treated as negative and
         * returned as the minimum. */
        t = min_t(int, group->reg_count, count);

        /* On 32-bit, t * sizeof(unsigned int) wraps to a small size. */
        buf = kmalloc(t * sizeof(unsigned int), GFP_KERNEL);
        if (buf == NULL) {
                kgsl_mutex_unlock(&device->mutex, &device->mutex_owner);
                return -ENOMEM;
        }

        /* "t" is unsigned here, so the loop runs far past the allocation. */
        for (i = 0; i < t; i++)
                buf[i] = group->regs[i].countable;

Note that the "count" parameter is fully controlled. Setting count =
0x80000001 will result in min_t returning 0x80000001 for "t", and
kmalloc allocating a buffer of size 0x4. The loop will then overflow
"buf" because "t" is unsigned, i.e. a large positive value.

The bug was added in the following commit:

https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/drivers/gpu/msm/adreno.c?h=aosp-new/android-msm-angler-3.10-marshmallow-mr1&id=b3b5629aebe98d3eb5ec22e8321c3cd3fc70f59c

A proof-of-concept that triggers this issue (adreno_perfcnt_query.c)
is attached. On Android devices /dev/kgsl-3d0 is typically accessible
in an untrusted app domain, so if exploited this issue could be used
for local privilege escalation.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by haw...@google.com on 16 Feb 2016 at 8:26

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by haw...@google.com on 17 Feb 2016 at 5:32

GoogleCodeExporter commented 8 years ago
This issue has been patched here:
https://codeaurora.org/cgit/quic/la/kernel/msm-3.18/commit/drivers/gpu/msm/adreno_perfcounter.c?id=27c95b64b2e4b5ff1288cbaa6e353dd803d71576

Note that this patch was not applied to all msm branches at the time of the
patch release (July 2015) and no security bulletin was issued, so the majority
of Android kernels based on 3.4 or 3.10 are still affected despite the patch
being available for 6 months.

Original comment by haw...@google.com on 25 Feb 2016 at 9:43
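The arithmetic behind the report above and the clamp the fix needs, as an added user-space illustration that is neither the driver's code nor the attached PoC. It models a 32-bit target: `clamp_signed` reproduces what `min_t(int, group->reg_count, count)` computes, `clamp_unsigned` shows the same minimum taken in unsigned arithmetic (the assumed shape of the correction; the linked commit is authoritative), and `alloc_size_32` is the wrapped `kmalloc` size. The `reg_count` of 8 is a constructed value; the `count` of 0x80000001 is the one named in the report.

```c
#include <stdint.h>
#include <stdio.h>

/* Emulates min_t(int, a, b): both operands are cast to int before the
 * comparison, so a user-supplied count with bit 31 set compares as negative
 * and wins the minimum. The caller then treats the result as unsigned. */
static unsigned int clamp_signed(unsigned int reg_count, unsigned int count)
{
    int a = (int)reg_count;   /* small, positive */
    int b = (int)count;       /* negative when bit 31 is set */
    return (unsigned int)(a < b ? a : b);
}

/* Emulates min_t(unsigned int, a, b): the comparison stays unsigned, so the
 * result can never exceed reg_count, whatever count the user passes. */
static unsigned int clamp_unsigned(unsigned int reg_count, unsigned int count)
{
    return reg_count < count ? reg_count : count;
}

/* Size handed to kmalloc on a 32-bit kernel: t * sizeof(unsigned int)
 * computed in 32-bit unsigned arithmetic, which wraps for large t. */
static uint32_t alloc_size_32(unsigned int t)
{
    return (uint32_t)(t * 4u);
}

/* Returns 1 if the copy loop's bound t exceeds the number of elements the
 * (possibly wrapped) allocation can hold, i.e. the overflow condition. */
static int loop_exceeds_buffer(unsigned int t)
{
    uint32_t bytes = alloc_size_32(t);
    return (bytes / 4u) < t;
}

int main(void)
{
    const unsigned int reg_count = 8;          /* constructed: counters in the group */
    const unsigned int count = 0x80000001u;    /* value named in the report */

    unsigned int t_bug = clamp_signed(reg_count, count);
    unsigned int t_fix = clamp_unsigned(reg_count, count);

    printf("signed min_t:   t=0x%08x kmalloc=%u bytes overflow=%d\n",
           t_bug, alloc_size_32(t_bug), loop_exceeds_buffer(t_bug));
    printf("unsigned min_t: t=0x%08x kmalloc=%u bytes overflow=%d\n",
           t_fix, alloc_size_32(t_fix), loop_exceeds_buffer(t_fix));
    return 0;
}
```

The signed path yields t = 0x80000001 and a 4-byte allocation for a loop of over two billion iterations; the unsigned path yields t = 8 and a 32-byte allocation that the loop exactly fills. The general rule the example demonstrates is that a bound derived from a user-controlled unsigned quantity must be compared in the unsigned domain (or explicitly range-checked) before it feeds an allocation size.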