CVE-2020-11208
Information
Out-of-bounds issue in DSP services while processing received arguments, due to improper validation of a length received as an argument.
Crash Report:
############################### Process on aDSP CRASHED!!!!!!! ########################################
--------------------- Crash Details are furnished below ------------------------------------
process "/frpc/f05658d0 skel_exec" crashed in thread "/frpc/f05658d0 " due to TLBMISS RW occurrence
Crashed Shared Object ./libfastcvadsp_skel.so load address : 0xEE500000
fastrpc_shell_0 load address : E9800000 and size : D6188
Fault PC : 0xEE5653A0
LR : 0xEE5221E0
SP : 0x68F88B48
Bad va : 0x8D637000
FP : 0x68F88BF0
SSR : 0x21F70870
Call trace:
[<EE5221E0>] fastcvadsp_skel_invoke+0x3510: (./libfastcvadsp_skel.so)
[<EE5221E0>] fastcvadsp_skel_invoke+0x3510: (./libfastcvadsp_skel.so)
[<E9876C68>] mod_table_invoke+0x22C: (fastrpc_shell_0)
[<E98958DC>] fastrpc_invoke_dispatch+0x15C: (fastrpc_shell_0)
[<E98712B0>] HAP_proc_adaptive_qos+0x3BC: (fastrpc_shell_0)
[<E9872F8C>] _pl_fastrpc_uprocess+0x794: (fastrpc_shell_0)
----------------------------- End of Crash Report --------------------------------------------------
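Added example (not part of the original advisory): a small Python parser for the crash report above that converts absolute addresses into module-relative offsets. These offsets do not change when the library loads at a different address, so they can be used to group reports of the same fault. The function names parse_report and crash_signature are assumptions chosen for this example.

```python
import re

# Fields copied from the crash report on this page (trace shortened to three frames).
REPORT = """\
Crashed Shared Object ./libfastcvadsp_skel.so load address : 0xEE500000
fastrpc_shell_0 load address : E9800000 and size : D6188
Fault PC : 0xEE5653A0
LR : 0xEE5221E0
Bad va : 0x8D637000
Call trace:
[<EE5221E0>] fastcvadsp_skel_invoke+0x3510: (./libfastcvadsp_skel.so)
[<E9876C68>] mod_table_invoke+0x22C: (fastrpc_shell_0)
[<E98958DC>] fastrpc_invoke_dispatch+0x15C: (fastrpc_shell_0)
"""

LOAD_RE = re.compile(r"(\S+) load address : (?:0x)?([0-9A-Fa-f]+)")
CRASHED_RE = re.compile(r"Crashed Shared Object (\S+)")
REG_RE = re.compile(r"^(Fault PC|LR|SP|FP|Bad va|SSR) : 0x([0-9A-Fa-f]+)", re.M)
FRAME_RE = re.compile(r"^\[<([0-9A-Fa-f]+)>\] (\w+)\+0x([0-9A-Fa-f]+): \((\S+)\)", re.M)


def parse_report(text):
    """Parse load bases, registers and call-trace frames from a crash report."""
    bases = {name: int(addr, 16) for name, addr in LOAD_RE.findall(text)}
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    frames = []
    for addr, sym, off, mod in FRAME_RE.findall(text):
        base = bases.get(mod)
        if base is None:          # module without a reported load address
            continue
        rel = int(addr, 16) - base
        frames.append({"symbol": sym, "module": mod, "module_offset": rel,
                       "symbol_start": rel - int(off, 16)})
    return bases, regs, frames


def crash_signature(text):
    """Load-address-independent key for grouping reports of the same fault."""
    bases, regs, frames = parse_report(text)
    crashed = CRASHED_RE.search(text).group(1)
    fault_offset = regs["Fault PC"] - bases[crashed]
    top = frames[0]["symbol"] if frames else None
    return (crashed, hex(fault_offset), top)


if __name__ == "__main__":
    print(crash_signature(REPORT))
    for f in parse_report(REPORT)[2]:
        print(f"{f['module']}+{f['module_offset']:#x} ({f['symbol']})")
```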
References:
https://research.checkpoint.com/2021/pwn2own-qualcomm-dsp/
https://www.qualcomm.com/company/product-security/bulletins/november-2020-security-bulletin