There are a memory management vulnerability and a path traversal vulnerability in the vision DSP kernel driver of Exynos S20 devices. Combined, these vulnerabilities can be leveraged by a malicious untrusted application to permanently disable the device until it is factory reset.

Vulnerability Details

The Exynos DSP driver implements an ioctl call that allows applications to upload a custom model (graph) for the DSP device. The DSP_IOC_LOAD_GRAPH ioctl handler of the /dev/dsp device receives an array of names of the graph binaries to be loaded. The dsp_kernel_alloc function appends the “.elf” extension to the user-supplied name and then uses the kernel’s request firmware API to load it from the file system. The request firmware API, including the request_firmware_direct function, accepts relative paths and appends them to its predefined list of directories when it searches for an image. The vulnerability is that the dsp kernel load code expects the received name to be a simple filename; however, it makes no effort to verify that.

When a kernel name contains a relative path such as ../../data/local/tmp/arbitrary-file, the request firmware API will first look for it under the path /vendor/firmware/../../data/local/tmp/arbitrary-file.elf. If such a file exists, it will be loaded as a graph kernel. This vulnerability can be used to attempt the loading of arbitrary binary files as graph kernels instead of the predefined set of binaries.
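The missing check, as an added user-space illustration that is not Samsung's driver code or its fix: a validator that accepts only a bare filename before the ".elf" suffix is appended and the result is handed to request_firmware_direct. The function names and the DSP_KERNEL_NAME_MAX limit are assumptions, not values from the driver.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed limit for a graph kernel name (not taken from the driver). */
#define DSP_KERNEL_NAME_MAX 64

/* Accept only a bare filename made of [A-Za-z0-9_.-] that is non-empty,
 * within the length limit and not "." or "..". Since '/' is never accepted,
 * "../" sequences cannot steer request_firmware() out of its search dirs. */
bool dsp_kernel_name_is_safe(const char *name)
{
    size_t len = 0;

    if (!name)
        return false;
    /* Bounded scan: stop as soon as the name exceeds the allowed length. */
    while (len <= DSP_KERNEL_NAME_MAX && name[len])
        len++;
    if (len == 0 || len > DSP_KERNEL_NAME_MAX)
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok)
            return false;
    }
    return true;
}

/* Build "<name>.elf" into out, the string that would be passed to
 * request_firmware_direct(); fails if the name is unsafe or does not fit. */
bool dsp_kernel_build_fw_name(const char *name, char *out, size_t out_len)
{
    if (!dsp_kernel_name_is_safe(name))
        return false;
    int n = snprintf(out, out_len, "%s.elf", name);
    return n > 0 && (size_t)n < out_len;
}

int main(void)
{
    char fw[DSP_KERNEL_NAME_MAX + sizeof ".elf"];
    const char *bad = "../../data/local/tmp/arbitrary-file";
    printf("%s -> %s\n", bad, dsp_kernel_build_fw_name(bad, fw, sizeof fw) ? fw : "rejected");
    return 0;
}
```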

The vulnerability can be reached on the following call path:

  • dsp_ioctl
  • dsp_graph_load
  • __dsp_graph_add_kernel
  • dsp_kernel_alloc
  • dsp_binary_alloc_load
  • request_firmware_direct

One implication of this vulnerability is that a large portion of kernel code can be exercised with user-controlled input, significantly increasing the kernel attack surface. An attacker can load maliciously crafted elf files to trigger vulnerabilities in the elf loader that would otherwise not be reachable. To prove the feasibility of such a scenario, this report discloses another vulnerability that can be reached through the path traversal file load.

The Exynos DSP driver has a custom allocator called dsp_dl_malloc defined in drivers/vision/dsp/dl/dsp-common.c. This is a simple allocator that adds a bit of metadata to the allocations to keep track of them. The DSP driver uses this allocator while parsing the various input files to request dynamic memory. Most often the memory is allocated for relatively small structures, list nodes and data buffers.

The vulnerability stems from the way the underlying kernel allocator is used. dsp_dl_malloc relies on vzalloc, a vmalloc family allocator, to request memory. Each allocation request, no matter how small, results in a vzalloc call. Vmalloc and similar allocators (including vzalloc) always return at least a page-sized allocation, even if the requested memory is smaller.

During elf parsing, the various components of the file result in multiple allocations. It is possible to craft a relatively concise elf file, only a couple of megabytes in size, that exhausts all the memory available on the system. When the kernel runs out of memory it produces a memory deadlock panic, causing a system reboot.

These two vulnerabilities combined allow an untrusted, unprivileged application to keep crashing the kernel by loading a maliciously crafted elf file. The device would remain in a crash loop until the malicious application is removed by a factory reset. Furthermore, the path traversal vulnerability allows attackers to load custom-built elf files as dsp kernels, reaching a rich kernel attack surface. The /dev/dsp character device has a very relaxed permission set: it can be opened and read by anyone due to its DAC permissions. The vendor_dsp_device selinux context allows various application contexts, including untrusted applications, to open and issue ioctls to the dsp device.

Affected Devices (Verified)

Samsung S20 Exynos 990, SM-G980F

Fix

Samsung OTA images released after September 2021 contain the fix for these vulnerabilities.

Timeline

  • 2021.05.25. Bug reported to Samsung Mobile Security, SVE-2021-21959 is assigned
  • 2021.09.01. Samsung releases security bulletin, CVE-2021-25452 is assigned, OTA firmware update distribution begins