Arm Mali CSF Missing Buffer Size Check
Posted by deepcore on September 21, 2022 – 4:16 am
In the Linux Mali driver, when built with MALI_USE_CSF, the VFS read handler of the main Mali file descriptor (kbase_read()) never looks at its “count” parameter. This means that a simple userspace program that sets up a Mali file descriptor and then calls read(mali_fd, buf, 1) will see read() return a higher length than requested, and data beyond the end of the userspace buffer will be clobbered.
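The missing check, modeled in userspace as an added example (not the Mali driver's code and not part of the original post). struct model_event, both handlers, the 64-byte arena and the -EINVAL return value are constructed for illustration, and memcpy() stands in for the kernel's copy to userspace.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed 16-byte record standing in for whatever the handler returns. */
struct model_event { uint32_t id; uint32_t payload[3]; };
static const struct model_event EV = { 1u, { 0xAAAAAAAAu, 0xBBBBBBBBu, 0xCCCCCCCCu } };

typedef ssize_t (*read_fn)(unsigned char *buf, size_t count);

/* Flawed pattern: count is accepted but never consulted. */
ssize_t model_read_unchecked(unsigned char *buf, size_t count)
{
    (void)count;
    memcpy(buf, &EV, sizeof(EV));      /* a driver would use copy_to_user() */
    return (ssize_t)sizeof(EV);
}

/* Hardened pattern: reject a buffer that cannot hold one whole record. */
ssize_t model_read_checked(unsigned char *buf, size_t count)
{
    if (count < sizeof(EV))
        return -EINVAL;                /* errno choice is an assumption */
    memcpy(buf, &EV, sizeof(EV));
    return (ssize_t)sizeof(EV);
}

ssize_t last_ret;                      /* return value of the most recent call */

/* The caller owns only arena[0..count); count the bytes modified past that. */
size_t bytes_clobbered(read_fn handler, size_t count)
{
    unsigned char arena[64];
    size_t i, n = 0;
    memset(arena, 0x5A, sizeof(arena));
    last_ret = handler(arena, count);
    for (i = count; i < sizeof(arena); i++)
        n += (arena[i] != 0x5A);
    return n;
}

int main(void)
{
    size_t n = bytes_clobbered(model_read_unchecked, 1);
    printf("unchecked: ret=%zd, %zu bytes written past the buffer\n", last_ret, n);
    n = bytes_clobbered(model_read_checked, 1);
    printf("checked:   ret=%zd, %zu bytes written past the buffer\n", last_ret, n);
    return 0;
}
```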