In this advisory we are disclosing a vulnerability in the Huawei log device that allows any unprivileged process to learn the value of randomized kernel pointers. The vulnerability can be used to defeat KASLR mitigation. Huawei kernels are shipped with custom log devices (/dev/hwlog_dubai, /dev/hwlog_exception and /dev/hwlog_jank) that facilitate better system diagnostics through a series of ioctl calls. One of these diagnostics module is referred to as memcheck, and it provides detailed statistics about the system memory usage. These statistics can disclose randomized kernel pointers to an attacker, enabling them to defeat the KASLR security mitigation. Due to an access control configuration error, these ioctls are exposed to untrusted and isolated application contexts, as a result any unprivileged process can exploit this vulnerability.

In this advisory we are disclosing a vulnerability in the Huawei log device that allows any unprivileged process to disclose sensitive information from the kernel. Huawei kernels are shipped with custom log devices (/dev/hwlog_dubai, /dev/hwlog_exception and /dev/hwlog_jank) that facilitate better system diagnostics through a series of ioctl calls. One of these diagnostics module is referred to as zrhung, and it provides information and configuration options to monitor hung processes. The implementation of the config set ioctl contains a race condition vulnerability that allows an attacker to free the underlying buffer that holds the configuration data. Consecutive config get ioctl calls use the dangling pointers to read and disclose, potentially sensitive, dynamically allocated kernel data.

In this advisory we are disclosing a memory corruption vulnerability in the Huawei log device that allows any unprivileged process to trigger a kernel crash and reboot the device. Huawei kernels are shipped with custom log devices (/dev/hwlog_dubai, /dev/hwlog_exception and /dev/hwlog_jank) that facilitate better system diagnostics through a series of ioctl calls. One of these diagnostics module is referred to as memcheck, and it provides detailed statistics about the system memory usage, including the allocations made by the SLAB kernel allocator. The implementation of this SLAB tracer contains a series of race condition vulnerabilities that could lead to kernel memory corruption and kernel deadlocks.

There is a memory management and a path traversal vulnerability in the vision DSP kernel driver of Exynos S20 devices. These vulnerabilities can be leveraged by a malicious untrusted application to permanently disable the device until it is factory reset. Vulnerability Details The Exynos DSP driver implements an ioctl call that allows applications to upload a custom model (graph) for the dsp device. The DSP_IOC_LOAD_GRAPH ioctl handler of the /dev/dsp device receives an array of names of the graph binaries to be loaded. The dsp_kernel_alloc function appends the “.elf” extension to the user-supplied name then uses the kernel’s request firmware API to load it from the file system.

There is a sensitive information disclosure vulnerability in the vision DSP kernel driver of S20 Exynos devices. The vulnerability can be used by malicious privileged applications to read the kernel’s and other application’s memory. Vulnerability Details The Exynos DSP driver implements an ioctl call that allows applications to upload a custom model (graph) for the dsp device. The DSP_IOC_LOAD_GRAPH ioctl handler of the /dev/dsp device receives an array of Unix paths of the graph files to be loaded. This array has a complex structure, it begins with an array of integers that contains the length of each path. The array of lengths is followed by the actual path strings, one after the other, delimited by the length values.

There is a kernel virtual memory mapped IO buffer overflow vulnerability in the vision DSP kernel driver of S20 Exynos devices. The vulnerability could potentially be used by a malicious system application to compromise the kernel and gain further privileges. The vulnerability is only triggerable via compromised system applications due to a second access control bypass issue. In addition to achieving code execution in the kernel, the access control bypass issue itself may also be used by compromised system applications to directly take complete control over the DSP device itself. Vulnerability Details The Exynos DSP driver implements an ioctl call that allows applications to upload a custom model (graph) for the dsp device.

There is a vmalloc out of bounds write vulnerability in the vision DSP kernel driver of Samsung Exynos S20 devices. The vulnerability could potentially be used by a malicious system application to compromise the kernel and gain further privileges. Vulnerability Details The Exynos DSP driver implements two distinct ioctl calls that are used to load images and graphs and boot the device. The DSP_IOC_BOOT ioctl loads the dsp’s firmware images, common libraries, an xml global kernel descriptor file and a linker file for linking libraries. The DSP_IOC_LOAD_GRAPH ioctl is responsible for creating a shared memory region between the dsp device and user space and for loading the custom graph models implemented in elf libraries.

There is an ION memory buffer type confusion vulnerability in the Exynos ION kernel driver. The vulnerability can cause zero initialised memory to be treated as a valid pointer and cause a kernel NULL pointer exception. Untrusted applications can abuse this bug to cause a kernel crash and carry out DOS attacks agains the device. Vulnerability Details The vulnerable code is in ion_iovmm_map in drivers/staging/android/ion/ion_exynos.c, the function is used to map an ion buffer into the bus’s io address space, to make it available for dma capable external devices and returns this dma address. The function has a fast path for buffers marked with ION_FLAG_PROTECTED and returns their associated, preinitialised prot->dma_addr pointers.

There are a series of memory corruption vulnerabilities in Samsung Exynos kernels, due to improper error checks, after dma_buf_vmap calls. These bugs can be abused by various privileged processes to cause NULL pointer accesses and crash the kernel. Vulnerability Details The kernel uses the dma_buf_vmap function if it needs to map a dma buffer into the kernel address space to access its content. This function returns a NULL pointer if it encounters an error during its execution. While some drivers employ a null check on the returned pointer, many call sites incorrectly use the IS_ERR macro which explicitly allows NULL pointers.

Summary In this advisory we are disclosing a vmap/vmalloc use-after-free vulnerability within the Android ION allocator, that impacts most Android devices that utilize ION. The exploitability of the vulnerability depends on how the various kernel drivers use the allocated ION buffers, the version of the kernel and the vendor specific modifications to the ION subsystem. In the most serious cases the vulnerability can be used to corrupt vmallocated kernel buffers, including kernel stacks, to achieve kernel code execution and compromise the integrity of the kernel. The ION allocator went over multiple refactors throughout its evolution, yet the vulnerability persisted within the Android common and the Linux upstream kernel branches.