Summary The NPU device’s kernel driver implements a set of ioctl handlers one of which uses unsanitized user data as an offset to retrieve a kernel structure. Fields of the structure are written with user provided values. A malicious actor can use this vulnerability to overwrite kernel memory with controlled data. The mmap handler is exposed through the /dev/davinci0 character device. Due to the applied selinux policy, access to this device is restricted to the hiaiserver system process. Because of these limitations a practical attack would need to target the hiaiserver first. The /dev/davinci0 device exposes a series of ioctl handlers, one of which is devdrv_ioctl_load_stream_buff.

Summary In a previous advisory we disclosed multiple vulnerabilities within the NPU device’s mmap handler and discussed how it exposes sensitive kernel data. This advisory focuses on the implementation errors in the same handler. The mapping function ignores the requested size parameter and fails to back regions of the mapped virtual memory with an actual mapping. Trying to access these holes or requesting an mmap that is smaller than the memory mapped by the kernel driver results in a kernel crash, most likely caused by invalid page accesses. The mmap handler is exposed through the /dev/davinci0 character device. Due to the applied selinux policy, access to this device is restricted to the hiaiserver system process.