CVE-2021-22390: Huawei NPU Kernel Driver Use-After-Free

Summary Due to a bug in the way mappings are closed it is possible to free a kmallocated memory chunk arbitrary times. This vulnerability can be used to craft a use after free scenario against any kernel structure that is allocated from the kmalloc-64 cache. There is rich public literature on how such use after free vulnerabilities can be utilized to compromise the kernel, achieve code execution in kernel context, and elevate privileges of user space processes. Even when modern mitigation is deployed. The mmap handler is exposed through the /dev/davinci0 character device. Due to the applied selinux policy, access to this device is restricted to the hiaiserver system process.

CVE-2021-22412: Huawei NPU Kernel Driver Shared Memory Out of Bounds Write

Summary The NPU device’s kernel driver implements a set of ioctl handlers one of which uses unsanitized user data as an offset to retrieve a kernel structure. Fields of the structure are written with user provided values. A malicious actor can use this vulnerability to overwrite kernel memory with controlled data. The mmap handler is exposed through the /dev/davinci0 character device. Due to the applied selinux policy, access to this device is restricted to the hiaiserver system process. Because of these limitations a practical attack would need to target the hiaiserver first. The /dev/davinci0 device exposes a series of ioctl handlers, one of which is devdrv_ioctl_load_stream_buff.

CVE-2021-22415: Huawei NPU Kernel Driver Use-After-Free

Summary In a previous advisory we disclosed multiple vulnerabilities within the NPU device’s mmap handler and discussed how it exposes sensitive kernel data. This advisory focuses on the implementation errors in the same handler. The mapping function ignores the requested size parameter and fails to back regions of the mapped virtual memory with an actual mapping. Trying to access these holes or requesting an mmap that is smaller than the memory mapped by the kernel driver results in a kernel crash, most likely caused by invalid page accesses. The mmap handler is exposed through the /dev/davinci0 character device. Due to the applied selinux policy, access to this device is restricted to the hiaiserver system process.

CVE-2021-22429: Huawei Buffer Overflow in BootROM USB Stack

Summary During the regular boot sequence, Huawei’s BootROM initializes the UFS hardware and the crypto engine in order to load and verify the next stage bootloader image from flash. However, when run in download mode, which maybe used for factory flashing and repair purposes, a connected host can communicate with the BootROM via USB. In this case, the BootROM acts as a USB1.1 Serial-over-USB gadget, with a single data endpoint. Based on kernel sources, the USB device appears to be a Synopsys DesignWare USB 3.0 controller. Although the implementation of the USB stack in the Linux kernel and the BootROM is quite different (latter is orders of magnitude simpler), the offsets and the register map of the device can be learned from (drivers/usb/dwc3):

SVE-2017-8975: TOCTOU Race Condition in Samsung TrustZone SCrypto Driver

Summary Due to a race condition in input validation, the SCrypto implementation of the drTima secure driver (uuid ffffffffd0000000000000000000000a) was susceptible to a buffer overflow. The drTima secure driver implements a fully featured crypto engine entirely in software, called SCrypto. The SCrypto APIs are callable by all Trustlets without restriction. SCrypto is in fact the OpenSSL’s FIPS compliant library with an abstraction layer added to facilitate the same APIs for crypto operations that are present between Trustlets and Secure Drivers. The SCrypto command implements three kinds of functions: hashing (MD function family), encryption/decryption (3DES, AES, RSA), and signing (RSA). The race condition vulnerability is in the ciphering command implementation of RSA decryption.

SVE-2017-8974: TOCTOU Race Condition in Samsung TrustZone SCrypto Driver

Summary Due to a race condition in input validation, the SCrypto implementation of the drTima secure driver (uuid ffffffffd0000000000000000000000a) was susceptible to a buffer overflow. The drTima secure driver implements a fully featured crypto engine entirely in software, called SCrypto. The SCrypto APIs are callable by all Trustlets without restriction. SCrypto is in fact the OpenSSL’s FIPS compliant library with an abstraction layer added to facilitate the same APIs for crypto operations that are present between Trustlets and Secure Drivers. The SCrypto command implements three kinds of functions: hashing (MD function family), encryption/decryption (3DES, AES, RSA), and signing (RSA). The race condition vulnerability is in the ciphering command implementation of RSA encryption.

SVE-2017-8973: Buffer Overflow in Samsung TrustZone SCrypto Driver

Summary Due to missing input validation, the SCrypto implementation of the drTima secure driver (uuid ffffffffd0000000000000000000000a) was susceptible to a buffer overflow. The drTima secure driver implements a fully featured crypto engine entirely in software, called SCrypto. The SCrypto APIs are callable by all Trustlets without restriction. SCrypto is in fact the OpenSSL’s FIPS compliant library with an abstraction layer added to facilitate the same APIs for crypto operations that are present between Trustlets and Secure Drivers. The SCrypto command implements three kinds of functions: hashing (MD function family), encryption/decryption (3DES, AES, RSA), and signing (RSA). For each type, there are two types of implementations: