Summary

In a previous advisory we disclosed multiple vulnerabilities within the NPU device’s mmap handler and discussed how it exposes sensitive kernel data. This advisory focuses on the implementation errors in the same handler. The mapping function ignores the requested size parameter and fails to back regions of the mapped virtual memory with an actual mapping. Trying to access these holes or requesting an mmap that is smaller than the memory mapped by the kernel driver results in a kernel crash, most likely caused by invalid page accesses.

The mmap handler is exposed through the /dev/davinci0 character device. Due to the applied selinux policy, access to this device is restricted to the hiaiserver system process. Because of these limitations a practical attack would need to target the hiaiserver first.

The devdrv_npu_map function calls drivers/hisi/npu/facility/memory/npu_shm.c:962 devdrv_info_sq_cq_mmap if the provided offset signals this type of mapping. The problem is that this function tries to map 0x8100000 bytes into the provided vma regardless of the requested size. When allocating vma-s the kernel aims to chose addresses that are tightly packed so the mapped regions are consecutive and no memory is wasted. When the vulnerable kernel driver ignores the the requested size it might extend the mapping to an address where a previously mmapped region already exists. This leads to a kernel crash due to corruption in the structures used to represent the process’ virtual memory. We have not investigated how an attacker can leverage this vulnerability.

The other issue is when devdrv_info_sq_cq_mmap invoked it does not create one contiguous mapping but rather creates several small mappings 32 MB apart. Despite of this, the user space process only sees one large chunk of valid virtual memory. Trying to access the “holes” between the actual mappings on our test device causes a kernel crash. Due to our limited debug capabilities it is hard to pinpoint what happens exactly, it most likely causes a page fault that the kernel can’t handle.

Affected Devices (Verified)

  • Kirin 990
    • Huawei Mate 30 Pro (LIO)
    • Huawei P40 Pro (ELS)
    • Huawei P40 (ANA)

Fix

Huawei OTA images, released after February 2021, contain the fix for the vulnerability.

Timeline

  • 2020.10.30. Bug reported to Huawei PSIRT
  • 2020.11.25. Huawei PSIRT confirms vulnerability, confirms fix plans
  • 2021.01.31. OTA distribution of the fix, mitigating the vulnerability, starts
  • 2021.06.09. Huawei assigns CVEs
  • 2021.06.30. Huawei releases security bulletin