Summary

Last year we published research at Black Hat in which we disclosed multiple vulnerabilities in Huawei Kirin SoC’s DDR Controller (DMSS) Access Permission system which allowed some SoC cores or DMA-capable peripherals to directly access secure world memory and completely compromise the entire memory of the SoC. This advisory focuses on a new access permission vulnerability in the same DMSS. The vulnerability can be used to entirely compromise the SoC platform runtime (including all cores running in Secure World) directly from the Baseband. The vulnerability was fixed in February 2022.

Vulnerability Details

This vulnerability is very similar to CVE-2021-37107 (“Huawei Peripheral DMA Memory Access Permission Bypass”). The difference is that the Peripheral DMA is also allowed to access and modify the DMSS entries themselves. The baseband’s direct access to these entries was removed as a result of CVE-2021-22431. However, because the Peripheral DMA can still access them, the baseband can bypass the access control restriction by programming the Peripheral DMA to modify DMSS entries:

DMSS entry address | index | range begin-end | (N)S: (non)secure R/W | AXI Master ID for (W)rite and (R)ead
0xffe80610  17: 0x20000000 - 0x2bb7ffff  SR SW    Wbfc00010 Rffc00010

A Peripheral DMA transaction that modifies the entry at 0xffe80610 by updating the corresponding SOC_DMSS_ASI_SEC_RGN_MAP0.rgn_base_addr field with the address 0x00000000 leads to the DMSS allowing the modem to access and modify arbitrary DDR content (physical addresses) in the 0x00000000 - 0x2bc7ffff range. The memory below 0x20000000 is where the Linux kernel, trustfirmware, teeos and most of the other firmwares are loaded.
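As an added example (not part of the original advisory), the following Python audit parses the DMSS dump format shown above and flags an entry whose range has changed so that it covers the firmware region below 0x20000000. The two dump lines are constructed from the page's values (the original entry and the same entry after its base address was moved to 0x00000000); the firmware boundary is taken from the advisory.

```python
import re

# Constructed sample: the entry as printed in the advisory (baseline) and the same
# entry after rgn_base_addr was rewritten to 0x00000000 (tampered), in the dump format.
BASELINE_DUMP = "0xffe80610  17: 0x20000000 - 0x2bb7ffff  SR SW    Wbfc00010 Rffc00010"
TAMPERED_DUMP = "0xffe80610  17: 0x00000000 - 0x2bc7ffff  SR SW    Wbfc00010 Rffc00010"

# Per the advisory, memory below 0x20000000 holds the kernel, trustfirmware and teeos.
FIRMWARE_REGION = (0x00000000, 0x1fffffff)

# entry address | index: | range begin - end | (N)S R/W flags | W<master id> R<master id>
ENTRY_RE = re.compile(
    r"^(?P<entry>0x[0-9a-fA-F]+)\s+(?P<index>\d+):\s+"
    r"(?P<begin>0x[0-9a-fA-F]+)\s*-\s*(?P<end>0x[0-9a-fA-F]+)\s+"
    r"(?P<perms>(?:[NS][RW]\s+)+)"
    r"W(?P<wmid>[0-9a-fA-F]+)\s+R(?P<rmid>[0-9a-fA-F]+)\s*$"
)


def parse_entry(line):
    """Decode one dump line into integer addresses, a permission set and master IDs."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised DMSS dump line: {line!r}")
    return {
        "entry": int(m["entry"], 16),
        "index": int(m["index"]),
        "begin": int(m["begin"], 16),
        "end": int(m["end"], 16),
        "perms": frozenset(m["perms"].split()),
        "write_master": int(m["wmid"], 16),
        "read_master": int(m["rmid"], 16),
    }


def overlaps_firmware(entry, region=FIRMWARE_REGION):
    """True if the address range mapped by this entry intersects the firmware region."""
    lo, hi = region
    return entry["begin"] <= hi and entry["end"] >= lo


def diff_entries(baseline, current):
    """List (field, old, new) for every field that differs between two snapshots of one entry."""
    if baseline["entry"] != current["entry"]:
        raise ValueError("snapshots must describe the same DMSS entry")
    return [(k, baseline[k], current[k]) for k in baseline if baseline[k] != current[k]]


def audit(baseline_line, current_line):
    """Compare two snapshots; report changes and whether the entry now reaches firmware memory."""
    base, cur = parse_entry(baseline_line), parse_entry(current_line)
    newly_exposed = overlaps_firmware(cur) and not overlaps_firmware(base)
    return {"changed": diff_entries(base, cur), "covers_firmware": newly_exposed}
```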

For a detailed description of the vulnerability impact, see our presentation.

Affected Devices (Verified)

  • Kirin 990
    • Huawei Mate 30 Pro (LIO)
    • Huawei P40 Pro (ELS)
    • Huawei P40 (ANA)

Fix

Huawei OTA images, released after February 2022, contain the fix for the vulnerability.

Timeline

  • 2021.08.05. Bug reported to Huawei PSIRT
  • 2021.09.08. Huawei PSIRT confirms vulnerability, does not provide severity rating
  • 2021.09.21. Additional reporting to Huawei PSIRT shows Kirin 9000 is vulnerable
  • 2021.10.19. Update requested
  • 2021.10.20. Huawei confirms final assessment and High severity rating
  • 2022.02.03. Huawei promises a later response
  • 2022.02.25. Huawei confirms CVE released in security bulletin, confirms disclosure allowed in May