Summary

Last year we published research at Black Hat in which we disclosed multiple vulnerabilities in the Access Permission system of the Huawei Kirin SoC's DDR controller (DMSS). Those vulnerabilities allowed some SoC cores or DMA-capable peripherals to access Secure World memory directly and thereby compromise the entire memory of the SoC. This advisory covers a new access permission vulnerability in the same DMSS. It can be used to compromise the entire SoC platform runtime (including all cores running in Secure World) directly from the Baseband. The vulnerability was fixed in February 2022.

Vulnerability Details

We have identified two related vulnerabilities in the LPMSS subsystem of Huawei Kirin SoCs. The LPMCU is a Cortex-M3 microcontroller; it runs the BootROM and then the xloader code. After boot completes, the xloader code is replaced by the image called fw_lpm3. This firmware is responsible for low-level power management decisions, such as how the SoC enters deep sleep, DDR tuning, etc.

The code of fw_lpm3 does not reside in the main DDR memory but in an SRAM that was previously used by the BootROM and the xloader. The base address of this SRAM is defined by the following line in the soc_acpu_baseaddr_interface.h file of the published kernel sources:

#define SOC_ACPU_LP_RAM_BASE_ADDR (0xFFF50000)

This is the address at which the modem can access the LPMCU code. Moreover, the modem can also write it, so it is possible to hot-patch LPMCU code from the modem. The modem's MPU default configuration enables read and write access on the whole memory-mapped peripheral address space. Here are the relevant entries:

[ 4]  on  0xe0000000 - 0xffffffff  |    R1  W1  R0  W0 | S  -      -    
[ 5]  on  0xfffe0000 - 0xffffffff  | X                 | S  -      -    

The first vulnerability is that the DMSS (which controls accesses to DDR memory ranges) does not prevent the modem from directly overwriting the code of the LPMCU running in SRAM memory.

The second vulnerability is that the fix for CVE-2021-37107 only removed the modem's direct access to DMSS ASI entries, while the LPMCU was still allowed to modify them.

Consequently, it is possible from the modem to overwrite the LPMCU code to gain control of that core and then use that context to modify DMSS ASI entries, once again entirely compromising the memory controller access permissions for the SoC.

For a detailed description of the vulnerability impact, see our presentation.

Affected Devices (Verified)

  • Kirin 990

    • Huawei Mate 30 Pro (LIO)
    • Huawei P40 Pro (ELS)
    • Huawei P40 (ANA)
  • Kirin 9000

    • Huawei Mate40 Pro (NOH)

Fix

Huawei OTA images released after February 2022 contain the fix for the vulnerability.

Timeline

  • 2021.08.05. Bug reported to Huawei PSIRT
  • 2021.09.08. Huawei PSIRT confirms vulnerability, does not provide severity rating
  • 2021.09.21. Additional reporting to Huawei PSIRT shows Kirin 9000 is vulnerable
  • 2021.10.19. Update Requested
  • 2021.10.20. Huawei confirms final assessment and High severity rating
  • 2022.02.03. Huawei promises a later response
  • 2022.02.25. Huawei confirms CVE released in security bulletin, confirms disclosure allowed in May