CVE-2021-37109: Huawei Baseband MPU Security Protection Bypass via EDMA

Summary There is a vulnerability in the Huawei Kirin SoC’s DDR Controller (DMSS) Access Permission system which allows the baseband to bypass the Baseband’s MPU memory protections and circumvent RO and NX protections. The vulnerability was fixed in February 2022. Vulnerability Details CVE-2021-22430 is a vulnerability in the Huawei Kirin SoC’s basebands which allowed to circumvent MPU restrictions. The vulnerability in CVE-2021-22430 was that MPU configuration was restored from a writable table for sleep cycles and therefore overwriting the cached entries resulted in new settings taking effect. This worked because the implementation normally only wrote the table once (not every time the core went to sleep) but restored the MPU configuration from it every time it was woken up.

CVE-2021-39992: Huawei Kernel Memory Access Permission Bypass via EDMA

Summary There is a vulnerability in the Huawei Kirin SoC’s DDR Controller (DMSS) Access Permission system which allows the Linux kernel to bypass memory access restrictions and directly compromise multiple privileged subsystems of the SoC. As demonstrated by CVE-2021-3710, CVE-2021-39991, CVE-2021-37115, and CVE-2021-39986, read and write of critical system memory, including secure memory regions, is possible via those subsystems. Therefore, this vulnerability combined with one of CVE-2021-3710, CVE-2021-39991, CVE-2021-37115, or CVE-2021-39986 results in a fully realized chain of elevation of privileges from a kernel-level write primitive to total control of the secure world (TEE). The vulnerability was fixed in February 2022.

CVE-2021-32484: Heap Buffer overflow in GSM RRM E-UTRAN Individual Priority Parameters

Summary In this advisory we are disclosing a heap overflow vulnerability in the MediaTek baseband. The vulnerability can be exploited to gain arbitrary code execution in the context of the baseband runtime. The vulnerability was fixed in 2020 in some models, and received a CVE and more widely deployed fix in 2021. Vulnerability Details When processing the CSN.1 decoding of the “E-UTRAN Individual Priority Parameters” element, the function rr_decode_eutran_individual_priority_para_description implements a two-depth nested repetition (Repeated Individual E-UTRAN Priority Parameters Description struct and its child element EARFCN). The outer loop is iterated by checking on the single bit representing the ongoing repetition, and while that equals “1”, a new Repeated Individual E-UTRAN Priority Parameters Description struct is processed.

CVE-2021-32485: Heap Buffer overflow in GSM RRM UTRAN Individual Priority Parameters

Summary In this advisory we are disclosing a heap overflow vulnerability in the MediaTek baseband. The vulnerability can be exploited to gain arbitrary code execution in the context of the baseband runtime. The vulnerability was fixed in 2020 in some models, and received a CVE and more widely deployed fix in 2021. Vulnerability Details When processing the CSN.1 decoding of the “UTRAN (3G) Individual Priority Parameters” element, the function rr_decode_3g_individual_priority_para_description implements a two-depth nested repetition (Repeated Individual UTRAN Priority Parameters Description struct and its child element FDD-ARFCN). The outer loop is iterated by checking the single bit representing the ongoing repetition, and while that equals “1”, a new Repeated Individual UTRAN Priority Parameters Description struct is processed.

CVE-2021-32486: Heap Buffer overflow in GSM RRM E-UTRAN IPP with extended EARFCNs

Summary In this advisory we are disclosing a heap overflow vulnerability in the MediaTek baseband. The vulnerability can be exploited to gain arbitrary code execution in the context of the baseband runtime. The vulnerability was fixed in 2020 in some models, and received a CVE and more widely deployed fix in 2021. Vulnerability Details When processing the CSN.1 decoding of the “E-UTRAN IPP with extended EARFCNs” element, the function rr_decode_eutran_ipp_extended_earfcns implements a two-depth nested repetition (Repeated Individual E-UTRAN PP with extended EARFCNs Description struct and its child element EARFCN_extended). The outer loop is iterated by checking the single bit representing the ongoing repetition, and while that equals “1”, a new Repeated Individual E-UTRAN PP with extended EARFCNs Description struct is processed.

CVE-2021-32487: Heap Buffer overflow in GSM RRM Channel Release, Cell Selection Indicator

Summary In this advisory we are disclosing a heap overflow vulnerability in the MediaTek baseband. The vulnerability can be exploited to gain arbitrary code execution in the context of the baseband runtime. The vulnerability was fixed in 2020 in some models, and received a CVE and more widely deployed fix in 2021. Vulnerability Details When processing the GSM Radio Resource Management Channel Release message, the CSN.1 decoding of the “Cell selection indicator after release of all TCH and SDCCH” information element contains a heap buffer overflow in the function FDD_csrr_decode_redirection_ie. The “Cell selection indicator after release of all TCH and SDCCH” is a type 4 information element with a minimum length of 4 octets.