There is a vmalloc out of bounds write vulnerability in the vision DSP kernel driver of Samsung Exynos S20 devices. The vulnerability could potentially be used by a malicious system application to compromise the kernel and gain further privileges. Vulnerability Details The Exynos DSP driver implements two distinct ioctl calls that are used to load images and graphs and boot the device. The DSP_IOC_BOOT ioctl loads the dsp’s firmware images, common libraries, an xml global kernel descriptor file and a linker file for linking libraries. The DSP_IOC_LOAD_GRAPH ioctl is responsible for creating a shared memory region between the dsp device and user space and for loading the custom graph models implemented in elf libraries.

There is an ION memory buffer type confusion vulnerability in the Exynos ION kernel driver. The vulnerability can cause zero initialised memory to be treated as a valid pointer and cause a kernel NULL pointer exception. Untrusted applications can abuse this bug to cause a kernel crash and carry out DOS attacks agains the device. Vulnerability Details The vulnerable code is in ion_iovmm_map in drivers/staging/android/ion/ion_exynos.c, the function is used to map an ion buffer into the bus’s io address space, to make it available for dma capable external devices and returns this dma address. The function has a fast path for buffers marked with ION_FLAG_PROTECTED and returns their associated, preinitialised prot->dma_addr pointers.

There are a series of memory corruption vulnerabilities in Samsung Exynos kernels, due to improper error checks, after dma_buf_vmap calls. These bugs can be abused by various privileged processes to cause NULL pointer accesses and crash the kernel. Vulnerability Details The kernel uses the dma_buf_vmap function if it needs to map a dma buffer into the kernel address space to access its content. This function returns a NULL pointer if it encounters an error during its execution. While some drivers employ a null check on the returned pointer, many call sites incorrectly use the IS_ERR macro which explicitly allows NULL pointers.

Summary In this advisory we are disclosing a vmap/vmalloc use-after-free vulnerability within the Android ION allocator, that impacts most Android devices that utilize ION. The exploitability of the vulnerability depends on how the various kernel drivers use the allocated ION buffers, the version of the kernel and the vendor specific modifications to the ION subsystem. In the most serious cases the vulnerability can be used to corrupt vmallocated kernel buffers, including kernel stacks, to achieve kernel code execution and compromise the integrity of the kernel. The ION allocator went over multiple refactors throughout its evolution, yet the vulnerability persisted within the Android common and the Linux upstream kernel branches.

Summary The NPU device’s kernel driver implements a set of ioctl handlers one of which uses unsanitized user data as an index into a function pointer array. The user provided values can exceed the boundaries of the legitimate array and might cause user controlled values to be called as function pointers. A malicious actor can use this vulnerability to hijack the control flow of the kernel and call arbitrary functions with controlled parameters. The function pointer callsite is protected by clang’s CFI, which reduces the number of function that can be called through this primitive. The mmap handler is exposed through the /dev/davinci0 character device.

Summary The NPU device’s kernel driver implements a custom mmap handler that exposes trusted kernel data to user space. These exposed structures contain sensitive data, including kernel pointers, which can be controlled by a user process. The content of these structures is inherently trusted by the kernel, the pointers are accessed for reading and writing at various places. This provides a very convenient arbitrary kernel read-write primitive that can be abused by an attacker to compromise the integrity of the kernel achieve kernel code execution and gain elevated privileges. The mmap handler is exposed through the /dev/davinci0 character device. Due to the applied selinux policy, access to this device is restricted to the hiaiserver system process.

Summary Due to a bug in the way mappings are closed it is possible to free a kmallocated memory chunk arbitrary times. This vulnerability can be used to craft a use after free scenario against any kernel structure that is allocated from the kmalloc-64 cache. There is rich public literature on how such use after free vulnerabilities can be utilized to compromise the kernel, achieve code execution in kernel context, and elevate privileges of user space processes. Even when modern mitigation is deployed. The mmap handler is exposed through the /dev/davinci0 character device. Due to the applied selinux policy, access to this device is restricted to the hiaiserver system process.

Summary The NPU device’s kernel driver implements a set of ioctl handlers one of which uses unsanitized user data as an offset to retrieve a kernel structure. Fields of the structure are written with user provided values. A malicious actor can use this vulnerability to overwrite kernel memory with controlled data. The mmap handler is exposed through the /dev/davinci0 character device. Due to the applied selinux policy, access to this device is restricted to the hiaiserver system process. Because of these limitations a practical attack would need to target the hiaiserver first. The /dev/davinci0 device exposes a series of ioctl handlers, one of which is devdrv_ioctl_load_stream_buff.

Summary In a previous advisory we disclosed multiple vulnerabilities within the NPU device’s mmap handler and discussed how it exposes sensitive kernel data. This advisory focuses on the implementation errors in the same handler. The mapping function ignores the requested size parameter and fails to back regions of the mapped virtual memory with an actual mapping. Trying to access these holes or requesting an mmap that is smaller than the memory mapped by the kernel driver results in a kernel crash, most likely caused by invalid page accesses. The mmap handler is exposed through the /dev/davinci0 character device. Due to the applied selinux policy, access to this device is restricted to the hiaiserver system process.