Coordinated Disclosure Timeline

Summary

Information leak in Qualcomm npu driver

Product

msm kernel

Tested Version

Samsung Galaxy A71: SM-A715F/DS AP: A715FXXU3ATJ2 and CP: A715FXXU3ATI5, Kernel version 4.14.117-19828683 and build ID QP1A.190711.020.A715FXXU3ATJ2

Details

In the npu_process_kevent method, the reference of the field reserved[0] is used as a source pointer in the copy_to_user method [1].

static int npu_process_kevent(struct npu_kevent *kevt)
{
int ret = 0;
switch (kevt->evt.type) {
case MSM_NPU_EVENT_TYPE_EXEC_V2_DONE:
ret = copy_to_user((void __user *)kevt->reserved[1],
(void *)&kevt->reserved[0],                           //<--- reference of kevt->reserved[0] used as source
kevt->evt.u.exec_v2_done.stats_buf_size);

This, however, is incorrect, as reserved[0] itself is meant to be the pointer that points to a network source buffer [2].

kevt.evt.u.exec_v2_done.stats_buf_size = stats_size;
kevt.reserved[0] = (uint64_t)network->stats_buf;            //<--- stats_buf address
kevt.reserved[1] = (uint64_t)network->stats_buf_u;

This means that, when npu_process_kevent is executed, instead of the stats buffer, the object kevt itself, plus the data of the size of the stats buffer that is after it, is being copied back to the userland. As stats_buf_size can go up to 16384, this can result in a fairly large amount of information leak from the kernel. Even with a small stats_buf_size, kevt->reserved, which contains kernel pointer addresses, would probably be written back to user, resulting in a leak of kernel pointer addresses.

  1. https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-coral-4.14-android11/drivers/media/platform/msm/npu/npu_dev.c#1580
  2. https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-coral-4.14-android11/drivers/media/platform/msm/npu/npu_mgr.c#819

CVE

Impact

Trivially exploitable to leak kernel heap address from the untrusted app domain.

Credit

This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com, please include the GHSL-2021-1030 in any communication regarding this issue.