Coordinated Disclosure Timeline
- 22/11/2020 Reported to Qualcomm security team.
- 14/12/2020 Qualcomm security team confirms the vulnerability and rates it as High severity.
- 01/07/2021 Fix made publicly available in the July 2021 Qualcomm security bulletin.
Summary
Use-after-free in Qualcomm npu driver
Product
msm kernel
Tested Version
Samsung Galaxy A71: SM-A715F/DS AP: A715FXXU3ATJ2 and CP: A715FXXU3ATI5, Kernel version 4.14.117-19828683 and build ID QP1A.190711.020.A715FXXU3ATJ2
Details
When executing a network with the async option, the ioctl returns immediately after a message is posted to the npu [1], while the npu executes the network. When execution completes, the npu notifies the host by sending an NPU_IPC_MSG_EXECUTE_DONE event. The driver's event handler then passes network->client to npu_queue_event [2].

If the file associated with client (the one obtained from open("/dev/msm_npu")) is closed while the network is still executing, npu_close is called [3]. It first calls npu_host_cleanup_networks [4], which tries to call npu_host_unload_network to unload the networks associated with the client and clear network->client. However, because the network is still executing, that call fails with -EBUSY [5], so the cleanup of the network is skipped. npu_close then proceeds to free the client [6], leaving a dangling pointer in network->client. When execution completes, the driver dereferences network->client in npu_queue_event as described above, which is a use-after-free of the freed client.
- [1] https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-coral-4.14-android11/drivers/media/platform/msm/npu/npu_mgr.c#1835
- [2] https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-coral-4.14-android11/drivers/media/platform/msm/npu/npu_mgr.c#764
- [3] https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-coral-4.14-android11/drivers/media/platform/msm/npu/npu_dev.c#1238
- [4] https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-coral-4.14-android11/drivers/media/platform/msm/npu/npu_dev.c#1243
- [5] https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-coral-4.14-android11/drivers/media/platform/msm/npu/npu_mgr.c#1691
- [6] https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-coral-4.14-android11/drivers/media/platform/msm/npu/npu_dev.c#1253
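The sequence described in Details (async execute, close of the /dev/msm_npu file while the network is busy, then the NPU_IPC_MSG_EXECUTE_DONE completion path) can be reduced to a small state model that shows why ignoring the -EBUSY result is the root cause. The following C program is an added illustration written for this advisory; it is not code from the msm kernel, and the model_* functions, the npu_client/npu_network fields and the close_hardened variant are constructed for the demonstration. Allocation state is tracked with an explicit flag rather than a real kfree so that the dangling dereference is reported instead of corrupting memory. The hardened close is one possible mitigation (dropping the network's client pointer before the client is freed) and is not Qualcomm's actual patch.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the two objects involved: the per-open client and a
 * network that the NPU may still be executing asynchronously. */
struct npu_client {
    int fd_id;
    bool allocated;      /* false once the close path has "freed" it (models kfree) */
    int events_queued;   /* counts successful npu_queue_event calls */
};

struct npu_network {
    struct npu_client *client;   /* owner; cleared when the network is unloaded */
    bool is_executing;           /* set while the NPU runs the network */
    bool cleanup_pending;        /* hardened variant: unload deferred to completion */
};

enum { NPU_NO_UAF = 0, NPU_UAF_DETECTED = -1 };

/* Model of the async execute ioctl: post the message and return immediately,
 * the network keeps pointing at the client that issued the ioctl. */
static int model_exec_async(struct npu_network *net, struct npu_client *c)
{
    if (net->is_executing)
        return -EBUSY;
    net->client = c;
    net->is_executing = true;
    return 0;
}

/* Model of npu_host_unload_network: refuses to unload a busy network. */
static int model_unload_network(struct npu_network *net)
{
    if (net->is_executing)
        return -EBUSY;
    net->client = NULL;
    return 0;
}

/* Vulnerable close path: the -EBUSY from unload is ignored and the client is
 * freed anyway, so net->client keeps pointing at freed memory. */
static void close_vulnerable(struct npu_network *net, struct npu_client *c)
{
    (void)model_unload_network(net);   /* -EBUSY silently skipped */
    c->allocated = false;              /* models kfree(client) */
}

/* Hardened close path (illustrative, not the vendor's fix): when the network
 * is busy, drop its client pointer now and let the completion handler finish
 * the unload, so nothing dereferences the client after it is freed. A real
 * driver must do this under the same lock the completion path takes. */
static void close_hardened(struct npu_network *net, struct npu_client *c)
{
    if (model_unload_network(net) == -EBUSY) {
        net->client = NULL;
        net->cleanup_pending = true;
    }
    c->allocated = false;
}

/* Model of the NPU_IPC_MSG_EXECUTE_DONE handler calling npu_queue_event. */
static int model_execute_done(struct npu_network *net)
{
    struct npu_client *c = net->client;

    net->is_executing = false;
    if (c == NULL) {
        /* Client already gone: complete the deferred unload, queue nothing. */
        net->cleanup_pending = false;
        return NPU_NO_UAF;
    }
    if (!c->allocated)
        return NPU_UAF_DETECTED;   /* the dangling network->client from the advisory */
    c->events_queued++;
    return NPU_NO_UAF;
}

/* Drives the advisory's sequence: exec async, close the fd, NPU completes. */
static int run_sequence(bool hardened)
{
    struct npu_client client = { .fd_id = 3, .allocated = true, .events_queued = 0 };
    struct npu_network net = { 0 };

    if (model_exec_async(&net, &client) != 0)
        return -2;
    if (hardened)
        close_hardened(&net, &client);
    else
        close_vulnerable(&net, &client);
    return model_execute_done(&net);
}

int main(void)
{
    printf("vulnerable close: %d (−1 = use-after-free)\n", run_sequence(false));
    printf("hardened close:   %d\n", run_sequence(true));
    return 0;
}
```

The model makes the ordering explicit: the unload refusal is correct on its own, and the free is correct on its own; the bug is that the close path treats -EBUSY as "nothing to do" instead of "this network still references the client". Any fix has to make the completion handler and the close path agree on who owns network->client, whether by clearing the pointer under a lock as sketched here, by refcounting the client, or by blocking close until execution finishes.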
CVE
- CVE-2021-1940
Impact
This issue can be exploited to gain arbitrary kernel code execution from the untrusted app domain.
Credit
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com; please include the GHSL-YEAR-ID in any communication regarding this issue.