Coordinated Disclosure Timeline
- 03/12/2020 Reported to Qualcomm security team.
- 14/12/2020 Qualcomm security team confirms that they are able to verify the vulnerability and rated it as Medium severity.
- 08/09/2021 Asked the Qualcomm security team when the fix would be available.
- 08/09/2021 Qualcomm security team replied that the fix had been made available in their customer security bulletin in April 2021 and that the vulnerability had been assigned CVE-2021-1968, but did not say when the patch would be made public.
- 01/10/2021 The fix is publicly available in the October bulletin.
Summary
Information leak in Qualcomm npu driver
Product
msm kernel
Tested Version
Samsung Galaxy A71: SM-A715F/DS AP: A715FXXU3ATJ2 and CP: A715FXXU3ATI5, Kernel version 4.14.117-19828683 and build ID QP1A.190711.020.A715FXXU3ATJ2
Details
In the npu_process_kevent function, the address of the field reserved[0] is used as the source pointer of the copy_to_user call [1].
static int npu_process_kevent(struct npu_kevent *kevt)
{
	int ret = 0;

	switch (kevt->evt.type) {
	case MSM_NPU_EVENT_TYPE_EXEC_V2_DONE:
		ret = copy_to_user((void __user *)kevt->reserved[1],
			(void *)&kevt->reserved[0], /* <--- address of kevt->reserved[0] used as source */
			kevt->evt.u.exec_v2_done.stats_buf_size);
		/* ... */
This, however, is incorrect, as reserved[0] itself is meant to be the pointer to the network's source buffer (network->stats_buf) [2].
	kevt.evt.u.exec_v2_done.stats_buf_size = stats_size;
	kevt.reserved[0] = (uint64_t)network->stats_buf;   /* <--- kernel stats_buf address: the intended copy source */
	kevt.reserved[1] = (uint64_t)network->stats_buf_u; /* user-space destination */
This means that, when npu_process_kevent is executed, instead of the stats buffer, the kevt object itself, followed by whatever memory lies after it up to the size of the stats buffer, is copied back to userland. As stats_buf_size can go up to 16384, this can leak a fairly large amount of kernel memory. Even with a small stats_buf_size, kevt->reserved, which contains kernel pointer addresses, would probably be written back to user space, resulting in a leak of kernel pointer addresses.
- https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-coral-4.14-android11/drivers/media/platform/msm/npu/npu_dev.c#1580
- https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-coral-4.14-android11/drivers/media/platform/msm/npu/npu_mgr.c#819
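To make the difference between the two copy sources concrete, the following user-space model is added here; it is not code from the advisory or from the msm npu driver. The struct layouts (a cut-down fake_kevent with an evt header and two reserved slots, followed by a block standing in for whatever kernel memory comes after the object) and the memcpy stand-in for copy_to_user are assumptions made for the demo; the stats size, fill bytes and buffers are constructed. It runs the call with the address of reserved[0] as source (the vulnerable form) and with the value of reserved[0] as source (the fixed form) and reports what the "user" buffer ends up containing in each case.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed demo parameters (not values from the driver). */
#define STATS_SIZE 64        /* stands in for stats_buf_size */
#define STATS_FILL 0x41      /* content of the (kernel-side) stats buffer */
#define NEIGHBOR_FILL 0x5A   /* content of kernel memory that follows the kevent */

/* Assumed, simplified stand-in for struct npu_kevent. */
struct fake_kevent {
    struct {
        uint32_t type;
        uint32_t stats_buf_size; /* models evt.u.exec_v2_done.stats_buf_size */
    } evt;
    uint64_t reserved[2];        /* [0]: kernel stats_buf, [1]: user stats_buf_u */
};

/* The kevent plus the memory that happens to sit after it in the kernel heap. */
struct kernel_memory {
    struct fake_kevent kevt;
    uint8_t after_kevt[STATS_SIZE];
};

/* Stand-in for copy_to_user: in this user-space model it is a plain memcpy. */
static int fake_copy_to_user(void *to, const void *from, size_t n)
{
    memcpy(to, from, n);
    return 0;
}

/* Vulnerable form: the ADDRESS of reserved[0] is passed as the copy source. */
int process_kevent_vulnerable(struct fake_kevent *kevt)
{
    return fake_copy_to_user((void *)(uintptr_t)kevt->reserved[1],
                             (void *)&kevt->reserved[0],
                             kevt->evt.stats_buf_size);
}

/* Fixed form: the VALUE stored in reserved[0] is the copy source. */
int process_kevent_fixed(struct fake_kevent *kevt)
{
    return fake_copy_to_user((void *)(uintptr_t)kevt->reserved[1],
                             (void *)(uintptr_t)kevt->reserved[0],
                             kevt->evt.stats_buf_size);
}

/* What the user-side buffer holds after one variant has run. */
struct outcome {
    bool got_stats_data;            /* user buffer == stats buffer content */
    bool leaked_stats_buf_ptr;      /* first 8 bytes == kernel address held in reserved[0] */
    bool tail_is_memory_after_kevt; /* remaining bytes came from beyond the kevent */
};

/* Builds the scenario, runs the chosen variant and classifies the result. */
struct outcome run_variant(int (*variant)(struct fake_kevent *))
{
    struct kernel_memory mem;
    uint8_t stats_buf[STATS_SIZE], user_buf[STATS_SIZE];
    size_t reserved_bytes = sizeof(mem.kevt.reserved);
    struct outcome o;

    memset(stats_buf, STATS_FILL, sizeof(stats_buf));
    memset(user_buf, 0, sizeof(user_buf));
    memset(&mem, 0, sizeof(mem));
    memset(mem.after_kevt, NEIGHBOR_FILL, sizeof(mem.after_kevt));
    mem.kevt.evt.stats_buf_size = STATS_SIZE;
    mem.kevt.reserved[0] = (uint64_t)(uintptr_t)stats_buf; /* kernel source buffer */
    mem.kevt.reserved[1] = (uint64_t)(uintptr_t)user_buf;  /* user destination */

    variant(&mem.kevt);

    o.got_stats_data = memcmp(user_buf, stats_buf, STATS_SIZE) == 0;
    o.leaked_stats_buf_ptr = memcmp(user_buf, &mem.kevt.reserved[0], sizeof(uint64_t)) == 0;
    o.tail_is_memory_after_kevt = memcmp(user_buf + reserved_bytes, mem.after_kevt,
                                         STATS_SIZE - reserved_bytes) == 0;
    return o;
}

static void report(const char *name, struct outcome o)
{
    printf("%-10s stats data: %d  pointer leaked: %d  memory after kevent leaked: %d\n",
           name, o.got_stats_data, o.leaked_stats_buf_ptr, o.tail_is_memory_after_kevt);
}

int main(void)
{
    report("vulnerable", run_variant(process_kevent_vulnerable));
    report("fixed", run_variant(process_kevent_fixed));
    return 0;
}
```

With the vulnerable form the user buffer starts with the two reserved slots (the kernel address of the stats buffer among them) and continues with bytes that were never meant to leave the kernel; with the fixed form it contains only the stats data. The same one-character difference, `&kevt->reserved[0]` versus `kevt->reserved[0]`, is what separates the two copy_to_user calls in the driver.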
CVE
- CVE-2021-1968
Impact
Trivially exploitable to leak kernel heap address from the untrusted app domain.
Credit
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com; please include GHSL-2021-1030 in any communication regarding this issue.