November 18, 2021

GHSL-2021-1030: Information leak in Qualcomm npu driver - CVE-2021-1968

Man Yue Mo

Coordinated Disclosure Timeline


Information leak in Qualcomm npu driver


msm kernel

Tested Version

Samsung Galaxy A71: SM-A715F/DS AP: A715FXXU3ATJ2 and CP: A715FXXU3ATI5, Kernel version 4.14.117-19828683 and build ID QP1A.190711.020.A715FXXU3ATJ2


In the npu_process_kevent function, the address of the field reserved[0] (rather than its value) is used as the source pointer in the copy_to_user call [1].

static int npu_process_kevent(struct npu_kevent *kevt)
{
	int ret = 0;

	switch (kevt->evt.type) {
	case MSM_NPU_EVENT_TYPE_EXEC_V2_DONE:
		ret = copy_to_user((void __user *)kevt->reserved[1],
			(void *)&kevt->reserved[0],                  //<--- [1] address of kevt->reserved[0] used as source
			kevt->evt.u.exec_v2_done.stats_buf_size);

This, however, is incorrect: reserved[0] itself holds the pointer to the network's stats buffer, which is the intended source of the copy [2].

	kevt.evt.u.exec_v2_done.stats_buf_size = stats_size;
	kevt.reserved[0] = (uint64_t)network->stats_buf;            //<--- [2] kernel address of stats_buf
	kevt.reserved[1] = (uint64_t)network->stats_buf_u;          //<--- userspace destination

This means that, when npu_process_kevent is executed, what is copied back to userland is not the stats buffer but the kevt object itself, followed by whatever kernel memory lies after it, up to stats_buf_size bytes in total. As stats_buf_size can go up to 16384, this can result in a fairly large amount of information leaking from the kernel. Even with a small stats_buf_size, kevt->reserved, which contains kernel pointer addresses, would probably be written back to user, resulting in a leak of kernel pointer addresses.
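To make the wrong-operand bug concrete, here is a user-space model added to this advisory (it is not driver code): it replays the vulnerable copy_to_user call beside the corrected one against a constructed event struct. npu_kevent_model, model_copy_to_user and user_gets_stats are stand-ins chosen for the example, not driver symbols.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the driver's event struct (only the fields the advisory discusses). */
struct npu_kevent_model {
    uint32_t type;         /* evt.type */
    uint32_t stats_size;   /* evt.u.exec_v2_done.stats_buf_size */
    uint64_t reserved[2];  /* [0] = kernel stats_buf, [1] = user stats_buf_u */
};

/* copy_to_user() stand-in: a plain memcpy in this user-space model. */
static void model_copy_to_user(void *dst, const void *src, size_t n) { memcpy(dst, src, n); }

/* Vulnerable form: the source is the address *of* reserved[0], so the bytes copied are
 * the struct's own fields (reserved[0], reserved[1], ...), not the buffer it points to. */
static void process_kevent_vulnerable(struct npu_kevent_model *kevt)
{
    model_copy_to_user((void *)(uintptr_t)kevt->reserved[1],
                       (void *)&kevt->reserved[0], kevt->stats_size);
}

/* Fixed form: use the value of reserved[0] as the source pointer it was meant to be. */
static void process_kevent_fixed(struct npu_kevent_model *kevt)
{
    model_copy_to_user((void *)(uintptr_t)kevt->reserved[1],
                       (void *)(uintptr_t)kevt->reserved[0], kevt->stats_size);
}

/* Run one form against a constructed event. Returns 1 if the user buffer holds the
 * stats data, 0 if it holds the struct's own bytes. first_qword_out receives the first
 * 8 bytes the user saw; stats_addr_out the "kernel" address that was in reserved[0]. */
int user_gets_stats(int use_fixed, uint64_t *first_qword_out, uint64_t *stats_addr_out)
{
    unsigned char stats_buf[16], user_buf[16];
    struct npu_kevent_model kevt;

    memset(stats_buf, 0xAB, sizeof stats_buf);  /* stand-in stats contents */
    memset(user_buf, 0, sizeof user_buf);
    kevt.type = 1;
    kevt.stats_size = sizeof stats_buf;         /* 16 bytes: stays inside the struct here */
    kevt.reserved[0] = (uint64_t)(uintptr_t)stats_buf;
    kevt.reserved[1] = (uint64_t)(uintptr_t)user_buf;

    if (use_fixed) process_kevent_fixed(&kevt);
    else process_kevent_vulnerable(&kevt);

    *stats_addr_out = kevt.reserved[0];
    memcpy(first_qword_out, user_buf, sizeof *first_qword_out);
    return memcmp(user_buf, stats_buf, sizeof stats_buf) == 0;
}
```

With the vulnerable form the first eight bytes the user receives are exactly the address stored in reserved[0], which is the pointer leak the advisory describes; the fixed form delivers the stats contents instead.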




Trivially exploitable to leak kernel heap address from the untrusted app domain.


This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).


You can contact the GHSL team at, please include the GHSL-2021-1030 in any communication regarding this issue.