Coordinated Disclosure Timeline

Summary

There is a use-after-free vulnerability in the Qualcomm NPU driver.

Product

msm_kernel

Tested Version

v4.x before May 2022

Details

Issue 1: Use-after-free in Qualcomm NPU driver (GHSL-2022-038)

When app_msg_proc receives an NPU_IPC_MSG_EXECUTE_V2_DONE message for an asynchronous command, it initializes an npu_kevent, sets its reserved[0] field to the kernel address of the network's stats_buf [1], and places the event in the event queue of network->client:

	case NPU_IPC_MSG_EXECUTE_V2_DONE:
	{
		...
		if (network->cmd_async) {
			...
			kevt.reserved[0] = (uint64_t)network->stats_buf;     //<-------- address set to `stats_buf`
			kevt.reserved[1] = (uint64_t)network->stats_buf_u;
			if (npu_queue_event(network->client, &kevt))         //<-------- place event in `network->client`'s event queue
				pr_err("queue npu event failed\n");

The queued event only borrows the pointer; it does not hold a reference to the network. If user space then unloads the network with the npu_unload_network_v2 ioctl before the event is consumed, free_network drops the last reference and frees stats_buf [2]:

static void free_network(struct npu_host_ctx *ctx, struct npu_client *client,
	int64_t id)
{
	...
	if (network) {
		network_put(network);
		if (atomic_read(&network->ref_cnt) == 0) {
			kfree(network->stats_buf);    //<---------- frees network->stats_buf
			...
}

This leaves kevt.reserved[0] pointing at a freed object. When the npu_receive_event ioctl is subsequently called, npu_process_kevent copies stats_buf_size bytes from the freed object pointed to by kevt->reserved[0] back to user space, a use-after-free read [3]:

static int npu_process_kevent(struct npu_kevent *kevt)
{
	int ret = 0;
	switch (kevt->evt.type) {
	case MSM_NPU_EVENT_TYPE_EXEC_V2_DONE:
		ret = copy_to_user((void __user *)kevt->reserved[1],
			(void *)kevt->reserved[0],                        //<------- kevt->reserved[0] is free'd
			kevt->evt.u.exec_v2_done.stats_buf_size);
	...
	return ret;
}
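The three excerpts above describe one lifetime bug: an event queue stores a raw pointer into an object (stats_buf) whose lifetime is tied to a different object (the network), and the consumer dereferences that pointer after the owner may be gone. The program below is an added example written for this advisory, not driver code from the msm kernel or from Qualcomm: it models the execute -> unload -> receive_event sequence in user space with a toy LIFO slab cache standing in for the kernel allocator, so the freed stats_buf slot is handed to the next allocation and the stale event leaks that allocation's contents. The hardened variant (copying the stats into the event at enqueue time) is an assumption used to show the contrast, not the vendor's actual fix; all structure and function names here are simplified stand-ins for the ones named in the advisory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy slab cache with LIFO slot reuse (constructed; not the kernel allocator). */
#define SLOT_SIZE 64
#define NSLOTS    4
static unsigned char slab[NSLOTS][SLOT_SIZE];
static int free_stack[NSLOTS];
static int free_top;

static void slab_init(void)
{
	free_top = 0;
	for (int i = NSLOTS - 1; i >= 0; i--)
		free_stack[free_top++] = i;
}

static void *slab_alloc(void)
{
	return free_top ? slab[free_stack[--free_top]] : NULL;
}

static void slab_free(void *p)
{
	free_stack[free_top++] = (int)(((unsigned char *)p - slab[0]) / SLOT_SIZE);
}

/* Simplified stand-ins for the driver objects named in the advisory. */
struct npu_network {
	int ref_cnt;
	unsigned char *stats_buf;
	uint32_t stats_buf_size;
};

struct npu_kevent {
	uint32_t stats_buf_size;
	uintptr_t reserved0;               /* raw kernel pointer, as in the driver   */
	unsigned char snapshot[SLOT_SIZE]; /* copy taken at enqueue (hardened variant) */
};

#define QUEUE_LEN 8
struct npu_client {
	struct npu_kevent q[QUEUE_LEN];
	int head, tail;
};

static int npu_queue_event(struct npu_client *c, const struct npu_kevent *k)
{
	if (c->tail - c->head == QUEUE_LEN)
		return -1;
	c->q[c->tail++ % QUEUE_LEN] = *k;
	return 0;
}

/* Vulnerable pattern: the event merely borrows network->stats_buf. */
static int exec_done_vuln(struct npu_client *c, struct npu_network *n)
{
	struct npu_kevent k = { .stats_buf_size = n->stats_buf_size,
				.reserved0 = (uintptr_t)n->stats_buf };
	return npu_queue_event(c, &k);
}

/* Hardened pattern (assumed, not the vendor fix): the event owns a copy. */
static int exec_done_fixed(struct npu_client *c, struct npu_network *n)
{
	struct npu_kevent k = { .stats_buf_size = n->stats_buf_size, .reserved0 = 0 };
	memcpy(k.snapshot, n->stats_buf, n->stats_buf_size);
	return npu_queue_event(c, &k);
}

/* Last reference dropped: stats_buf goes back to the slab. */
static void free_network(struct npu_network *n)
{
	if (--n->ref_cnt == 0) {
		slab_free(n->stats_buf);
		n->stats_buf = NULL;
	}
}

/* Stands in for npu_process_kevent + copy_to_user; out is "user space". */
static void process_kevent(const struct npu_kevent *k, unsigned char *out, int hardened)
{
	const void *src = hardened ? (const void *)k->snapshot : (const void *)k->reserved0;
	memcpy(out, src, k->stats_buf_size);
}

/* Runs execute -> unload -> receive_event. Returns 1 if the bytes delivered to
 * user space came from the object that reused the freed slot (the leak). */
int run_scenario(int hardened, unsigned char out[SLOT_SIZE])
{
	struct npu_client client = { 0 };
	struct npu_network net = { .ref_cnt = 1, .stats_buf_size = 16 };

	slab_init();
	net.stats_buf = slab_alloc();
	memset(net.stats_buf, 'S', SLOT_SIZE);      /* constructed benign stats */

	if (hardened)                               /* 1. EXECUTE_V2_DONE arrives */
		exec_done_fixed(&client, &net);
	else
		exec_done_vuln(&client, &net);
	free_network(&net);                         /* 2. NPU_UNLOAD_NETWORK_V2    */
	unsigned char *other = slab_alloc();        /* 3. slot is recycled          */
	memset(other, 'K', SLOT_SIZE);              /*    stands in for kernel data */
	process_kevent(&client.q[client.head++ % QUEUE_LEN], out, hardened); /* 4. RECEIVE_EVENT */

	return memcmp(out, other, net.stats_buf_size) == 0;
}

int first_byte_seen(int hardened)
{
	unsigned char out[SLOT_SIZE];
	run_scenario(hardened, out);
	return out[0];
}

int main(void)
{
	printf("vulnerable: user space sees '%c'\n", first_byte_seen(0));
	printf("hardened:   user space sees '%c'\n", first_byte_seen(1));
	return 0;
}
```

The point the model makes is that the dangling pointer is only dangerous because the slot is recycled between step 2 and step 4; in a real kernel the attacker controls that window by choosing what to allocate (or simply by waiting), and step 4 is entirely under user-space control via the receive_event ioctl. Any fix that keeps a raw pointer in the queue needs the event to hold a reference on the network instead.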

Impact

This vulnerability can be exploited to leak kernel data to an untrusted app. An app with access to the NPU ioctl interface can trigger the sequence above (asynchronous execute, unload the network, then receive_event) to copy stats_buf_size bytes out of freed kernel heap memory, disclosing whatever object occupies that memory by the time the event is processed.

  1. https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-coral-4.14-android12/drivers/media/platform/msm/npu/npu_mgr.c#831
  2. https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-coral-4.14-android12/drivers/media/platform/msm/npu/npu_mgr.c#688
  3. https://android.googlesource.com/kernel/msm/+/refs/heads/android-msm-coral-4.14-android12/drivers/media/platform/msm/npu/npu_dev.c#1579

CVE

Credit

These issues were discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).

Contact

You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-038 in any communication regarding these issues.