Coordinated Disclosure Timeline
- 2024-12-12: Reported issue to Arm security team
- 2024-12-13: Arm security team confirmed the vulnerability and assigned CVE-2025-0073
- 2025-06-02: Vulnerability disclosed
Summary
GPU memory in the Arm Mali GPU can be accessed after it is freed
Project
Arm Mali
Tested Version
Driver version r53
Details
Freed memory can be accessed with CSG_CS_USER_PAGE_ALLOCATION capability (GHSL-2024-357)
For the r53 version of the driver, the new CSG_CS_USER_PAGE_ALLOCATION capability introduces a vulnerability. In this case, the pages mapped from a kbase_queue to the user space are owned by the kbase_queue_group that it binds to:
static vm_fault_t kbase_csf_user_io_pages_vm_fault(struct vm_fault *vmf)
{
    ...
    if (mali_kbase_supports_csg_cs_user_page_allocation(queue->kctx->api_version)) {
        if (!queue->group) {
            ret = VM_FAULT_SIGBUS;
            goto exit;
        }
        input_page_pfn = PFN_DOWN(as_phys_addr_t(queue->group->phys[0])); //<----- pages are owned by queue->group
        output_page_pfn = PFN_DOWN(as_phys_addr_t(queue->group->phys[1]));
    } else {
        ...
    }
    ...
}
In particular, these pages are freed when the kbase_queue_group is terminated:
void kbase_csf_term_descheduled_queue_group(struct kbase_queue_group *group)
{
    ...
    if (mali_kbase_supports_csg_cs_user_page_allocation(kctx->api_version)) {
        kernel_free_user_io_pages(kctx, group->phys, group->user_io_addr);
        group->user_io_addr = NULL;
    }
    ...
}
However, when the group terminates, the user space mappings of these pages are not removed and remain accessible.
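The ownership relation and the lifetime mismatch described above, reduced to a self-contained C model (added here for illustration; this is not the Mali driver's code, and the "fixed" ordering is an assumed mitigation, not Arm's actual patch). The group owns the two user I/O pages, a queue's user mapping is populated from the group's pages on fault, and termination frees the pages; the hardened variant tears down every bound queue's mapping before the free.

```c
#include <stdbool.h>
#include <stddef.h>

struct page { bool freed; };
struct queue;
/* The group owns the two user I/O pages, as in the r53 driver (constructed model). */
struct queue_group { struct page *phys[2]; struct queue *queues[4]; size_t nr_queues; };
/* Stand-in for the queue's user-space VMA: the translations the fault handler installed. */
struct queue { struct queue_group *group; struct page *mapped[2]; };

/* Models kbase_csf_user_io_pages_vm_fault(): resolve the mapping via the owning group. */
static int user_io_fault(struct queue *q)
{
    if (!q->group)
        return -1;                      /* VM_FAULT_SIGBUS in the driver */
    q->mapped[0] = q->group->phys[0];
    q->mapped[1] = q->group->phys[1];
    return 0;
}

/* Models kernel_free_user_io_pages(): the pages go back to the allocator. */
static void free_user_io_pages(struct queue_group *g) { g->phys[0]->freed = g->phys[1]->freed = true; }

/* r53 behaviour the advisory describes: free the pages without touching user mappings. */
static void term_group_vulnerable(struct queue_group *g) { free_user_io_pages(g); }

/* Hardened ordering (an assumption, not the vendor's fix): drop every bound queue's
 * translations and its group pointer first, so a later fault takes the SIGBUS path. */
static void term_group_fixed(struct queue_group *g)
{
    for (size_t i = 0; i < g->nr_queues; i++) {
        g->queues[i]->mapped[0] = g->queues[i]->mapped[1] = NULL;
        g->queues[i]->group = NULL;
    }
    free_user_io_pages(g);
}

/* Bind one queue, fault its mapping in, terminate the group, and report whether the
 * mapping still reaches freed memory (the use-after-free condition). */
static bool mapping_dangles_after_term(bool use_fix)
{
    struct page in = {0}, out = {0};
    struct queue q = {0};
    struct queue_group g = { {&in, &out}, {&q}, 1 };
    q.group = &g;
    user_io_fault(&q);
    if (use_fix) term_group_fixed(&g); else term_group_vulnerable(&g);
    return q.mapped[0] && q.mapped[0]->freed;
}
```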
Impact
This issue can be exploited to gain arbitrary kernel code execution from a malicious user space application.
CVE
- CVE-2025-0073
Credit
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2024-357 in any communication regarding this issue.