In a previous advisory we disclosed multiple vulnerabilities within the NPU device’s mmap handler and discussed how it exposes sensitive kernel data. This advisory focuses on the implementation errors in the same handler. The mapping function ignores the requested size parameter and fails to back regions of the mapped virtual memory with an actual mapping. Trying to access these holes or requesting an mmap that is smaller than the memory mapped by the kernel driver results in a kernel crash, most likely caused by invalid page accesses.
The mmap handler is exposed through the /dev/davinci0
character device.
Due to the applied selinux policy, access to this device is restricted to the hiaiserver
system process.
Because of these limitations a practical attack would need to target the hiaiserver first.
The devdrv_npu_map
function calls drivers/hisi/npu/facility/memory/npu_shm.c:962 devdrv_info_sq_cq_mmap
if the provided offset signals this type of mapping.
The problem is that this function tries to map 0x8100000 bytes into the provided vma regardless of the requested size.
When allocating vma-s the kernel aims to chose addresses that are tightly packed so the mapped regions are consecutive and no memory is wasted.
When the vulnerable kernel driver ignores the the requested size it might extend the mapping to an address where a previously mmapped region already exists.
This leads to a kernel crash due to corruption in the structures used to represent the process’ virtual memory.
We have not investigated how an attacker can leverage this vulnerability.
The other issue is when devdrv_info_sq_cq_mmap
invoked it does not create one contiguous mapping but rather creates several small mappings 32 MB apart.
Despite of this, the user space process only sees one large chunk of valid virtual memory.
Trying to access the “holes” between the actual mappings on our test device causes a kernel crash.
Due to our limited debug capabilities it is hard to pinpoint what happens exactly, it most likely causes a page fault that the kernel can’t handle.
Huawei OTA images, released after February 2021, contain the fix for the vulnerability.