CVE-2022-22706 - Exploiting Arm Mali GPU Kernel Driver to Gain Write Access to Read-Only Memory Pages
Arm Mali GPUs are popularly used across various devices like smartphones, tablets, and digital TVs. Recently, a vulnerability was discovered (CVE-2022-22706) in the Arm Mali GPU kernel driver which allows a non-privileged user to gain write access to read-only memory pages. This opens the door for attackers to potentially exploit a system and execute unauthorized code.
In this long-read post, we will discuss the details of the vulnerability, affected Arm Mali GPU versions, and dig deeper into the code snippets to understand the exploit. We will also provide links to original references and resources at the end of the article.
Exploit Details
The Arm Mali GPU kernel driver is responsible for managing device memory, handling GPU interrupts, and communicating with the GPU hardware. The vulnerability specifically lies within the GPU memory management component.
The exploit hinges on an attacker causing the GPU kernel driver to incorrectly validate the memory page permissions. When mapping device memory, it allows non-privileged users to gain write access to read-only memory pages. This can be achieved by manipulating the GPU's MMU (Memory Management Unit) through IOCTL syscalls.
Here's a code snippet showcasing the issue
static int mali_ioctl_mem_mmap(struct mali_session_data *session, _mali_uk_map_external_mem_s __user *argument)
{
// ...
/* validate the requested memory size */
if (mem_size > (ext_mem->size - ext_mem->offset) || == mem_size)
{
MALI_DEBUG_PRINT(1, ("Mali Map external memory: incorrect size requested to map: %lx larger than available :%lx\n", mem_size, ext_mem->size - ext_mem->offset));
return -EINVAL;
}
// ...
/* Check if the requested CPU memory region is write protected */
if (pgprot_val(prot) & PTE_WRITE)
{
MALI_DEBUG_PRINT(1, ("Mali Map external memory: requested memory region is write protected\n"));
return -EPERM;
}
// ...
}
In this code snippet, the vulnerability stems from the improper validation of permissions when mapping the device memory. Since the check for write protection is insufficient, it allows a non-privileged user to map a read-only page to a writeable one.
Mitigation and Patch Information
The Arm Mali GPU kernel driver team has issued patches for the vulnerability. Users are advised to update their drivers to the latest available version to protect their systems from potential exploits.
For more information on this vulnerability, consult the following resources
1. Arm Mali GPU Developer Guide: Developer's Guide
2. Arm Developer Portal: Arm Developer
3. CVE-2022-22706: CVE Detail
Conclusion
To sum up, CVE-2022-22706 poses a significant threat to devices that use affected Arm Mali GPU kernel driver versions. Non-privileged users exploiting this vulnerability can escalate their permissions and potentially compromise a system. It is essential for users to update their kernel drivers with the provided patches to mitigate the risk of this exploit.
Timeline
Published on: 03/03/2022 15:15:00 UTC
Last modified on: 05/13/2022 16:26:00 UTC