Unprivileged GPU command streams can change the IOMMU page table (CVE-2014-0972)

Release Date: June 21, 2014
Advisory ID: QCIR-2014-00004-1
Summary: 

The following security vulnerability has been identified in the implementation of the kgsl graphics driver for the Android kernel.

CVE-2014-0972:
When using the per-process page table feature, the IOMMU context registers, which control the physical location of the IOMMU page table in memory, are mapped into the GPU's memory space and are not properly protected from write access. Specifically, the register the GPU uses to switch the IOMMU page table during a context switch is not protected. An unprivileged local attacker can use this flaw to switch to a fake page table via a specially crafted GPU command stream and thereby access arbitrary physical memory locations.
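As an added illustration, not taken from the advisory or from the kgsl driver, the following C model shows the access-control principle this CVE violates: register writes in an unprivileged command stream are checked against a table of protected register ranges before the stream is submitted, and the weak configuration (no protected ranges) is shown beside the corrected one (the IOMMU context-bank range protected). Every register offset, the `reg_write` packet layout, and the protected-range table are assumptions made for the model; the advisory does not describe the real fix mechanism.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of GPU register-write protection; not kgsl code.
   All register offsets below are hypothetical placeholders. */
#define REG_IOMMU_CTX_START 0x1000u /* hypothetical: first IOMMU context-bank register */
#define REG_IOMMU_CTX_END   0x1fffu /* hypothetical: last IOMMU context-bank register */
#define REG_IOMMU_TTBR0     0x1020u /* hypothetical: page-table base register in that bank */
#define REG_GPU_SCRATCH     0x0200u /* hypothetical: harmless general-purpose register */

/* Inclusive range of register offsets an unprivileged command stream must not write. */
struct reg_range { uint32_t start, end; };

/* The only packet type this model needs: a register write issued by a command stream. */
struct reg_write { uint32_t offset, value; };

/* Returns 1 if offset falls inside any protected range, else 0. */
int is_protected(uint32_t offset, const struct reg_range *ranges, size_t nranges)
{
    for (size_t i = 0; i < nranges; i++)
        if (offset >= ranges[i].start && offset <= ranges[i].end)
            return 1;
    return 0;
}

/* Scans an unprivileged command stream before submission. Returns the index of the
   first write that targets a protected register, or -1 if every write is acceptable. */
int validate_cmdstream(const struct reg_write *cmds, size_t ncmds,
                       const struct reg_range *prot, size_t nprot)
{
    for (size_t i = 0; i < ncmds; i++)
        if (is_protected(cmds[i].offset, prot, nprot))
            return (int)i;
    return -1;
}

/* Constructed sample stream: one harmless write followed by a write to the page-table
   base register, which is the class of access the advisory describes. */
static const struct reg_write sample_stream[] = {
    { REG_GPU_SCRATCH, 0x1u },
    { REG_IOMMU_TTBR0, 0x40000000u }, /* constructed placeholder table address */
};
#define SAMPLE_LEN (sizeof sample_stream / sizeof sample_stream[0])

/* Weak configuration: no range is protected, so the whole stream passes (-1). */
int check_unprotected(void)
{
    return validate_cmdstream(sample_stream, SAMPLE_LEN, NULL, 0);
}

/* Corrected configuration: the entire IOMMU context-bank range is protected, so the
   page-table switch at index 1 is rejected before it reaches the GPU. */
int check_protected(void)
{
    static const struct reg_range prot[] = {
        { REG_IOMMU_CTX_START, REG_IOMMU_CTX_END },
    };
    return validate_cmdstream(sample_stream, SAMPLE_LEN, prot, 1);
}

int main(void)
{
    printf("unprotected: first rejected index = %d\n", check_unprotected());
    printf("protected:   first rejected index = %d\n", check_protected());
    return 0;
}
```

The model protects the whole context-bank range rather than only the one page-table base register, because any register that influences where the IOMMU reads its translation tables gives the same result; a defender auditing a driver should check that every such register, not just the one named in the report, is outside what unprivileged command streams can reach.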

Access Vector: local
Security Risk: high
Vulnerability: CWE-284 (improper access control)

Affected versions:
All active branches of the kgsl implementation in the Android kernel on CAF (Code Aurora Forum) are affected.

Acknowledgement: 

Qualcomm Innovation Center, Inc. (QuIC) thanks Rob Clark for reporting the related issues and working with QuIC to help improve Android device security.

Revisions: 

Initial revision

Contact: security-advisory@quicinc.com