ASB-A-279739439

See a problem?
Import Source
https://storage.googleapis.com/android-osv/ASB-A-279739439.json
JSON Data
https://api.osv.dev/v1/vulns/ASB-A-279739439
Aliases
Published
2023-08-01T00:00:00Z
Modified
2024-08-07T19:30:15.067796Z
Summary
Prevent MMIO regions being shared or donated by the host
Details

In multiple functions of mem_protect.c, there is a possible way to access hypervisor memory due to a memory access check in the wrong place. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.

References

Affected packages

Android / :linux_kernel:

Package

Name
:linux_kernel:

Affected ranges

Type
ECOSYSTEM
Events
Introduced
:0
Fixed
:2023-08-05

Affected versions

Other

Kernel

Ecosystem specific 

{
    "vanir_signatures": [
        {
            "digest": {
                "length": 693.0,
                "function_hash": "190076140231989935362870905066839385057"
            },
            "id": "ASB-A-279739439-0954dee9",
            "source": "https://android.googlesource.com/kernel/common/+/53625a846a7b4",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "arch/arm64/kvm/hyp/nvhe/mem_protect.c",
                "function": "__pkvm_host_reclaim_page"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "threshold": 0.9,
                "line_hashes": [
                    "159573811589181002621094813536221046390",
                    "229293786986934561072731945104396904085",
                    "170674628427740286959347064599166393814",
                    "125042896222317004565562763721172264952",
                    "93343191715114540358126453880890955943",
                    "332345538893623952994519022328336007503",
                    "70490823019884559005461534855261875810",
                    "219332062120971839908005443148221440866",
                    "331522620597668158372580849979134558981",
                    "71569968314925172432795975491747809792",
                    "291172116132289003825631732250966060341",
                    "137126736996162038791905792528503451267",
                    "230987415054459948895710591002264939009",
                    "272729821055629189786120902680265609429",
                    "220571082659020343931664331699655360857",
                    "296276501180335104566432184015190522736",
                    "42820666885564598334397585946821412973",
                    "325394393721615015370086382630291014203",
                    "34518472726429489358179896271445659414",
                    "231029698342252625665078744064097740117",
                    "84585355657676988621645773229655080492",
                    "3071802377199206130372294992307315789",
                    "28255639015324455524178440269729643110",
                    "86548690075308636827663028069515789298",
                    "307606043422104275320841552028500190990",
                    "184953143942181651603849895146522007764",
                    "168366595750989021361391112621217445664",
                    "136542369017955582227873466768175325242"
                ]
            },
            "id": "ASB-A-279739439-09fa8bb1",
            "source": "https://android.googlesource.com/kernel/common/+/53625a846a7b4",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "arch/arm64/kvm/hyp/nvhe/mem_protect.c"
            },
            "signature_type": "Line"
        },
        {
            "digest": {
                "length": 131.0,
                "function_hash": "264169070750881564850113407678937129072"
            },
            "id": "ASB-A-279739439-0a14c72f",
            "source": "https://android.googlesource.com/kernel/common/+/53625a846a7b4",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "arch/arm64/kvm/hyp/nvhe/mem_protect.c",
                "function": "hyp_get_page_state"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 131.0,
                "function_hash": "264169070750881564850113407678937129072"
            },
            "id": "ASB-A-279739439-4e48c2d0",
            "source": "https://android.googlesource.com/kernel/common/+/53625a846a7b4",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "arch/arm64/kvm/hyp/nvhe/mem_protect.c",
                "function": "guest_get_page_state"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 140.0,
                "function_hash": "298757257060964122877856558352071248758"
            },
            "id": "ASB-A-279739439-a45e31bd",
            "source": "https://android.googlesource.com/kernel/common/+/53625a846a7b4",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "arch/arm64/kvm/hyp/nvhe/mem_protect.c",
                "function": "host_get_page_state"
            },
            "signature_type": "Function"
        },
        {
            "digest": {
                "length": 682.0,
                "function_hash": "53328142975875748453165132359204550725"
            },
            "id": "ASB-A-279739439-ba6d7f4e",
            "source": "https://android.googlesource.com/kernel/common/+/53625a846a7b4",
            "deprecated": false,
            "signature_version": "v1",
            "target": {
                "file": "arch/arm64/kvm/hyp/nvhe/mem_protect.c",
                "function": "__guest_request_page_transition"
            },
            "signature_type": "Function"
        }
    ],
    "fixes": [
        "https://android.googlesource.com/kernel/common/+/b35a06182451f",
        "https://android.googlesource.com/kernel/common/+/53625a846a7b4"
    ],
    "spl": "2023-08-05",
    "severity": "Critical",
    "types": [
        "EoP"
    ]
}