In multiple functions of arch/arm64/kvm/hyp/nvhe/mem_protect.c (the pKVM non-VHE hypervisor's memory-protection code — the page-state lookups and page-transition/reclaim paths named in the signatures below), there is a possible way to access hypervisor memory because a memory-access check is performed in the wrong place, i.e. after rather than before the access it is meant to gate. This could lead to local escalation of privilege from an attacker who already has System execution privileges on the device into the hypervisor. User interaction is not needed for exploitation. The issue is rated Critical (EoP) and is addressed by the two kernel/common commits listed under "fixes"; a kernel at the 2023-08-05 security patch level or later is expected to carry them, and the signatures below are meant to detect unpatched copies of the affected functions.
{ "vanir_signatures": [ { "digest": { "length": 693.0, "function_hash": "190076140231989935362870905066839385057" }, "id": "ASB-A-279739439-0954dee9", "source": "https://android.googlesource.com/kernel/common/+/53625a846a7b4", "deprecated": false, "signature_version": "v1", "target": { "file": "arch/arm64/kvm/hyp/nvhe/mem_protect.c", "function": "__pkvm_host_reclaim_page" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "159573811589181002621094813536221046390", "229293786986934561072731945104396904085", "170674628427740286959347064599166393814", "125042896222317004565562763721172264952", "93343191715114540358126453880890955943", "332345538893623952994519022328336007503", "70490823019884559005461534855261875810", "219332062120971839908005443148221440866", "331522620597668158372580849979134558981", "71569968314925172432795975491747809792", "291172116132289003825631732250966060341", "137126736996162038791905792528503451267", "230987415054459948895710591002264939009", "272729821055629189786120902680265609429", "220571082659020343931664331699655360857", "296276501180335104566432184015190522736", "42820666885564598334397585946821412973", "325394393721615015370086382630291014203", "34518472726429489358179896271445659414", "231029698342252625665078744064097740117", "84585355657676988621645773229655080492", "3071802377199206130372294992307315789", "28255639015324455524178440269729643110", "86548690075308636827663028069515789298", "307606043422104275320841552028500190990", "184953143942181651603849895146522007764", "168366595750989021361391112621217445664", "136542369017955582227873466768175325242" ] }, "id": "ASB-A-279739439-09fa8bb1", "source": "https://android.googlesource.com/kernel/common/+/53625a846a7b4", "deprecated": false, "signature_version": "v1", "target": { "file": "arch/arm64/kvm/hyp/nvhe/mem_protect.c" }, "signature_type": "Line" }, { "digest": { "length": 131.0, "function_hash": "264169070750881564850113407678937129072" }, 
"id": "ASB-A-279739439-0a14c72f", "source": "https://android.googlesource.com/kernel/common/+/53625a846a7b4", "deprecated": false, "signature_version": "v1", "target": { "file": "arch/arm64/kvm/hyp/nvhe/mem_protect.c", "function": "hyp_get_page_state" }, "signature_type": "Function" }, { "digest": { "length": 131.0, "function_hash": "264169070750881564850113407678937129072" }, "id": "ASB-A-279739439-4e48c2d0", "source": "https://android.googlesource.com/kernel/common/+/53625a846a7b4", "deprecated": false, "signature_version": "v1", "target": { "file": "arch/arm64/kvm/hyp/nvhe/mem_protect.c", "function": "guest_get_page_state" }, "signature_type": "Function" }, { "digest": { "length": 140.0, "function_hash": "298757257060964122877856558352071248758" }, "id": "ASB-A-279739439-a45e31bd", "source": "https://android.googlesource.com/kernel/common/+/53625a846a7b4", "deprecated": false, "signature_version": "v1", "target": { "file": "arch/arm64/kvm/hyp/nvhe/mem_protect.c", "function": "host_get_page_state" }, "signature_type": "Function" }, { "digest": { "length": 682.0, "function_hash": "53328142975875748453165132359204550725" }, "id": "ASB-A-279739439-ba6d7f4e", "source": "https://android.googlesource.com/kernel/common/+/53625a846a7b4", "deprecated": false, "signature_version": "v1", "target": { "file": "arch/arm64/kvm/hyp/nvhe/mem_protect.c", "function": "__guest_request_page_transition" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/kernel/common/+/b35a06182451f", "https://android.googlesource.com/kernel/common/+/53625a846a7b4" ], "spl": "2023-08-05", "severity": "Critical", "types": [ "EoP" ] }