CVE-2022-36449

Arm Mali CSF Missing Buffer Size Check

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in the Arm Mali GPU Kernel Driver. A non-privileged user can make improper GPU processing operations to gain access to already freed memory, write a limited amount outside of buffer bounds, or to disclose details of memory mappings. This affects Midgard r4p0 through r32p0, Bifrost r0p0 through r38p0 and r39p0 before r38p1, and Valhall r19p0 through r38p0 and r39p0 before r38p1.

Se ha detectado un problema en el controlador del kernel de la GPU Arm Mali. Un usuario no privilegiado puede realizar operaciones inapropiadas de procesamiento de la GPU para conseguir acceso a la memoria ya liberada, escribir una cantidad limitada fuera de límites del búfer o divulgar detalles de las asignaciones de memoria. Esto afecta a Midgard versiones r4p0 hasta r32p0, Bifrost versiones r0p0 hasta r38p0 y r39p0 anteriores a r38p1, y Valhall versiones r19p0 hasta r38p0 y r39p0 anteriores a r38p1

In the Linux Mali driver, when building with MALI_USE_CSF, the VFS read handler of the main Mali file descriptor (kbase_read()) never looks at its "count" parameter. This means that a simple userspace program that sets up a Mali file descriptor, then calls read(mali_fd, buf, 1), will see read() returning a higher length than requested, and out-of-bounds data in the userspace buffer will be clobbered.

*Credits: N/A

CVSS Scores

NISTv3.1 6.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-07-25 CVE Reserved
2022-09-01 CVE Published
2024-05-06 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-416: Use After Free

CAPEC

References (5)

URL	Tag	Source
http://packetstormsecurity.com/files/168431/Arm-Mali-Released-Buffer-Use-After-Free.html	Third Party Advisory
http://packetstormsecurity.com/files/168432/Arm-Mali-Physical-Address-Exposure.html	Third Party Advisory
http://packetstormsecurity.com/files/168433/Arm-Mali-Race-Condition.html	Third Party Advisory
http://packetstormsecurity.com/files/168434/Arm-Mali-CSF-Missing-Buffer-Size-Check.html	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities	2022-09-29

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Arm Search vendor "Arm"		Bifrost Search vendor "Arm" for product "Bifrost"				>= r0p0 <= r38p0 Search vendor "Arm" for product "Bifrost" and version " >= r0p0 <= r38p0"		-		Affected
Arm Search vendor "Arm"		Bifrost Search vendor "Arm" for product "Bifrost"				r39p0 Search vendor "Arm" for product "Bifrost" and version "r39p0"		-		Affected
Arm Search vendor "Arm"		Midgard Search vendor "Arm" for product "Midgard"				>= r4p0 <= r32p0 Search vendor "Arm" for product "Midgard" and version " >= r4p0 <= r32p0"		-		Affected
Arm Search vendor "Arm"		Valhall Search vendor "Arm" for product "Valhall"				>= r19p0 <= r38p0 Search vendor "Arm" for product "Valhall" and version " >= r19p0 <= r38p0"		-		Affected
Arm Search vendor "Arm"		Valhall Search vendor "Arm" for product "Valhall"				r39p0 Search vendor "Arm" for product "Valhall" and version "r39p0"		-		Affected