Arm Mali GPU Vulnerability Let Bypass MTE and Gain Arbitrary Kernel Code Execution
- С сайта: Vulnerability(cybersecuritynews.com)
- Вернуться к списку новостей
С сайта: Vulnerability(cybersecuritynews.com)
Security researchers have uncovered a critical vulnerability in Arm’s Mali GPU driver that allows malicious Android applications to bypass Memory Tagging Extension (MTE) protections and achieve arbitrary kernel code execution.
The vulnerability, designated CVE-2025-0072, represents a significant threat to devices equipped with newer Arm Mali GPUs utilizing the Command Stream Frontend (CSF) architecture, including Google’s Pixel 7, 8, and 9 series smartphones.
The vulnerability emerged from research conducted by security expert Man Yue Mo, who reported the issue to Arm on December 12, 2024.
Following responsible disclosure practices, Arm addressed the vulnerability in Mali driver version r54p0, which was publicly released on May 2, 2025, and subsequently included in Android’s May 2025 security update.
The attack vector involves exploiting the communication mechanism between Mali GPUs and userland applications through command queues, specifically targeting the kbase_queue objects implementation within the driver.
GitHub analysts noted that this vulnerability follows a concerning pattern of MTE bypass techniques, building upon similar research that Mo had previously published regarding CVE-2023-6241.
The impact of this vulnerability extends beyond typical memory corruption issues, as it demonstrates that hardware-based security features like MTE can be circumvented through carefully crafted driver-level exploits.
Mo successfully developed and tested the exploit on a Pixel 8 device with kernel MTE enabled, indicating that the vulnerability affects real-world deployments where MTE is actively protecting against memory safety violations.
The exploitation technique centers on creating a page use-after-free condition that allows attackers to reuse freed memory pages as page table global directories (PGD) for GPU contexts.
This approach enables the manipulation of GPU memory management structures, ultimately providing a pathway to arbitrary kernel code execution.
The vulnerability’s significance lies not only in its ability to compromise device security but also in its demonstration that modern hardware security extensions can be systematically bypassed through sophisticated driver-level attacks.
Technical Exploitation Mechanism
The core of CVE-2025-0072 lies in the manipulation of CSF queue binding and unbinding processes within the Mali GPU driver.
The vulnerability exploits a design flaw in how kbase_queue objects manage memory allocation during queue binding operations.
When a kbase_queue is created and bound to a kbase_queue_group using the KBASE_IOCTL_CS_QUEUE_BIND ioctl, the driver allocates GPU memory pages and stores their addresses in the queue->phys field.
The critical flaw emerges during the queue termination and rebinding process.
When a kbase_queue_group is terminated using the KBASE_IOCTL_CS_QUEUE_GROUP_TERMINATE ioctl, the cleanup process calls kbase_csf_term_descheduled_queue_group, which unbinds associated queues and resets their queue->group field.
This unbinding operation creates an opportunity for the same kbase_queue to be bound to a different kbase_queue_group, triggering a second memory allocation that overwrites the original queue->phys addresses.
The exploitation sequence involves creating a page use-after-free condition through the following process: first, the attacker creates and binds a kbase_queue to a kbase_queue_group, mapping GPU memory pages to user space.
.webp)
Mapping (Source – GitHub)
Next, they terminate the kbase_queue_group, which unbinds the queue while leaving the mapped memory intact.
The attacker then creates a new kbase_queue_group and rebinds the same kbase_queue, causing new memory pages to overwrite the queue->phys field.
Finally, when the original user space mapping is unmapped, the kbase_csf_free_command_stream_user_pages function frees the new pages instead of the original ones, leaving the new pages accessible from user space despite being freed.
void kbase_csf_free_command_stream_user_pages(struct kbase_context *kctx, struct kbase_queue *queue) { kernel_unmap_user_io_pages(kctx, queue); kbase_mem_pool_free_pages(&kctx->mem_pools.small[KBASE_MEM_GROUP_CSF_IO], KBASEP_NUM_CS_USER_IO_PAGES, queue->phys, true, false); }
This use-after-free condition enables the attacker to manipulate freed memory pages and potentially reuse them as page table structures, ultimately achieving arbitrary kernel code execution while bypassing MTE protections through user space memory mappings that circumvent kernel-level dereferencing checks.
#Cyber_Security_News #Vulnerability #cyber_security_news #vulnerability
Оригинальная версия на сайте:
Arm Mali GPU Vulnerability Let Bypass MTE and Gain Arbitrary Kernel Code Execution
Author: Tushar Subhra DuttaSecurity researchers have uncovered a critical vulnerability in Arm’s Mali GPU driver that allows malicious Android applications to bypass Memory Tagging Extension (MTE) protections and achieve arbitrary kernel code execution.
The vulnerability, designated CVE-2025-0072, represents a significant threat to devices equipped with newer Arm Mali GPUs utilizing the Command Stream Frontend (CSF) architecture, including Google’s Pixel 7, 8, and 9 series smartphones.
The vulnerability emerged from research conducted by security expert Man Yue Mo, who reported the issue to Arm on December 12, 2024.
Following responsible disclosure practices, Arm addressed the vulnerability in Mali driver version r54p0, which was publicly released on May 2, 2025, and subsequently included in Android’s May 2025 security update.
The attack vector involves exploiting the communication mechanism between Mali GPUs and userland applications through command queues, specifically targeting the kbase_queue objects implementation within the driver.
GitHub analysts noted that this vulnerability follows a concerning pattern of MTE bypass techniques, building upon similar research that Mo had previously published regarding CVE-2023-6241.
The impact of this vulnerability extends beyond typical memory corruption issues, as it demonstrates that hardware-based security features like MTE can be circumvented through carefully crafted driver-level exploits.
Mo successfully developed and tested the exploit on a Pixel 8 device with kernel MTE enabled, indicating that the vulnerability affects real-world deployments where MTE is actively protecting against memory safety violations.
The exploitation technique centers on creating a page use-after-free condition that allows attackers to reuse freed memory pages as page table global directories (PGD) for GPU contexts.
This approach enables the manipulation of GPU memory management structures, ultimately providing a pathway to arbitrary kernel code execution.
The vulnerability’s significance lies not only in its ability to compromise device security but also in its demonstration that modern hardware security extensions can be systematically bypassed through sophisticated driver-level attacks.
Technical Exploitation Mechanism
The core of CVE-2025-0072 lies in the manipulation of CSF queue binding and unbinding processes within the Mali GPU driver.
The vulnerability exploits a design flaw in how kbase_queue objects manage memory allocation during queue binding operations.
When a kbase_queue is created and bound to a kbase_queue_group using the KBASE_IOCTL_CS_QUEUE_BIND ioctl, the driver allocates GPU memory pages and stores their addresses in the queue->phys field.
The critical flaw emerges during the queue termination and rebinding process.
When a kbase_queue_group is terminated using the KBASE_IOCTL_CS_QUEUE_GROUP_TERMINATE ioctl, the cleanup process calls kbase_csf_term_descheduled_queue_group, which unbinds associated queues and resets their queue->group field.
This unbinding operation creates an opportunity for the same kbase_queue to be bound to a different kbase_queue_group, triggering a second memory allocation that overwrites the original queue->phys addresses.
The exploitation sequence involves creating a page use-after-free condition through the following process: first, the attacker creates and binds a kbase_queue to a kbase_queue_group, mapping GPU memory pages to user space.
Mapping (Source – GitHub)Next, they terminate the kbase_queue_group, which unbinds the queue while leaving the mapped memory intact.
The attacker then creates a new kbase_queue_group and rebinds the same kbase_queue, causing new memory pages to overwrite the queue->phys field.
Finally, when the original user space mapping is unmapped, the kbase_csf_free_command_stream_user_pages function frees the new pages instead of the original ones, leaving the new pages accessible from user space despite being freed.
void kbase_csf_free_command_stream_user_pages(struct kbase_context *kctx, struct kbase_queue *queue) { kernel_unmap_user_io_pages(kctx, queue); kbase_mem_pool_free_pages(&kctx->mem_pools.small[KBASE_MEM_GROUP_CSF_IO], KBASEP_NUM_CS_USER_IO_PAGES, queue->phys, true, false); }
This use-after-free condition enables the attacker to manipulate freed memory pages and potentially reuse them as page table structures, ultimately achieving arbitrary kernel code execution while bypassing MTE protections through user space memory mappings that circumvent kernel-level dereferencing checks.
#Cyber_Security_News #Vulnerability #cyber_security_news #vulnerability
Оригинальная версия на сайте:
