Imagination Technologies GPU Driver Out-of-Bounds Read Vulnerability in Guest VMs

Vulnerability

A vulnerability exists in the GPU driver that can be exploited by kernel software running in a Guest VM. The software may send improper commands to the GPU firmware, which allows data to be read from outside the Guest's virtualized GPU memory. The vulnerability affects several DDK releases, up to and including 24.3.

Impact

Exploitation of this vulnerability allows for out-of-bounds read operations, where the GPU can access physical memory pages that have been freed, potentially leading to information disclosure or memory corruption.

Reproduction

The vulnerability can be reproduced by running kernel software in a Guest VM that interacts with the GPU driver. The software can be crafted to send commands that exploit the improper handling of memory references, particularly in relation to physical memory management and synchronization operations. This can be done by manipulating reservation objects and memory allocation flags to create a scenario where the GPU is able to read from or write to out-of-bounds memory areas.

Remediation

The DDK kernel module has been updated to address this vulnerability by introducing protections that prevent improper memory access. Users should ensure they are using a version of the GPU driver that includes this update.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 3.6
remediation: 7.7
relevance: 0.0
threat: 1.6
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.