Imagination Technologies GPU Driver Out-of-Bounds Write Vulnerability Allowing Arbitrary Memory Writes

A vulnerability exists in the GPU driver provided by Imagination Technologies, specifically in the Graphics Processing Unit (GPU) Driver Development Kit (DDK) version 24.3 and earlier. This vulnerability allows kernel software running inside a Guest Virtual Machine (VM) to exploit memory shared with the GPU firmware, causing unauthorized writes to physical memory outside the Guest's allocated GPU memory. This issue arises from improper handling of commands sent to the GPU firmware, which can be manipulated to overwrite memory arbitrarily.

Impact

Exploitation of this vulnerability leads to out-of-bounds writes in the GPU driver, allowing for arbitrary memory manipulation. Such actions can disrupt normal system operations, potentially causing crashes or instability by overwriting critical data in the kernel or other drivers.

Reproduction

To reproduce this vulnerability, load a Guest VM with a kernel that has access to the affected GPU driver version. Once the VM is running, the vulnerability can be triggered by sending specific commands through the GPU's system call interface that take advantage of the improper memory handling. This can be done by crafting a user-mode application that interacts with the GPU in a way that exploits the identified weaknesses, such as using the DevmemIntChangeSparse remap mode to access and write to freed memory.

Remediation

Users can update to the latest version of the Imagination Technologies GPU Driver Development Kit, which includes patches for this vulnerability. Instructions for updating the driver can be found on the Imagination Technologies website or through their support channels.