Android Kernel KVM Privilege Escalation Vulnerability via Out-of-Bounds Write
Vulnerability
A vulnerability in the Android kernel's KVM (Kernel-based Virtual Machine) component for arm64 architecture has been identified. The issue arises in the 'pkvm_host_share_guest' function within 'mem_protect.c', where an integer overflow creates a potential out-of-bounds write. This vulnerability could lead to local privilege escalation, allowing a user to gain elevated rights without needing additional execution privileges or user interaction.
Impact
Exploitation of this vulnerability could result in unauthorized local privilege escalation, allowing a user to gain elevated rights within the system.
Reproduction
No public reproduction steps are given for this issue. The fix enforces end-boundary checks in the 'mem_protect' hypervisor calls (HVCs) of the Android kernel's KVM component; the patch in the Android Common Kernels repository addresses the size overflow by adding the missing boundary checks.
Remediation
Users can apply the patch available in the Android Common Kernels repository, which has been merged to address this vulnerability. Instructions for applying the patch can be found in the repository's README file.
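To illustrate the class of defect described above, the following is an added C example (not code from the Android kernel or from the patch) contrasting a range check that a size overflow can bypass with an overflow-safe end-boundary check. The memory window constants and function names are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical host-memory window that a share request may cover.
 * Constructed for this example; not the real pKVM memory layout. */
#define HOST_MEM_BASE  0x40000000ULL
#define HOST_MEM_SIZE  0x10000000ULL            /* 256 MiB */
#define HOST_MEM_LIMIT (HOST_MEM_BASE + HOST_MEM_SIZE)

/* Weak check: computes the end address with plain addition. If
 * start + size wraps around the 64-bit space, "end" looks small and a
 * request that really extends far past the window is accepted, which is
 * the kind of size overflow that turns into an out-of-bounds write. */
bool range_ok_weak(uint64_t start, uint64_t size)
{
    uint64_t end = start + size;               /* may silently wrap */
    return start >= HOST_MEM_BASE && end <= HOST_MEM_LIMIT;
}

/* Hardened check: reject empty ranges and detect the wrap-around before
 * the end boundary is compared, so an overflow can never be accepted. */
bool range_ok_checked(uint64_t start, uint64_t size)
{
    uint64_t end;

    if (size == 0)
        return false;
    if (__builtin_add_overflow(start, size, &end))  /* start + size wrapped */
        return false;
    return start >= HOST_MEM_BASE && end <= HOST_MEM_LIMIT;
}
```

Checking the start address alone, or the end address computed without an overflow test, is the pattern to look for when reviewing similar range validation code.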