CVE-2021-0942

The path in this case is a little bit convoluted. The end result is that via an ioctl an untrusted app can control the ui32PageIndex offset in the expression:sPA.uiAddr = page_to_phys(psOSPageArrayData->pagearray[ui32PageIndex]);With the current PoC this crashes as an OOB read. However, given that the OOB read value is ending up as the address field of a struct I think i seems plausible that this could lead to an OOB write if the attacker is able to cause the OOB read to pull an interesting kernel address. Regardless if this is a read or write, it is a High severity issue in the kernel.Product: AndroidVersions: Android SoCAndroid ID: A-238904312

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://source.android.com/security/bulletin/2022-09-01	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:o:google:android:-:*:*:*:*:*:*:*

History

16 Sep 2022, 18:50

Type	Values Removed	Values Added
CPE		cpe:2.3:o:google:android:-:::::::*
References	~~(MISC) https://source.android.com/security/bulletin/2022-09-01 -~~	(MISC) https://source.android.com/security/bulletin/2022-09-01 - Vendor Advisory
First Time		Google android Google
CWE		CWE-125
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8

13 Sep 2022, 20:43

Type	Values Removed	Values Added
New CVE

Information

Published : 2022-09-13 20:15

Updated : 2023-12-10 14:35

NVD link : CVE-2021-0942

Mitre link : CVE-2021-0942

CVE.ORG link : CVE-2021-0942

JSON object : View

Products Affected

google

android

CWE

CWE-125

Out-of-bounds Read

{"id": "CVE-2021-0942", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2022-09-13T20:15:08.983", "references": [{"url": "https://source.android.com/security/bulletin/2022-09-01", "tags": ["Vendor Advisory"], "source": "security@android.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "The path in this case is a little bit convoluted. The end result is that via an ioctl an untrusted app can control the ui32PageIndex offset in the expression:sPA.uiAddr = page_to_phys(psOSPageArrayData->pagearray[ui32PageIndex]);With the current PoC this crashes as an OOB read. However, given that the OOB read value is ending up as the address field of a struct I think i seems plausible that this could lead to an OOB write if the attacker is able to cause the OOB read to pull an interesting kernel address. Regardless if this is a read or write, it is a High severity issue in the kernel.Product: AndroidVersions: Android SoCAndroid ID: A-238904312"}, {"lang": "es", "value": "El camino en este caso es un poco enrevesado. El resultado final es que por medio de un ioctl una app no confiable puede controlar el offset ui32PageIndex en la expresi\u00f3n:sPA.uiAddr = page_to_phys(psOSPageArrayData->pagearray[ui32PageIndex]);Con el PoC actual esto falla como una lectura OOB. Sin embargo, dado que el valor de la lectura OOB est\u00e1 terminando como el campo de direcci\u00f3n de una estructura, creo que parece plausible que esto podr\u00eda conllevar a una escritura OOB si el atacante es capaz de causar la lectura OOB para obtener una direcci\u00f3n interesante del kernel. Independientemente de si es tratado de una lectura o escritura, es un problema de Alta gravedad en el kernel.Product: Android, Versiones: Android SoC, ID de Android: A-238904312"}], "lastModified": "2022-09-16T18:50:57.283", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:google:android:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F8B9FEC8-73B6-43B8-B24E-1F7C20D91D26"}], "operator": "OR"}]}], "sourceIdentifier": "security@android.com"}