An interesting vulnerability in Huawei’s security hypervisor which Huawei devices use to protect the kernel integrity. The hypervisor provides logging capability, and allows the kernel to access the log buffers via shared memory that the kernel can map into it’s address space. Inside the log buffer there’s a control structure named log_buffer_t. This structure contains a pointer to the data as well as some other important data for managing the buffer. This pointer is entirely exposed and unprotected. When the hypervisor goes to log using that pointer, an attacker can make it point into hypervisor-exclusive memory and get out of bounds write. The data is not controlled where it’ll be a log string from the HV, but it’s enough to get a foothold.

They took advantage of this OOB write by smashing the stage 2 pagetable allocator and integer underflowing the heap offset value that’s used to ensure the allocator only returns hypervisor-exclusive memory. This then allows them to get an alloc from kernel-accessible memory (the shared memory) and get complete control over a stage 2 pagetable. Once they have this, it’s a matter of remapping hypervisor code pages as writable to the kernel and patching the HV.