(CVE-2025-23095) Samsung Exynos NPU Driver Double Free Leading to Privilege Escalation

Advisory, June 4, 2025. By Billy Jheng Bing Jhong, Muhammad Alifa Ramdhan, Pan ZhenPeng

CVE: CVE-2025-23095

Affected Versions: Samsung Galaxy S24+ (samsung/e2sxxx/e2s:14/UP1A.231005.007/S926BXXS3AXGD:user/release-keys); Samsung Exynos 1280, 2200, 1380, 1480, 2400

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product: Samsung Exynos NPU Driver
Vendor: Samsung
Severity: High — a local attacker within the untrusted_app SELinux context may exploit this to achieve local privilege escalation
Affected Versions: Samsung Galaxy S24+ (Android 14); Exynos 1280, 2200, 1380, 1480, 2400
Tested Versions: Samsung Galaxy S24+ (S926BXXS3AXGD)
CVE Identifier: CVE-2025-23095
CVE Description: A double free in the Samsung Exynos mobile processor NPU driver leads to privilege escalation
CWE Classification(s): CWE-415: Double Free

CVSS3.1 Scoring System

Base Score: 7.8 (High)
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Product Background

The Samsung Galaxy S24+ features a Neural Processing Unit (NPU) integrated into either the Snapdragon 8 Gen 3 or Exynos 2400 chipset depending on the market. The NPU accelerates on-device AI workloads including camera processing, real-time translation, and generative photo editing. The NPU kernel driver is a privileged component that manages session state, memory allocation, and inference buffer management on behalf of userspace applications.

Technical Details

The double free exists in __prepare_IMB_info, which manages IMB (Inference Memory Buffer) allocation for an NPU session.

The function allocates IMB_info, assigns it to session->IMB_info, and then checks whether session->IMB_size exceeds the maximum permitted chunk size. If the size check fails, execution jumps to p_err, which frees IMB_info — but does not clear the session->IMB_info pointer:

int __prepare_IMB_info(struct npu_session *session, struct addr_info **IMB_av,
                       struct npu_memory_buffer *IMB_mem_buf)
{
    IMB_info = kcalloc(IMB_cnt, sizeof(struct addr_info), GFP_KERNEL);
    if (unlikely(!IMB_info)) {
        npu_err("IMB: IMB_info alloc is fail\n");
        ret = -ENOMEM;
        goto p_err;
    }

    session->IMB_info = IMB_info;
    ...
    if (session->IMB_size > (NPU_IMB_CHUNK_SIZE * NPU_IMB_CHUNK_MAX_NUM)) {
        npu_uerr("IMB_size(%zu) is larger than %u\n",
            session, session->IMB_size, NPU_IMB_CHUNK_SIZE * NPU_IMB_CHUNK_MAX_NUM);
        ret = -ENOMEM;
        goto p_err;
    }
    ...
p_err:
    if (likely(IMB_info))
        kfree(IMB_info);   /* freed here, but session->IMB_info still points to it */
    return ret;            /* caller sees the error; the stale pointer survives in the session */
}

When the session is subsequently torn down via _undo_s_graph_each_state, the stale session->IMB_info pointer is freed a second time:

imb_ion_unmap:
    addr_info = session->IMB_info;
    session->IMB_info = NULL;
    if (likely(addr_info))
        kfree(addr_info);   /* double free */

This double free of a kernel heap object is exploitable from the untrusted_app SELinux context to achieve local privilege escalation to root.
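To make the lifetime bug concrete, the following user-space model (an added example, not code from the advisory or the Samsung driver) reproduces the two steps above: a prepare call that fails the size check and frees IMB_info, followed by the teardown step that frees session->IMB_info again. A tracked stand-in for kfree() counts the repeat free instead of executing it, and a flag switches between the vulnerable error path and the fix (clearing the pointer). The chunk limits, struct layouts and IMB_cnt value are assumed for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
/* Constructed stand-in for the driver state; names follow the advisory, limit values are assumed. */
#define NPU_IMB_CHUNK_SIZE    (1u << 20)
#define NPU_IMB_CHUNK_MAX_NUM 16u
#define IMB_LIMIT ((size_t)NPU_IMB_CHUNK_SIZE * NPU_IMB_CHUNK_MAX_NUM)
struct addr_info { int unused; };
struct npu_session { struct addr_info *IMB_info; size_t IMB_size; unsigned IMB_cnt; };

/* Stand-in for kfree(): remembers freed addresses so a repeat free is counted, not executed. */
static uintptr_t freed_ptrs[8]; static int freed_n, double_frees;
static void tracked_free(void *p) {
    for (int i = 0; i < freed_n; i++)
        if (freed_ptrs[i] == (uintptr_t)p) { double_frees++; return; }
    if (freed_n < 8) freed_ptrs[freed_n++] = (uintptr_t)p;
    free(p);
}

/* Model of __prepare_IMB_info: clear_on_err = 0 is the vulnerable error path, 1 is the fix. */
static int prepare_imb_info(struct npu_session *s, int clear_on_err) {
    int ret = 0;
    struct addr_info *IMB_info = calloc(s->IMB_cnt, sizeof(*IMB_info));
    if (!IMB_info) { ret = -ENOMEM; goto p_err; }
    s->IMB_info = IMB_info;                           /* session now references the buffer */
    if (s->IMB_size > IMB_LIMIT) { ret = -ENOMEM; goto p_err; }   /* size check fails */
    return 0;
p_err:
    if (IMB_info) {
        tracked_free(IMB_info);
        if (clear_on_err) s->IMB_info = NULL;         /* the fix: drop the dangling pointer */
    }
    return ret;
}

/* Model of the imb_ion_unmap step of _undo_s_graph_each_state (session teardown). */
static void imb_ion_unmap(struct npu_session *s) {
    struct addr_info *a = s->IMB_info;
    s->IMB_info = NULL;
    if (a) tracked_free(a);
}

/* Oversized IMB_size forces the error path, then teardown runs; returns double frees observed. */
int run_scenario(int clear_on_err) {
    struct npu_session s = { NULL, IMB_LIMIT + 1, 4 };
    freed_n = 0; double_frees = 0;
    if (prepare_imb_info(&s, clear_on_err) != -ENOMEM) return -1;
    imb_ion_unmap(&s);
    return double_frees;   /* 1 on the vulnerable path, 0 once the fix is applied */
}
```

The same pattern is what a reviewer should look for on any error path that frees an object still referenced from longer-lived state: the free and the pointer clear must happen together.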

References

  • 1a13e0c1 — example of a similar fix addressing a dangling pointer not cleared on error path

Credit

Billy Jheng Bing Jhong, Muhammad Alifa Ramdhan and Pan ZhenPeng of STAR Labs SG Pte. Ltd.

Timeline


Article source: https://starlabs.sg/advisories/25/25-23095/