(CVE-2025-23096) Samsung Exynos NPU Driver Double Free in IMB Memory Buffer Leading to Privilege Escalation
Summary: the Exynos NPU driver on the Samsung Galaxy S24+ contains a double free (CWE-415) that can lead to local privilege escalation to root. 2025-06-01 Author: starlabs.sg (view original)

Advisory June 1, 2025 By Billy Jheng Bing-Jhong, Muhammad Alifa Ramdhan, Pan Zhenpeng 2 min read

CVE: CVE-2025-23096

Affected Versions: Samsung Galaxy S24+ (samsung/e2sxxx/e2s:14/UP1A.231005.007/S926BXXS3AXGD:user/release-keys); Samsung Exynos 1280, 2200, 1380, 1480, 2400

CVSS3.1: 7.8 (High) — CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Product Samsung Exynos NPU Driver
Vendor Samsung
Severity High — a local attacker within untrusted_app SELinux context may exploit this to achieve local privilege escalation
Affected Versions Samsung Galaxy S24+ (Android 14); Exynos 1280, 2200, 1380, 1480, 2400
Tested Versions Samsung Galaxy S24+ (S926BXXS3AXGD)
CVE Identifier CVE-2025-23096
CVE Description A double free in the Samsung Exynos mobile processor NPU driver leads to privilege escalation
CWE Classification(s) CWE-415: Double Free

CVSS3.1 Scoring System

Base Score: 7.8 (High) Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Metric Value
Attack Vector (AV) Local
Attack Complexity (AC) Low
Privileges Required (PR) Low
User Interaction (UI) None
Scope (S) Unchanged
Confidentiality (C) High
Integrity (I) High
Availability (A) High

Product Background

The Samsung Galaxy S24+ features a Neural Processing Unit (NPU) integrated into either the Snapdragon 8 Gen 3 or the Exynos 2400 chipset, depending on the market; this advisory concerns the Exynos NPU driver (see Affected Versions). The NPU accelerates on-device AI workloads including camera processing, real-time translation, and generative photo editing. The NPU kernel driver is a privileged component that manages session state, memory allocation, and inference buffer management on behalf of userspace applications.

Technical Details

The double free exists in the IMB (Inference Memory Buffer) session setup path. __config_session_info allocates IMB_mem_buf with kcalloc and passes it to __prepare_IMB_info, which stores it in session->IMB_mem_buf before performing the size check on session->IMB_size:

int __config_session_info(struct npu_session *session)
{
    int ret = 0;
    struct addr_info *IMB_av = NULL;
    struct npu_memory_buffer *IMB_mem_buf;

    IMB_mem_buf = kcalloc(1, sizeof(struct npu_memory_buffer), GFP_KERNEL);
    ...
    ret = __prepare_IMB_info(session, &IMB_av, IMB_mem_buf);
    ...
}

int __prepare_IMB_info(struct npu_session *session, struct addr_info **IMB_av,
                       struct npu_memory_buffer *IMB_mem_buf)
{
    int ret = 0;
    ...
    session->IMB_mem_buf = IMB_mem_buf;   /* pointer published into the session before the size check */
    if (session->IMB_size > (NPU_IMB_CHUNK_SIZE * NPU_IMB_CHUNK_MAX_NUM)) {
        ...
        goto p_err;
    }
    ...
p_err:
    if (likely(IMB_mem_buf))
        kfree(IMB_mem_buf);   /* [1] freed here, but session->IMB_mem_buf still points to it */
    return ret;
}

When session->IMB_size exceeds the maximum permitted IMB size (NPU_IMB_CHUNK_SIZE * NPU_IMB_CHUNK_MAX_NUM), execution jumps to p_err, which frees IMB_mem_buf at [1] but leaves session->IMB_mem_buf dangling. When the session is subsequently torn down via __release_imb_mem_buf, the stale pointer is passed to kfree a second time:

static inline void __release_imb_mem_buf(struct npu_session *session)
{
    struct npu_memory_buffer *ion_mem_buf = session->IMB_mem_buf;
    if (likely(ion_mem_buf)) {
        ...
        session->IMB_mem_buf = NULL;
        kfree(ion_mem_buf);   /* double free */
    }
}

This double free of a kernel heap object (the struct npu_memory_buffer allocated with kcalloc) is reachable from the untrusted_app SELinux context and can be exploited to achieve local privilege escalation to root.
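The bug pattern described above, as an added example that is not code from the advisory or from Samsung's driver: a user-space C model in which a small tracking allocator stands in for kmalloc/kfree, so that the second kfree of the same object is counted rather than corrupting the heap. The struct layouts, the NPU_IMB_CHUNK_SIZE and NPU_IMB_CHUNK_MAX_NUM values, and the hardened prepare_imb_info_fixed variant (validate before publishing the pointer, clear the session field on the error path) are assumptions made for illustration; the advisory does not show Samsung's actual fix.

```c
/* Added example modelling CVE-2025-23096's dangling-pointer double free.
 * Identifiers mirror the advisory, but the structs, limits and tracking
 * allocator below are assumptions for illustration, not Samsung's code. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NPU_IMB_CHUNK_SIZE     (2 * 1024 * 1024)  /* assumed value */
#define NPU_IMB_CHUNK_MAX_NUM  32                 /* assumed value */
#define IMB_MAX_SIZE ((size_t)NPU_IMB_CHUNK_SIZE * NPU_IMB_CHUNK_MAX_NUM)

struct npu_memory_buffer { size_t size; };
struct npu_session {
    size_t IMB_size;                       /* assumed to be attacker-influenced */
    struct npu_memory_buffer *IMB_mem_buf;
};

/* Tracking allocator standing in for kmalloc/kfree: it remembers live
 * objects so that freeing a pointer that is not live is counted as a
 * double free instead of handing a freed chunk to free() again. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_free_count;

static void *mock_kcalloc(size_t n, size_t sz) {
    void *p = calloc(n, sz);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; break; }
    return p;
}

static void mock_kfree(void *p) {
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    double_free_count++;   /* p was already freed (or never allocated) */
}

typedef int (*prepare_fn)(struct npu_session *, struct npu_memory_buffer *);

/* Vulnerable shape: the pointer is stored in the session before the size
 * check, and the error path frees it without clearing the session field. */
static int prepare_imb_info_vuln(struct npu_session *s, struct npu_memory_buffer *buf) {
    int ret = 0;
    s->IMB_mem_buf = buf;
    if (s->IMB_size > IMB_MAX_SIZE) { ret = -1; goto p_err; }
    return ret;
p_err:
    if (buf) mock_kfree(buf);             /* [1] session->IMB_mem_buf left dangling */
    return ret;
}

/* Hardened shape (assumed, not Samsung's patch): reject before publishing
 * the pointer, and leave the session field NULL on the error path. */
static int prepare_imb_info_fixed(struct npu_session *s, struct npu_memory_buffer *buf) {
    if (s->IMB_size > IMB_MAX_SIZE) {
        mock_kfree(buf);
        s->IMB_mem_buf = NULL;
        return -1;
    }
    s->IMB_mem_buf = buf;
    return 0;
}

/* Teardown path, same in both variants: frees whatever the session holds. */
static void release_imb_mem_buf(struct npu_session *s) {
    struct npu_memory_buffer *b = s->IMB_mem_buf;
    if (b) { s->IMB_mem_buf = NULL; mock_kfree(b); }
}

/* Runs setup followed by teardown for a given IMB_size and returns the
 * number of double frees the tracking allocator observed. */
static int run_session(prepare_fn prepare, size_t imb_size) {
    struct npu_session s = { .IMB_size = imb_size, .IMB_mem_buf = NULL };
    memset(live, 0, sizeof live);
    double_free_count = 0;
    struct npu_memory_buffer *buf = mock_kcalloc(1, sizeof *buf);
    prepare(&s, buf);          /* __config_session_info -> __prepare_IMB_info */
    release_imb_mem_buf(&s);   /* later session teardown */
    return double_free_count;
}

int main(void) {
    printf("vulnerable, oversized IMB: %d double free(s)\n",
           run_session(prepare_imb_info_vuln, IMB_MAX_SIZE + 1));
    printf("fixed, oversized IMB:      %d double free(s)\n",
           run_session(prepare_imb_info_fixed, IMB_MAX_SIZE + 1));
    printf("vulnerable, valid IMB:     %d double free(s)\n",
           run_session(prepare_imb_info_vuln, 4096));
    return 0;
}
```

The model reproduces the ordering defect rather than the heap state: with a valid IMB_size both variants free the buffer exactly once in teardown, and only the vulnerable variant with an oversized IMB_size produces the second free, which is the same trigger condition the advisory describes.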

Credit

Billy Jheng Bing-Jhong, Muhammad Alifa Ramdhan and Pan Zhenpeng of STAR Labs SG Pte. Ltd.

Timeline


Source: https://starlabs.sg/advisories/25/25-23096/