Preface: This vulnerability was posted on April 1 2024. For details, please refer to the Qualcomm April 2024 Security Bulletin.

Background: EL1 can access most system registers, EL2 has additional privileges, and EL3 has all privileges. The only way that the processor can change from one exception level to a higher level is when an exception occurs.

In computing, an input–output memory management unit is a memory management unit connecting a direct-memory-access–capable I/O bus to the main memory. Like a traditional MMU, which translates CPU-visible virtual addresses to physical addresses, the IOMMU maps device-visible virtual addresses to physical addresses.

Qualcomm “B” family devices which are not compatible with arm-smmu have a similar looking IOMMU but without access to the global register space, and optionally requiring additional configuration to route context irqs to non-secure vs secure interrupt line.

Vulnerability details: Use After Free in Kernel. UAF scenario may occur in clients with EL1 privileges for iova mappings when we miss to check the return value of arm_lpae_init_pte which may lead to an PTE be counted as it was set even if it was already existing. This can cause a dangling IOMMU PTE to be left mapped pointing to a freed object and cause UAF in the client if the dangling PTE is accessed after a failed unmap operation.

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2024-bulletin.html