DMA / MMIO Access
Using Direct Memory Access or Memory-Mapped I/O to read/write physical memory.
Description
Drivers that map physical memory via MmMapIoSpace or configure DMA transfers without proper bounds validation may allow mapping of arbitrary physical addresses. Without IOMMU enforcement, DMA-capable devices can access all physical memory.
Mechanism
MmMapIoSpace/MmMapIoSpaceExwith controlled physical address- DMA common buffer allocation with attacker-influenced parameters
- Missing IOMMU (VT-d) enforcement
AutoPiff Detection
mmio_mapping_bounds_validation_addeddma_buffer_bounds_check_addednew_dma_mmio_access
Related CVEs
| CVE | Driver | Description |
|---|---|---|
| CVE-2019-16098 | RTCore64.sys |
Physical memory mapping via MmMapIoSpace |
| CVE-2018-19320 | gdrv.sys |
Physical memory mapping via MmMapIoSpace |
| ATSZIO64.sys | ATSZIO64.sys |
Physical memory mapping via MmMapIoSpace |
| AsIO3.sys | AsIO3.sys |
Physical memory R/W including SMRAM access |
| NVDrv | nvlddmkm.sys |
GPU DMA-based physical memory access |