Status: Fixed
an...@google.com <an...@google.com>
is...@google.com <is...@google.com> #4
This issue was migrated from crbug.com/apvi/133?no_tracker_redirect=1
[Monorail components: ImaginationTechnologies]
Description
**Summary:**
[ImgTec] PowerVR GPU - GPU can R/W arbitrary freed physical pages due to PMR object reference count mismanagement in DevmemIntMapPages
**Description:**
A malicious user may map GPU virtual pages to the allocated physical pages and free the physical pages later. However, the driver fails to clear the memory mapping between the PA and the GPU VA, leading to a page UAF. An attacker can easily exploit this vulnerability as a universal Android root.
**Overview:**
Non-privileged users can access the PowerVR mobile graphics device driver locally. By interacting with the PowerVR GPU PMR and GPU mapping related functions, an attacker can gain escalation of privilege via a page UAF.
**Technical Details:**
Test device: Samsung M04, PVR GPU Version 1.13, SPL 2023-03-01 (latest)
A malicious user may create a PMR object and call PVRSRVBridgeDevmemIntMapPages to map GPU pages. Unlike the PVRSRVBridgeDevmemIntMapPMR bridge function, the function PVRSRVBridgeDevmemIntMapPages fails to increment the PMR reference count and just calls MMU_MapPages:

As a result, a malicious user can later on call PVRSRVBridgePMRUnrefPMR to destroy the PMR object, meaning the allocated physical pages will also be freed. Since the GPU virtual pages still map to the freed physical pages, we can use an OpenCL kernel function to access the freed physical pages and devices.

**Impact:**
LPE (universal root)
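The following toy C model is an added illustration and is not code from this report or from the PowerVR driver. It shows the reference-count invariant that the Technical Details and Suggested Action sections turn on: a mapping that does not take its own reference on the backing object dangles as soon as the creator drops its reference, whereas a mapping that takes a reference keeps the backing alive until the mapping is torn down. All names (pmr_t, mapping_t, map_pages_buggy, map_pages_fixed, unmap_pages, scenario) are hypothetical stand-ins for the driver's map and unref paths; no real driver structures are modelled, and the "freed" state is just a flag so the dangling condition can be observed without touching freed memory.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of a PMR-like backing object with a reference count (hypothetical). */
typedef struct {
    int refcount;
    bool freed;           /* set when the last reference is dropped */
} pmr_t;

/* A GPU VA range that points at a backing object (the mapping). */
typedef struct {
    pmr_t *pmr;           /* NULL when not mapped */
    bool holds_ref;       /* did the mapping take its own reference? */
} mapping_t;

static pmr_t *pmr_create(void) {
    pmr_t *p = calloc(1, sizeof *p);
    assert(p != NULL);
    p->refcount = 1;      /* the creator holds the initial reference */
    return p;
}

static void pmr_ref(pmr_t *p) { p->refcount++; }

/* Drop one reference; at zero the backing pages are "freed". The struct is
   kept alive so the model can observe the dangling state safely. */
static void pmr_unref(pmr_t *p) {
    assert(p->refcount > 0);
    if (--p->refcount == 0) p->freed = true;
}

/* Buggy variant: installs the mapping without taking a reference. */
static void map_pages_buggy(mapping_t *m, pmr_t *p) {
    m->pmr = p;
    m->holds_ref = false;
}

/* Fixed variant: the mapping owns a reference for as long as it exists. */
static void map_pages_fixed(mapping_t *m, pmr_t *p) {
    pmr_ref(p);
    m->pmr = p;
    m->holds_ref = true;
}

/* Tear down the mapping and release the reference it holds, if any. */
static void unmap_pages(mapping_t *m) {
    if (m->pmr && m->holds_ref) pmr_unref(m->pmr);
    m->pmr = NULL;
    m->holds_ref = false;
}

/* True if the mapping currently points at freed backing pages: the invariant
   a reviewer checks for every map/unmap pair. */
static bool mapping_dangles(const mapping_t *m) {
    return m->pmr != NULL && m->pmr->freed;
}

/* The sequence from the report: create, map, then the user drops its own
   reference. Returns whether the mapping dangles afterwards. */
static bool scenario(bool use_fixed_map) {
    pmr_t *p = pmr_create();
    mapping_t m = {0};
    if (use_fixed_map) map_pages_fixed(&m, p); else map_pages_buggy(&m, p);
    pmr_unref(p);                    /* user-side unref after mapping */
    bool dangles = mapping_dangles(&m);
    unmap_pages(&m);
    free(p);
    return dangles;
}

/* Reference count observed right after a fixed map: creator's plus mapping's. */
static int refcount_after_fixed_map(void) {
    pmr_t *p = pmr_create();
    mapping_t m = {0};
    map_pages_fixed(&m, p);
    int rc = p->refcount;
    unmap_pages(&m);
    pmr_unref(p);
    free(p);
    return rc;
}

int main(void) {
    printf("buggy map dangles after unref: %s\n", scenario(false) ? "yes" : "no");
    printf("fixed map dangles after unref: %s\n", scenario(true) ? "yes" : "no");
    printf("refcount right after fixed map: %d\n", refcount_after_fixed_map());
    return 0;
}
```

The shape of the fix the report suggests is the map_pages_fixed path: the mapping takes its own reference when installed, and the matching unref lives in the unmap path, so the count stays balanced and a user-side unref alone can never free pages that are still mapped.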
**Suggested Action:**
Increment the PMR reference count in DevmemIntMapPages.

NOTES
Google has determined that this issue affects other partners. Please note that ImgTec was informed of this security vulnerability on June 27, 2023. This issue has been assigned CVE-2023-35685.