**Summary:**

[ImgTec] PowerVR GPU - GPU can R/W arbitrary freed physical pages due to PMR object reference count mismanagement in DevmemIntMapPages

**Description:**

A malicious user may map GPU virtual pages to the allocated physical pages and free physical pages later. However, the driver fails to clear the memory mapping between PA and GPU VA, leading to page UAF. An attacker can easily exploit this vulnerability as an universal Android root.

**Overview:**

Non-privileged users can access PowerVR mobile graphic device drivers locally. By interacting with the PowerVR GPU PMR and GPU mapping related functions, an attacker can gain escalation of privilege by page UAF.

**Technical Details:**

Test device: Samsung M04, PVR GPU Version 1.13, SPL 2023-03-01 (latest)

A malicious user may create a PMR object and call PVRSRVBridgeDevmemIntMapPages for mapping GPU pages. Unlike PVRSRVBridgeDevmemIntMapPMR bridge function, the function PVRSRVBridgeDevmemIntMapPages fails to increment the PMR reference count and just calls MMU_MapPages:

PVRSRV_ERROR  
DevmemIntMapPages(DEVMEMINT_RESERVATION \*psReservation,  
                  PMR \*psPMR,  
                  IMG_UINT32 ui32PageCount,  
                  IMG_UINT32 ui32PhysicalPgOffset,  
                  PVRSRV_MEMALLOCFLAGS_T uiFlags,  
                  IMG_DEV_VIRTADDR sDevVAddrBase)  
{  
	PVRSRV_ERROR eError;  
  
	if (psReservation->psDevmemHeap->uiLog2PageSize > PMR_GetLog2Contiguity(psPMR))  
	{  
		PVR_DPF((PVR_DBG_ERROR,  
		         "%s: Device heap and PMR have incompatible Log2Contiguity (%u - %u). "  
		         "PMR contiguity must be a multiple of the heap contiguity!",  
		         __func__,  
		         psReservation->psDevmemHeap->uiLog2PageSize,  
		         PMR_GetLog2Contiguity(psPMR)));  
		PVR_GOTO_WITH_ERROR(eError, PVRSRV_ERROR_INVALID_PARAMS, e0);  
	}  
  
	eError = MMU_MapPages(psReservation->psDevmemHeap->psDevmemCtx->psMMUContext,  
	                      uiFlags,  
	                      sDevVAddrBase,  
	                      psPMR,  
	                      ui32PhysicalPgOffset,  
	                      ui32PageCount,  
	                      NULL,  
	                      psReservation->psDevmemHeap->uiLog2PageSize);  
  
e0:  
	return eError;  
}

As a result, a malicious user can later on call PVRSRVBridgePMRUnrefPMR to destroy the PMR object, meaning the allocated physical pages will also be freed. Since GPU virtual pages still map to the freed physical pages, we can use the OpenCL kernel function to access the freed physical pages and devices.

**Impact:**

LPE (universal root)

**Suggested Action:**

Increment PMR reference count in DevmemIntMapPages.

NOTES
Google has determined that this issue affects other partners. Please note that ImgTec was informed of this security vulnerability on June 27, 2023. This issue has been assigned CVE-2023-35685.