PowerVR GPU - GPU can R/W arbitrary freed physical pages due to PMR object reference count mismanagement in DevmemIntMapPages [42420027]

Fixed

Vulnerability

Status Update

No update yet.

Description

an...@google.com

created issue #1

Sep 26, 2023 10:31PM

**Summary:**

[ImgTec] PowerVR GPU - GPU can R/W arbitrary freed physical pages due to PMR object reference count mismanagement in DevmemIntMapPages

**Description:**

A malicious user may map GPU virtual pages to the allocated physical pages and free physical pages later. However, the driver fails to clear the memory mapping between PA and GPU VA, leading to page UAF. An attacker can easily exploit this vulnerability as an universal Android root.

**Overview:**

Non-privileged users can access PowerVR mobile graphic device drivers locally. By interacting with the PowerVR GPU PMR and GPU mapping related functions, an attacker can gain escalation of privilege by page UAF.

**Technical Details:**

Test device: Samsung M04, PVR GPU Version 1.13, SPL 2023-03-01 (latest)

A malicious user may create a PMR object and call PVRSRVBridgeDevmemIntMapPages for mapping GPU pages. Unlike PVRSRVBridgeDevmemIntMapPMR bridge function, the function PVRSRVBridgeDevmemIntMapPages fails to increment the PMR reference count and just calls MMU_MapPages:

PVRSRV_ERROR  
DevmemIntMapPages(DEVMEMINT_RESERVATION \*psReservation,  
                  PMR \*psPMR,  
                  IMG_UINT32 ui32PageCount,  
                  IMG_UINT32 ui32PhysicalPgOffset,  
                  PVRSRV_MEMALLOCFLAGS_T uiFlags,  
                  IMG_DEV_VIRTADDR sDevVAddrBase)  
{  
	PVRSRV_ERROR eError;  
  
	if (psReservation->psDevmemHeap->uiLog2PageSize > PMR_GetLog2Contiguity(psPMR))  
	{  
		PVR_DPF((PVR_DBG_ERROR,  
		         "%s: Device heap and PMR have incompatible Log2Contiguity (%u - %u). "  
		         "PMR contiguity must be a multiple of the heap contiguity!",  
		         __func__,  
		         psReservation->psDevmemHeap->uiLog2PageSize,  
		         PMR_GetLog2Contiguity(psPMR)));  
		PVR_GOTO_WITH_ERROR(eError, PVRSRV_ERROR_INVALID_PARAMS, e0);  
	}  
  
	eError = MMU_MapPages(psReservation->psDevmemHeap->psDevmemCtx->psMMUContext,  
	                      uiFlags,  
	                      sDevVAddrBase,  
	                      psPMR,  
	                      ui32PhysicalPgOffset,  
	                      ui32PageCount,  
	                      NULL,  
	                      psReservation->psDevmemHeap->uiLog2PageSize);  
  
e0:  
	return eError;  
}

As a result, a malicious user can later on call PVRSRVBridgePMRUnrefPMR to destroy the PMR object, meaning the allocated physical pages will also be freed. Since GPU virtual pages still map to the freed physical pages, we can use the OpenCL kernel function to access the freed physical pages and devices.

**Impact:**

LPE (universal root)

**Suggested Action:**

Increment PMR reference count in DevmemIntMapPages.

NOTES
Google has determined that this issue affects other partners. Please note that ImgTec was informed of this security vulnerability on June 27, 2023. This issue has been assigned CVE-2023-35685.

Comments

an...@google.com <an...@google.com> Sep 26, 2023 10:31PM

Marked as fixed.

[Deleted User] <[Deleted User]> #2Sep 27, 2023 12:00PM

an...@google.com <an...@google.com> #3Sep 27, 2023 07:00PM

[Empty comment from Monorail migration]

is...@google.com <is...@google.com> #4Sep 27, 2023 07:00PM

This issue was migrated from

crbug.com/apvi/133?no_tracker_redirect=1

[Monorail components: ImaginationTechnologies]

IssueTracker

This issue is a part of the APVI tracker.