Google’s Project Zero (GPZ) team has disclosed a “high” severity security flaw in Qualcomm Adreno GPUs. Since the chipmaker was unable to develop an adequate patch within 90 days of receiving notification from Project Zero, Google has now publicly released the details of the bug.
For those unaware, under the revised disclosure policy, GPZ waits the full 90 days before publicly revealing the details of a security bug, even if the bug is fixed ahead of that deadline. Vendors can also request an additional 14-day grace period from Google if they believe they won’t be able to fix the reported vulnerability within the 90 days.
The Adreno GPU driver associates a private device structure (“process_priv”) with each KGSL file descriptor, which holds the page tables that are used for GPU context switching. This structure is tied to the PID of the calling process and can be reused multiple times by additional KGSL file descriptors in the same process (presumably to save the cost of performing a GPU context switch between draw contexts in the same process).
When a process forks, the child inherits the parent’s KGSL file descriptors along with the private structure associated with the parent’s PID. If a child process holds a KGSL file descriptor that was originally opened in a parent process, and if that parent process exits, then the child still holds a reference to the private structure associated with the parent’s PID.
However, if the parent’s PID is reused by a victim process, then the victim will reuse the existing private structure rather than creating a new one. In practice, this gives the child process (an attacker) the ability to read any subsequent GPU shared mappings that the victim process creates since their draw contexts are considered to be running in the same GPU context.
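A hypothetical C model of the lookup-by-PID pattern described above, added here as an illustration; it is not code from the KGSL driver or from Qualcomm's patch. The weak lookup keys the private structure on the PID alone, so a victim that is assigned the dead parent's PID is matched to the structure still held by the child; the hardened lookup additionally requires the process start time to match, which is assumed here as one conventional way to tell a reused PID apart from the original process.

```c
/* Hypothetical model of the PID-keyed per-process lookup described above; this
 * is illustrative code, not the KGSL driver and not Qualcomm's patch. */
#include <stdint.h>
#include <string.h>
#define MAX_PRIV 8
struct process_priv {
    int pid;             /* PID of the process that created the structure */
    uint64_t start_time; /* creator's start time: disambiguates a reused PID */
    int refcount;        /* one reference per open KGSL file descriptor */
    int gpu_context;     /* stands in for the page tables shared by draw contexts */
};
static struct process_priv table[MAX_PRIV];
static int next_context = 1;

/* Lookup keyed on the PID alone (weak) or on PID plus start time (hardened). */
static struct process_priv *lookup(int pid, uint64_t start_time, int hardened)
{
    for (int i = 0; i < MAX_PRIV; i++)
        if (table[i].refcount && table[i].pid == pid &&
            (!hardened || table[i].start_time == start_time))
            return &table[i];
    return NULL;
}

/* open(): reuse a live structure for this process, else allocate a fresh one. */
static struct process_priv *kgsl_open(int pid, uint64_t start_time, int hardened)
{
    struct process_priv *p = lookup(pid, start_time, hardened);
    if (!p) {
        for (int i = 0; i < MAX_PRIV && !p; i++) if (table[i].refcount == 0) p = &table[i];
        if (!p) return NULL;
        p->pid = pid; p->start_time = start_time; p->gpu_context = next_context++;
    }
    p->refcount++;
    return p;
}

/* Article's scenario: parent opens KGSL and forks, parent exits, a victim later
 * gets the same PID. Returns 1 if the victim lands in the child's GPU context. */
int victim_shares_context(int hardened)
{
    memset(table, 0, sizeof table); next_context = 1;
    struct process_priv *child_fd = kgsl_open(1234, 100, hardened); /* parent opens */
    child_fd->refcount++; /* fork duplicates the fd into the child */
    child_fd->refcount--; /* parent exits; the child's reference keeps priv alive */
    struct process_priv *victim_fd = kgsl_open(1234, 200, hardened); /* PID 1234 reused */
    return victim_fd->gpu_context == child_fd->gpu_context;
}
```

`victim_shares_context(0)` returns 1 (victim and attacker's child share a GPU context), while `victim_shares_context(1)` returns 0 because the start-time check forces a fresh structure for the new process.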
According to Google Project Zero, “a real world attack would require the attacker to loop the PID and then trigger either a well-timed intent or system service restart via a crashing bug. The exploit would then likely attempt to recover the contents of the victim’s GPU compositing (or the results of other GPU operations).”
On September 15, 2020, Google’s research team contacted Qualcomm to report the vulnerability along with bug fix suggestions. The research team gave Qualcomm a 90-day deadline under the revised disclosure policy (which would expire on December 14) to fix the issue before publicly revealing the details of the bug.
Further, on December 7, 2020, Qualcomm informed Project Zero that the issue (CVE-2020-11311) had been resolved and that the fix had been shared in the private OEM bulletin, with a public advisory planned for January 2021. To this, Google’s research team responded that the issue would be disclosed on December 14th and requested a link to the relevant patches, which Qualcomm readily provided.
On investigating the proposed patch, Google found that it introduced a reference counting issue leading to an exploitable use-after-free (UAF); in other words, the patch for this information leak bug introduced a kernel privilege escalation bug. Project Zero shared details of the new UAF on December 10, 2020, to which Qualcomm responded that it was investigating the new information.
Since Qualcomm did not meet the December 14th deadline, Project Zero has gone ahead and publicly disclosed the high severity flaw in the Adreno GPU driver. While under the revised disclosure policy vendors can request an additional 14-day grace period to fix the flaw, Google’s bulletin does not make clear whether Qualcomm has done so.
With the security bug now public, Qualcomm will have to move quickly to ship a working fix before attackers find an effective way to exploit the flaw.