PoC Code for Arm Mali GPU Kernel Driver Flaw (CVE-2022-38181) Published
Man Yue Mo, a security researcher with GitHub, has released technical details and proof-of-concept (PoC) exploit code for an Arm Mali GPU Kernel Driver security bypass that Arm patched in August last year.
The PoC exploit targets CVE-2022-38181 (CVSS score of 8.8), a vulnerability that could allow a remote authenticated attacker to bypass security restrictions, caused by a use-after-free error. By making improper GPU processing operations, an attacker could exploit this vulnerability to gain arbitrary kernel code execution from the untrusted app domain, which is then used to disable SELinux and gain root.
The flaw impacts Arm Mali GPU kernel drivers Midgard r4p0 through r32p0, Bifrost r0p0 through r38p1, and r39p0, and Valhall r19p0 through r38p1, and r39p0.
Midgard drivers are used in even older (2016) Mali T800 and T700 series chips, Samsung Galaxy S7 and Note 7, Sony Xperia X XA1, Huawei Mate 8, Nokia 3.1, LG X, and Redmi Note 4.
Bifrost drivers are used in the older (2018) Mali G76, G72, and G52 chips used by Samsung Galaxy S10, S9, A51 and A71, Redmi Note 10, Huawei P30 and P40 Pro, Honor View 20, Motorola Moto G60S, and Realme 7.
Valhall drivers are used in Mali G710, G610, and G510 chips found inside the Google Pixel 7, Asus ROG Phone 6, Redmi Note 11 and 12, Honor 70 Pro, RealMe GT, Xiaomi 12 Pro, Oppo Find X5 Pro and Reno 8 Pro, Motorola Edge, and OnePlus 10R.
The researcher wrote in the write-up:
“To summarize, the exploit involves the following steps:
- Create JIT memory.
- Mark the JIT memory as evictable.
- Increase memory pressure by mapping memory to the user space via normal mmap system calls.
- Use the KBASE_IOCTL_MEM_QUERY ioctl to check if the JIT memory is freed. Carry on applying memory pressure until the JIT region is freed.
- Allocate new GPU memory regions using the KBASE_IOCTL_MEM_ALLOC ioctl to replace the freed JIT memory.
- Create an alias region to the new GPU memory region that replaced the JIT memory so that the backing pages of the new GPU memory are shared with the alias region.
- Submit a BASE_JD_REQ_SOFT_JIT_FREE job to free the JIT region. As the JIT region is now replaced by the new memory region, this will cause kbase_jit_free to remove the backing pages of the new memory region, but the GPU mappings created in the alias region in step 6. will not be removed. The alias region can now be used to access the freed backing pages.
- Reuse the freed backing pages as PGD of the kbase_context. The alias region can now be used to rewrite the PGD. I can then map arbitrary physical pages to the GPU address space.
- Map kernel code to the GPU address space to gain arbitrary kernel code execution, which can then be used to rewrite the credentials of our process to gain root, and to disable SELinux.”
Man Yue Mo has published PoC code that used CVE-2022-38181 vulnerability to gain arbitrary kernel code execution and root privileges on a Pixel 6 from an Android app.
The severity score of the issues is high, they are exploitable and impact a wide number of Android devices.