Google Project Zero Outs Qualcomm Adreno GPU Driver Exploit Affecting Millions Of Android Devices

Qualcomm Adreno
It seems Qualcomm is having a devil of a time fixing a security flaw related to its Adreno GPU driver code. It was brought to Qualcomm's attention by Google's Project Zero team, which sniffs out vulnerabilities and compels companies to fast-track security fixes by going public with the details after 90 days have passed (barring a grace period, which the team sometimes grants).

The general idea behind the 90-day deadline is that it provides incentive for companies not to drag their feet in fixing security flaws. This sometimes comes at the consternation of companies, especially if they request a bit of additional time and are denied for whatever reason. In that sense, there is a controversial nature to Project Zero, but to its credit, the program has been mostly effective.

In this case, the team discovered a GPU shared mapping flaw. It has a "High" severity rating, and is also concerning because millions of Android devices run on Qualcomm hardware.

The disclosure page lays out all the technical details, but what it boils down to is how the Adreno GPU driver associates a private device structure for each kernel graphics support layer (KGSL) file descriptor. This holds page tables that are used for GPU context switching, and can be reused multiple times by additional KGSL file descriptors in the same process.

"When a process forks, the child inherits the parent's KGSL file descriptors along with the private structure associated with the parent's PID. If a child process holds a KGSL file descriptor that was originally opened in a parent process, and if that parent process exits, then the child still holds a reference to the private structure associated with the parent's PID," Project Zero explains.

"However if the parent's PID is reused by a victim process, then the victim will reuse the existing private structure rather than creating a new one. In practice this gives the child process (an attacker) the ability to read any subsequent GPU shared mappings that the victim process creates, since their draw contexts are considered to be running in the same GPU context," Project Zero continues.

The team provided a proof-of-concept, noting that a real-world implementation would be a little trickier to pull off.

Project Zero notified Qualcomm about its findings on September 15. Qualcomm came up with a fix and shared it privately with OEMs, saying it would post a public bulletin in January. However, according to Project Zero, the fix introduces another flaw, an exploitable UAF, and has recommended that Qualcomm hold back on applying the patch until that issue is also resolved.

For whatever reason, it seems Qualcomm did not request additional time from Project Zero (if so, it's not mentioned in the bulletin), and so the details for this high severity security flaw have now been made public.