Android PowerVR GPU Privilege Escalation Vulnerability via Use-After-Free in DevmemIntMapPages

Vulnerability

A use-after-free vulnerability has been identified in the PowerVR GPU device driver within the Android operating system. This issue arises from improper management of reference counts in the 'DevmemIntMapPages' function, allowing a malicious user to read and write to arbitrary freed physical memory pages. Exploitation of this vulnerability could lead to local privilege escalation in the kernel, with no additional execution privileges required.

Impact

Exploitation of this vulnerability allows for local privilege escalation, granting universal root access on the device.

Reproduction

The vulnerability can be reproduced by creating a PMR object and using the 'PVRSRVBridgeDevmemIntMapPages' function to map GPU virtual pages to physical pages. The 'DevmemIntMapPages' function fails to properly manage reference counts, allowing the physical pages to be freed while still mapped to GPU virtual pages. This mismanagement can be exploited by accessing the freed physical pages through OpenCL kernel functions.
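The reference-counting mistake described above, as an added toy model in C (constructed for illustration; not the PowerVR driver's code): a GPU mapping that records a PMR without taking a reference on it lets the backing pages be freed while the mapping still points at them, whereas a mapping that pins the PMR keeps the pages alive until unmap. The types `pmr_t`, `gpu_mapping_t` and all function names are assumed for the model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Toy PMR: owns physical pages, freed when the last reference is dropped. */
typedef struct {
    int refcount;      /* references currently held on this PMR */
    bool pages_freed;  /* set once the backing pages are released */
} pmr_t;

/* Toy GPU virtual mapping backed by a PMR. */
typedef struct {
    pmr_t *pmr;
    bool mapped;
} gpu_mapping_t;

static void pmr_ref(pmr_t *p) { p->refcount++; }

static void pmr_unref(pmr_t *p) {
    if (--p->refcount == 0)
        p->pages_freed = true;   /* last reference gone: pages released */
}

/* Buggy map: stores the PMR but takes no reference on it, so nothing
   stops the PMR's pages from being freed while the mapping exists. */
void map_pages_buggy(gpu_mapping_t *m, pmr_t *p) {
    m->pmr = p;
    m->mapped = true;
}

/* Fixed map: the mapping holds a reference for as long as it exists. */
void map_pages_fixed(gpu_mapping_t *m, pmr_t *p) {
    pmr_ref(p);
    m->pmr = p;
    m->mapped = true;
}

/* Fixed unmap: releases the mapping's reference (may free the pages). */
void unmap_pages_fixed(gpu_mapping_t *m) {
    m->mapped = false;
    pmr_unref(m->pmr);
}

/* Create a PMR (creator holds one handle), map it, then drop the creator's
   handle. Returns true when the mapping still points at freed pages, i.e.
   the use-after-free condition exists. */
bool mapping_dangles_after_pmr_release(bool use_fixed) {
    pmr_t pmr = { .refcount = 1, .pages_freed = false };
    gpu_mapping_t map = { .pmr = NULL, .mapped = false };
    if (use_fixed) map_pages_fixed(&map, &pmr);
    else           map_pages_buggy(&map, &pmr);
    pmr_unref(&pmr);                      /* creator releases its handle */
    bool dangling = map.mapped && pmr.pages_freed;
    if (use_fixed) unmap_pages_fixed(&map); /* pages freed only now */
    return dangling;
}
```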

Remediation

Google has informed Imagination Technologies of this vulnerability, and it has been assigned CVE-2023-35685.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.0
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.