Coordinated Disclosure Timeline
- 14/07/2020 Reported to Android security team as Issue 161156065, later assigned Android ID 161373974
- 17/07/2020 Told it was a Qualcomm issue and that it had been forwarded to Qualcomm, but that the Android security team would still provide updates via the ticket system.
- 11/08/2020 Update from Android security team that Qualcomm had reproduced the issue.
- 24/09/2020 Update from Android security team that Qualcomm had rated it as High severity.
- 17/12/2020 Assigned CVE-2020-11261
- 01/01/2021 Fixed in January bulletin
- 22/03/2021 Android security bulletin updated with indications that this bug may be under limited, targeted exploitation.
Summary
Incorrect bounds checking in Qualcomm kgsl driver
Product
msm kernel
CVE
CVE-2020-11261
Tested Version
Pixel 3a with build ID QQ3A.200705.002
Details
When the IOCTL_KGSL_MAP_USER_MEM ioctl of the kgsl driver is called with suitable parameters, execution eventually reaches kgsl_iommu_set_svm_region [5] (via _map_usermem_addr [1] -> kgsl_setup_useraddr [2] -> kgsl_setup_anon_useraddr [3] -> kgsl_mmu_set_svm_region [4]).
Apart from a check that is supposed to ensure the requested range does not lie within the global range, there is no range check at all on the caller-controlled address range [gpuaddr, gpuaddr + size]:
if (ADDR_IN_GLOBAL(pagetable->mmu, gpuaddr) ||
    ADDR_IN_GLOBAL(pagetable->mmu, gpuaddr + size))
        return -ENOMEM;
Moreover, even this global range check is insufficient to prevent the range [gpuaddr, gpuaddr + size] from overlapping the global region. The global region is defined in kgsl_iommu.h as follows:
/*
 * These defines control the address range for allocations that
 * are mapped into all pagetables.
 */
#define KGSL_IOMMU_GLOBAL_MEM_SIZE (20 * SZ_1M)
#define KGSL_IOMMU_GLOBAL_MEM_BASE32 0xf8000000
#define KGSL_IOMMU_GLOBAL_MEM_BASE64 0xfc000000
i.e. a 20M window starting at KGSL_IOMMU_GLOBAL_MEM_BASE32 or KGSL_IOMMU_GLOBAL_MEM_BASE64, depending on the address width.
The check, however, only ensures that the start and the end of the requested region do not themselves lie inside the global window [KGSL_IOMMU_GLOBAL_MEM_BASE64/32, KGSL_IOMMU_GLOBAL_MEM_BASE64/32 + KGSL_IOMMU_GLOBAL_MEM_SIZE). By requesting a memory area larger than KGSL_IOMMU_GLOBAL_MEM_SIZE, a caller can make the requested range cover the entire global window while still passing this check.
The general lack of a range check allows overlapping memory regions to be mapped by the IOMMU, which can be exploited in the same way as CVE-2023-33107.
Note: The original bug report submitted to Qualcomm only pointed out the error in the global address range check and wrongly concluded that the global region can be mapped over. In light of the more recently discovered CVE-2023-33107, and the fact that the vulnerability in this advisory (CVE-2020-11261) was also detected as exploited in the wild, this advisory has been updated to reference CVE-2023-33107, which is a more likely vector for exploiting this issue (CVE-2020-11261).
- https://android.googlesource.com/kernel/msm/+/28c696160049cdc45dd32643c5345be83f6bb59c/drivers/gpu/msm/kgsl.c#2718
- https://android.googlesource.com/kernel/msm/+/28c696160049cdc45dd32643c5345be83f6bb59c/drivers/gpu/msm/kgsl.c#2482
- https://android.googlesource.com/kernel/msm/+/28c696160049cdc45dd32643c5345be83f6bb59c/drivers/gpu/msm/kgsl.c#2292
- https://android.googlesource.com/kernel/msm/+/28c696160049cdc45dd32643c5345be83f6bb59c/drivers/gpu/msm/kgsl.c#2167
- https://android.googlesource.com/kernel/msm/+/28c696160049cdc45dd32643c5345be83f6bb59c/drivers/gpu/msm/kgsl_iommu.c#2417
CVE
- CVE-2020-11261
Impact
This issue can be exploited to gain kernel code execution from a userspace application, similar to CVE-2023-33107.
Credit
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com. Please include GHSL-2020-374 in any communication regarding this issue.