Coordinated Disclosure Timeline
- 2021-11-25: Issue reported to Qualcomm.
- 2021-11-30: Qualcomm analyzed the issue but required further clarification about the potential impact.
- 2021-11-30: I provided a more detailed explanation of the impact and what I thought was happening.
- 2021-12-14: Qualcomm confirmed the vulnerability and is trying to establish the root cause.
- 2021-12-15: Qualcomm identified the root cause and is working on a fix.
- 2021-12-16: I reported my investigation of the root cause (which I was fairly confident was due to coherency but could not confirm) to Qualcomm.
- 2021-12-16: Qualcomm confirmed that their analysis of the root cause agreed with mine.
- 2022-09-26: Qualcomm informed me that CVE-2022-25664 was assigned to the issue and that the patch was released to customers privately in April 2022, and should soon be published in the Android bulletin.
- 2022-10-03: Issue disclosed publicly in the Qualcomm security bulletin and in the Pixel update bulletin.
Summary
A vulnerability in the Adreno GPU allows physical memory to be read by an untrusted app.
Product
Adreno GPU
Tested Version
Tested on Qualcomm phones, Pixel 4 up to September 2022 Patch.
Details
Memory coherency issue leads to GPU commands leaking page memory (GHSL-2022-092)
Due to a coherency gap between the GPU and CPU views of memory, it is possible to retrieve the contents of unmapped pages via GPU commands. When an mmapped region is mapped to the Adreno GPU, the backing pages still hold their stale content from the GPU's point of view: the pages were zeroed in the CPU cache only, and that initialization does not reach physical memory until a cache flush happens. The GPU therefore reads the stale contents of these pages, which results in an information leak, because the stale contents need not belong to the process that just mmapped the page (the page can come from anywhere, including another process or the kernel).
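The following is an added illustration, not Qualcomm, Adreno driver or GHSL code: a toy model of a write-back CPU cache between the CPU and physical memory, with a non-coherent device (standing in for the GPU) that reads physical memory directly. The page size, line size and the 'S' bytes standing in for a previous owner's data are constructed for the model. It shows the defect the advisory describes (zeroing done only in the CPU cache is invisible to the device) and the check that closes it (writing the dirty lines back before the device is allowed to read the page).

```c
/*
 * Toy model of a write-back cache in front of physical memory, with a device
 * that bypasses the cache. Added example, not code from the advisory.
 * The cache is large enough to hold the whole (tiny) page, so no eviction
 * ever writes lines back by itself; only an explicit writeback does.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 64                       /* constructed: tiny page for the model */
#define LINE_SIZE 16
#define NUM_LINES (PAGE_SIZE / LINE_SIZE)

/* Physical memory: one page. */
static uint8_t phys_page[PAGE_SIZE];

/* Write-back cache: one slot per line of the page, with a dirty bit. */
struct cache_line {
    bool valid;
    bool dirty;
    uint8_t data[LINE_SIZE];
};
static struct cache_line cache[NUM_LINES];

static void reset_model(void) {
    /* Constructed: the page's previous owner left recognisable bytes behind. */
    memset(phys_page, 'S', PAGE_SIZE);
    memset(cache, 0, sizeof cache);
}

/* CPU store: write-allocate the line in the cache and mark it dirty.
 * Nothing reaches phys_page at this point. */
static void cpu_write(size_t off, uint8_t v) {
    struct cache_line *l = &cache[off / LINE_SIZE];
    if (!l->valid) {
        memcpy(l->data, &phys_page[(off / LINE_SIZE) * LINE_SIZE], LINE_SIZE);
        l->valid = true;
    }
    l->data[off % LINE_SIZE] = v;
    l->dirty = true;
}

/* Write dirty lines back to physical memory: the step a non-coherent device
 * mapping needs before the device reads the page. */
static void cache_writeback_page(void) {
    for (size_t i = 0; i < NUM_LINES; i++) {
        if (cache[i].valid && cache[i].dirty) {
            memcpy(&phys_page[i * LINE_SIZE], cache[i].data, LINE_SIZE);
            cache[i].dirty = false;
        }
    }
}

/* Device (GPU) read: straight from physical memory, never through the CPU cache. */
static uint8_t device_read(size_t off) { return phys_page[off]; }

/* Page initialization as the CPU performs it: zero every byte. */
static void zero_page_via_cpu(void) {
    for (size_t off = 0; off < PAGE_SIZE; off++)
        cpu_write(off, 0);
}

/* How many bytes the device sees that are not zero after the "zeroed" page is mapped. */
static size_t device_nonzero_bytes(void) {
    size_t n = 0;
    for (size_t off = 0; off < PAGE_SIZE; off++)
        if (device_read(off) != 0)
            n++;
    return n;
}

/* Defective sequence: zero in the CPU, hand the page to the device, no writeback. */
size_t stale_bytes_without_writeback(void) {
    reset_model();
    zero_page_via_cpu();
    return device_nonzero_bytes();   /* whole page: the old owner's bytes are visible */
}

/* Corrected sequence: zero, write back, then hand the page to the device. */
size_t stale_bytes_with_writeback(void) {
    reset_model();
    zero_page_via_cpu();
    cache_writeback_page();
    return device_nonzero_bytes();   /* 0 */
}

int main(void) {
    printf("without writeback: %zu stale bytes visible to the device\n",
           stale_bytes_without_writeback());
    printf("with writeback:    %zu stale bytes visible to the device\n",
           stale_bytes_with_writeback());
    return 0;
}
```

The model deliberately omits the reverse direction (invalidating CPU cache lines before the CPU reads data the device wrote), since the advisory concerns only the CPU-to-device path; real drivers need both maintenance operations around every non-coherent mapping.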
Impact
This issue may lead to information leak.
CVE
- CVE-2022-25664
Credit
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
Contact
You can contact the GHSL team at securitylab@github.com, please include a reference to GHSL-2022-092 in any communication regarding this issue.