Coordinated Disclosure Timeline
- 2021-11-25: Issue reported to Qualcomm.
- 2021-11-30: Qualcomm analyzed the issue but required further clarification about the potential impact.
- 2021-11-30: I provided a more detailed explanation of the impact and what I thought was happening.
- 2021-12-14: Qualcomm confirmed the vulnerability and is trying to established the root cause.
- 2021-12-15: Qualcomm identified the root cause and is working on a fix.
- 2021-12-16: I reported my investigation of the root cause (which I was fairly confident was due to coherent but could not confirm) to Qualcomm.
- 2021-12-16: Qualcomm confirmed that their analysis of the root cause agreed with mine.
- 2022-09-26: Qualcomm informed me that CVE-2022-25664 was assigned to the issue and that the patch was released to customers privately in April 2022, and should soon be published in the Android bulletin.
- 2022-10-03: Issue disclosed publicly in the Qualcomm security bulletin and in the Pixel update bulletin
A vulnerability in the Adreno GPU allows physical memory to be read by an untrusted app.
Tested on Qualcomm phones, Pixel 4 up to September 2022 Patch.
Memory coherent issue leads to GPU command leaking page memory (
Due to coherency between GPU and CPU memory, It is possible to retrieve contents of unmapped pages via the use of GPU commands. When a mmapped region is mapped to the Adreno GPU, the GPU still holds the stale content in the backing pages because the pages were initialized to zero in the CPU cache only, and the initialization is not synced with the physical memory until a cache flush happens. This allows the GPU to read the stale contents of these pages and results in an information leak as these stale contents may not belong to the process that just mmapped the page (the page can come from anywhere, another process or kernel).
This issue may lead to information leak.
This issue was discovered and reported by GHSL team member @m-y-mo (Man Yue Mo).
You can contact the GHSL team at
email@example.com, please include a reference to
GHSL-2022-092 in any communication regarding this issue.