Another day, another vulnerability exposed by Google's Project Zero. For those unaware, the security team is quite well-known for discovering vulnerabilities in the software developed by the company itself as well as those built by other firms. Its methodology involves identifying security flaws in software and privately reporting them to vendors, giving them 90 days to fix them before public disclosure. Depending upon the complexity of the fix required, it sometimes also offers additional days in the form of a grace period.
Over the past couple of years, the team has revealed major vulnerabilities in Windows 10 S, macOS kernel, and iOS, among others. Now, Google Project Zero has publicly announced a "high" severity security flaw in Qualcomm Adreno GPUs following a botched fix by the company.
You can view the nitty-gritty details of the bug present in Qualcomm's code in Google's listing here, but the gist of the matter relates to how GPU shared mappings are handled. The Adreno GPU driver links a private device structure for each kernel graphics support layer (KGSL) descriptor, which contains the page tables needed for context switching. This structure is associated to the process ID (PID) of the process which calls it but can be reused by other KGSL descriptors in the same process, likely to improve performance.
When the calling process forks to create a child process, the latter also inherits the private structure of a KGSL descriptor that was initially created for the parent process, rather than creating a new one. Essentially, this gives the child process - which could be an attacker - read access over subsequent GPU mappings that would be created by the parent process, without the parent knowing about it.
As can be seen, this is quite a complex attack and Google Project Zero says that in a real-world scenario, a successful exploitation would require the attacker to "loop the PID and then trigger either a well-timed intent or system service restart via a crashing bug. The exploit would then likely attempt to recover the contents of the victim's GPU compositing (or the results of other GPU operations)."
This issue was reported to Qualcomm on September 15, with suggestions to fix it, and the standard deadline of 90 days which would expire on December 14. On December 7, Qualcomm completed the fix and shared the information privately with OEMs. It told the Project Zero team that it will disclose details in a public bulletin in January 2021.
This is where it gets tricky: Google Project Zero explored Qualcomm's fix for validation purposes, and realized that it actually introduces a new issue that can lead to kernel privilege escalation. On December 10, this was communicated to Qualcomm along with the recommendation that it doesn't release its proposed patch until the new security flaw is fixed. Qualcomm responded on the same day saying that it is further investigating.
However, now that the deadline is up, Project Zero has publicly exposed the high severity flaw in the Adreno GPU driver. It's unclear why Qualcomm did not request an additional grace period to fix the flaw. If it did, the details are not mentioned in Google's bulletin. As it currently stands, the security bug is now public, which means that Qualcomm is now in a race against the clock to fix it as soon as possible before a wider range of attackers figure out vectors and attack surfaces to exploit it.