From 076fe11fe5c629a3bb05d7866b83a46c3369d9e7 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Thu, 15 Jan 2026 18:43:27 +0000 Subject: [PATCH] Add content from: Pixel 0-click (Part 2): Escaping the mediacodec sandbox via ... --- src/SUMMARY.md | 1 + ...x-sds-rb-priv-bypass-gpu-smmu-kernel-rw.md | 11 +++-- ...gwave-bigo-job-timeout-uaf-kernel-write.md | 48 +++++++++++++++++++ 3 files changed, 56 insertions(+), 4 deletions(-) create mode 100644 src/binary-exploitation/linux-kernel-exploitation/pixel-bigwave-bigo-job-timeout-uaf-kernel-write.md diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 4879cb8a67a..ff4249f5054 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -886,6 +886,7 @@ - [Af Unix Msg Oob Uaf Skb Primitives](binary-exploitation/linux-kernel-exploitation/af-unix-msg-oob-uaf-skb-primitives.md) - [Arm64 Static Linear Map Kaslr Bypass](binary-exploitation/linux-kernel-exploitation/arm64-static-linear-map-kaslr-bypass.md) - [Ksmbd Streams Xattr Oob Write Cve 2025 37947](binary-exploitation/linux-kernel-exploitation/ksmbd-streams_xattr-oob-write-cve-2025-37947.md) +- [Pixel Bigwave Bigo Job Timeout Uaf Kernel Write](binary-exploitation/linux-kernel-exploitation/pixel-bigwave-bigo-job-timeout-uaf-kernel-write.md) - [Linux kernel exploitation - toctou](binary-exploitation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md) - [PS5 compromission](binary-exploitation/freebsd-ptrace-rfi-vm_map-prot_exec-bypass-ps5.md) - [Windows Exploiting (Basic Guide - OSCP lvl)](binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md) diff --git a/src/binary-exploitation/linux-kernel-exploitation/adreno-a7xx-sds-rb-priv-bypass-gpu-smmu-kernel-rw.md b/src/binary-exploitation/linux-kernel-exploitation/adreno-a7xx-sds-rb-priv-bypass-gpu-smmu-kernel-rw.md index 537abe45c59..0be7b29cdff 100644 --- a/src/binary-exploitation/linux-kernel-exploitation/adreno-a7xx-sds-rb-priv-bypass-gpu-smmu-kernel-rw.md +++ b/src/binary-exploitation/linux-kernel-exploitation/adreno-a7xx-sds-rb-priv-bypass-gpu-smmu-kernel-rw.md @@ -131,17 +131,20 @@ while (page_map[0] == 0x4242424242424242) flush_tlb(); -## Detection and hardening +## Detection -- Firmware/microcode: fix all sites masking $12 to use 0x7 (A7xx) and audit privileged packet gates -- Driver: validate effective IB level for privileged packets and enforce per-context allowlists - Telemetry: alert if CP_SMMU_TABLE_UPDATE (or similar privileged opcodes) appears outside RB/IB0, especially in SDS; monitor anomalous bursts of 4/8-byte CP_MEM_TO_MEM and excessive TLB flush patterns -- Kernel: harden pagetable metadata and detect user PTE corruption patterns ## Impact A local app with GPU access can execute privileged GPU packets, hijack the GPU SMMU, achieve arbitrary kernel physical/virtual R/W, disable SELinux and obtain root on affected Snapdragon A7xx devices (e.g., Samsung S23). Severity: High (kernel compromise). +### See also + +{{#ref}} +pixel-bigwave-bigo-job-timeout-uaf-kernel-write.md +{{#endref}} + ## References - [CVE-2025-21479: Adreno A7xx SDS->RB privilege bypass to kernel R/W (Samsung S23)](https://xploitbengineer.github.io/CVE-2025-21479) diff --git a/src/binary-exploitation/linux-kernel-exploitation/pixel-bigwave-bigo-job-timeout-uaf-kernel-write.md b/src/binary-exploitation/linux-kernel-exploitation/pixel-bigwave-bigo-job-timeout-uaf-kernel-write.md new file mode 100644 index 00000000000..95fc2b7c24a --- /dev/null +++ b/src/binary-exploitation/linux-kernel-exploitation/pixel-bigwave-bigo-job-timeout-uaf-kernel-write.md @@ -0,0 +1,48 @@ +# Pixel BigWave BIGO timeout race UAF → 2KB kernel write from mediacodec + +{{#include ../../banners/hacktricks-training.md}} + +## TL;DR + +- From the SELinux-confined **mediacodec** context, `/dev/bigwave` (Pixel AV1 hardware accelerator) is reachable. A backlog of jobs makes `BIGO_IOCX_PROCESS` hit its **16s wait_for_completion_timeout()** and return while the worker thread concurrently dequeues the same inline `job` structure. +- Closing the FD immediately frees `struct bigo_inst` (which embeds `struct bigo_job`). The worker reconstructs `inst = container_of(job, ...)` and later uses freed fields such as **`job->regs`** inside `bigo_run_job()`, yielding a **Use-After-Free on the inline job/inst**. +- `bigo_pull_regs(core, job->regs)` performs `memcpy_fromio(regs, core->base, core->regs_size)`. By reclaiming the freed slab and overwriting `job->regs`, an attacker gets a **~2144-byte arbitrary kernel write** to a chosen address, with partial control of the bytes by pre-programming register values before the timeout. + +## Attack surface mapping (SELinux → /dev reachability) + +- Use tools like **DriverCartographer** to enumerate device nodes accessible from a given SELinux domain. Despite mediacodec’s constrained policy (software decoders should stay in an isolated context), `/dev/bigwave` remained reachable, exposing a large attack surface to post-media-RCE code. + +## Vulnerability: BIGO_IOCX_PROCESS timeout vs worker + +- Flow: ioctl copies user register buffer into `job->regs`, queues the inline `job`, then `wait_for_completion_timeout(..., 16s)`. On timeout it tries to dequeue/cancel and returns to userspace. +- Meanwhile `bigo_worker_thread` may have just dequeued the same `job`: + +```c +inst = container_of(job, struct bigo_inst, job); +bigo_push_regs(core, job->regs); +... +bigo_pull_regs(core, job->regs); // memcpy_fromio(regs, core->base, core->regs_size) +*(u32 *)(job->regs + BIGO_REG_STAT) = status; +``` + +- If userspace closes the FD after the timeout, `inst`/`job` are freed while the worker keeps using them → UAF. No synchronization ties FD lifetime to the worker thread’s job pointer. + +## Exploitation outline + +1. **Backlog + timeout:** Queue enough jobs so the worker is delayed, then issue `BIGO_IOCX_PROCESS` and let it hit the 16s timeout path. +2. **Free while in use:** As soon as ioctl returns, `close(fd)` to free `inst`/`job` while the worker is still running the dequeued job. +3. **Reclaim + pointer control:** Spray reclaimers (e.g., **Unix domain socket message** allocations) to occupy the freed slab slot and overwrite the inline `job`, especially `job->regs`. +4. **Arbitrary write:** When `bigo_pull_regs()` runs, `memcpy_fromio()` writes **core->regs_size (~2144 bytes)** from MMIO into the attacker-supplied address in `job->regs`, producing a large write-what-where without a KASLR leak. +5. **Data shaping:** Because registers are first programmed from user data (`bigo_push_regs`), set them so the hardware does not execute, keeping the copied-back register image close to attacker-controlled bytes. + +## Takeaways for driver reviewers + +- Inline per-FD job structs enqueued to async workers must hold references that survive timeout/cancel paths; **closing an FD must synchronize with worker consumption**. +- Any MMIO copy helpers (`memcpy_fromio`/`memcpy_toio`) that use buffer pointers from jobs should be validated or duplicated before enqueuing to avoid UAF→write primitives. + +## References + +- [Pixel 0-click (Part 2): Escaping the mediacodec sandbox via the BigWave driver](https://projectzero.google/2026/01/pixel-0-click-part-2.html) +- [Project Zero issue 426567975 – BigWave BIGO timeout UAF](https://project-zero.issues.chromium.org/issues/426567975) + +{{#include ../../banners/hacktricks-training.md}}