Technical details have been published about a vulnerability in the Arm Mali GPU driver that leads to code execution in the kernel and the rooting of Pixel 6 devices from a malicious application installed on the target device.
Tracked as CVE-2022-38181, it has a CVSS score of 8.8 and is a use-after-free bug that affects Arm Mali driver versions prior to r40p0 (released October 7, 2022).
The problem, as explained by GitHub Security Lab researcher Man Yue Mo, involves a special type of GPU memory, JIT memory, and a special function for submitting job chains to the GPU.
Through CVE-2022-38181, malicious code can add a JIT memory region to the eviction list and then create memory pressure to trigger a vulnerable eviction, so that the JIT region is freed while a pointer to it is left in place.
The researcher found that the freed JIT region can be replaced with a fake object that can be used to free arbitrary pages, which in turn gives arbitrary kernel memory read and write.
To achieve arbitrary kernel code execution, the attacker then needs to map the kernel code into the GPU's address space; that capability can be used to overwrite the credentials of the attacking process to obtain root and disable SELinux.
Man Yue Mo reported the vulnerability to the Android security team in July 2022 along with a PoC. Initially, the flaw was rated as high severity, but the report was then forwarded to the Arm team.
According to the researcher, after Arm's October 2022 patch, Google included a fix for this vulnerability in the January 2023 security update for Pixel devices, but without mentioning the CVE identifier or the original bug report.
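For defenders checking a device inventory against the affected range stated above (Mali driver versions prior to r40p0), here is a small added example that is not part of the original article: it parses Arm's rNNpM version strings and classifies them. The build-suffix format (e.g. "-01eac0") and the inventory strings are assumptions; as the Pixel case shows, a vendor may backport the fix without bumping the driver version, so a version check alone does not prove a device is patched.

```python
import re

# Arm Mali driver versions use the form rNNpM, optionally followed by a
# build suffix such as "-01eac0" (the suffix format is an assumption).
_VERSION_RE = re.compile(r"^r(\d+)p(\d+)(?:-[0-9A-Za-z]+)?$")

# First release carrying the fix for CVE-2022-38181, as stated in the article.
FIXED_VERSION = "r40p0"


def parse_mali_version(version):
    """Return (release, point) as integers; raise ValueError on bad input."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Mali driver version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(version, fixed=FIXED_VERSION):
    """True when the driver version predates the first fixed release.

    Note: a vendor may backport the fix without changing this version
    string (Google's January 2023 Pixel update is one such case), so a
    'True' result means 'investigate', not 'confirmed vulnerable'.
    """
    return parse_mali_version(version) < parse_mali_version(fixed)


def triage(versions):
    """Classify version strings from an inventory into three buckets."""
    result = {"affected": [], "patched": [], "unknown": []}
    for v in versions:
        try:
            bucket = "affected" if is_affected(v) else "patched"
        except ValueError:
            bucket = "unknown"  # unparseable entries need manual review
        result[bucket].append(v)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = ["r38p1-01eac0", "r39p0", "r40p0", "r41p0", "unknown-build"]
    for bucket, items in triage(sample).items():
        print(f"{bucket}: {items}")
```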