
Qualcomm Adreno GPU Ringbuffer Corruption / Protected Mode Bypass

Posted by deepcore on September 9, 2020 – 9:23 am

The Qualcomm Adreno GPU shares a global mapping called a “scratch” buffer with the Adreno KGSL kernel driver. The contents of the scratch buffer can be overwritten by untrusted GPU commands. This results in a logic error in the Adreno driver’s ringbuffer allocation code, which can be used to corrupt ringbuffer data. A race condition exists between the ringbuffer corruption and a GPU context switch, and winning it results in a bypass of the GPU protected mode setting. This ultimately means that an attacker can read and write arbitrary physical addresses from userland by running GPU commands while protected mode is disabled, which results in arbitrary kernel code execution.

