
Android Universal Root: Exploiting Mobile GPU / Command Queue Drivers

Conference:  Black Hat USA 2022

2022-08-10

Abstract

Rooting a modern Android device through kernel bugs from an unprivileged process, without any hardcoded offsets or addresses and with an almost 100% success rate, is exceptionally rare. After reporting the in-the-wild CVE-2020-0069 in MediaTek's Command Queue device driver, we conducted a security review of ImgTec's PowerVR GPU device driver, during which we discovered and reported several such rare vulnerabilities (e.g. CVE-2021-39815 in the GPU driver). In total, we discovered 35+ exploitable bugs.

This talk will primarily focus on GPU hacking. There have been many vulnerability reports about other GPUs such as Mali and Adreno in the last few years, but Google has received only a single report about ImgTec's PowerVR GPU. The security risks of ImgTec's PowerVR GPUs appear to have been underexplored so far, even though ImgTec may have the largest GPU market share in the Android ecosystem, as many affordable, popular devices ship with ImgTec GPUs. In addition to Android devices, many Chromebooks also use PowerVR GPUs. This makes the discovered vulnerabilities and exploits truly cross-platform, and 10 more OEMs are affected.

In general, kernel memory management for CPUs and GPUs is complex, which makes it easy to produce unwanted or undefined outcomes. We will discuss the design and implementation of GPU driver technologies, including kernel APIs, memory management, kernel object lifetime, and the implementation of the OpenCL internal libraries.

We will also highlight the latest SELinux policy for limiting unprivileged interaction with ImgTec's PowerVR GPUs on devices, and how to achieve a stable bypass. We will discuss the details of the exploit and show a demo rooting a well-known PowerVR device.
