CVE-2021-39661: PowerVR Kernel Driver Vulnerability and Exploit Details

CVE-2021-39661 is a vulnerability in the PowerVR kernel driver's "_PMRLogicalOffsetToPhysicalOffset()" function: a missing bounds check that can lead to an out-of-bounds write and, from there, local escalation of privilege, with no additional execution privileges and no user interaction required. If you ship or maintain Android devices built on a PowerVR GPU, you need to know whether the driver you run is affected. This post gives an overview of CVE-2021-39661, with an illustrative code snippet and pointers to the original sources.

Background

CVE-2021-39661 affects Android devices whose SoC uses an Imagination PowerVR GPU and therefore ships the PowerVR (img-rogue) kernel driver. The flaw is in the driver's "_PMRLogicalOffsetToPhysicalOffset()" function, which translates a logical offset inside a Physical Memory Resource (PMR) into a physical offset. The function does not bound the access correctly, allowing an out-of-bounds write, which a local unprivileged process can turn into escalation of privilege. The CVE lists the affected product as "Android SoC" under Android ID A-246824784.

Code Snippet

/* kernel/drivers/video/img-rogue/1.10/pvr_lock_class.c */
PVRSRV_ERROR _PMRLogicalOffsetToPhysicalOffset(const PMR *psPMR,
                                               IMG_DEVMEM_OFFSET_T uiLogicalOffset,
                                               IMG_DEVMEM_OFFSET_T *puiPhysicalOffset)
{
    PVRSRV_ERROR eError;
    ...
    /* Perform bounds checking: only the start offset is compared against
     * the PMR's logical size (uiSize); the length of the access is not. */
    if (uiLogicalOffset >= uiSize)
    {
        eError = PVRSRV_ERROR_PMR_BAD_OFFSET;
        goto e;
    }
    /*
     * Compute the physical offset of the memory based on the logical offset
     */
    *puiPhysicalOffset = psPMR->sFuncTab->pfnGetPhysPerm((void *)&uiLogicalOffset);
    ...
    eError = PVRSRV_OK;
e:
    return eError;
}

The snippet above is a simplified sketch of the function, not the driver's source verbatim. It rejects uiLogicalOffset when it is greater than or equal to uiSize, the logical size of the PMR, and returns PVRSRV_ERROR_PMR_BAD_OFFSET. What it never checks is how far the access that follows will extend: the function answers "where does this offset live?", not "do the bytes the caller is about to write starting there fit inside the allocation?". A start offset that is in range by a single byte still yields a physical address at which a multi-byte write runs off the end of the allocation, which is the out-of-bounds write the CVE describes.
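To make the difference concrete, here is an added, self-contained C example written for this post; it is not the PowerVR driver's code. It models a PMR as a small page table and shows three things side by side: the start-offset-only check from the sketch above, the tempting "offset + len" fix that wraps in 64-bit arithmetic, and a check that bounds the length against the space remaining and also reports how many bytes remain in the current page so a caller can clamp a copy that straddles a page boundary. All names (toy_pmr_t, translate_start_only, translate_checked, naive_sum_check_accepts), the page layout and the sample values are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status codes in the PVRSRV_ERROR style (not the driver's enum). */
typedef enum {
    PMR_OK = 0,
    PMR_ERROR_BAD_OFFSET,   /* start offset is outside the allocation */
    PMR_ERROR_BAD_LENGTH,   /* access would run past the end of the allocation */
} pmr_status_t;

#define PMR_PAGE_SHIFT 12u
#define PMR_PAGE_SIZE  (1ull << PMR_PAGE_SHIFT)
#define PMR_NUM_PAGES  4u

/* Constructed stand-in for a PMR: a logically contiguous allocation of
 * uiSize bytes whose pages can sit anywhere in physical memory. */
typedef struct {
    uint64_t uiSize;
    uint64_t auiPhysPage[PMR_NUM_PAGES];  /* physical base of each page */
} toy_pmr_t;

/* Sample allocation (constructed values): four 4 KiB pages, 16 KiB total. */
static const toy_pmr_t g_pmr = {
    .uiSize = PMR_NUM_PAGES * PMR_PAGE_SIZE,
    .auiPhysPage = { 0x80000000ull, 0x80010000ull, 0x80020000ull, 0x80030000ull },
};

/* Page-table walk shared by both variants. The caller must already have
 * validated uiLogicalOffset < pmr->uiSize, or the table index is out of range. */
static uint64_t logical_to_physical(const toy_pmr_t *pmr, uint64_t uiLogicalOffset)
{
    uint64_t uiPage = uiLogicalOffset >> PMR_PAGE_SHIFT;
    uint64_t uiInPage = uiLogicalOffset & (PMR_PAGE_SIZE - 1);
    return pmr->auiPhysPage[uiPage] + uiInPage;
}

/* VULNERABLE pattern, mirroring the post's sketch: only the start offset is
 * bounds-checked, so a caller that then writes uiLen bytes at the returned
 * physical address can run off the end of the allocation. */
pmr_status_t translate_start_only(const toy_pmr_t *pmr, uint64_t uiLogicalOffset,
                                  uint64_t uiLen, uint64_t *puiPhysicalOffset)
{
    (void)uiLen;  /* never consulted: this is the bug */
    if (uiLogicalOffset >= pmr->uiSize)
        return PMR_ERROR_BAD_OFFSET;
    *puiPhysicalOffset = logical_to_physical(pmr, uiLogicalOffset);
    return PMR_OK;
}

/* The tempting one-line fix is itself wrong: uiLogicalOffset + uiLen can
 * wrap around in 64-bit arithmetic and land back below uiSize. */
bool naive_sum_check_accepts(uint64_t uiLogicalOffset, uint64_t uiLen, uint64_t uiSize)
{
    return uiLogicalOffset + uiLen <= uiSize;
}

/* HARDENED pattern: check the start, then check the length against the space
 * that remains (the subtraction cannot wrap once offset < size), and report
 * how many bytes are contiguous in this page so the caller can clamp a copy
 * that would otherwise straddle a page boundary. */
pmr_status_t translate_checked(const toy_pmr_t *pmr, uint64_t uiLogicalOffset,
                               uint64_t uiLen, uint64_t *puiPhysicalOffset,
                               uint64_t *puiBytesRemainInPage)
{
    if (uiLogicalOffset >= pmr->uiSize)
        return PMR_ERROR_BAD_OFFSET;
    if (uiLen > pmr->uiSize - uiLogicalOffset)
        return PMR_ERROR_BAD_LENGTH;
    *puiPhysicalOffset = logical_to_physical(pmr, uiLogicalOffset);
    *puiBytesRemainInPage = PMR_PAGE_SIZE - (uiLogicalOffset & (PMR_PAGE_SIZE - 1));
    return PMR_OK;
}

int main(void)
{
    uint64_t phys = 0, remain = 0;
    /* A 64-byte write that starts 16 bytes before the end of the allocation. */
    uint64_t off = g_pmr.uiSize - 16, len = 64;

    printf("start-only check : %s\n",
           translate_start_only(&g_pmr, off, len, &phys) == PMR_OK
               ? "accepted (out-of-bounds write)" : "rejected");
    printf("checked variant  : %s\n",
           translate_checked(&g_pmr, off, len, &phys, &remain) == PMR_OK
               ? "accepted" : "rejected");
    printf("naive offset+len accepts a wrapping length: %s\n",
           naive_sum_check_accepts(0x1000, UINT64_MAX - 100, g_pmr.uiSize) ? "yes" : "no");
    return 0;
}
```

The order of the two checks in translate_checked matters: validating the start first is what makes "uiSize - uiLogicalOffset" safe to compute, and comparing the length against that remainder avoids the wrap that defeats the naive sum.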

Exploit Details

Reaching the bug requires nothing more than a local process that can talk to the PowerVR driver, which on affected devices means an ordinary installed app, since the GPU driver interface is exposed to untrusted user space so that applications can render. A malicious app drives "_PMRLogicalOffsetToPhysicalOffset()" with an offset the function does not adequately bound, and the resulting out-of-bounds write in kernel memory is the primitive from which kernel-privilege code execution or data corruption is built. Because no additional permissions and no user interaction are needed, the bug suits a silent privilege-escalation stage in malware, or a chain that begins from an app-level compromise. The sources below give the affected component and severity; they do not publish exploit code.

References

1. Android Security Bulletin - The official Android Security Bulletin provides details about vulnerabilities affecting the Android ecosystem. The entry for CVE-2021-39661 is listed under Android ID A-246824784.

2. National Vulnerability Database (NVD) - The NVD is a United States government repository of known vulnerabilities, including CVE-2021-39661, providing further information and analysis.

Conclusion

CVE-2021-39661 in the PowerVR kernel driver lets a local, unprivileged app escalate to kernel privilege on affected Android devices. If your products use a PowerVR GPU, confirm that the driver build you ship carries the fix referenced under A-246824784 and that devices in the field have received the corresponding security patch level.

Track the Android Security Bulletins for the components in your SoC, not just the Android framework: a driver bug like this one is reachable from every app, so a device that is behind on its patch level is exposed to any app it runs.

Timeline

Published on: 11/08/2022 22:15:00 UTC
Last modified on: 11/09/2022 15:49:00 UTC