Pixel BigWave BIGO timeout race UAF → 2KB kernel write from mediacodec

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

TL;DR

  • From the SELinux-confined mediacodec context, /dev/bigwave (Pixel AV1 hardware accelerator) is reachable. A backlog of jobs makes BIGO_IOCX_PROCESS hit its 16s wait_for_completion_timeout() and return while the worker thread concurrently dequeues the same inline job structure.
  • Closing the FD immediately frees struct bigo_inst (which embeds struct bigo_job). The worker reconstructs inst = container_of(job, ...) and later uses freed fields such as job->regs inside bigo_run_job(), yielding a Use-After-Free on the inline job/inst.
  • bigo_pull_regs(core, job->regs) performs memcpy_fromio(regs, core->base, core->regs_size). By reclaiming the freed slab and overwriting job->regs, an attacker gets a ~2144-byte arbitrary kernel write to a chosen address, with partial control of the bytes by pre-programming register values before the timeout.

Attack surface mapping (SELinux → /dev reachability)

  • Use tools like DriverCartographer to enumerate device nodes accessible from a given SELinux domain. Despite mediacodec’s constrained policy (software decoders should stay in an isolated context), /dev/bigwave remained reachable, exposing a large attack surface to post-media-RCE code.

Vulnerability: BIGO_IOCX_PROCESS timeout vs worker

  • Flow: ioctl copies user register buffer into job->regs, queues the inline job, then wait_for_completion_timeout(..., 16s). On timeout it tries to dequeue/cancel and returns to userspace.
  • Meanwhile bigo_worker_thread may have just dequeued the same job:
inst = container_of(job, struct bigo_inst, job);
bigo_push_regs(core, job->regs);
...
bigo_pull_regs(core, job->regs);   // memcpy_fromio(regs, core->base, core->regs_size)
*(u32 *)(job->regs + BIGO_REG_STAT) = status;
  • If userspace closes the FD after the timeout, inst/job are freed while the worker keeps using them → UAF. No synchronization ties FD lifetime to the worker thread’s job pointer.

Exploitation outline

  1. Backlog + timeout: Queue enough jobs so the worker is delayed, then issue BIGO_IOCX_PROCESS and let it hit the 16s timeout path.
  2. Free while in use: As soon as ioctl returns, close(fd) to free inst/job while the worker is still running the dequeued job.
  3. Reclaim + pointer control: Spray reclaimers (e.g., Unix domain socket message allocations) to occupy the freed slab slot and overwrite the inline job, especially job->regs.
  4. Arbitrary write: When bigo_pull_regs() runs, memcpy_fromio() writes core->regs_size (~2144 bytes) from MMIO into the attacker-supplied address in job->regs, producing a large write-what-where without a KASLR leak.
  5. Data shaping: Because registers are first programmed from user data (bigo_push_regs), set them so the hardware does not execute, keeping the copied-back register image close to attacker-controlled bytes.

Takeaways for driver reviewers

  • Inline per-FD job structs enqueued to async workers must hold references that survive timeout/cancel paths; closing an FD must synchronize with worker consumption.
  • Any MMIO copy helpers (memcpy_fromio/memcpy_toio) that use buffer pointers from jobs should be validated or duplicated before enqueuing to avoid UAF→write primitives.

References

Tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks