Pixel BigWave BIGO timeout race UAF → 2KB kernel write from mediacodec
Tip
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
TL;DR
- From the confined mediacodec SELinux context, `/dev/bigwave` (the Pixel AV1 hardware accelerator) is reachable. A backlog of jobs causes `BIGO_IOCX_PROCESS` to hit its 16 s `wait_for_completion_timeout()` and return while the worker thread concurrently dequeues the same inline job structure.
- Closing the FD right away frees `struct bigo_inst` (which embeds `struct bigo_job`). The worker recomputes `inst = container_of(job, ...)` and later uses freed fields such as `job->regs` inside `bigo_run_job()`, producing a Use-After-Free on the inline job/inst.
- `bigo_pull_regs(core, job->regs)` performs `memcpy_fromio(regs, core->base, core->regs_size)`. By reclaiming the freed slab object and overwriting `job->regs`, an attacker obtains a ~2144-byte arbitrary kernel write to a chosen address, with partial control over the bytes by pre-arranging the register values before the timeout.
Attack surface mapping (SELinux → /dev reachability)
- Use tooling such as DriverCartographer to enumerate the device nodes reachable from a given SELinux domain. Despite the hardened mediacodec policy (software decoders are supposed to stay in an isolated context), `/dev/bigwave` remained accessible, exposing a large attack surface to post-media-RCE code.
Vulnerability: BIGO_IOCX_PROCESS timeout vs worker
- Flow: the ioctl copies the user's register buffer into `job->regs`, enqueues the inline `job`, then calls `wait_for_completion_timeout(..., 16s)`. On timeout it attempts to dequeue/cancel the job and returns to userspace.
- Meanwhile `bigo_worker_thread` may already have dequeued that same `job`:

```c
inst = container_of(job, struct bigo_inst, job);
bigo_push_regs(core, job->regs);
...
bigo_pull_regs(core, job->regs); // memcpy_fromio(regs, core->base, core->regs_size)
*(u32 *)(job->regs + BIGO_REG_STAT) = status;
```

- If userspace closes the FD after the timeout, `inst`/`job` are freed while the worker keeps using them → UAF. No synchronization ties the FD lifetime to the worker thread's job pointer.
Exploitation outline
- Backlog + timeout: enqueue enough jobs that the worker falls behind, then submit `BIGO_IOCX_PROCESS` and let it reach the 16 s timeout path.
- Free while in use: once the ioctl returns, `close(fd)` to free `inst`/`job` while the worker is still processing the dequeued job.
- Reclaim + pointer control: spray reclaimers (for example, Unix domain socket message allocations) to take the freed slab slot and overwrite the inline `job`, in particular `job->regs`.
- Arbitrary write: when `bigo_pull_regs()` runs, `memcpy_fromio()` writes `core->regs_size` (~2144 bytes) from MMIO into the attacker-supplied address in `job->regs`, yielding a large write-what-where without a KASLR leak.
- Data shaping: because the registers are first programmed from user data (`bigo_push_regs`), arrange them so the hardware does not execute, ensuring the register image read back stays close to attacker-controlled bytes.
Key takeaways for driver reviewers
- Inline per-FD job structs enqueued to async workers must hold references that survive the timeout/cancel paths; closing the FD must be synchronized with the worker's use of the job.
- Any MMIO copy helper (`memcpy_fromio`/`memcpy_toio`) that consumes buffer pointers taken from jobs should validate or snapshot them before enqueue, to avoid UAF→write primitives.
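The first takeaway, worked through as an added example (hypothetical model, not BigWave driver code): a per-FD `inst` with an embedded `job` whose lifetime is refcounted, so a worker that has dequeued the job pins `inst` across the register round-trip and `close(fd)` can no longer free it underneath the worker. The one-slot "slab" and its liveness bit are constructed so the stale access is observable.

```c
/* Hypothetical refcounted variant of the inline per-FD job pattern; names are made up. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

struct job  { unsigned char regs[64]; };              /* stand-in for struct bigo_job  */
struct inst { atomic_int refs; struct job job; };     /* stand-in for struct bigo_inst */

/* Constructed one-slot "slab" with a liveness bit so a use-after-free is observable. */
static struct inst slot;
static bool slot_live;

static struct inst *inst_open(void) {                 /* open(): the FD holds one ref */
    memset(&slot, 0, sizeof slot);
    atomic_store(&slot.refs, 1);
    slot_live = true;
    return &slot;
}
static void inst_get(struct inst *i) { atomic_fetch_add(&i->refs, 1); }
static void inst_put(struct inst *i) {                /* drop a ref; last one frees */
    if (atomic_fetch_sub(&i->refs, 1) == 1)
        slot_live = false;                            /* kfree() would happen here */
}

/* Scripted interleaving: ioctl enqueues -> worker dequeues -> 16 s timeout returns
 * -> userspace close(fd) -> worker touches job->regs -> worker finishes.
 * Returns true if job->regs was still backed by live memory when the worker used it. */
bool race_is_safe(bool worker_pins_inst) {
    struct inst *i = inst_open();                                /* open("/dev/bigwave") */
    struct job *j = &i->job;                                     /* ioctl enqueues inline job */
    struct inst *w = container_of(j, struct inst, job);          /* worker dequeues it */
    if (worker_pins_inst)
        inst_get(w);                 /* the fix: worker owns a ref for the job's duration */
    /* ioctl hits its timeout; cancel misses because the job is already dequeued */
    inst_put(i);                                                 /* close(fd) drops FD ref */
    bool live = slot_live;                                       /* worker reaches pull_regs */
    memset(w->job.regs, 0xAA, sizeof w->job.regs);               /* stand-in for memcpy_fromio */
    if (worker_pins_inst)
        inst_put(w);                                             /* worker done, last ref frees */
    return live;
}
```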
References
- Pixel 0-click (Part 2): Escaping the mediacodec sandbox via the BigWave driver
- Project Zero issue 426567975 – BigWave BIGO timeout UAF