CVE-2021-39661 - Understanding, Exploiting, and Securing the PowerVR PMRLogicalOffsetToPhysicalOffset Out-of-Bounds Write Vulnerability

In late 2021, a critical vulnerability surfaced in Android devices using PowerVR GPUs. Tracked as CVE-2021-39661, this bug lies within the PowerVR kernel driver, specifically the PMRLogicalOffsetToPhysicalOffset function. A missing bounds check made it possible for a malicious local app to corrupt kernel memory and potentially escalate its privileges, all without needing any extra permissions or direct user action.

This post breaks down what went wrong, shows what exploitation could look like, and shares how you should defend against it. We’ll give you references and even include code samples to illustrate the issue simply. This walkthrough is original and simplified for easy understanding.

Vulnerability Type: Out-of-bounds Write

- CVE: CVE-2021-39661
- Google Android Security ID: A-246824784

Explanation

The PowerVR kernel driver translates logical memory offsets to physical addresses for buffer management. In the affected code, the function did not check whether the provided offset was within allowed bounds. If an attacker supplies a large or negative value, the driver performs a memory write outside the intended area—potentially overwriting critical kernel data.

This is a “local privilege escalation”: any app running on the device can use this flaw to gain higher system rights.

Here’s a simplified C-like pseudocode (not the real source) demonstrating the bug

// Vulnerable: Lacks bounds check for logical_offset
int PMRLogicalOffsetToPhysicalOffset(PMR *pmr, size_t logical_offset, phys_addr_t *phys_addr) {
    // No check: logical_offset could be WAY out of range
    size_t chunk = logical_offset / CHUNK_SIZE;
    *phys_addr = pmr->physical_chunks[chunk] + (logical_offset % CHUNK_SIZE);
    return ;
}

What’s missing?
There’s no check to ensure chunk stays within the correct bounds (chunk < pmr->num_chunks). If logical_offset is too large, this accesses or writes where it shouldn’t.

Exploit Walkthrough

1. Prepare: Write an app that communicates with the PowerVR driver—normally via /dev/pvr.

Craft Malicious Offset: Send a logical_offset value much bigger than the allowed buffer.

3. Trigger Vulnerability: The driver computes an out-of-bounds write, possibly smashing kernel pointers, process structures, or enabling further kernel hacking.

Privilege Escalation:

If the attacker is lucky/skillful, they overwrite sensitive data (like a credential structure), granting themselves root permissions or other elevated capabilities.

This is a concept, not a working exploit

int fd = open("/dev/pvr", O_RDWR);
struct ExploitRequest req;
req.logical_offset = xFFFFFFFF; // Intentionally massive value
ioctl(fd, PVR_IOCTL_PMRLOGICAL_TO_PHYSICAL, &req);
// If unpatched, kernel now wrote outside intended memory

*Note: The actual exploit may use specific IOCTL numbers and extra steps, but this shows the main idea.*

Google Security Bulletin (March 2022):

https://source.android.com/security/bulletin/2022-03-01

NIST NVD Entry:

https://nvd.nist.gov/vuln/detail/CVE-2021-39661

Imagination Technologies Security Advisory:

*(No public link for this specific bug, but keep up with Imagination Tech’s security)*

The fix is simple: add the missing bounds check. Here’s what secure code might look like

// Secure: Checks if 'chunk' is valid before access
int PMRLogicalOffsetToPhysicalOffset(PMR *pmr, size_t logical_offset, phys_addr_t *phys_addr) {
    size_t chunk = logical_offset / CHUNK_SIZE;
    if (chunk >= pmr->num_chunks) {
        return -EINVAL; // Error: invalid offset
    }
    *phys_addr = pmr->physical_chunks[chunk] + (logical_offset % CHUNK_SIZE);
    return ;
}

If you look at later updates or vendor trees, you’ll see a check ensuring the offset (and chunk index) is never out of range, preventing crashes and privilege escalation.

Summary Table

|                    | Before Patch           | After Patch (March 2022+)   |
|--------------------|-----------------------|-----------------------------|
| Bounds Check?      | ❌ No                  | ✅ Yes                      |
| Privilege Escalation Risk | ✅ Yes        | ❌ No                        |
| User Interaction   | ❌ Not Needed          | ❌ Not Needed               |

Conclusion

CVE-2021-39661 was a dangerous vulnerability in PowerVR GPU drivers, making it easy for any app on an affected Android device to gain escalated privileges via a simple programming oversight. The bug highlights the importance of proper bounds checks, even in low-level graphics code.

If you’re a developer, always validate inputs—especially when dealing with kernel interfaces. If you’re a user, keep your device updated to benefit from critical security patches like this one.

If you want to learn more, start by reading the official Google Android Security Bulletin, and dive deeper into kernel exploitation research if you’re interested in the technical side of Android security.

Timeline

Published on: 11/08/2022 22:15:00 UTC
Last modified on: 11/09/2022 15:49:00 UTC