A critical vulnerability (CVE-2022-22057) has been identified in Qualcomm's Snapdragon chipsets, affecting Snapdragon Auto, Snapdragon Compute, Snapdragon Connectivity, Snapdragon Industrial IOT, Snapdragon Mobile, and Snapdragon Wearables. It is a use-after-free (UAF) bug in the graphics fence subsystem, caused by a race condition that occurs when a fence file descriptor is closed while the graphics timeline is being destroyed. In this post, we will discuss the details of this vulnerability, some code snippets that demonstrate the issue, and the potential ways to exploit it.

Vulnerability Details

This vulnerability resides in the graphics subsystem of the Snapdragon chipset, specifically within the fence logic that controls the synchronization of multiple graphics operations. When a fence file descriptor is closed at the same time as a graphics timeline is destroyed, a race condition occurs, which leads to the UAF bug.

The vulnerable code snippet can be found in the following function:

/* sample_fence.c */
void fence_release(struct kref *kref) {
    struct fence *fence = container_of(kref, struct fence, refcount);
    struct fence_ops *ops = fence->ops;

    trace_fence_destroy(fence); /* vulnerable trace point */
    ops->release(fence);
    kfree(fence);
}

During the execution of fence_release, we see the invocation of trace_fence_destroy(), which generates trace events for debugging purposes. If an attacker can trigger the destruction of the graphics fence while this function is executing, it will lead to a race condition.
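The following is an added example, not code from the original post and not Qualcomm's driver or patch. It is a single-threaded userspace replay of the interleaving described above, under the assumption that timeline teardown walks a list of fences and takes a reference on each one; it contrasts an unchecked reference grab with the get-unless-zero pattern (the idea behind the kernel's kref_get_unless_zero). All names are hypothetical.

```c
/* Userspace model with hypothetical names; not the Qualcomm driver code. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct fence {
    atomic_int refcount;
    bool on_timeline;  /* still linked in the timeline's fence list */
    int releases;      /* times the release path ran; 2 = double free */
};

/* Weak pattern: takes a reference even if the count already hit zero. */
static bool get_unchecked(struct fence *f) {
    atomic_fetch_add(&f->refcount, 1);
    return true;
}

/* Hardened pattern: never resurrect an object whose last ref is gone. */
static bool get_unless_zero(struct fence *f) {
    int old = atomic_load(&f->refcount);
    while (old != 0)
        if (atomic_compare_exchange_weak(&f->refcount, &old, old + 1))
            return true;
    return false;
}

/* Replays the interleaving deterministically; returns release count. */
static int replay_race(bool (*get)(struct fence *)) {
    struct fence f = { .refcount = 1, .on_timeline = true, .releases = 0 };
    /* A: close(fd) drops the last ref; release is committed but the
       fence has not been unlinked from the timeline yet. */
    atomic_fetch_sub(&f.refcount, 1);

    /* B: timeline destroy walks the list and pins each fence. */
    if (f.on_timeline && get(&f)) {
        f.on_timeline = false;
        if (atomic_fetch_sub(&f.refcount, 1) == 1)
            f.releases++;          /* B's put frees the fence */
    }
    /* A resumes: unlinks and frees the fence it already committed to. */
    f.on_timeline = false;
    f.releases++;
    return f.releases;
}

int main(void) {
    printf("unchecked: %d release(s)\n", replay_race(get_unchecked));
    printf("unless_zero: %d release(s)\n", replay_race(get_unless_zero));
}
```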

Race Condition Exploitation

A race condition, such as the one present in CVE-2022-22057, can be exploited by an attacker to trigger a UAF error and potentially execute arbitrary code. In order to exploit this vulnerability, an attacker could perform the following steps:


3. Start a new thread that attempts to close the fence file descriptor while the fence is being released:

return NULL;

}

Original Reference & Additional Resources

1. Security Advisory: CVE-2022-22057 - Official security bulletin from Qualcomm detailing the vulnerability.

2. Linux Kernel Fence Subsystem - Detailed explanation of the fence subsystem in the Linux kernel, where the vulnerability lies.

Conclusion

CVE-2022-22057 is a critical vulnerability in the Snapdragon chipset's graphics subsystem, affecting a variety of products, including automotive, compute, connectivity, industrial IoT, mobile, and wearables. By exploiting the use-after-free bug caused by a race condition, an attacker can potentially execute arbitrary code on the system, leading to severe consequences. If you are using a Snapdragon-based system, it is important to apply any available security updates for your devices to mitigate the risk.

Timeline

Published on: 06/14/2022 10:15:00 UTC
Last modified on: 06/22/2022 14:50:00 UTC