Pixel BigWave BIGO timeout race UAF → 2KB kernel write from mediacodec

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

TL;DR

• From the SELinux-confined mediacodec context, /dev/bigwave (Pixel AV1 hardware accelerator) is reachable. A backlog of jobs makes BIGO_IOCX_PROCESS hit its 16s wait_for_completion_timeout() and return while the worker thread concurrently dequeues the same inline job structure.
• Closing the FD immediately frees struct bigo_inst (which embeds struct bigo_job). The worker reconstructs inst = container_of(job, ...) and later uses freed fields such as job->regs inside bigo_run_job(), yielding a Use-After-Free on the inline job/inst.
• bigo_pull_regs(core, job->regs) performs memcpy_fromio(regs, core->base, core->regs_size). By reclaiming the freed slab and overwriting job->regs, an attacker gets a ~2144-byte arbitrary kernel write to a chosen address, with partial control of the bytes by pre-programming register values before the timeout.
• Tracked as CVE-2025-36934; fixed in the 2026-01-05 Pixel/2025-12-01 ASB builds.

Attack surface mapping (SELinux → /dev reachability)

• Tumia zana kama DriverCartographer kuorodhesha device nodes zinazopatikana kutoka kwa kikoa cha SELinux kilichotengwa. Licha ya sera iliyozuiliwa ya mediacodec (decoder za programu zinapaswa kubaki katika muktadha uliotengwa), /dev/bigwave ilibaki inaweza kufikiwa, ikifichua uso mkubwa wa mashambulizi kwa code iliyopata post-media-RCE.

Vulnerability: BIGO_IOCX_PROCESS timeout vs worker

• Mtiririko: ioctl inakopisha buffer ya register ya mtumiaji ndani ya job->regs, inaweka kwenye foleni inline job, kisha inaitwa wait_for_completion_timeout(..., 16s). Kwa timeout inajaribu kuondoa katika foleni/kufuta na kurejea kwa userspace.
• Wakati huo huo bigo_worker_thread inaweza kuwa imeondoa tu foleni ya job ile ile:

inst = container_of(job, struct bigo_inst, job);
bigo_push_regs(core, job->regs);
...
bigo_pull_regs(core, job->regs);   // memcpy_fromio(regs, core->base, core->regs_size)
*(u32 *)(job->regs + BIGO_REG_STAT) = status;

• Ikiwa userspace inafunga FD baada ya timeout, inst/job zinarudishwa wakati worker bado anazitumia → UAF. Hakuna ulandanishaji unaomhusisha uhai wa FD na job pointer ya worker thread.

Muhtasari wa Exploitation

1. Backlog + timeout: Queue job za kutosha ili worker achelewe, kisha tuma BIGO_IOCX_PROCESS na uruhusu ifike kwenye njia ya timeout ya 16s.
2. Free while in use: Mara tu ioctl inaporudisha, piga close(fd) kuifreesha inst/job wakati worker bado anaendesha job iliyotolewa.
3. Reclaim + pointer control: Spray reclaimers (e.g., Unix domain socket message allocations) ili kuchukua freed slab slot na kuandika upya inline job, hasa job->regs.
4. Arbitrary write: Wakati bigo_pull_regs() inafanya kazi, memcpy_fromio() inaandika core->regs_size (~2144 bytes) kutoka MMIO kwenye anwani iliyotolewa na mshambuliaji katika job->regs, ikitoa write-what-where kubwa bila KASLR leak.
5. Data shaping: Kwa sababu registers zinawekwa kwanza kutoka kwa data ya user (bigo_push_regs), weka hizo ili hardware isitekeleze, ukihakikisha picha ya register iliyorudishwa iko karibu na byte zinazodhibitiwa na mshambuliaji.

Minimal PoC skeleton (blocking backlog + reclaim)

int fd = open("/dev/bigwave", O_RDWR);
for (int i = 0; i < 64; i++) submit_job(fd, regs_buf);   // fill worker queue
submit_job(fd, regs_buf);                                // victim job
auto t0 = now();
while (now() - t0 < 17000ms) sched_yield();              // hit 16s timeout
close(fd);                                               // free inst/job
spray_uds_msgs(payload_pointing_to_target, spray_count); // reclaim slab
sleep(1);                                                // let worker memcpy_fromio

• regs_buf inapaswa kuandaa BigWave ili iwe katika hali ya kutokuwa na kazi (kwa mfano, kuweka control bits ili kupitisha utekelezaji) ili picha ya rejista iliyorejeshwa (copied-back) ibaki ikitabirika.

Hitimisho kwa wakaguzi wa dereva

• Miundo ya job za inline kwa kila FD zinazoingizwa kwa async workers lazima ziwe na marejeo yanayodumu kupitia njia za timeout/cancel; kufunga FD kunapaswa kusawazishwa na matumizi ya worker.
• Kila helper ya kunakili MMIO (memcpy_fromio/memcpy_toio) inayotumia buffer pointers kutoka kwa jobs inapaswa kuthibitishwa au kuonekana (duplicated) kabla ya kuingizwa kwa queue ili kuepuka UAF→write primitives.

References

• Pixel 0-click (Part 2): Escaping the mediacodec sandbox via the BigWave driver
• Project Zero issue 426567975 – BigWave BIGO timeout UAF
• CVE-2025-36934 entry (BigWave driver)

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.