Pixel 0-click (Part 2) Escaping the mediacodec sandbox via t...

src/SUMMARY.md

@@ -886,6 +886,7 @@
 - [Af Unix Msg Oob Uaf Skb Primitives](binary-exploitation/linux-kernel-exploitation/af-unix-msg-oob-uaf-skb-primitives.md)
 - [Arm64 Static Linear Map Kaslr Bypass](binary-exploitation/linux-kernel-exploitation/arm64-static-linear-map-kaslr-bypass.md)
 - [Ksmbd Streams Xattr Oob Write Cve 2025 37947](binary-exploitation/linux-kernel-exploitation/ksmbd-streams_xattr-oob-write-cve-2025-37947.md)
+- [Pixel Bigwave Bigo Job Timeout Uaf Kernel Write](binary-exploitation/linux-kernel-exploitation/pixel-bigwave-bigo-job-timeout-uaf-kernel-write.md)
 - [Linux kernel exploitation - toctou](binary-exploitation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md)
 - [PS5 compromission](binary-exploitation/freebsd-ptrace-rfi-vm_map-prot_exec-bypass-ps5.md)
 - [Windows Exploiting (Basic Guide - OSCP lvl)](binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md)

src/binary-exploitation/linux-kernel-exploitation/adreno-a7xx-sds-rb-priv-bypass-gpu-smmu-kernel-rw.md

@@ -131,17 +131,20 @@ while (page_map[0] == 0x4242424242424242) flush_tlb();
 
 </details>
 
-## Detection and hardening
+## Detection
 
-- Firmware/microcode: fix all sites masking $12 to use 0x7 (A7xx) and audit privileged packet gates
-- Driver: validate effective IB level for privileged packets and enforce per-context allowlists
 - Telemetry: alert if CP_SMMU_TABLE_UPDATE (or similar privileged opcodes) appears outside RB/IB0, especially in SDS; monitor anomalous bursts of 4/8-byte CP_MEM_TO_MEM and excessive TLB flush patterns
-- Kernel: harden pagetable metadata and detect user PTE corruption patterns
 
 ## Impact
 
 A local app with GPU access can execute privileged GPU packets, hijack the GPU SMMU, achieve arbitrary kernel physical/virtual R/W, disable SELinux and obtain root on affected Snapdragon A7xx devices (e.g., Samsung S23). Severity: High (kernel compromise).
 
+### See also
+
+{{#ref}}
+pixel-bigwave-bigo-job-timeout-uaf-kernel-write.md
+{{#endref}}
+
 ## References
 
 - [CVE-2025-21479: Adreno A7xx SDS->RB privilege bypass to kernel R/W (Samsung S23)](https://xploitbengineer.github.io/CVE-2025-21479)

src/binary-exploitation/linux-kernel-exploitation/pixel-bigwave-bigo-job-timeout-uaf-kernel-write.md

@@ -0,0 +1,48 @@
+# Pixel BigWave BIGO timeout race UAF → 2KB kernel write from mediacodec
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## TL;DR
+
+- From the SELinux-confined **mediacodec** context, `/dev/bigwave` (Pixel AV1 hardware accelerator) is reachable. A backlog of jobs makes `BIGO_IOCX_PROCESS` hit its **16s wait_for_completion_timeout()** and return while the worker thread concurrently dequeues the same inline `job` structure.
+- Closing the FD immediately frees `struct bigo_inst` (which embeds `struct bigo_job`). The worker reconstructs `inst = container_of(job, ...)` and later uses freed fields such as **`job->regs`** inside `bigo_run_job()`, yielding a **Use-After-Free on the inline job/inst**.
+- `bigo_pull_regs(core, job->regs)` performs `memcpy_fromio(regs, core->base, core->regs_size)`. By reclaiming the freed slab and overwriting `job->regs`, an attacker gets a **~2144-byte arbitrary kernel write** to a chosen address, with partial control of the bytes by pre-programming register values before the timeout.
+
+## Attack surface mapping (SELinux → /dev reachability)
+
+- Use tools like **DriverCartographer** to enumerate device nodes accessible from a given SELinux domain. Despite mediacodec’s constrained policy (software decoders should stay in an isolated context), `/dev/bigwave` remained reachable, exposing a large attack surface to post-media-RCE code.
+
+## Vulnerability: BIGO_IOCX_PROCESS timeout vs worker
+
+- Flow: ioctl copies user register buffer into `job->regs`, queues the inline `job`, then `wait_for_completion_timeout(..., 16s)`. On timeout it tries to dequeue/cancel and returns to userspace.
+- Meanwhile `bigo_worker_thread` may have just dequeued the same `job`:
+
+```c
+inst = container_of(job, struct bigo_inst, job);
+bigo_push_regs(core, job->regs);
+...
+bigo_pull_regs(core, job->regs);   // memcpy_fromio(regs, core->base, core->regs_size)
+*(u32 *)(job->regs + BIGO_REG_STAT) = status;
+```
+
+- If userspace closes the FD after the timeout, `inst`/`job` are freed while the worker keeps using them → UAF. No synchronization ties FD lifetime to the worker thread’s job pointer.
+
+## Exploitation outline
+
+1. **Backlog + timeout:** Queue enough jobs so the worker is delayed, then issue `BIGO_IOCX_PROCESS` and let it hit the 16s timeout path.
+2. **Free while in use:** As soon as ioctl returns, `close(fd)` to free `inst`/`job` while the worker is still running the dequeued job.
+3. **Reclaim + pointer control:** Spray reclaimers (e.g., **Unix domain socket message** allocations) to occupy the freed slab slot and overwrite the inline `job`, especially `job->regs`.
+4. **Arbitrary write:** When `bigo_pull_regs()` runs, `memcpy_fromio()` writes **core->regs_size (~2144 bytes)** from MMIO into the attacker-supplied address in `job->regs`, producing a large write-what-where without a KASLR leak.
+5. **Data shaping:** Because registers are first programmed from user data (`bigo_push_regs`), set them so the hardware does not execute, keeping the copied-back register image close to attacker-controlled bytes.
+
+## Takeaways for driver reviewers
+
+- Inline per-FD job structs enqueued to async workers must hold references that survive timeout/cancel paths; **closing an FD must synchronize with worker consumption**.
+- Any MMIO copy helpers (`memcpy_fromio`/`memcpy_toio`) that use buffer pointers from jobs should be validated or duplicated before enqueuing to avoid UAF→write primitives.
+
+## References
+
+- [Pixel 0-click (Part 2): Escaping the mediacodec sandbox via the BigWave driver](https://projectzero.google/2026/01/pixel-0-click-part-2.html)
+- [Project Zero issue 426567975 – BigWave BIGO timeout UAF](https://project-zero.issues.chromium.org/issues/426567975)
+
+{{#include ../../banners/hacktricks-training.md}}