CVE-2016-2503

Nexus 5X and 6P devices • Qualcomm GPU driver before 2016-07-05 • Use after free due to race conditions leads to LPE
Reported on 4-Apr-16 by Adam Donenfeld
CPR-ID: 1021
Upload Date: 19-Jun-19

Information

Two threads can pass the kgsl_syncsource_get call before starting the refcount reduction technique. This drops the refcount of a syncsource object below 0, thus exposing itself to a use-after-free attack.

References:
https://source.android.com/security/bulletin/2016-07-01
https://blog.checkpoint.com/2016/08/07/quadrooter/

Share this: