CVE-2022-22057 on huawei phone #715
Replies: 28 comments 62 replies
-
I assume you are referring to https://github.blog/2022-06-16-the-android-kernel-mitigations-obstacle-race/ .
-
I noticed ion_heap_phys_addr and ion_heap_size are specific to the Z Flip3,
-
@mengxipeng1122
-
bugreport-VNE-AN00-HONORVNE-AN00-2022-11-14-22-58-15.zip The attached file is a bug report I pulled from one Play30.
-
Thank you anyway, have a great day.
-
@m-y-mo I am trying to port this to a Galaxy Z Fold 3 running a 5.4 kernel... is there any way to glean the necessary information from a decompiled kernel? I have the kernel.elf decompiled in Ghidra.
-
VMEMMAP is a macro defined in arch/arm64/include/asm/pgtable.h: https://elixir.bootlin.com/linux/latest/source/arch/arm64/include/asm/pgtable.h#L27 You can track the various definitions in the kernel source code. It's quite tedious because it depends on the architecture and you need to make sure you're looking at the arm64 code. As far as I remember, they are pretty stable so you probably can use the one in the POC.
For the other offsets, they are not in the kernel log. The ion_cma_ops offset (ION_HEAP_OPS_OFF) should be simple. For example, you can get it from /proc/kallsyms on a rooted device (or the same way that you get the other symbol offsets from). To get the field offsets, for example, you can do something like this with gdb:
(gdb) p &(((struct ion_heap*)0)->ops)
gives you the field offset of ops in ion_heap (ION_HEAP_OPS_OBJ_OFF).
-
Awesome, I appreciate your help! I don't have access to a rooted device, but maybe I could get that info from a kernel ELF theoretically, right?
On Wed, Jun 21, 2023, 5:07 AM Man Yue Mo wrote:
VMEMMAP is a macro defined in arch/arm64/include/asm/pgtable.h: https://elixir.bootlin.com/linux/latest/source/arch/arm64/include/asm/pgtable.h#L27 You can track the various definitions in the kernel source code. It's quite tedious because it depends on the architecture and you need to make sure you're looking at the arm64 code. As far as I remember, they are pretty stable so you probably can use the one in the POC.
For the other offsets, they are not in the kernel log. The ion_cma_ops offset (ION_HEAP_OPS_OFF) should be simple. For example, you can get it from /proc/kallsyms on a rooted device (or the same way that you get the other symbol offsets from). To get the field offsets, for example, you can do something like this with gdb:
(gdb) p &(((struct ion_heap*)0)->ops)
gives you the field offset of ops in ion_heap (ION_HEAP_OPS_OBJ_OFF).
-
Yes, something like that should probably work too. If your debugger can't find the symbols to get the field offsets, you can try to download and compile the kernel from the source code that corresponds to your firmware: https://opensource.samsung.com/uploadList?menuItem=mobile&classification1=mobile_phone&searchValue=SM-F926 and then load the vmlinux output file into gdb to get the field offsets. The compiled kernel is not exactly the same as the one that is shipped in the firmware, so it's no good for getting the kallsyms offsets, but should be close enough to get the field offsets.
-
Amazing... thank you. That gives me plenty to start with.
On Wed, Jun 21, 2023, 5:41 AM Man Yue Mo wrote:
Yes, something like that should probably work too. If your debugger can't find the symbols to get the field offsets, you can try to download and compile the kernel from the source code that corresponds to your firmware: https://opensource.samsung.com/uploadList?menuItem=mobile&classification1=mobile_phone&searchValue=SM-F926 and then load the vmlinux output file into gdb to get the field offsets. The compiled kernel is not exactly the same as the one that is shipped in the firmware, so it's no good for getting the kallsyms offsets, but should be close enough to get the field offsets.
-
@m-y-mo So, good news: I compiled the kernel and got the offsets using the gdb commands you gave. It turns out that the addresses/offsets are exactly the same! ... Unfortunately, when running the exploit, I get the following output:
The only 2 addresses I have not explicitly verified are VMEMMAP and KERNEL_PBASE. I am not sure how to get KERNEL_PBASE. However, I am making the assumption that they should be the same as yours and no changes are needed, since everything else has been the same.
-
It really is only the difference between
-
@m-y-mo Would it be the linux,cma entry (line 4) shown below by any chance?
-
No,
-
Okay, using vmlinux-to-elf, I was able to obtain
I'll have to figure out how these translate to
-
The fact that you're able to progress to the point of getting a reasonably looking info leak makes me think that the macros in
The numbers you got don't look right. I remember having a similar problem before because the block alignment and address width in the symbol table had changed and some of the older scripts didn't work. Try adding the
I think there is also a newer tool that gives you more options to change these parameters. Try to search "extract kallsyms" in the xda forum and ask around. You probably need to play around with the settings a bit to get it right.
-
Tried:
I will keep trying!
-
It looks like for some reason, the kallsyms you get using
and
and
-
Have you also changed
-
Have you changed the offsets in
The
similarly, you can get
-
This will be my last comment so as not to spam the thread, but I think I found the relevant kernel panic logs... there is much more than this, but I will post snippets. This should be the exact moment of the crash, because the phone was able to stay on for a long time but as soon as I turned the screen on it crashed, and these are the log entries after the screen-on entries:
...
...
...
...
...
...
-
You can try to use the command and steps here: https://github.com/github/securitylab/tree/main/SecurityExploits/Android/Qualcomm/NPU to create a reverse shell. I remember there were some problems and you needed to go back and forth between the phone and the computer to get a reverse shell. You may be able to make permanent changes to some packages, and you may also be able to do a bootless, non-persistent Magisk that makes it more convenient to use. You probably won't be able to unlock the bootloader with this, and if you want to make permanent changes, make sure you understand exactly what you're doing, or you're likely to hard brick or wipe the device.
-
Yes, I've tried a few methods; yours is interesting. I don't understand why it doesn't seem to be working, but I'll figure it out.
Yes, totally understand. I know enough to know the dangers. I think non-persistent Magisk is the best way to go. Trying to modify /system and/or the kernel without tripping the security measures in place to prevent that is vastly beyond my knowledge... it would require another exploit from someone, as far as I'm aware.
This is dynamic, right? Like I couldn't just do some digging, find it once and fix it and it's always the same thing... it would change each run. I was quite certain from the link I posted it was because of
Oh, I totally get that; this was posted as a CVE/security concern, not a method to obtain stable root, so no worries at all.
While definitely not ideal, I tested this and you are 100% correct. I am going to have to find a good way to implement this though. Android is so quick to kill apps' processes; I did a quick test since yesterday and my phone has kernel panicked once from Android killing the terminal app I ran the code in (even though I removed all optimization/battery saving). Only once is not bad, but I would say probably not usable. I'd have to find a way to keep the process alive unless under extreme low-memory circumstances. I'll have to look at how Android processes work and go from there. Off the top of my head, I know adbd runs pretty close to the core of the process tree, so making an app that links with adbd but forks the process away from the app? I am not sure that even makes sense to someone who knows better. Shizuku may be helpful as well. I am sure there is some clever trick.
-
Yes, there is a check to make sure that the binary/script that is run is whitelisted (see: https://github.com/vngkv123/articles/blob/main/Galaxy's%20Meltdown%20-%20Exploiting%20SVE-2020-18610.md)
-
I was able to run custom scripts. If you just copy a script over, you'll need to do
-
Actually, it's not related to the current discussion; it's about Mali exploits. @m-y-mo Can we port the Mali-based exploits that you developed to other Android devices such as Samsung or Motorola? Actually, I am trying to port it and it prints result 49 sometimes and sometimes reboots. Do you think it may be usable on these devices? If that is the case, what are the things that need to be changed? Devices working with:
-
Hello
@diabl0w Would you please share with us how you found these numbers? By reading dmesg logs, or just trial and error? I would appreciate it if you could help me with my problems.
-
I tested the CVE-2022-22057 POC on a Huawei phone, but it always reboots after printing 'read pipe finished'.
How can I fix this issue?
Huawei phone info:
Model: VNE-AN00, Honor Play30
8+128G memory
Android 11
Kernel version: 5.4.86
Android security patch level: April 1, 2022
POC log:
heap_id_mask 40
ion region 0x787c5e0000
region start addr: ffffff8071800000
fence kernel addr: ffffff8071fe0040 192
created fake slab at ffffff8071840100
[+] reallocation data initialized!
[ ] initializing reallocation threads, please wait...
[+] 40 reallocation threads ready!
readpipe start
timeline_wait start
destroy start
readpipe
Caught signal: 10
wait complete -1
readpipe finished
< phone reboot >