#BHUSA BlackHatEvents

The Way to Android Root: Exploiting Your GPU On Smartphone
Xuan Xing, Eugene Rodionov, Xiling Gong

Whoami
Increase Android and Pixel security by attacking key components and features, identifying critical vulnerabilities before adversaries
- Offensive Security Reviews to verify (break) security assumptions
- Scale through tool development (e.g. continuous fuzzing)
- Develop proof of concepts to demonstrate real-world impact
- Assess the efficacy of security mitigations

Agenda
- Background Introduction
- Qualcomm Adreno GPU Introduction
- CVE-2024-23380 and Exploitation
- Vulnerability and Methodology Discussion

Background
Why Android GPU Driver?
- No Permission Required
- Powerful Functions
- High Complexity
Why Qualcomm Adreno GPU?
- Qualcomm is one of the most important smartphone SoC vendors
- Adreno is the GPU used in most of the Qualcomm SoCs
- Evolved architecture recently

[Architecture diagram; labels: Unprivileged app, Graphics client API (GLES, Vk, ...), /dev/kgsl-#, KGSL GPU kernel module, GPU MMU Manager, Shared memory Manager, Shared memory, Interconnect, DRAM, CPU, GPU, IOMMU, FW; privilege levels EL0, EL1, HW]

Adreno Driver Issues
Source: https:/
- 2019 TiYunZong Exploit Chain - Gong Guang
- 2020 Attacking the Qualcomm Adreno GPU - Project Zero
- 2022 The Android kernel mitigations obstacle race - Man Yue Mo
- 2023 code in user-writable mapping is executed in non-protected mode - Project Zero

Recent Issues - Qualcomm Security Bulletin
| Bulletin  | CVE            | Rating | Date       | Reporter           | Tech Area                    | Exploitability        |
| 2024 July | CVE-2024-23380 | High   | 12/13/2023 | Xiling Gong        | VBO IOMMU - Use After Free   | Yes - Easy - Stable   |
| 2024 July | CVE-2024-23373 | High   | 12/18/2023 | Man Yue Mo         | IOMMU - Use After Free       | Yes - Medium - Stable |
| 2024 July | CVE-2024-23372 | High   | 12/12/2023 | Fish of Pangu Team | VBO IOMMU - Integer Overflow | Yes - Easy - Stable   |
| 2024 June | CVE-2024-21478 | High   | 11/03/2    |                    |                              |                       |