This article provides an in-depth analysis of CVE-2023-6241, a vulnerability in the Arm Mali GPU, how it was exploited to gain arbitrary kernel code execution on an MTE-enabled Pixel 8 device, the role of Memory Tagging Extension (MTE) in mitigating memory corruption vulnerabilities, and its limitations. The author provides insights into the technical details of the vulnerability, its exploitation, and the implications for device security in the presence of advanced mitigations like MTE.
Main Points
CVE-2023-6241 explanation
CVE-2023-6241 is a vulnerability in the Arm Mali GPU that allows a malicious app to gain arbitrary kernel code execution and root on an Android phone.
Exploitation and impact details
The vulnerability is exploit heads for various attack scenarios explored in-depth blog, impacting strategical hardware and software
Insights
Memory tagging is used to mitigate common types of memory corruptions by using higher bits in an address to store a tag that checks against the tag stored in the associated memory block.
The main idea of memory tagging is to use these higher bits in an address to store a “tag” that can then be used to check against the other tag stored in the memory block associated with the address. The helps to mitigate common types of memory corruptions as follows:
In the case of a linear overflow, a pointer is used to dereference an adjacent memory block that has a different tag compared to the one stored in the pointer. By checking these tags at dereference time, the corrupted dereference can be detected. For use-after-free type memory corruptions, as long as the tag in a memory block is cleared every time it is freed and a new tag reassigned when it is allocated, dereferencing an already freed and reclaimed object will also lead to a discrepancy between pointer tag and the tag in memory, which allows use-after-free to be detected.
MTE introduces checks that effectively turn unsafe memory language into one that is memory safe, albeit probabilistically.
The main reason that memory tagging is different from previous mitigations, such as Kernel Control Flow Integrity (kCFI) is that, unlike other mitigations, which disrupts later stages of an exploit, MTE is a very early stage mitigation that tries to catch memory corruption when it first happens. As such, it is able to stop an exploit in a very early stage before the attacker has gained any capabilities and it is therefore very difficult to bypass. It introduces checks that effectively turns an unsafe memory language into one that is memory safe, albeit probabilistically.
Links
- CVE-2023-6241
- r47p0
- March security update
- Command Stream Frontend (CSF)
- Memory Tagging Extension (MTE)
- these instructions
- this article
- whitepaper
- v8.5a version
- MTE As Implemented
- enable MTE in the developer options
- Mali (GPU) Wikipedia entry
- another issue
- kbase_context
- kbase_va_region
- kbase_kcpu_command_queue
- kbase_jit_allocate
- The life cycle of JIT memory
- kbase_mmu_page_fault_worker
- here
- MTE As Implemented, Part 3: The Kernel
URL
https://github.blog/2024-03-18-gaining-kernel-code-execution-on-an-mte-enabled-pixel-8/