GPU Advanced Forensics (GPUAF) researchers have unveiled two novel exploitation chains that enable reliable rooting of Android devices powered by Qualcomm chipsets.
Their findings, scheduled for discussion at BlackHat USA 2024, center on a sequence of kernel vulnerabilities in the Qualcomm GPU driver, culminating in powerful arbitrary address read/write primitives and full device compromise, even on models with the latest mitigation strategies.
Exploitation Chain in Qualcomm GPU
The Qualcomm Adreno GPU driver, widely deployed in premium Android devices, including Samsung Galaxy S models (non-Exynos), Honor, Xiaomi, and Vivo phones, manages user memory through structures like kgsl_mem_entry and variants such as VBOs.
These facilitate diverse memory mappings between GPU and CPU, but their complexity introduces exploitable race conditions.
The attack leverages multiple bugs, notably CVE-2024-23380, a race condition in VBO buffer mapping.

Prior work demonstrated exploitation for page use-after-free (UaF); GPUAF researchers, however, advanced the research by chaining two additional flaws (including CVE-2024-23373 and a reference counting error) to create memory and page table inconsistencies.
By orchestrating overlapping thread operations on memory mapping and unmapping routines, the exploit can reclaim freed pages for sensitive kernel structures, opening the door to arbitrary address read/write (AARW) at the physical memory level.
Post-Exploitation: Two Paths to Root
Once AARW access is achieved, GPUAF outlines two techniques to escalate privileges and gain persistent root access:
- Page Table Manipulation: By reclaiming UaF pages as page tables via anonymous memory spraying, attackers gain direct control over page table entries (PTEs). This allows modification of kernel memory permissions, including marking areas as read-write-execute (RWX), and writing shellcode into executable memory. With knowledge of the kernel memory layout, the exploit can disable SELinux by overwriting selinux_state and inject malicious code into critical processes like init, thereby spawning privileged reverse shells or bind shells at will.
- Pipe Buffer Forgery: By targeting the Linux kernel’s pipe_buffer structure, the exploit achieves arbitrary memory access through page reclamation and pipe operations. Forged pipe_buffer objects can then be used to read or overwrite target addresses, including security variables or process code segments, again facilitating root access through similar injection tactics.
Despite countermeasures like enhanced SELinux, Samsung’s KNOX (hypervisor-level integrity), DEFEX, and physical address ASLR, the researchers demonstrate practical bypasses.
For instance, they exploit limitations in SELinux’s permissive flags and DEFEX’s user-space process injection to circumvent root restrictions.

Physical address layout randomization (PhyASLR) proves weak due to predictable alignment and kernel mapping schemes, easily brute-forced or bypassed using exploit primitives.
According to the report, these advanced exploitation techniques showcase the persistent risk stemming from complex memory management in GPU drivers, particularly with the widespread adoption of Qualcomm hardware.
The ability to chain subtle race conditions into stable root exploits, despite multiple layers of defense, underscores the necessity for rigorous kernel hardening, attack surface minimization, and ongoing vendor collaboration to address such systemic vulnerabilities.
GPUAF’s research not only exposes the intricacies of GPU driver exploitation but also provides a blueprint for future mitigations, emphasizing the need for security mechanisms to evolve in tandem with emerging exploitation strategies.
As device vendors work to patch these flaws, the findings are a critical alert for the Android ecosystem to re-examine the assumptions underpinning “state-of-the-art” mobile security.