Rooting with root cause: finding a variant of a Project Zero bug
Blog post from GitHub
The blog post by Man Yue Mo examines CVE-2022-46395, a security vulnerability in the Arm Mali GPU driver used in Android devices, demonstrated on a Pixel 6. The bug is a race condition in the driver's memory management that can be exploited to obtain kernel code execution and root privileges without authorization. It is a variant of Project Zero's CVE-2022-36449 and involves a tight race window that can be won using advanced techniques for manipulating memory pages. The post traces the vulnerability to improper handling of shared memory regions of type KBASE_MEM_TYPE_IMPORTED_USER_BUF, which can lead to a use-after-free condition. The author demonstrates exploitation of the race by widening the race window with strategically timed interrupts, ultimately achieving arbitrary kernel code execution. The case study underscores the importance of thorough root cause analysis in identifying and understanding security vulnerabilities, including those whose exploitability initially appears limited.