The Android kernel mitigations obstacle race
Blog post from GitHub
The article delves into the exploitation of a use-after-free (UAF) vulnerability, CVE-2022-22057, found in the Qualcomm GPU driver and affecting devices with Snapdragon 888 chipsets, such as the Samsung Galaxy Z Flip3. The vulnerability allowed arbitrary kernel memory read and write, which in turn made it possible to disable SELinux and execute commands as root. Despite various security mitigations such as Samsung's Realtime Kernel Protection (RKP) and Kernel Control Flow Integrity (kCFI), which complicated the exploitation, the author bypassed them using techniques such as exploiting race windows and manipulating kernel scheduling. The article highlights the challenges posed by kCFI and automatic variable initialization, while demonstrating how much an arbitrary memory read/write primitive still enables. It also critiques Qualcomm's disclosure practices, noting that patch gapping can expose vulnerabilities before they are publicly disclosed and so offer a window of opportunity to skilled attackers.