Rooting, the process of obtaining privileged control over an Android device's operating system, has long been a way for users and attackers alike to bypass manufacturer and carrier restrictions. Mobile security researchers Pan Zhenpeng and Jheng Bing Jhong of STAR Labs recently presented a technique they call GPUAF (GPU Use-After-Free), which chains bugs in Qualcomm's GPU kernel driver (KGSL, the driver for Adreno GPUs) to obtain root on a wide range of Snapdragon-based Android devices.
Understanding the GPUAF Technique
The GPUAF method chains several bugs in Qualcomm's KGSL driver to take complete control of the kernel. The researchers used three flaws:
1. CVE-2024-23380: a race condition in the KGSL VBO (virtual buffer object) map buffer path.
2. CVE-2024-23373: a use-after-free triggered when an unmap operation fails.
3. An additional bug in which page table entries are destroyed prematurely.
Chaining these bugs desynchronizes the driver's own bookkeeping from the IOMMU page tables: a page the kernel has already freed, and may hand out again for some other purpose, stays mapped in the GPU's address space, so the GPU can still read and write it. That stale GPU mapping is the use-after-free at the core of the technique; the rest of the attack is about getting the kernel to reuse the freed page for an object worth controlling.
Exploitation Paths to Root Access
The researchers demonstrated two primary methods to exploit these vulnerabilities:
1. Page Table Manipulation: the attacker arranges for the kernel to reuse the still-GPU-mapped page as an ARM64 page table. Writing to it through the GPU then edits translation-table descriptors directly: clearing the access-permission bits that mark a page read-only turns read-only memory into writable memory without the kernel's memory management ever being involved. The researchers used this to overwrite the `selinux_state` structure, disabling SELinux enforcement, and from there obtained root.
2. Pipe Buffer Exploitation: the freed page is instead reclaimed as an array of `pipe_buffer` structures. Each `pipe_buffer` names the page, offset and length that ordinary pipe read() and write() calls operate on, so controlling those fields turns the pipe system calls into reads and writes of attacker-chosen kernel memory; the write side is only taken when the buffer's flags permit it, so the forged entries must carry the right flag values. This yields arbitrary kernel read and write without touching page tables at all.
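The descriptor edit at the heart of the page-table path, as an added illustration that is not part of the STAR Labs research or of any exploit code: a simulated four-level ARM64 translation table kept in a small in-memory arena, a walk to the leaf (level-3) descriptor for a virtual address, and the permission flip that turns a read-only page writable. The arena, the virtual and physical addresses, and the helper names (`walk`, `pte_make_writable`, `build_mapping`) are all constructed for this example; only the descriptor bit positions are the architectural ones.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated "physical memory": a small arena of 4 KiB pages indexed by page
 * frame number, so descriptor output addresses are PFN << 12 and phys_to_virt()
 * is array indexing. This stands in for the freed pages the GPU can still
 * reach; it is a constructed model, not kernel code. */
#define PAGE_SHIFT   12
#define PAGE_SIZE    (1ULL << PAGE_SHIFT)
#define NPAGES       8
static uint64_t arena[NPAGES][PAGE_SIZE / sizeof(uint64_t)];

/* ARM64 stage-1 descriptor bits (VMSAv8-64, 4 KiB granule). */
#define DESC_VALID   (1ULL << 0)
#define DESC_TABLE   (1ULL << 1)   /* L0..L2: next-level table; L3: page descriptor */
#define PTE_AP_EL0   (1ULL << 6)   /* AP[1]: accessible from EL0 */
#define PTE_RDONLY   (1ULL << 7)   /* AP[2]: read-only */
#define PTE_AF       (1ULL << 10)  /* access flag */
#define PTE_DBM      (1ULL << 51)  /* dirty-bit modifier; Linux uses it as PTE_WRITE */
#define PTE_PXN      (1ULL << 53)  /* privileged execute-never */
#define PTE_UXN      (1ULL << 54)  /* unprivileged execute-never */
#define ADDR_MASK    0x0000FFFFFFFFF000ULL

static uint64_t *phys_to_virt(uint64_t pa) {
    uint64_t pfn = pa >> PAGE_SHIFT;
    return pfn < NPAGES ? arena[pfn] : NULL;
}
static uint64_t pfn_to_phys(unsigned pfn) { return (uint64_t)pfn << PAGE_SHIFT; }

/* Table index at each level: L0 uses VA bits 47:39, ..., L3 uses bits 20:12. */
static unsigned idx_at(uint64_t va, int level) {
    return (unsigned)((va >> (PAGE_SHIFT + 9 * (3 - level))) & 0x1FF);
}

/* Walk the four-level table rooted at pgd_pa and return the level-3 descriptor
 * slot for va, or NULL if the walk hits an invalid entry (block mappings are
 * not modelled here). */
uint64_t *walk(uint64_t pgd_pa, uint64_t va) {
    uint64_t *table = phys_to_virt(pgd_pa);
    for (int level = 0; level < 3 && table; level++) {
        uint64_t d = table[idx_at(va, level)];
        if ((d & (DESC_VALID | DESC_TABLE)) != (DESC_VALID | DESC_TABLE))
            return NULL;
        table = phys_to_virt(d & ADDR_MASK);
    }
    if (!table) return NULL;
    uint64_t *pte = &table[idx_at(va, 3)];
    return ((*pte & (DESC_VALID | DESC_TABLE)) == (DESC_VALID | DESC_TABLE)) ? pte : NULL;
}

int pte_is_writable(uint64_t pte) {
    return (pte & DESC_VALID) && !(pte & PTE_RDONLY);
}

/* The edit the page-table path makes once the reclaimed table is GPU-writable:
 * clear AP[2] so the MMU permits writes, and set DBM, which Linux reads back as
 * its software PTE_WRITE bit so the kernel's view agrees. The output address
 * and the remaining attributes are left untouched. */
void pte_make_writable(uint64_t *pte) {
    *pte = (*pte & ~PTE_RDONLY) | PTE_DBM;
}

/* Build a mapping va -> pa with the given attribute bits. PFNs 0..3 hold the
 * L0..L3 tables, so the returned root (pgd) is PFN 0. */
uint64_t build_mapping(uint64_t va, uint64_t pa, uint64_t attrs) {
    memset(arena, 0, sizeof arena);
    for (int level = 0; level < 3; level++)
        arena[level][idx_at(va, level)] = pfn_to_phys(level + 1) | DESC_VALID | DESC_TABLE;
    arena[3][idx_at(va, 3)] = (pa & ADDR_MASK) | (attrs & ~ADDR_MASK)
                            | DESC_VALID | DESC_TABLE | PTE_AF;
    return pfn_to_phys(0);
}

int main(void) {
    /* Constructed input: a read-only, never-executable data page, the way
     * kernel read-only data is mapped. The addresses are arbitrary. */
    uint64_t va = 0xFFFFFF8008C00000ULL, pa = pfn_to_phys(5);
    uint64_t pgd = build_mapping(va, pa, PTE_RDONLY | PTE_PXN | PTE_UXN);
    uint64_t *pte = walk(pgd, va);
    if (!pte) { puts("walk failed"); return 1; }
    printf("before: pte=%#018llx writable=%d\n", (unsigned long long)*pte, pte_is_writable(*pte));
    pte_make_writable(pte);   /* the single write the GPU performs into the reclaimed table */
    printf("after:  pte=%#018llx writable=%d\n", (unsigned long long)*pte, pte_is_writable(*pte));
    return 0;
}
```

Two caveats a practitioner would keep in mind: on real hardware the CPU may still hold the old translation in its TLB, so the flipped permission takes effect only once that entry is evicted or invalidated; and the edit is a raw store into a table the kernel believes it owns, so any integrity layer watching those tables (a hypervisor at EL2, for instance) is exactly the defence this path has to get past.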
Impacted Devices and Security Implications
Because the bugs are in Qualcomm's driver rather than in any one vendor's firmware, the GPUAF technique applies across vendors that ship Snapdragon SoCs. The researchers named, among others:
– Samsung Galaxy S series (Snapdragon, i.e. non-Exynos, variants)
– Honor devices (e.g., x9b, 90 series)
– Xiaomi devices (e.g., 14, 14 Pro, Redmi Note 13 Pro)
– Vivo devices (e.g., iQOO Z9s Pro, T3 Pro)
Notably, the researchers demonstrated bypasses of hardening layers beyond stock Android, including Samsung's Enhanced SELinux and the KNOX hypervisor protections that run at Exception Level 2 (EL2). An EL2 hypervisor is precisely the layer meant to stop a kernel-level attacker from tampering with page tables and credentials, so getting past it means a full compromise: complete control of the device, access to all data on it, and the ability to install persistent malware.
Mitigation and Recommendations
Qualcomm has released patches for the identified vulnerabilities. Those fixes reach handsets only through each OEM's firmware updates, so what matters on a given device is its Android security patch level (`ro.build.version.security_patch`), not the date of Qualcomm's fix; users should install pending updates promptly, and devices that no longer receive vendor updates remain exposed. The work is a reminder that device drivers sit inside the kernel's trust boundary and that defences layered above the kernel, SELinux and hypervisor protections included, are only as strong as the driver code beneath them.