Source |
ProjectZero |
Identifier |
8625888 |
Publication date |
2024-12-15 22:11:23 (viewed: 2024-12-16 07:07:54) |
Title |
The Qualcomm DSP Driver - Unexpectedly Excavating an Exploit |
Text |
Posted by Seth Jenkins, Google Project Zero

This blog post provides a technical analysis of exploit artifacts provided to us by Google's Threat Analysis Group (TAG) from Amnesty International. Amnesty's report on these exploits is available here. Thanks to both Amnesty International and Google's Threat Analysis Group for providing the artifacts and collaborating on the subsequent technical analysis!

Introduction

Earlier this year, Google's TAG received some kernel panic logs generated by an In-the-Wild (ITW) exploit. Those logs kicked off a bug hunt that led to the discovery of 6 vulnerabilities in one Qualcomm driver over the course of 2.5 months, including one issue that TAG reported as ITW. This blog post covers the details of the original artifacts, each of the bugs discovered, and the hypothesized ITW exploit strategy gleaned from the logs.

Artifacts

Usually when successfully reverse-engineering an ITW exploit, Project Zero/TAG have had access to the exploit sample itself, making determining what vulnerability was exploited primarily a matter of time and effort. However, in this particular case, we received several kernel panic logs but unfortunately not the exploit sample. This meant we could not directly reproduce crashes or reverse engineer what bug was being exploited.

Accurately determining what vulnerability an exploit uses working only off of crash logs and without the exploit itself can range in difficulty from highly plausible to impossible. I decided to give it a try and see what I could learn. Out of the 6 panics we received, 4 panics in particular contained potentially useful information:

Log 1:

[ 47.223480] adsprpc: fastrpc_init_process: untrusted app trying to attach to privileged DSP PD
[ 47.254494] adsprpc: mapping not found to unmap fd 0xffffffff, va |
Notes |
★★★
|
Sent |
Yes |
Tags |
Vulnerability
Threat
Mobile
Technical
|