Rooting with root cause: finding a variant of a Project Zero bug

1.0The GitHub Bloghttps://github.blogMan Yue Mohttps://github.blog/author/mymo/Rooting with root cause: finding a variant of a Project Zero bugrich600338<blockquote class="wp-embedded-content" data-secret="97QzREnzKc"><a href="https://github.blog/security/vulnerability-research/rooting-with-root-cause-finding-a-variant-of-a-project-zero-bug/">Rooting with root cause: finding a variant of a Project Zero bug</a></blockquote><iframe sandbox="allow-scripts" security="restricted" src="https://github.blog/security/vulnerability-research/rooting-with-root-cause-finding-a-variant-of-a-project-zero-bug/embed/#?secret=97QzREnzKc" width="600" height="338" title="“Rooting with root cause: finding a variant of a Project Zero bug” — The GitHub Blog" data-secret="97QzREnzKc" frameborder="0" marginwidth="0" marginheight="0" scrolling="no" class="wp-embedded-content"></iframe><script> /*! This file is auto-generated */ !function(d,l){"use strict";l.querySelector&&d.addEventListener&&"undefined"!=typeof URL&&(d.wp=d.wp||{},d.wp.receiveEmbedMessage||(d.wp.receiveEmbedMessage=function(e){var t=e.data;if((t||t.secret||t.message||t.value)&&!/[^a-zA-Z0-9]/.test(t.secret)){for(var s,r,n,a=l.querySelectorAll('iframe[data-secret="'+t.secret+'"]'),o=l.querySelectorAll('blockquote[data-secret="'+t.secret+'"]'),c=new RegExp("^https?:$","i"),i=0;i<o.length;i++)o[i].style.display="none";for(i=0;i<a.length;i++)s=a[i],e.source===s.contentWindow&&(s.removeAttribute("style"),"height"===t.message?(1e3<(r=parseInt(t.value,10))?r=1e3:~~r<200&&(r=200),s.height=r):"link"===t.message&&(r=new URL(s.getAttribute("src")),n=new URL(t.value),c.test(n.protocol))&&n.host===r.host&&l.activeElement===s&&(d.top.location.href=t.value))}},d.addEventListener("message",d.wp.receiveEmbedMessage,!1),l.addEventListener("DOMContentLoaded",function(){for(var e,t,s=l.querySelectorAll("iframe.wp-embedded-content"),r=0;r<s.length;r++)(t=(e=s[r]).getAttribute("data-secret"))||(t=Math.random().toString(36).substring(2,12),e.src+="#?secret="+t,e.setAttribute("data-secret",t)),e.contentWindow.postMessage({message:"ready",secret:t},"*")},!1)))}(window,document); //# sourceURL=https://github.blog/wp-includes/js/wp-embed.min.js </script> https://github.blog/wp-content/uploads/2023/04/1200.630-Global@2x-1.png?fit=1200%2C6301200630In this blog, I’ll look at CVE-2022-46395, a variant of CVE-2022-36449 (Project Zero issue 2327), and use it to gain arbitrary kernel code execution and root privileges from the untrusted app domain on an Android phone that uses the Arm Mali GPU. I’ll also explain how root cause analysis of CVE-2022-36449 led to the discovery of CVE-2022-46395.