tags: android, lpe, kernel, OOB_write, race_condition, uaf, double_free
original link: Driving forward in Android drivers
newsletter link: exploits.club Weekly Newsletter 26


Exploits Club Summary:

Babe, wake up, P0 just posted. This week, @__sethJenkins released a blog post for Project Zero that explores the fragmented world of vendor-specific drivers on Android. The post first explores how to enumerate the drivers accessible directly from the untrusted_app context. It then walks through two vulnerabilities identified in the MediaTek JPEG Decoding Accelerator. The first of these bugs is a straightforward OOB write (CVE-2023-32837), while the second (CVE-2023-32832) is a fun race condition leading to a UAF or double free. The blog then goes into exploitation, focusing specifically on the second bug and on a “novel exploit technique” to demonstrate exploitability in the face of potential future mitigations such as SLAB_VIRTUAL.