Figure 1. The rooting app reaches 1.5 million downloads

An infamous rooting app team found that the vulnerability still existed in Android, and implemented it as a successor rooting solution when PingPongRoot was no longer working. We are currently monitoring in-the-wild exploits and expect more exploits to rely on this vulnerability.
Figure 2. Race condition to trigger pipe_iov_copy_from_user redo
Figure 3. Spray iovec struct with target kernel address to write
The vulnerability can be traced back to the function pipe_iov_copy_to_user in the Linux kernel file fs/pipe.c. If pipe_iov_copy_to_user fails, the caller goes to a redo routine that reuses the same source buffer and the same length, but continues from the position in the iovec array where the failed copy stopped. As a result, the destination iovec array is overrun by the amount of data the first step had already copied.
Figure 4. iovec overrun

This overrun causes an undefined memory access, which normally leads to a denial of service. However, the exploit uses tricks that prevent the system from crashing. For instance, if the total length of the iovec array is set larger than the source buffer size, which by default equals PIPE_BUF (4096 bytes), the overrun is avoided in the redo routine.
Figure 5. Preventing crash in the redo

The "for" loop then continues and enters pipe_iov_copy_to_user a third time to copy the remaining data. This time, it triggers the overrun, accessing data beyond the end of the iovec buffer, which has been sprayed with iovec structures whose iov_base is set to a kernel address. Unlike the redo routine, this step uses __copy_to_user_inatomic instead of the protective copy_to_user, which yields an arbitrary write to kernel memory. This is also why the overrun was not triggered in the redo itself.
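To make the root cause concrete, here is an added user-space model of the iovec walk (constructed for this post, not the kernel's code or the exploit): the vulnerable shape records progress by mutating the caller's iovec entries, so a redo with the same source and length resumes past the entries already filled and runs off the end of the array, while the fixed shape keeps progress in locals so the redo restarts cleanly. The names walk_vuln, walk_fixed, pipe_read_sim and the fault simulation are assumptions of this model.

```c
#include <stddef.h>
#include <string.h>
/* Constructed user-space model of the fs/pipe.c iovec walk; not the kernel's code. */
struct iov_m { char *base; size_t len; };
static int calls, fail_at;  /* the fail_at-th copy call pretends the user page faulted */

static int copy_sim(char *dst, const char *src, size_t n) {
    if (++calls == fail_at) return -1;
    memcpy(dst, src, n);
    return 0;
}

/* Vulnerable shape: progress is recorded by mutating the caller's iovec array, so a redo
 * with the same (from, len) resumes at the advanced position. 0, -1 fault, -2 overrun. */
static int walk_vuln(struct iov_m *iov, int nr, const char *from, size_t len) {
    for (int i = 0; len > 0; ) {
        while (i < nr && iov[i].len == 0) i++;
        if (i >= nr) return -2;           /* the real kernel had no such bounds check */
        size_t c = len < iov[i].len ? len : iov[i].len;
        if (copy_sim(iov[i].base, from, c)) return -1;
        from += c; len -= c; iov[i].base += c; iov[i].len -= c;
    }
    return 0;
}

/* Fixed shape: progress lives in locals and the iovec array is never modified,
 * so a redo restarts exactly where the failed attempt started. */
static int walk_fixed(const struct iov_m *iov, int nr, const char *from, size_t len) {
    size_t off = 0;
    for (int i = 0; len > 0; ) {
        while (i < nr && iov[i].len == off) { i++; off = 0; }
        if (i >= nr) return -2;
        size_t c = len < iov[i].len - off ? len : iov[i].len - off;
        if (copy_sim(iov[i].base + off, from, c)) return -1;
        from += c; len -= c; off += c;
    }
    return 0;
}

/* Models pipe_read: two 4-byte iovecs receive 8 bytes; on a fault the copy is redone
 * once with the same arguments. fail_on picks which copy call faults (0 = none). */
int pipe_read_sim(int vuln, int fail_on, char out[8]) {
    const char *src = "ABCDEFGH";          /* constructed pipe contents */
    struct iov_m iov[2] = { { out, 4 }, { out + 4, 4 } };
    calls = 0; fail_at = fail_on;
    int rc = vuln ? walk_vuln(iov, 2, src, 8) : walk_fixed(iov, 2, src, 8);
    if (rc == -1)  /* the redo */
        rc = vuln ? walk_vuln(iov, 2, src, 8) : walk_fixed(iov, 2, src, 8);
    return rc;
}
```

With a fault on the second copy, the vulnerable walk reports an overrun (-2) on the redo and duplicates the first four bytes, while the fixed walk completes and delivers all eight bytes in order.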
Figure 6. Vulnerable codes

Mitigations

Although this has been viewed as a denial-of-service bug, once exploit code becomes available in the wild it can compromise the security of the Android device. A cybercriminal can gain root privileges, which allows them to perform a wide array of malicious activities on the device. To secure your device, it is best to install apps only from the official Google Play store. You can also install Trend Micro Mobile Security Personal Edition, which detects malicious apps.