Nexus 9's kernel (tegra kernel tree) exposes a debugfs file entry that allows a privileged attacker to write arbitrary values within kernel space.
The nvhost GPU driver for the Tegra kernel contains a heap overflow in the ioctl command. The bug results from an integer overflow that makes the kernel allocate a small heap buffer, and eventually overruns it with an attacker-controllable payload. The current sepolicy allows any untrusted_app to trigger it.
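The bug class described above (a user-controlled element count multiplied into a byte size, the product wrapping, and the resulting small allocation being overrun by a copy that trusts the original count) is easiest to see side by side with its hardened form. The following is an added, constructed illustration and is not the nvhost driver's code: the element type, the `MAX_ELEMS` cap, and the `handle_submit` handler are all hypothetical, and the vulnerable variant only computes the wrapped size rather than performing the overrunning copy.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical 16-byte element submitted by user space in a batch. */
typedef struct { uint32_t words[4]; } elem_t;

/* Hypothetical upper bound a handler would place on one request. */
#define MAX_ELEMS 1024u

/* Vulnerable pattern: the byte size is computed in the same 32-bit type as
 * the user-supplied count, so it silently wraps. For count = 0x10000001 the
 * product 0x100000010 becomes 0x10, i.e. a 16-byte allocation for a copy that
 * would later run for the full count. Returned (not allocated) for inspection. */
uint32_t vulnerable_alloc_size(uint32_t count)
{
    return count * (uint32_t)sizeof(elem_t);  /* wraps modulo 2^32 */
}

/* Hardened pattern: cap the count explicitly and compute the size with an
 * overflow-checked multiply (GCC/Clang builtin; the Linux kernel offers
 * check_mul_overflow() / array_size() for the same purpose). */
int checked_alloc_size(uint32_t count, size_t *out)
{
    size_t bytes;
    if (count == 0 || count > MAX_ELEMS)
        return -1;                                   /* reject out-of-range counts */
    if (__builtin_mul_overflow((size_t)count, sizeof(elem_t), &bytes))
        return -1;                                   /* reject wrapped products */
    *out = bytes;
    return 0;
}

/* Convenience predicate for callers that only need accept/reject. */
int request_size_ok(uint32_t count)
{
    size_t unused;
    return checked_alloc_size(count, &unused) == 0;
}

/* Hypothetical hardened handler: validate first, then allocate exactly the
 * validated size and copy exactly that many bytes. Returns 0 on success,
 * -1 when the request is rejected or allocation fails. */
int handle_submit(uint32_t count, const elem_t *user_elems)
{
    size_t bytes;
    if (checked_alloc_size(count, &bytes) != 0)
        return -1;
    elem_t *buf = malloc(bytes);
    if (!buf)
        return -1;
    memcpy(buf, user_elems, bytes);  /* copy length derived from the checked size */
    free(buf);
    return 0;
}

/* Builds a constructed two-element request and submits it. */
int demo_valid_request(void)
{
    elem_t sample[2] = { {{1, 2, 3, 4}}, {{5, 6, 7, 8}} };  /* constructed input */
    return handle_submit(2, sample);
}

int main(void)
{
    printf("wrapped size for count 0x10000001: %u bytes\n",
           vulnerable_alloc_size(0x10000001u));
    printf("checked: count 0x10000001 -> %s\n",
           request_size_ok(0x10000001u) ? "accepted" : "rejected");
    printf("checked: count 8 -> %s\n", request_size_ok(8u) ? "accepted" : "rejected");
    printf("demo request result: %d\n", demo_valid_request());
    return 0;
}
```

The detection side of the same defect is the mismatch between the value used for allocation and the value used for the copy loop; a reviewer or static checker looking for size arithmetic done in the width of the user-supplied field, rather than in `size_t` with an overflow check, will catch this pattern before it reaches a driver.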
We wanted to exploit CVE-2014-3100, a stack-based buffer overflow in Android's
We needed to bypass the stack canary. Long story short, we devised probabilistic attacks that enable an attacker to predict random bytes that are extracted from the underlying entropy pool of /dev/urandom during device boot, such as Keystore's canary value.