
Two Bugs With One PoC: Rooting Pixel 6 From Android 12 to Android 13

Conference:  Black Hat Asia 2023

2023-05-11

Authors:   Yong Wang


Abstract

Pixel 6 is the first phone to ship with the new Tensor chip, fully designed and developed by Google. It runs Linux kernel 5.10, which brings many new changes and challenges for rooting; the attack surfaces, however, have changed little. In this talk, I will first review an old, public vulnerability that was exploited in the wild and detail how to build a PoC for it step by step. Even without variant analysis, a similar issue can be found and a new PoC written in less than 10 minutes. The same PoC also implicitly triggers a second, Use-After-Free vulnerability without causing a kernel panic.

Before diving into how to exploit these two bugs, I will briefly discuss the changes and challenges of rooting Android 12/13 devices. I will then detail, for each of the two vulnerabilities, how to exploit it, how to bypass the general mitigations (KASLR, UAO, PAN, etc.), and how to root Pixel 6 from Android 12 through Android 13 with a 100% success rate. During the presentation I will give a live demo of rooting Pixel 6. Neither the vulnerabilities nor the exploitation ideas have been thoroughly presented in any previous talk.

Materials: