Pixel 6 Pro on 办公AI智能小助手 https://blog.qife122.com/tags/pixel-6-pro/ Recent content in Pixel 6 Pro on 办公AI智能小助手 Hugo zh-cn qife Mon, 12 Jan 2026 16:30:12 +0800 单漏洞提权:Pixel 6 Pro Mali GPU内核漏洞分析与利用 https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/ Mon, 12 Jan 2026 16:30:12 +0800 https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/ <h1 id="solo-a-pixel-6-pro-story-当仅需一个漏洞时--star-labs">Solo: A Pixel 6 Pro Story (当仅需一个漏洞时) | STAR Labs</h1> <p><strong>June 5, 2025 · 36 min · Lin Ze Wei</strong></p> <h2 id="目录">目录</h2> <ul> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#root-cause-analysis">Root Cause Analysis</a> <ul> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#cve-2023-48409">CVE-2023-48409</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#what-is-config_hardened_usercopy">What is CONFIG_HARDENED_USERCOPY?</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#the-missing-piece-cve-2023-26083">The Missing Piece: CVE-2023-26083</a></li> </ul> </li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#one-bug-to-root">One Bug to Root</a> <ul> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#physmap-spraying">Physmap Spraying</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#pagetable-spraying">Pagetable Spraying</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#from-physical-to-virtual-converting-our-primitive">From Physical to Virtual: Converting Our Primitive</a></li> </ul> </li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#androids-unique-challenges">Android&rsquo;s Unique Challenges</a> <ul> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#bypassing-androids-app-sandbox">Bypassing Android&rsquo;s App Sandbox</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#disabling-selinux-enforcement">Disabling SELinux Enforcement</a></li> </ul> </li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#a-surprise-discovery">A Surprise Discovery</a> <ul> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#understanding-the-timeline-stream-leak">Understanding the Timeline Stream Leak</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#command-stream-frontend">Command Stream Frontend</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#the-golden-object-kbase_context">The Golden Object: kbase_context</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#cleaning-up-making-the-exploit-practical">Cleaning Up: Making the Exploit Practical</a></li> </ul> </li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#conclusion">Conclusion</a></li> <li><a href="https://blog.qife122.com/p/%E5%8D%95%E6%BC%8F%E6%B4%9E%E6%8F%90%E6%9D%83pixel-6-pro-mali-gpu%E5%86%85%E6%A0%B8%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E4%B8%8E%E5%88%A9%E7%94%A8/#references">References</a></li> </ul> <h2 id="root-cause-analysis">Root Cause Analysis</h2> <h3 id="cve-2023-48409">CVE-2023-48409</h3> <p>在12月2023年的Pixel安全公告中提到了该漏洞。通过回滚设备版本至UP1A.231005.007进行验证。漏洞描述为:在<code>gpu_pixel_handle_buffer_liveness_update_ioctl</code>函数中,由于整数溢出可能导致越界写入,本地攻击者无需额外权限即可提权。</p>