Share
## https://sploitus.com/exploit?id=5110EFE8-0F4F-5A2A-8D86-979A9CD10ED6
# GhostLock CVE-2026-43499 โ€” Xiaomi Pad 7 Ultra (jinghu)

## Overview

Port of the [GhostLock](https://nebusec.ai/research/ionstack-part-2) stack-UAF exploit to Xiaomi Pad 7 Ultra (codename jinghu, XRing O1 SoC, Android 16 / HyperOS 3.0, kernel 6.6.77-android15-8).

CVE-2026-43499 is a **stack Use-After-Free** in the Linux futex subsystem โ€” specifically in `rt_mutex_cleanup_proxy_lock`, which skips `remove_waiter` when `owner == current`, leaving `task->pi_blocked_on` dangling after the syscall returns.

## Device info

| Component | Value |
|-----------|-------|
| Device | Xiaomi Pad 7 Ultra |
| SoC | XRing O1 |
| RAM | 12 GB |
| Kernel | 6.6.77-android15-8 (Clang 18 LTO+PGO+BOLT+MLGO) |
| Android | 16 (SDK 36), HyperOS 3.0.301.0 |
| SELinux | Enforcing |
| Root | None |
| VA_BITS | 39 |
| Page size | 4 KB |
| KASLR | Enabled |
| CONFIG_UBSAN_TRAP | y |
| CONFIG_PANIC_ON_OOPS | y |

## Exploit flow

```
waiter_thread:
  1. FUTEX_LOCK_PI(f_pi_chain)
  2. FUTEX_WAIT_REQUEUE_PI(f_wait โ†’ f_pi_target)
     โ†’ rt_mutex_wait_proxy_lock โ†’ blocks
  3. owner releases f_pi_target โ†’ waiter acquires lock
     โ†’ remove_waiter SKIPPED โ†’ pi_blocked_on DANGLES
  4. futex_wait_requeue_pi returns ret=0
  5. pselect() overwrites waiter stack with fd_set + saved registers
  6. waiter->lock = &pselect_user_lock (user-space readfds pointer)

consumer_thread:
  7. sched_setattr โ†’ rt_mutex_adjust_pi โ†’ rt_mutex_adjust_prio_chain
  8. Reads UAF waiter โ†’ lock=&pselect_user_lock โ†’ owner=fake_task|1
  9. Hop to sprayed fake_task โ†’ fake_task.pi_waiters
 10. rb_erase_cached + rb_insert_color โ†’ write *ASHMEM_MISC_FOPS = fake_fops
```

## Structure offsets (jinghu kernel 6.6.77)

See `src/targets/jinghu/target.h` for the full offset table.

## Files

| File | Purpose |
|------|---------|
| `src/main.c` | Thread orchestration (waiter/owner/consumer) |
| `src/fops.c` | pselect fd_set layout, try_cfi_stage |
| `src/util.c` | SLUB spray payload, configfs read/write |
| `src/slide.c` | boot_id leak via slide pselect |
| `src/pipe.c` | pipe-physrw (post-FOPS-swap) |
| `src/root.c` | Root installation |
| `src/targets/jinghu/target.h` | Offset table for jinghu |

## Build

Requires Android NDK r27d. Edit `build.bat` to set `NDK` path.

```
build.bat
adb push preload.so /data/local/tmp/
adb shell LD_PRELOAD=/data/local/tmp/preload.so id
```

## Current status

- [x] KernelSnitch mm_struct leak
- [x] Stack-UAF trigger (fwq ret=0)
- [x] PI chain via sched_setattr (40ร— success)
- [x] PAN bypass (user-space lock accessible via ldxr/casa)
- [x] EBADF avoidance (empty readfds word0)
- [ ] FOPS write (owner hop reaches fake_task but exits at pi_blocked_on)
- [ ] pipe-physrw
- [ ] Root + SELinux off

The remaining blocker: `fake_task+0x938` (pi_blocked_on) must point to a valid
waiter structure whose +0x58 field equals `&pselect_user_lock`. Currently
the chain walk exits prematurely.