A combination of weaknesses in the Android GPU driver (kgsl) and ion as
deployed on Snapdragon devices allows a non-privileged user access to
physical memory.
This affects Snapdragon devices with Adreno 3xx that have per-process pagetables
enabled (CONFIG_KGSL_PER_PROCESS_PAGE_TABLE=y). I have not checked whether Adreno
2xx devices are vulnerable to a similar sort of attack.
It is not an easy attack, but I believe it should be taken seriously, as it
could allow root access on a wide range of devices.
A proof of concept is enclosed, which writes "Kilroy was here" to a dummy
buffer (victim) with a known physical address, purely to demonstrate the concept.
More here: https://github.com/robclark/kilroy