Pwning the all Google phone with a non-Google bug (CVE-2022-38181)
Same bug/CVE: see the canonical note Mali GPU IOMMU race (CVE-2022-38181 / GHSL-2022-054).
Mechanism
The same Arm Mali kbase JIT-eviction use-after-free. The full mechanism (the KBASE_REG_NO_USER_FREE invariant, eviction via KBASE_IOCTL_MEM_FLAGS_CHANGE + DONT_NEED, shrinker reclaim, and the reuse of the freed backing pages as GPU PGDs) is covered in the canonical note: Mali GPU IOMMU race.
Walkthrough
The full walkthrough is in the canonical note: Mali GPU IOMMU race.