The write up can be found [here](https://github.blog/2022-07-27-corrupting-memory-without-memory-corruption/). This is a bug in the Arm Mali kernel driver that I reported in January 2022. The bug can be used to gain arbitrary kernel code execution from the untrusted app domain, which is then used to disable SELinux and gain root.
4
6
5
7
The exploit is tested on the Google Pixel 6 and supports patch levels from Novmember 2021 to Feburary 2022. It is easy to add support for other firmware by changing a few image offsets. For reference, I used the following command to compile with clang in ndk-21: