Driving forward in Android drivers
Posted by Seth Jenkins, Google Project Zero

Introduction

Android's open-source ecosystem has led to an incredible diversity of manufactu...
Nevertheless, inspired by previous similar efforts on hardware like Samsung's NPU, I performed research on the EdgeTPU driver, Google's tensor processing unit for doing ML-related tasks on the Pixel series of devices.

Those stale pointers can (and in practice often do) point to other freed objects, which may be allocated from a different slab cache entirely, potentially including the generic kmalloc slab caches.

This is absolutely correct, and one would expect that in an exploit where exceptional reliability is a priority, it may be necessary to perform some heap shaping in order to bury this freed struct file deeply in the allocator freelists.