Gaining kernel code execution on an MTE-enabled Pixel 8
Blog post from GitHub
CVE-2023-6241 is a significant vulnerability in the Arm Mali GPU that allows a malicious Android app to execute arbitrary kernel code and gain root access, affecting devices such as Google's Pixel 7 and Pixel 8 in particular. The flaw, a logic bug in the GPU's memory management unit, can bypass the Memory Tagging Extension (MTE) mitigation, which is designed to detect memory corruption. The vulnerability arises when a race condition occurs during the allocation and freeing of Just-In-Time (JIT) memory, leaving the memory mappings in an inconsistent state that can be exploited to access memory pages that have already been freed. Because MTE's tag checks are enforced on CPU memory accesses, an access made by the GPU itself is never tag-checked; the exploit therefore uses the GPU to access physical memory directly, sidestepping MTE, whose protection relies on detecting memory corruption at an early stage. Although MTE is effective at mitigating many memory-safety vulnerabilities, this case highlights the security challenges posed by coprocessors and their kernel drivers, and suggests they will remain critical attack vectors in the future.