🔴 HIGH vulnerability

Android KASLR Bypass - Pixel Kernel Mapping Weakness

Android KASLR bypass research from Google Project Zero reveals that Pixel devices can expose stable kernel addresses even when exploit developers lack a traditional leak. The analysis focuses on the Linux kernel's linear mapping region on arm64 Android builds, where memory hot-plugging and address-space limits force the linear map to start at a predictable virtual base. On affected Pixels, the bootloader consistently decompresses the kernel image at physical address 0x80010000, and memstart_addr is effectively fixed at 0x80000000. Combined with a static phys_to_virt calculation, this turns the linear mapping into a reliable reference for computing kernel virtual addresses from physical addresses alone. The researchers show how exported symbols like memstart_addr and stext can be correlated with kernel .data entries such as modprobe_path to compute an invariant linear map address that remains valid across reboots. Even though KASLR nominally randomizes the kernel text mapping, this stable linear map allows an attacker who already holds an arbitrary write primitive to modify key kernel data structures through their linear aliases. The work highlights how configuration choices like CONFIG_MEMORY_HOTPLUG and three-level paging interact with layout decisions to silently erode KASLR guarantees on mobile devices. While the technique itself does not provide initial code execution, it dramatically lowers the bar for post-exploitation privilege escalation and persistence on vulnerable Pixel phones.
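The following model is an added illustration, not code from the Project Zero post: it carries the page's argument through with its own symbols, showing why a fixed memstart_addr and a fixed physical load address make the linear-map alias of a .data symbol identical across boots while the KASLR'd text address keeps moving. Only the two physical values come from the page; PAGE_OFFSET, KIMAGE_VADDR and the symbol offsets are labelled assumptions and must be replaced with the real values from the build being audited.

```python
# Added model (not the Project Zero post's code): the arm64 linear-map alias of a
# kernel .data symbol versus its KASLR-randomized text address, across several boots.
# The two physical values are the ones the page states; everything else is an assumption.

KERNEL_LOAD_PHYS = 0x80010000   # page: bootloader decompresses the image here on affected Pixels
MEMSTART_ADDR    = 0x80000000   # page: memstart_addr is effectively fixed at this value

# ASSUMPTION: linear-map base for an arm64 build using 39-bit virtual addresses on older
# kernels. Newer kernels place the linear map elsewhere; take the real value from the
# build under audit before drawing any conclusion.
PAGE_OFFSET      = 0xFFFFFFC000000000
# ASSUMPTION: unrandomized kernel text base; KASLR adds a per-boot offset to it.
KIMAGE_VADDR     = 0xFFFFFF8008080000
# ASSUMPTION: illustrative image-relative symbol offsets (real ones come from System.map).
SYMBOL_OFFSETS   = {"stext": 0x0, "modprobe_path": 0x1A3B000}


def phys_to_virt(phys: int) -> int:
    """Static arm64 linear-map translation: virt = PAGE_OFFSET + (phys - memstart_addr)."""
    return PAGE_OFFSET + (phys - MEMSTART_ADDR)


class Boot:
    """One boot of the device with a given KASLR text offset (constructed value)."""

    def __init__(self, kaslr_offset: int):
        self.stext = KIMAGE_VADDR + kaslr_offset      # randomized text mapping

    def text_addr(self, sym: str) -> int:
        return self.stext + SYMBOL_OFFSETS[sym]

    def linear_alias(self, sym: str) -> int:
        # Physical placement is fixed, so the linear alias never sees the KASLR offset.
        return phys_to_virt(KERNEL_LOAD_PHYS + SYMBOL_OFFSETS[sym])


def kaslr_protects(sym: str, boots: list) -> dict:
    """Audit helper: report whether each mapping of `sym` actually varies across boots."""
    return {
        "text_mapping_varies": len({b.text_addr(sym) for b in boots}) > 1,
        "linear_alias_varies": len({b.linear_alias(sym) for b in boots}) > 1,
    }


if __name__ == "__main__":
    boots = [Boot(off) for off in (0x0, 0x1_0000_0000, 0x3_4567_0000)]  # constructed offsets
    print(kaslr_protects("modprobe_path", boots))
    # -> {'text_mapping_varies': True, 'linear_alias_varies': False}
```

A build is only protected when both flags are true; on the configurations the page describes, the second stays false regardless of how many boots are sampled.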

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: Android KASLR bypass on Pixel devices increases the reliability of kernel exploits, raising the risk of long-lived, stealthy implants on high-value mobile endpoints.

Defensive Priority: Prioritize firmware and kernel updates that address linear mapping predictability, and treat arbitrary kernel write vulnerabilities as effectively KASLR-neutralized on affected builds.

Industry Implications: Mobile ecosystem stakeholders must revisit memory layout and hot-plug design choices that weaken fundamental exploit mitigations like KASLR.

Strategic Intelligence Guidance

  • Work with mobile fleet providers to identify Pixel and other Android devices using vulnerable kernel configurations and ensure they receive the latest security updates.
  • Update exploit risk models to assume that KASLR does not provide strong protection where linear mapping and physical placement are effectively static.
  • Increase telemetry collection from rooted or developer-enabled devices, which are more likely to be targeted for kernel exploitation and debugging abuse.
  • Engage with vendors and carriers to push for kernel configurations that preserve address randomization even in the presence of memory hot-plug features.

Vendors

Google, Android, Pixel

Threats

KASLR bypass, Kernel exploitation

Targets

Android Pixel devices, Mobile endpoints

Intelligence Source: Android KASLR Bypass - Pixel Kernel Mapping Weakness | Nov 4, 2025