The Qualcomm Adreno GPU shares a global mapping called the
"scratch" buffer with the Adreno KGSL kernel driver. The contents
of the scratch buffer can be overwritten by untrusted GPU commands
submitted from userland. This leads to a logic error in the Adreno
driver's ringbuffer allocation code, which can be used to corrupt
ringbuffer data. A race condition exists between the ringbuffer
corruption and a GPU context switch; winning that race bypasses the
GPU protected mode setting. This ultimately means that an attacker
can read and write arbitrary physical addresses from userland by
running GPU commands while protected mode is disabled, which results
in arbitrary kernel code execution.

