
Defeating KASLR by Doing Nothing at All

ID: a58f9552-1cae-5b8d-bd7c-ae5ec618e98f

STIX ID: report--a58f9552-1cae-5b8d-bd7c-ae5ec618e98f

Feed Name: Google Project Zero

Threat Score: 70/100

Date Published: 2025-11-03

Date Updated: 2026-04-27

Author: Google Project Zero

...
...

This research demonstrates that the Linux kernel's linear mapping on arm64 is effectively not randomized (PHYS_OFFSET and the placement of the linear map are static) and that Pixel devices load the kernel at a fixed physical address, which lets an attacker compute stable kernel virtual addresses (e.g. from the base 0xffffff8000010000). Given an arbitrary read/write primitive, an attacker can reliably reach the kernel's .data section through the linear map (which is mapped read/write) and place attacker-controlled physical pages at predictable kernel virtual addresses, substantially weakening KASLR and simplifying kernel exploitation. The issues were reported to upstream and to Google, but both behaviors are currently treated as intended, so practical mitigation remains limited.
