Man Yue Mo: Gaining kernel code execution on an MTE-enabled Pixel 8
Tuesday March 19, 2024. 02:39 PM , from LWN.net
Man Yue Mo explains how to compromise a Pixel 8 phone even when the Arm memory-tagging extension is in use, by taking advantage of the Mali GPU.

"So, by using the GPU to access physical addresses directly, I'm able to completely bypass the protection that MTE offers. Ultimately, there is no memory safe code in the code that manages memory accesses. At some point, physical addresses will have to be used directly to access memory."
https://lwn.net/Articles/965926/