The crosshatch kernel repository (github.com/GrapheneOS/ker) is now used for the Pixel 3a and Pixel 3a XL in addition to the Pixel 3 and Pixel 3 XL. GrapheneOS will still use specialized kernel builds for each device with varying modules to improve CFI and reduce attack surface.
Conversation
Replying to
You have been speaking much of kernel insecurity, and i jsut read the news today about new 0-day ---thehackernews.com/2019/10/androi
Btw Pixel 3 seems not to be invloled...
PLs can u tell if Pixel 3a have same kernel security as Pixel 3?
1
1
Replying to
Pixel 3 and 3a have comparable security and use the same kernel source tree. This issue was also mitigated on GrapheneOS by CONFIG_DEBUG_LIST + CONFIG_PANIC_ON_DATA_CORRUPTION. Please see what I've written about this issue:
Quote Tweet
In the past, when GrapheneOS was in a better state, the latest kernel.org LTS branches were promptly merged along with additional fixes not included in the upstream branches. The fix for the bug now assigned CVE-2019-2215 was already applied for the Pixel 1 and 2.
Show this thread
2
1
3
Quote Tweet
twitter.com/DanielMicay/st
It's worth noting that CONFIG_DEBUG_LIST is enabled in GrapheneOS with panic on data corruption, which according to bugs.chromium.org/p/project-zero breaks the exploit primitive. However, this is just one vulnerability, and many won't be mitigated like that.
Show this thread