Android is smarter than setuid + system partitions aren't writable.

System partitions being non-writable has nothing to do with the vulnerability - it allows modifying the cache of any file that you can open for reading.

Not using setuid anywhere means you'd have to build a slightly more clever exploit, but it's still trivial - just modify some binary you know will run as root "soon".

But... I didn't check, but IIRC the untrusted_app secontext that apps run in is not allowed to open AF_ALG sockets - so you can't directly trigger the vulnerability as a malicious app. Although it might be possible in some roundabout way (requesting some more privileged crypto service to do so).

	▲	int0x29 3 hours ago \| parent \| next [-]
		Edit: Ignore this I overlooked calling order. It is indeed blocked ~~My allegedly fully patched pixel 8 pro allowed an AF_ALG socket to open under termux without virtualization so I'm not sure the last but is true~~
	▲	zb3 2 hours ago \| parent \| prev [-]
		Ah, I blindly assumed such memory would be mapped readonly...

▲

int0x29 3 hours ago | parent | prev [-]

Its not writing to the partition though is it? It is polluting the cache page via a write with a buffer overrun in the kernel. I don't think buffer overruns follow permissions.

	▲	zb3 2 hours ago \| parent [-]
		I assumed such memory would be mapped readonly (PROT_READ), without actually looking into it..