[lightedman]

"No chance of DMA access"

The USB URB structure have a field named 'dma_addr_t transfer_dma', used for DMA access. I've abused that to chain vulnerabilities. To boot, it is possible to develop an I2C-B2C or SPI bus master which is capable of DMA toward the host memory. Linux 2.5 kernels and later, USB device drivers have additional control over how DMA may be used to perform I/O operations.

Do any of these guys actually read the hardware specs or do any real hardware hacking?