The usermode audio subsystem for the "Samsung Android Professional Audio" is 
based on JACK, which appears to be designed for single-user usage. The common 
JACK configuration on Linux systems appears to be a JACK server running under 
the current user account, and interacting with JACK clients from the same user 
account; so with a minimal privilege difference; this is not the case with the 
configuration on Android, where the JACK service runs as a more privileged user 
in a less restrictive SELinux domain to the clients that can connect to it.

The JACK shared memory implementation uses the struct jack_shm_info_t defined in
/common/shm.h to do some bookkeeping

PRE_PACKED_STRUCTURE
struct _jack_shm_info {
    jack_shm_registry_index_t index;       /* offset into the registry */
    uint32_t size;
#ifdef __ANDROID__
    jack_shm_fd_t fd;
#endif
    union {
        void *attached_at;  /* address where attached */
        char ptr_size[8];
    } ptr;  /* a "pointer" that has the same 8 bytes size when compling in 32 or 64 bits */
} POST_PACKED_STRUCTURE;

typedef struct _jack_shm_info jack_shm_info_t;

This struct is stored at the start of every JackShmAble object.

/*!
\brief
A class which objects possibly want to be allocated in shared memory derives from this class.
*/

class JackShmMemAble
{
    protected:

        jack_shm_info_t fInfo;

    public:

        void Init();

        int GetShmIndex()
        {
            return fInfo.index;
        }

        char* GetShmAddress()
        {
            return (char*)fInfo.ptr.attached_at;
        }

        void LockMemory()
        {
            LockMemoryImp(this, fInfo.size);
        }

        void UnlockMemory()
        {
            UnlockMemoryImp(this, fInfo.size);
        }

};

This means that whenever the JACK server creates an object backed by shared 
memory, it also stores a pointer to that object (in the address space of the 
JACK server), allowing a malicious client to bypass ASLR in the JACK server 
process. 

The PoC provided for the other reported JACK issue uses this to bypass ASLR in 
the JACK server process.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.