tl;dr

• The patch adds a vulnerable virtio device
• The device accesses pointers without bound check
• Abuse OOB pointer access to setup arb r/w primitive
• Craft open,read,write ropchain on heap
• Overwrite virtqueue handler with stack pivoting gadget