
ARM GPU kernel drivers are vulnerable and under active exploitation

Summary

On October 2nd, 2023, ARM disclosed three security vulnerabilities for the Mali GPU Kernel Driver. The security vulnerabilities affect a significant amount of devices, and there are indications that one vulnerability may be under limited, targeted exploitation. Patches may not be available for all devices.

 

Quotes


Arm warned on Monday of active ongoing attacks targeting a vulnerability in device drivers for its Mali line of GPUs, which run on a host of devices, including Google Pixels and other Android handsets, Chromebooks, and hardware running Linux.

“A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,” Arm officials wrote in an advisory. “This issue is fixed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r43p0. There is evidence that this vulnerability may be under limited, targeted exploitation. Users are recommended to upgrade if they are impacted by this issue.

The advisory continued: “A local non-privileged user can make improper GPU processing operations to access a limited amount outside of buffer bounds or to exploit a software race condition. If the system’s memory is carefully prepared by the user, then this in turn could give them access to already freed memory.”

(...)

 

The most prevalent platform affected by the vulnerability is Google’s line of Pixels, which are one of the only Android models to receive security updates on a timely basis. Google patched Pixels in its September update against the vulnerability, which is tracked as CVE-2023-4211. Google has also patched Chromebooks that use the vulnerable GPUs. Any device that shows a patch level of 2023-09-01 or later is immune to attacks that exploit the vulnerability. The device driver on patched devices will show as version r44p1 or r45p0.

CVE-2023-4211 is present in a range of Arm GPUs released over the past decade. The Arm chips affected are:

  • Midgard GPU Kernel  Driver: All versions from r12p0 - r32p0
  • Bifrost GPU Kernel Driver: All versions from r0p0 - r42p0
  • Valhall GPU Kernel Driver: All versions from r19p0 - r42p0
  • Arm 5th Gen GPU Architecture Kernel Driver: All versions from r41p0 - r42p0

Devices believed to use the affected chips include the Google Pixel 7, Samsung S20 and S21, Motorola Edge 40, OnePlus Nord 2, Asus ROG Phone 6, Redmi Note 11, 12, Honor 70 Pro, RealMe GT, Xiaomi 12 Pro, Oppo Find X5 Pro, and Reno 8 Pro and some phones from Mediatek.

- Ars Technica

 

On October 2nd, 2023, ARM disclosed three security vulnerabilities in their GPU kernel drivers. The security vulnerabilities affect a wide range of ARM GPU drivers, including multiple different architectures and versions. For specific information on affected drivers, please see ARM's Specifications Page.

 

The vulnerabilities have been addressed in Android's latest security patches (2023-10-05 or higher).

 

According to Google's Android Security Bulletin for October 2023, there are indications that one vulnerability (CVE-2023-4211) may be under limited, targeted exploitation.

 

For more information regarding the vulnerabilities and security updates, you should check with your device manufacturer. Assuming, of course, that your device is still supported...

 

Note: for Google Pixel owners, this vulnerability has been addressed in the September security update (2023-09-01).

 

My thoughts

 

I'm not an expert in this area so I can't say this with confidence, but it seems like a LOT of devices are going to be affected by this... including devices that are not supported anymore. Not only are Mali GPUs used by many manufacturers, the security vulnerabilities seem to be included in many driver versions. Look at their Bifrost architecture drivers, for example. ARM says that kernel driver versions from r0p0 to r42p0 are affected, and going by what's on ARM's developer page, that's every kernel driver before March 24th, 2023... and r0p0 was released in June 2016. Nearly seven years worth of drivers are affected, and who knows how many phones can't update due to discontinued support?

 

Also, my current phone is a Galaxy S9+, which uses ARM's Mali-G72 GPU... which is based on ARM's 2nd generation Bifrost architecture... and Samsung doesn't offer updates for the S9 anymore.

Time for a new phone... I guess?

 

 

Sources

ARM Security Bulletin

https://developer.arm.com/Arm Security Center/Mali GPU Driver Vulnerabilities

 

Android Security Bulletin - October 2023

https://source.android.com/docs/security/bulletin/2023-10-01

 

Ars Technica

https://arstechnica.com/security/2023/10/vulnerable-arm-gpu-drivers-under-active-exploitation-patches-may-not-be-available/
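A small triage helper, added here as an example (it is not from the original post, Arm or Google): it encodes the affected driver version ranges and the fixed patch levels quoted above and classifies a device record as patched, vulnerable, outside the affected range, or not a Mali GPU at all. The architecture name, driver version string and Android patch level are assumed to come from the device vendor or an MDM export; the fleet records below are constructed.

```python
import re
from datetime import date

# Inclusive Mali GPU kernel driver version ranges affected by CVE-2023-4211,
# per architecture, as listed in Arm's advisory (r43p0 carries the fix).
AFFECTED_RANGES = {
    "midgard": ("r12p0", "r32p0"),
    "bifrost": ("r0p0", "r42p0"),
    "valhall": ("r19p0", "r42p0"),
    "arm5thgen": ("r41p0", "r42p0"),
}
_VERSION_RE = re.compile(r"^r(\d+)p(\d+)$")

def parse_version(text):
    """Parse a Mali driver version such as 'r42p0' into a comparable (42, 0)."""
    m = _VERSION_RE.match(text.strip().lower())
    if not m:
        raise ValueError(f"not a Mali driver version string: {text!r}")
    return int(m.group(1)), int(m.group(2))

def driver_in_affected_range(arch, version):
    """True if the driver version sits inside the advisory range for this architecture."""
    lo, hi = AFFECTED_RANGES[arch.lower()]
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)

def patch_level_covers(level, fixed_level):
    """Android security patch levels are ISO dates, so compare them as dates."""
    return date.fromisoformat(level) >= date.fromisoformat(fixed_level)

def triage(arch, driver_version, patch_level, fixed_level="2023-10-05"):
    """Classify one device: 'patched', 'vulnerable', 'not_in_range' or 'unknown_arch'.
    fixed_level defaults to the October Android bulletin; use "2023-09-01" for Pixel."""
    if arch.lower() not in AFFECTED_RANGES:
        return "unknown_arch"  # non-Mali GPU: this advisory does not apply
    if patch_level_covers(patch_level, fixed_level):
        return "patched"
    if driver_in_affected_range(arch, driver_version):
        return "vulnerable"
    return "not_in_range"  # e.g. r44p1/r45p0, which patched devices report

def triage_fleet(fleet):
    """Map each (name, arch, driver_version, patch_level) record to its status."""
    return {name: triage(arch, drv, lvl) for name, arch, drv, lvl in fleet}

# Constructed sample inventory (hypothetical devices and values, not real data).
SAMPLE_FLEET = [
    ("galaxy-s9plus", "bifrost", "r32p0", "2019-08-01"),
    ("rog-phone-6", "valhall", "r42p0", "2023-10-05"),
    ("snapdragon-dev", "adreno", "n/a", "2023-08-05"),
]
```

A device that reports a patch level at or past the fixed level is treated as patched regardless of the driver string, matching the Ars Technica note that patched devices also report a newer driver.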


As to a reason why support should be longer.

And how many will feel that over these "covid years" now suddenly your device is unsupported and might need some patching.

I guess another reason to make an attractive upgrade path for work phones too, everyone gets a new one.


9 hours ago, Fasterthannothing said:

Bro how can they have a patch dated 10-5 and claim it's released c'mon 

Probably because some areas of the world it's 10-5?

CPU - Ryzen 7 3700X | RAM - 64 GB DDR4 3200MHz | GPU - Nvidia GTX 1660 ti | MOBO -  MSI B550 Gaming Plus


So I'm guessing the Apple devices aren't affected because they use an in-house designed GPU?

There is more that meets the eye
I see the soul that is inside


15 hours ago, captain_to_fire said:

So I'm guessing the Apple devices aren't affected because they use an in-house designed GPU?

Correct. Snapdragon devices should also be fine as well, as Adreno (unless something changed majorly in the last few years I’d been under a rock for) is an in-house design as well. And for that matter, Nvidia Tegra devices. 

My eyes see the past…

My camera lens sees the present…


I'll let you know when my device gets malware!

 

This whole thing is a scam, a planned scam, full of greed and electronic waste.  Can any current malware affect the factory firmware image to the point that a software reset will not erase the malware?

 

And what is the current rate of android malware infection vs the 3+ billion android devices in use?  Until there is a huge, massive outbreak of malware which overtakes the stock image, then I could care less.

: JRE #1914 Siddarth Kara

How bad is e-waste?  Listen to that Joe Rogan episode.

 

"Now you get what you want, but do you want more?
- Bob Marley, Rastaman Vibration album 1976

 

Windows 11 will just force business to "recycle" "obsolete" hardware.  Microsoft definitely isn't bothered by this at all, and seems to want hardware produced just a few years ago to be considered obsolete.  They have also not shown any interest nor has any other company in a similar financial position, to help increase tech recycling whatsoever.  Windows 12 might be cloud-based and be a monthly or yearly fee.

 

Software suggestions


Just get f.lux [Link removed due to forum rules] so your screen isn't bright white at night, a golden orange in place of stark 6500K bluish white.

released in 2008 and still being improved.

 

Dark Reader addon for webpages.  Pick any color you want for both background and text (background and foreground page elements).  Enable the preview mode on desktop for Firefox and Chrome addon, by clicking the dark reader addon settings, choose dev tools and click preview mode.

 

NoScript or EFF's privacy badger addons can block many scripts and websites that would load and track you, possibly halving page load time!

 

F-droid is a place to install open-source software for android, Antennapod, RethinkDNS, Fennec which is Firefox with about:config, lots of performance and other changes available, mozilla KB has a huge database of what most of the settings do.  Most software in the repository only requires Android 5 and 6!

 

I recommend firewall apps (blocks apps) and dns filters (redirect all dns requests on android, to your choice of dns, even if overridden).  RethinkDNS is my pick and I set it to use pi-hole, installed inside Ubuntu/Debian, which is inside Virtualbox, until I go to a website, nothing at all connects to any other server.  I also use NextDNS.io to do the same when away from home wi-fi or even cellular!  I can even tether from cellular to any device sharing via wi-fi, and block anything with dns set to NextDNS, regardless if the device allows changing dns.  This style of network filtration is being overridden by software updates on some devices, forcing a backup dns provider, such as google dns, when built in dns requests are not connecting.  Without a complete firewall setup, dns redirection itself is no longer always effective.


On 10/3/2023 at 5:57 PM, PocketNerd said:

Probably because some areas of the world it's 10-5?

Looks at the date it was posted...sure, keep telling yourself that.  Your post was on Oct 3 at 5:57PM pacific.  That means at best it can only be Oct 4th at the time of the post anywhere in the world.

 

Overall I have a feeling that we are going to be getting more and more vulnerabilities found as technology gets more and more complex (and more and more building on top of the work we already have)

3735928559 - Beware of the dead beef


31 minutes ago, E-waste said:

Can any current malware affect the factory firmware image to the point that a software reset will not erase the malware?

As soon as it gets root privileges (which the exploit is used for) it can do whatever it wants. Including the modification of the flash and thus "Download Mode" rendering removal impossible because it will reinfect whatever you are installing in that mode.

This is just another example why phones should have a firmware similar to computers (minus the BS NVRAM), that way it would be possible to load something clean from external storage and wipe the malware.....


26 minutes ago, wanderingfool2 said:

Looks at the date it was posted...sure, keep telling yourself that.

I'm just guessing, no need for the hostility



On 10/11/2023 at 1:33 PM, PocketNerd said:

I'm just guessing, no need for the hostility

There are 24 timezones on Earth, for a nearly 24 hour day.  When one half of the Earth is dark, the other side is lit by the Sun.

 

So the most time ahead an area can be, is 23 hours, as that area has already rotated for their day, whereas the "behind" timezone hasn't yet rotated toward the sun for that date.

