Several Android smartphones from manufacturers including Google, Samsung, Xiaomi, Oppo, and others are vulnerable to a set of five exploitable vulnerabilities in ARM’s Mali GPU driver.
Although Arm fixed these flaws months ago, Android device manufacturers have still not shipped the fixes to their devices.
According to a report published by Google’s Project Zero (GPZ), the GPZ team discovered five exploitable vulnerabilities related to the ARM Mali GPU driver between June and July 2022.
Project Zero tracks the five bugs as issues 2325, 2327, 2331, 2333, and 2334 in its issue tracker. One of them (2334) leads to kernel memory corruption, and another (2331) discloses physical memory addresses to user space.
Further, the remaining three issues (2325, 2327, 2333) lead to a physical page use-after-free condition. These would enable an attacker to continue to read and write physical pages after they had been returned to the system.
Arm fixed all of these issues “promptly” in July and August 2022, disclosed them as security issues on its Arm Mali Driver Vulnerabilities page (assigning CVE-2022-36449), and published the patched driver source on its public developer website.
A related Mali GPU bug that Arm has also fixed is tracked as CVE-2022-33917. It allows a non-privileged user to perform improper GPU processing operations and thereby gain access to already freed memory. It affects the Arm Mali GPU kernel driver for Valhall GPUs, versions r29p0 to r38p0.
In his report, Project Zero researcher Ian Beer describes the delay between Arm’s fix and the vendors’ device updates as the “patch gap”: it routinely takes several months for firmware security updates to trickle downstream to affected Android devices.
In line with GPZ’s 2021 disclosure policy update, the team waited for an additional 30 days before derestricting their Project Zero tracker entries between late August and mid-September 2022. However, on a recent check, Project Zero found that every test device which used Mali is still vulnerable to these issues.
“Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies,” Beer explained in the patch gap report.
“Minimizing the ‘patch gap’ as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch.
“Companies need to remain vigilant, follow upstream sources closely, and do their best to provide complete patches to users as soon as possible.”
Because the Mali driver is part of the kernel build that each Android vendor ships, end users cannot apply Arm’s driver patch themselves; they must wait for their vendor to incorporate it into a firmware update.
As a result, many Android smartphones remain vulnerable to the five issues. As of this week, however, Google’s Pixel and Android teams are working on a fix.
“The fix provided by Arm is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks. Android OEM partners will be required to take the patch to comply with future SPL requirements,” wrote GPZ’s Tim Willis, quoting a statement from the Android and Pixel teams (the SPL being the Android Security Patch Level that a device’s update declares).