Broken ARM: Mali Malware Pwns Phones
Yet more use-after-free vulns in Arm’s Mali GPU driver.
Google’s found a trio of nasty bugs in the Android GPU driver for the ARM Mali component. It affects flagship phones such as the Samsung Galaxy S20, Google Pixel 6 and 7, plus countless ChromeBooks.
There’s a patch upstream. In today’s SB Blogwatch, we wonder if it’ll ever get delivered to our phones.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: meng-Kate.
In the Wild
What’s the craic? Bill Toulas reports—“Arm warns of Mali GPU flaws likely exploited”:
“Availability of a patch”
[The] vulnerability, affecting the widely-used Mali GPU drivers, … is currently tracked as CVE-2023-4211. [It] was discovered and reported to Arm by researchers of Google’s Threat Analysis Group (TAG) and Project Zero.
…
The security issue is described as an improper access to freed memory, a problem that could allow compromising or manipulating sensitive data. … Other flaws Arm disclosed in the same bulletin are CVE-2023-33200 and CVE-2023-34970, which allow a non-privileged user … to access already freed memory.
…
The availability of a patch for a vulnerable device depends on how quickly the device maker and vendor manage to integrate it in a reliable update. As the complexities of the supply chain vary, some users will receive the fix sooner than others.
Which phones? Nick Farrell is a bit arm-wavy—“Mali GPUs under attack”:
“Malicious code”
Arm has warned of active ongoing attacks targeting a vulnerability in device drivers for its Mali line of GPUs, which run on various devices, including Google Pixels and other Android handsets, Chromebooks, and hardware running Linux. … Google patched Pixels in its September update against the vulnerability. … Google has also patched Chromebooks that use the vulnerable GPUs.
…
Accessing system memory that’s no longer in use is a common mechanism for loading malicious code into a location an attacker can then execute. … Attackers often gain local access to a mobile device by tricking users into downloading malicious applications from unofficial repositories.
So, where are these patches? LucretiusNaturale has the 411:
This has been fixed with the Sept patch for Android and ChromeOS devices. … The issue is for any device that no longer gets OS level security patches and unfortunately there are too many of those still in use. If in the Android/ChromeOS world, be sure to use a device that continues to get security patch updates.
Such as? Not Samsung, apparently. Vlad_the_Inhaler weeps:
I have a Samsung and – as far as I can see – I am potentially affected. I looked up the specs for my device and it has a “Mali-G72 MP3” GPU, looking at “About phone” under Settings, “Software information” is the next to last entry there and my “Android security patch level” is 1 August 2023. My last Android update was 11 days ago. … Hopefully Samsung are going to post another Software update soon.
Something-something open source—something-something all bugs are shallow. rossy is really bothered:
As a new Pixel 7 owner, it really bothers me that Google went from championing the open source kernel drivers on their Snapdragon-based phones to using the proprietary Mali stack on their Google Tensor-based phones. This isn’t the first Mali vulnerability to affect these allegedly security-focused devices.
Déjà vu? Man Yue Mo has seen it all before—“‘Not-Google’ bug in the ‘all-Google’ phone”:
“Still easy to pwn Android”
The Arm Mali GPU is a “device-specific” hardware component which can be integrated into various devices, ranging from Android phones to smart TV boxes. For example, all of the international versions of the Samsung S series phones, up to S21 use the Mali GPU, as well as the Pixel 6 [and 7] series.
…
GPU drivers on Android are a very attractive target for an attacker, as they can be reached directly from the untrusted app domain and most Android devices use either Qualcomm’s Adreno GPU, or the Arm Mali GPU, meaning that relatively few bugs can cover a large number of devices. … Due to the complexity involved in managing memory sharing between user space applications and the GPU, many of the vulnerabilities in the Arm Mali GPU involve the memory management code.
…
The year is 2023 A.D., and it’s still easy to pwn Android with N-days entirely. … Yes, entirely.
Abandon ship! Move to iOS? hecksagon is the bestagon:
Apple just had an extremely critical vulnerability patched last month that only required a user to open a text message containing a specially crafted image. That’s way worse than having to install or sideload an app since it is completely passive.
Should future devices switch from ARM to RISC-V? Not so fast, says caseih:
RISC-V has all the same problems: … The GPUs that vendors choose to put in their RISC-V SoCs are just as proprietary, closed-spec, and secret as any ARM SoC, and all the same problems of boot loaders, binary blobs, and mesa and kernel forks that ARM does. If Mali is a thorn in your side, you’ll have the same thorn with RISC-V, and I don’t expect this to change soon.
Meanwhile, u/unique_ptr is a little disappointed:
A little disappointed they didn’t come up with a stupid gimmicky name for it like ArmAndALeg or ElbowBleed.
And Finally:
Hat tip: sjvn
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi, @richij or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.
Image sauce: Markus Spiske (via Unsplash; leveled and cropped)