Mali GPU ‘patch gap’ leaves Android users vulnerable to attacks - BleepingComputer


A set of five exploitable vulnerabilities in Arm's Mali GPU driver remain unfixed months after the chip maker patched them, leaving potentially millions of Android devices exposed to attacks.

Devices from Google, Samsung, Xiaomi, Oppo, as well as other phone makers are currently impacted and waiting for a fix to reach users.

A report published by Google's Project Zero team highlights the "patch gap" that plagues the supply chain in Android, as it typically takes several months for firmware security updates to trickle downstream to affected devices.

Original Equipment Manufacturer (OEM) partners need time to test the fixes and implement them in their devices, a process that extends the time it takes to reach end-user devices.

Flaws and impact

Project Zero discovered the vulnerabilities in June 2022. They are tracked as CVE-2022-33917 and CVE-2022-36449 (a collective identifier for multiple security issues).

CVE-2022-33917 allows a non-privileged user to make improper GPU processing operations to gain access to free memory sections. The vulnerability impacts Arm Mali GPU kernel drivers Valhall r29p0 to r38p0.

The second identifier, CVE-2022-36449, comprises issues that let a non-privileged user gain access to freed memory, write outside of buffer bounds, and disclose details of memory mappings.

It impacts Arm Mali GPU kernel drivers Midgard r4p0 through r32p0, Bifrost r0p0 through r38p0 and r39p0 before r38p1, and Valhall r19p0 through r38p0 and r39p0 before r38p1.

Project Zero tracks these issues as 2325, 2327, 2331, 2333, and 2334 and has disclosed technical details for each of them, along with demo code.

While the severity rating of the issues is medium, they are exploitable and impact a wide number of Android devices.

Valhall drivers are used in Mali G710, G610, and G510 chips found in the Google Pixel 7, Asus ROG Phone 6, Redmi Note 11 and 12, Honor 70 Pro, RealMe GT, Xiaomi 12 Pro, Oppo Find X5 Pro and Reno 8 Pro, Motorola Edge, and OnePlus 10R.

Android devices using the Mali G710 chip (GSMArena)

Bifrost drivers are used in the older (2018) Mali G76, G72, and G52 chips used by Samsung Galaxy S10, S9, A51 and A71, Redmi Note 10, Huawei P30 and P40 Pro, Honor View 20, Motorola Moto G60S, and Realme 7.

Midgard drivers are used in even older (2016) Mali T800 and T700 series chips, most notably found in Samsung Galaxy S7 and Note 7, Sony Xperia X XA1, Huawei Mate 8, Nokia 3.1, LG X, and Redmi Note 4.

There is nothing users can do to mitigate these flaws apart from waiting for the vendor to supply the appropriate patches and keeping an eye out for potential threats.

Older models using Midgard drivers are highly unlikely to receive a fixing patch, so these should be replaced altogether.

Mali GPU drivers are used by system-on-a-chip circuits from vendors such as MediaTek, HiSilicon Kirin, and Exynos, which power most Android devices on the market.

At the moment, the fix from Arm has not reached OEM partners and is being tested for Android and Pixel devices. In a few weeks, Android will be delivering the patch to its partners, who are responsible for implementing the fix.
