All posts by admin

CVE-2024-11863, CVE-2024-11864 and CVE-2024-9413: Three different CVEs were discovered that expose the System Control Processor (SCP) to attack threats. (16th Jan 2025)

Preface: SCMI is a message driven interface between an SCMI agent (client) and an SCMI host (server)

Background: SCP Firmware provides a software reference implementation for the System Control Processor (SCP) and Manageability Control Processor (MCP) components found in several Arm Compute Sub-Systems. Power Control System Architecture (PCSA) defines the concept of a System Control Processor (SCP), a specialized processor that abstracts power and system management tasks from the application processor.

A small area of SRAM is reserved for SCMI communication between application processors and SCP. Entity that sends commands to the platform using SCMI. For example, the OSPM running on an AP or an on-chip management controller.

Vulnerability details:

CVE-2024-9413 – The transport_message_handler function in SCP-Firmware release versions 2.11.0-2.15.0 does not properly handle errors, potentially allowing an Application Processor (AP) to cause a buffer overflow in System Control Processor (SCP) firmware.

CVE-2024-11863 and CVE-2024-11864 – Specifically crafted SCMI messages sent to an SCP running SCP-Firmware release versions up to and including 2.15.0 may lead to a Usage Fault and crash the SCP

Official announcement: For detail, please refer to link –

https://developer.arm.com/Arm%20Security%20Center/SCP-Firmware%20Vulnerability%20CVE-2024-11863-11864

About CVE-2024-0135, CVE-2024-0136 & CVE-2024-0137 – NVIDIA Container Toolkit and NVIDIA GPU Operator contains an improper isolation vulnerability (13th Jan 2025)

Preface: In software development, time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by a race condition involving the checking of the state of a part of a system (such as a security credential) and the use of the results of that check.

Background: The NVIDIA container stack is architected so that it can be targeted to support any container runtime in the ecosystem. The components of the stack include:

-The NVIDIA Container Runtime (nvidia-container-runtime)

-The NVIDIA Container Runtime Hook (nvidia-container-toolkit / nvidia-container-runtime-hook)

-The NVIDIA Container Library and CLI (libnvidia-container1, nvidia-container-cli)

The components of the NVIDIA container stack are packaged as the NVIDIA Container Toolkit.

The NVIDIA Container Toolkit is a key component in enabling Docker containers to leverage the raw power of NVIDIA GPUs. This toolkit allows for the integration of GPU resources into your Docker containers.

Remark: The Podman command can be used with remote services using the –remote flag. Connections can be made using local unix domain sockets, ssh

Vulnerability details:

CVE-2024-0135 – NVIDIA Container Toolkit contains an improper isolation vulnerability where a specially crafted container image could lead to modification of a host binary. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

CVE-2024-0136 – NVIDIA Container Toolkit contains an improper isolation vulnerability where a specially crafted container image could lead to untrusted code obtaining read and write access to host devices. This vulnerability is present only when the NVIDIA Container Toolkit is configured in a nondefault way. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

CVE-2024-0137 – NVIDIA Container Toolkit contains an improper isolation vulnerability where a specially crafted container image could lead to untrusted code running in the host’s network namespace. This vulnerability is present only when the NVIDIA Container Toolkit is configured in a nondefault way. A successful exploit of this vulnerability may lead to denial of service and escalation of privileges.

Official announcement: Please refer to the vendor announcement for detail – https://nvidia.custhelp.com/app/answers/detail/a_id/5599

CVE-2024-43064: Permissions, Privileges, and Access Controls issue in Automotive OS Platform (14-01-2025)

Preface: QNX is also used in devices where failure is not an option. Fault tolerance was and is the biggest priority for the QNX operating system. A great example from the past is that the SpaceX Falcon rockets used the QNX Real-Time Operating System.

Background: An SMMU performs a task like that of an MMU in a PE. It translates addresses for DMA requests from system I/O devices before the requests are passed into the system interconnect. The SMMU only provides translation services for transactions from the client device, not for transactions to the client device. Transactions from the system or PE to the client device are managed by other means, for example, the PE MMUs. The role of an SMMU shows the role of an SMMU in a system.

Vulnerability details: Uncontrolled resource consumption when a driver, an application or a SMMU client tries to access the global registers through SMMU.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-43064

CVE-2024-45550 – Improper Validation of Array Index in DSP Services (13th Jan 2025)

Preface: IOCTL handlers allow users to communicate with the driver via the ioctl syscall. This is a prime attack surface because the driver is going to be handling userland-provided data within kernel space.

Background: dxgkrnl is a driver for Hyper-V virtual compute devices, such as vGPU devices, which are projected to a Linux virtual machine (VM) by a Windows host. dxgkrnl works in context of WDDM (Windows Display Driver Model)for GPU or MCDM (Microsoft Compute Driver Model) for non-GPU devices.

WDDM/MCDM consists of the following components:

Graphics or Compute applications

A graphics or compute user mode API (for example OpenGL, Vulkan, OpenCL, OpenVINO, OneAPI, CUDA, DX12, …)

User Mode Driver (UMD), written by a hardware vendor

optional libdxg library helping UMD portability across Windows and Linux

dxgkrnl Linux kernel driver (this driver)

Kernel mode port driver on the Windows host (dxgkrnl.sys / dxgmms*.sys)

Kernel Mode miniport driver (KMD) on the Windows host, written by a hardware vendor running on the Windows host and interfacing with the hardware device.

Vulnerability details: Memory corruption occurs when invoking any IOCTL-calling application that executes all MCDM driver IOCTL calls.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-45550

CVE-2024-43704: improper GPU system calls to gain access to the graphics buffers of a parent process. (10th Jan 2025)

Preface: PowerVR is a division of Imagination Technologies (formerly VideoLogic) that develops hardware and software for 2D and 3D rendering, and for video encoding, decoding, associated image processing and DirectX, OpenGL ES, OpenVG, and OpenCL acceleration. 

Background: Imagination maintains DDKs for Android, Linux and Windows operating systems, ensuring they have access to the latest APIs and popular extensions.

To build the Android kernel and other kernel artifacts (modules, boot images, etc.), they provide a framework called “Kleaf”. • One part of Kleaf is the Driver Development Kit (DDK) which is used to build external modules.

Vulnerability details: Software installed and run as a non-privileged user may conduct improper GPU system calls to gain access to the graphics buffers of a parent process.

PVRSRVAcquireProcessHandleBase can cause psProcessHandleBase reuse when PIDs are reused, said imagination Technologies.

Official announcement: Please refer to the link for details –

https://source.android.com/docs/security/bulletin/2025-01-01

CVE-2024-20154: Stack overflow in Modem (9th Jan 2024)

Preface: Vulnerability findings appear to have changed compared to five years ago. As a matter of fact, the trend of open source concept driven the a lot of details visible,   a bunch of vulnerabilities have accumulated in 2024, and the Android security advisory on January 2025 shows you what’s the actual status.

Manufacturers will have an easier time managing vulnerabilities because the patches released today were discovered by them months or a year ago.

Background: Chipsets affected by this vulnerability: MT2735, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6785U, MT6789, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6880T, MT6880U, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8666, MT8673, MT8675, MT8765, MT8766, MT8768, MT8771, MT8781, MT8786, MT8788, MT8788E, MT8789, MT8791T, MT8795T, MT8797, MT8798

An example: The MediaTek MT8791T integrates Bluetooth, FM, WLAN, and GPS modules and is a highly integrated baseband platform that includes a modem and application processing subsystem to support LTE/5G/NR and C2K tablet applications. The chip integrates two Arm®Cortex-A78 cores running at up to 2.6 GHz, six Arm®Cortex-A55 cores running at up to 2.0 GHz, and a powerful multi-standard video codec. In addition, an extensive set of interfaces and connectivity peripherals for connecting cameras, touchscreen displays, and UFS/MMC/SD cards are included.

Vulnerability details: In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the link below for details –

https://corp.mediatek.com/product-security-bulletin/January-2025

CVE-2024-21464 – msm: ipa3: adding a preventive check for holb stats (8th JAN 2025)

Preface: Vulnerability findings appear to have changed compared to five years ago. As a matter of fact, the trend of open source concept driven the a lot of details visible,   a bunch of vulnerabilities have accumulated in 2024, and the Android security advisory on January 2025 shows you what’s the actual status.

Manufacturers will have an easier time managing vulnerabilities because the patches released today were discovered by them months or a year ago.

Background: IPA Capabilities

● Presented by its driver as a network device

● Performs checksum offload, packet aggregation

○ Reduces processing and interrupt load on the main CPU

● Also implements integrated IPA filtering, routing, and NAT

○ These features are not supported by the upstream driver (yet!)

● Capable of operation independent while AP is asleep

○ Tethered operation (WiFi hotspot)

○ Requires much less power than operating AP

○ This mode is not supported upstream either

Vulnerability details: Memory corruption while processing IPA statistics, when there are no active clients registered.

[CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)]

In a classic buffer overflow exploit, the attacker sends data to a program, which it stores in an undersized stack buffer. The result is that information on the call stack is overwritten, including the function’s return pointer

Official announcement: Please refer to the link below for details –

https://source.android.com/docs/security/bulletin/2025-01-01

An Android security bulletin was published on January 6, 2025, which disclosed multiple vulnerabilities but did not provide details (7th Jan 2025)

Preface: Vulnerability findings appear to have changed compared to five years ago. As a matter of fact, the trend of open source concept driven the a lot of details visible,   a bunch of vulnerabilities have accumulated in 2024, and the Android security advisory on January 2025 shows you what’s the actual status.

Manufacturers will have an easier time managing vulnerabilities because the patches released today were discovered by them months or a year ago.

Background: CUPS provides the “cups” library to talk to the different parts of CUPS and with Internet Printing Protocol (IPP) printers. The “cups” library functions are accessed by including the <cups/cups.h> header. CUPS is based on the Internet Printing Protocol (“IPP”), which allows clients (applications) to communicate with a server (the scheduler, printers, etc.) to get a list of destinations, send print jobs, and so forth. You identify which server you want to communicate with using a pointer to the opaque structure http_t. The CUPS_HTTP_DEFAULT constant can be used when you want to talk to the CUPS scheduler.

Vulnerability details: Five critical Android fixes (CVE-2024-43096, CVE-2024-43770, CVE-2024-43771, CVE-2024-49747, CVE-2024-49748) were released in the January 2025 Security Advisory Bulletin. We are aware that the above vulnerability advisory was released on December 3, 2024. But why not provide details?

Perhaps it related to CUPS. When android install this opensource system, Android itself cannot protect itself.So, it bring out the vulnerabilities.

I speculated the vulnerability exchange CVE reference numbers on CUPS to Android is shown as below:

Android CVE-2024-43096 – CVE-2024-47076 (CUPS)

Android CVE-2024-49747 – CVE-2024-47175 (CUPS)

Android CVE-2024-49748 – CVE-2024-47176

Android CVE-2024-43770 – CVE-2024-47176 (CUPS): When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.

Android CVE-2024-43771 – CVE-2024-47177 (CUPS)

Official announcement: Please refer to the link below for details –

https://source.android.com/docs/security/bulletin/2025-01-01

CVE-2025-0222 A vulnerability was found in IObit Protected Folder up to 13.6.0.5. (6th Jan 2025)

Preface: Dereferencing just means accessing the memory value at a given address. So when you have a pointer to something, to dereference the pointer means to read or write the data that the pointer points to.

Background: IObit Uninstaller is one of the free software uninstallers for Windows thanks to a batch uninstall feature, an installation monitor, support for most Windows versions, and a quick install itself. Every piece of an application is searched for and removed completely, leaving no useless, junk files behind.

IObit Protected Folder is designed to password-protect your folders and files from being seen, read or modified in Windows OS platform. It works like a safety box, just drag and drop the folders or files you want to hide or protect into Protected Folder, then no one can see, read or modify them.

IObit have 20 free trials of Protected Folder. When the trials end, end user require click on the Register button in the left corner and then click Purchase Online to buy a license code.

If you forget your Iobit protected folder password, so you have to use a  tool (uninstall). It allow local user uninstall Iobit Protected software without password.

Vulnerability details: A vulnerability was found in IObit Protected Folder up to 13.6.0.5 and classified as problematic. This issue affects the function 0x8001E000/0x8001E004 in the library IUProcessFilter.sys of the component IOCTL Handler. The manipulation leads to null pointer dereference. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Official details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-0222

Machine learning: From basics to GPU-related INT8( 3rd Jan 2025)

Preface: If a living thing wants to survive, his life involve competition. For example, hunting and defense. During this process, he started learning. that’s the nature of it.

Remember this is the basic principle. When non-human beings on Earth can enter into the learning process. He will be humanity’s rival. In fact, who will rule the earth depends entirely on the wisdom of the opponent?

Integer Arithmetic for machine learning: INT8 uses 8 bits, which allows for 256 possible values, while INT4 uses 4 bits, which allows for 16 possible values. In comparison, floating-point precision, such as FP32, uses 32 bits to represent a wide range of values.

The advantage of int over float is computational speed. Integers are represented in memory as a fixed value. Floats, on the other hand are stored as a mathematical construct, mantissa and exponent so there is computation involved just in assessing the value.

Integers are the simplest numerical data types (Numeric data types). Because of this, their storage space is much less, and their processing is much faster than floating point types.

An integer (known also as int) is a whole number without a decimal part. It can be positive, negative, or zero. Examples of integers are -3, 0, 5, 100, and so on. The integer data type is used to represent values such as counting, indexing, or storing quantities that can only be whole numbers.

Float (floating-point number) is a number that includes a decimal part. Examples of floating-point numbers are -3.14, 2.71828, 0.5, 1.0, and so on. The float data type is used to represent values that can have a decimal part or require high precision, such as measurements, calculations involving decimal values, or scientific computations.

Summary: Integer represents whole numbers without a decimal part, while float represents floating-point numbers with a decimal part. Integer has exact precision and a larger range, whereas float has limited precision and can represent numbers with a decimal part.

Technical article: Is Integer Arithmetic Enough for Deep Learning Training? Please refer to link –  https://proceedings.neurips.cc/paper_files/paper/2022/file/af835bd1b5b689c3f9d075ae5a15bf3e-Paper-Conference.pdf