Preface: The Go language is also developed on fsnotify, but the file extension is fsnotify[.]go. fsnotify is a Go library to provide cross-platform filesystem notifications on Windows, Linux, macOS, BSD, and illumos. Go 1.17 or newer is .

Background: In Linux, fsnotify is actually implemented based on the inotify system call. inotify is a subsystem of Linux VFS, which can monitor changes in the file system. When the file system changes, the kernel will notify the user space of these changes, and the user space can do something based on these changes.

Vulnerability details: Fix ordering of iput() and watched_objects decrement. Ensure the superblock is kept alive until we’re done with iput(). Holding a reference to an inode is not allowed unless we ensure the superblock stays alive, which fsnotify does by keeping the watched_objects count elevated, so iput() must happen before the watched_objects decrement. This can lead to a UAF of something like sb->s_fs_info in tmpfs, but the UAF is hard to hit because race orderings that oops are more likely, thanks to the CHECK_DATA_CORRUPTION() block in generic_shutdown_super(). Also, ensure that fsnotify_put_sb_watched_objects() doesn’t call fsnotify_sb_watched_objects() on a superblock that may have already been freed, which would cause a UAF read of sb->s_fsnotify_info.

Official announcement: Please see the link below for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-53143

Preface: Yes, it is possible to develop an Android app using C++. While Java and Kotlin are the recommended languages for Android development. Many memory manipulation functions in C and C++ do not perform bounds checking and can easily overwrite the allocated bounds of the buffers they operate upon.

Background: Skia Graphics Library (SGL) is an open source graphics library written in C++. It was originally developed by Skia Company and was open sourced under the New BSD License after being acquired by Google. The first product developed by Skia is the Skia Graphics Library, which can render high-quality 2D graphics on low-end devices such as mobile phones. As of 2017, it is used in Android, Google Chrome, Chrome OS, Chromium OS, Mozilla Firefox, Firefox OS, and Sublime Text.

Vulnerability details: This vulnerability lead to remote code execution with no additional execution privileges needed. It is related to size overflow when allocating SkMask data.

Official announcement: Please see the link below for details –

https://source.android.com/docs/security/bulletin/2024-12-01

Preface: Primitive types such as `int`, `double`, `char`, and `boolean` are stored directly in stack memory. Each time you declare a primitive variable, the JVM allocates a specific size of memory for it.

Background: Returns the available average/minimum GPU headroom in percentage for last ‘duration’ seconds. The get_gpu_headroom() API is used by applications to get feedback on the historical application rendering workload to know if the workload is GPU bound on the SoC. The purpose of this API is to help provide GPU performance information for the application content and help drive the workload, and other APIs to ensure smooth and sustained UX performance (minimize frame drops, reduce UI sluggishness). The application can monitor thermal. If the mobile device is approaching thermal limits; it can further check if the workload is GPU bound to decide if reducing the GPU load helps to reduce thermal status (<= LIGHT) and hence improve sustained performance.

Vulnerability details: Memory corruption when invalid input is passed to invoke GPU Headroom API call.

Remark: A stack–based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack.

Official announcement: Please see the link below for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-43048

Preface: What is a buffer over-read? The opposite of a buffer overflow is a buffer overread. In this case, the program requests data from outside the buffer. Because data read from outside the buffer is irrelevant to the program, it may cause the program to crash or behave unexpectedly.

Background: Qualcomm SoC chips are divided into 4 layers, including EL3, EL2, EL1 and EL0. Both EL3 and EL2 are handled by Qualcomm. However, EL 1 is divided into two regions. The Linux core is open source. The remaining non-secure and secure areas will be the responsibility of Qualcomm. The upper level (ELO) is the developer application area (Except the secure area).

Vulnerability details: Memory corruption when allocating and accessing an entry in an SMEM partition continuously.

Remark: The MProc component located inside the kernel is responsible for managing inter-processor communication.

Official announcement: Please see the link below for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-33056

Preface: The Qualcomm Hypervisor provides a modern virtualization framework that allows multiple operating systems to run independently and concurrently, delivering high performance. The Qualcomm Type 1 Hypervisor facilitates the hosting of multiple trusted execution environments for secure use cases.

Background: On some Qualcomm platforms, the hypervisor emulates more than 128 SMR (Stream Matching Register) groups. This doesn’t conform to the ARM SMMU architecture specification which defines the range of 0-127. Moreover, the emulated groups don’t exhibit the same behavior as the architecture supported ones.

For instance, emulated groups will not detect the quirky behavior of some firmware versions intercepting writes to S2CR register, thus skipping the quirk implemented in the driver and causing boot crash.

Vulnerability details: Memory corruption while Configuring the SMR/S2CR register in Bypass mode.

Official announcement: Please see the link below for details –

https://www.tenable.com/cve/CVE-2024-33044

Preface: Preface: Imagination Technologies Group Limited is a British semiconductor and software design company owned by Canyon Bridge Capital Partners, a private equity fund based in Beijing that is ultimately owned by the Chinese government. With its global headquarters in Kings Langley, England, its primary business is in the design of PowerVR mobile graphics processors (GPUs), neural network accelerators for AI processing, and networking routers. The company was listed on the London Stock Exchange until it was acquired by Canyon Bridge in November 2017.

Background: Why system calls are needed to set up shared memory between two processes?

To share memory between two processes, the MMU must be modified. That’s privileged – you can’t let a process just help itself to whatever memory it wants! Being privileged means the kernel is involved, hence system calls.

Remark: A memory management unit (MMU), sometimes called paged memory management unit (PMMU), is a computer hardware unit that examines all memory references on the memory bus, translating these requests, known as virtual memory addresses, into physical addresses in main memory.

Vulnerability details: Software installed and run as a non-privileged user may conduct improper GPU system calls to achieve unauthorised reads and writes of physical memory from the GPU HW.

Official announcement: Please see the link below for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-43703

Preface: A zero-day exploit targeting a use-after-free (UAF) vulnerability in the Linux Kernel. Staying Alert!

Slab–use–after–free vulnerabilities occur when memory that’s been previously freed is accessed again, often leading to unpredictable behavior or system crashes. KernelAddressSANitizer (KASAN) is a dynamic memory error detector designed to find out-of-bound and use–after–free bugs.

Background: The Controller Area Network (CAN bus) is a message-based protocol designed to allow the Electronic Control Units (ECUs) found in today’s automobiles, as well as other devices, to communicate with each other in a reliable, priority-driven fashion.

The Broadcast Manager protocol provides a command based configuration interface to filter and send (e.g. cyclic) CAN messages in kernel space. Filtering messages in kernel space may significantly reduce the load in an application. A BCM socket is not intended for sending individual CAN frames.

Vulnerability details: KernelAddressSANitizer (KASAN) is a dynamic memory error detector. It provides a fast and comprehensive solution for finding use-after-free and out-of-bounds bugs.

BUG: KASAN: slab-use-after-free in bcm_proc_show+0x969/0xa80 Read of size 8 at addr ffff888155846230 by task cat/7862.

Please refer to the official announcement for details

Official announcement: Please see the link below for details –

https://nvd.nist.gov/vuln/detail/CVE-2023-52922