All posts by admin

CVE-2023-28582 Buffer Copy Without Checking Size of Input in Data Modem (8th Mar 2024)

This issue was fixed on 2023/09/04, but the vendor did not announce the vulnerability until today (March 8, 2024).

Preface: Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery.

Background: 5G security standards bring enhancements to air interface and transport security mechanisms used in 4G.

In terms of transport security, the N2/N3 interfaces connecting the access and core networks and Xn interfaces connecting base stations use IPsec in 4G for transport security. 5G additionally supports Datagram Transport Layer Security (DTLS) over Stream Control Transmission Protocol (SCTP) to secure signaling transmission on the control plane, ensuring transport security between RANs and core networks. Operators can select a transport security protection scheme based on security requirements to prevent data breach and attacks on the transport network.

Vulnerability details: Memory corruption in Data Modem while verifying hello-verify message during the DTLS handshake.

Official announcement: https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2024-bulletin.html

CVE-2024-27307: Not only machine learning; other systems should stay alert too, because z/OS Connect Designer uses JSONata, an open source expression language for querying and transforming JSON data. (7th Mar 2024)

Preface: What is declarative machine learning? Declarative machine learning enables users to specify what they want and lets the software figure out how to do it. Declarative ML is similar to AutoML tools, which also make default selections and automate part or all of the ML lifecycle.

Background: JSONata is a JSON query and transformation language that is inspired by the location path semantics of XPath 3.1. XPath 3.1 is an expression language that allows the processing of values conforming to the data model defined in [XQuery and XPath Data Model (XDM) 3.1].

The JSONata reference is implemented in JavaScript and ships via NPM. There are also implementations available in Rust, Go, Java, Python, and .NET, some of which use JavaScript interpreters to ensure compatibility.

Vulnerability details: JSONata is a JSON query and transformation language. Starting in version 1.4.0 and prior to version 1.8.7 and 2.0.4, a malicious expression can use the transform operator to override properties on the `Object` constructor and prototype. This may lead to denial of service, remote code execution or other unexpected behavior in applications that evaluate user-provided JSONata expressions.

Remedy: This issue has been fixed in JSONata versions 1.8.7 and 2.0.4. Applications that evaluate user-provided expressions should update ASAP to prevent exploitation. As a workaround, one may apply the patch manually.

Official announcement: Please refer to the link for details https://nvd.nist.gov/vuln/detail/CVE-2024-27307
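To make the hazard class concrete from a defender's side, here is an added example (not JSONata's code and not taken from the advisory) of what "overriding properties on the `Object` constructor and prototype" means for any code that applies user-controlled property paths to objects, beside a hardened form. The helpers `applyUnsafe`, `applySafe`, `mentionsReservedKeys` and `isPrototypePolluted` are hypothetical names introduced here; the sample expression text is constructed.

```javascript
'use strict';

// Keys through which a write on any plain object can reach Object.prototype
// or the Object constructor. Blocking these is the usual hardening for code
// that applies user-controlled property paths to objects.
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Naive path-based property write (hypothetical helper, not JSONata's code).
// It models the hazard class named in the advisory: a path such as
// "__proto__.polluted" or "constructor.prototype.polluted" does not write to
// `target` but to Object.prototype, which every other object then inherits.
function applyUnsafe(target, path, value) {
  const parts = path.split('.');
  let cur = target;
  for (const key of parts.slice(0, -1)) {
    if (cur[key] === undefined) cur[key] = {};
    cur = cur[key];
  }
  cur[parts[parts.length - 1]] = value;
  return target;
}

// Hardened variant: every path segment is checked against DANGEROUS_KEYS,
// intermediate objects are only reused when they are *own* object-valued
// properties of the current node (never inherited ones), and writes are
// own-property definitions rather than assignments that could hit a setter.
function applySafe(target, path, value) {
  const parts = path.split('.');
  for (const key of parts) {
    if (DANGEROUS_KEYS.has(key)) {
      throw new TypeError(`refusing to write through reserved key "${key}"`);
    }
  }
  const define = (obj, key, val) =>
    Object.defineProperty(obj, key, { value: val, writable: true, enumerable: true, configurable: true });
  let cur = target;
  for (const key of parts.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(cur, key);
    if (!own || typeof cur[key] !== 'object' || cur[key] === null) define(cur, key, {});
    cur = cur[key];
  }
  define(cur, parts[parts.length - 1], value);
  return target;
}

// Cheap static pre-check for user-supplied expression text: flag any
// expression that names a reserved key at all. This is a heuristic for
// logging or rejection, not a parser, and is assumed to complement (not
// replace) upgrading to a fixed library version.
function mentionsReservedKeys(exprText) {
  return /(^|[^A-Za-z0-9_$])(__proto__|constructor|prototype)(?![A-Za-z0-9_$])/.test(exprText);
}

// Runtime probe: true if a property has leaked onto Object.prototype.
function isPrototypePolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}
```

`applyUnsafe` is kept only to show why the defence matters: after one write through `__proto__`, a freshly created `{}` already carries the injected property, which is the "unexpected behavior" the advisory warns about. `applySafe` rejects the reserved keys before touching anything, and `isPrototypePolluted` is the kind of probe a test suite can run after evaluating untrusted expressions.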

Android has released vulnerability information about CVE-2024-0039, but with limited details. Let's take a closer look to see what can be dug out. (6th Mar 2024)

Preface: Android devices that act as both peripheral and central devices can communicate with other BLE peripherals while sending advertisements in peripheral mode. Devices supporting Bluetooth 4.1 and earlier can only use BLE in central mode. Older device chipsets may not support BLE peripheral mode.

Background: A BLE device sends out a repetitive packet of information over one of three channels with random delays of up to 10 milliseconds. The repetition period between each packet of information is called the ‘advertising interval’.

For Bluetooth 4.0, the BLE Radio is capable of transmitting 1 symbol per microsecond and one bit of data can be encoded in each symbol. This gives a raw radio bitrate of 1 Megabit per second (Mbps).

Vulnerability details: Fix an OOB write bug in “attp_build_value_cmd”.

Official announcement: Please refer to the link for details https://source.android.com/docs/security/bulletin/2024-03-01

CVE-2023-6143: Mali GPU Kernel Driver allows improper GPU memory processing operations (4th Mar 2024)

Preface: Use-after-free errors sometimes have no effect and other times cause a program to crash. It is also technically feasible for the freed memory to be re-allocated and for an attacker to use that reallocation to launch a buffer overflow attack.

Background: Systems with Mali GPUs typically have memory shared between the CPU and the GPU, so you are not required to copy data. The OpenCL flag CL_MEM_ALLOC_HOST_PTR is the best way to avoid a copy.

This flag is a hint to the driver indicating that the buffer is accessed on the host side. To use the buffer on the application processor side, you must map this buffer and write the data into it. This is the only method that does not involve copying data. If you must fill in an image that is then processed by the GPU, this is the best way to avoid a copy.

Vulnerability details: A local non-privileged user can exploit a software race condition to perform improper memory processing operations. If the system’s memory is carefully prepared by the user and the system is under heavy load, this can in turn cause a use-after-free.

Resolution: This issue is fixed in the Bifrost Kernel Driver in r19p0, in the Valhall and Arm 5th Gen GPU Architecture Kernel Drivers in r47p0. Users are recommended to upgrade if they are impacted by this issue. Please contact Arm support for Midgard GPUs.

Official announcement: Please refer to the link for details – https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities

Linux Kernel Memory Management (MM) Vulnerability (CVE-2024-26621) resolved (4th Mar 2024)

Preface: The Memory Management (MM) subsystem is an important cornerstone of the Linux kernel. It provides the necessary utilities for the underlying memory hardware (especially RAM) to meet the different needs of other kernel components and user-space processes.

Background: Since a change merged about two months ago, larger anonymous mappings are THP aligned. When a malloc library allocates a 2MB or larger arena, that arena can now be mapped with THPs right from the start, which can result in better TLB hit rates and execution time.

Ref: Align larger anonymous memory mappings on THP boundaries by going through thp_get_unmapped_area if THPs are enabled for the current process.

Vulnerability details: mm: huge_memory: don’t force huge page alignment on 32 bit.

The earlier change (“mm: align larger anonymous mappings on THP boundaries”) caused two issues reported on 32-bit systems or compat userspace. The issues are shown below:

[1] https://lore.kernel.org/linux-mm/d0a136a0-4a31-46bc-adf4-2db109a61672@kernel.org/

[2] https://lore.kernel.org/linux-mm/CAJuCfpHXLdQy1a2B6xN2d7quTYwg2OoZseYPZTRpU0eHHKD-sQ@mail.gmail.com/

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-26621

A closer look at CVE-2023-52485 (1st Mar 2024)

Preface: DRM and KMS

DRM stands for Direct Rendering Manager and was introduced to deal with graphics cards embedding GPUs.

KMS stands for Kernel Mode Setting and is a sub-part of the DRM API.

Background: The AMDgpu display manager, amdgpu_dm (or even simpler, dm) sits between DRM and DC. It acts as a liaison, converting DRM requests into DC requests, and DC responses into DRM responses.

drm/amd/display – Display Core (DC): Because it is partially shared with other operating systems, the Display Core driver is divided into two pieces.

- Display Core (DC) contains the OS-agnostic components. Things like hardware programming and resource management are handled here.

- Display Manager (DM) contains the OS-dependent components. Hooks to the amdgpu base driver and DRM are implemented here.

Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Wake DMCUB before sending a command

[Why] We can hang in place trying to send commands when the DMCUB isn’t powered on.

[How] For functions that execute within a DC context or DC lock we can wrap the direct calls to dm_execute_dmub_cmd/list with code that exits idle power optimizations and reallows once we’re done with the command submission on success. For DM direct submissions the DM will need to manage the enter/exit sequencing manually. We cannot invoke a DMCUB command directly within the DM execution helper or we can deadlock.

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2023-52485

CVE-2024-0074: NVIDIA GPU display driver vulnerability for Linux: an attacker can access memory locations after the end of the buffer. (27-02-2024)

Preface: The Linux framebuffer and a GPU’s memory serve different purposes in the context of graphics processing. The Linux framebuffer is a simple, low-level graphics interface that allows applications to draw graphics directly to the screen.

Background: The DRM/KMS framework is dedicated to the management of the display, graphics and composition subsystems. With the help of other Linux multimedia frameworks and applications, the DRM/KMS framework is typically used to compose animated content, taking advantage of hardware acceleration.

Remark: Kernel Mode Setting (KMS) is a method for setting display resolution and depth in the kernel space rather than user space.

Vulnerability details: NVIDIA GPU Display Driver for Linux contains a vulnerability where an attacker may access a memory location after the end of the buffer. A successful exploit of this vulnerability may lead to denial of service and data tampering.

Official announcement: Please refer to the official announcement for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5520

CVE-2024-22251 – Even though the risk level is moderate, don’t take it lightly. Stay alert. (27-02-2024)

Preface: Kernel extensions – VMware, like QEMU, lets you install a device driver in your host operating system that speeds up execution of kernel code and device accesses by executing directly in kernel mode.

Background: VMware Fusion is a software hypervisor developed by VMware for macOS systems. It allows Macs with Intel or the Apple M series of chips to run virtual machines with guest operating systems, such as Microsoft Windows, Linux, or macOS, within the host macOS operating system.

Vulnerability details: VMware Workstation and Fusion contain an out-of-bounds read vulnerability in the USB CCID (chip card interface device). VMware has evaluated the severity of this issue to be in the Moderate severity range with a maximum CVSSv3 base score of 5.9.

Known Attack Vectors: A malicious actor with local administrative privileges on a virtual machine may trigger an out-of-bounds read leading to information disclosure.

Official announcement: Please refer to the official announcement for details – https://www.vmware.com/security/advisories/VMSA-2024-0005.html

CVE-2023-52474: Fix bugs with non-PAGE_SIZE-end multi-iovec user SDMA requests (26th Feb 2024)

Preface: Compared to pageable memory, pinned memory needs only one memory transfer, so the transfer time is shorter for pinned memory than for pageable memory. In mapped memory, the address is mapped into the device address space, so there is no explicit memory transfer at all.

Background: InfiniBand is a network architecture that is designed for the large-scale interconnection of computing and I/O nodes through a high-speed switched fabric.

Vulnerability details: hfi1 user SDMA request processing has two bugs that can cause data corruption for user SDMA requests that have multiple payload iovecs where an iovec other than the tail iovec does not run up to the page boundary for the buffer pointed to by that iovec.

Here are the specific bugs:

1. user_sdma_txadd() does not use struct user_sdma_iovec->iov.iov_len. Rather, user_sdma_txadd() will add up to PAGE_SIZE bytes from iovec to the packet, even if some of those bytes are past iovec->iov.iov_len and are thus not intended to be in the packet.

2. user_sdma_txadd() and user_sdma_send_pkts() fail to advance to the next iovec in user_sdma_request->iovs when the current iovec is not PAGE_SIZE and does not contain enough data to complete the packet. The transmitted packet will contain the wrong data from the iovec pages.

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2023-52474
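The two bugs above are easiest to see in a small model of the gather loop. The following is an added example, not the hfi1 driver's code: it models a multi-iovec request with a toy page size, runs a gather that reproduces both defects next to a gather that honours `iov_len` and advances past a short iovec, and shows which bytes end up in the "transmitted" packet. `PAGE_SIZE = 8`, the 0xEE stale filler, and the helper names (`makeIovec`, `gatherFixed`, `gatherBuggy`, `compare`) are all constructed for this illustration.

```javascript
'use strict';

// Toy page size so the effect is visible in a few bytes (the real driver uses
// the kernel's PAGE_SIZE, normally 4096). Constructed for this example.
const PAGE_SIZE = 8;

// Build one iovec whose backing page holds `data.length` bytes of real payload
// followed by stale bytes (0xEE), i.e. iov_len < PAGE_SIZE. Field names
// loosely mirror the kernel's: iov_base -> page, iov_len -> iov_len.
function makeIovec(data) {
  const page = new Uint8Array(PAGE_SIZE).fill(0xee);
  page.set(data);
  return { page, iov_len: data.length };
}

// Corrected gather, modelled on the behaviour the fix describes (not the
// kernel's code): copy only up to iov_len of the current iovec, and move on
// to the next iovec as soon as this one is exhausted, even if the packet is
// not yet full. `state` = { iov: index of current iovec, off: offset into it }.
function gatherFixed(iovs, state, pktLen) {
  const pkt = new Uint8Array(pktLen);
  let filled = 0;
  while (filled < pktLen && state.iov < iovs.length) {
    const cur = iovs[state.iov];
    const n = Math.min(cur.iov_len - state.off, pktLen - filled);
    pkt.set(cur.page.subarray(state.off, state.off + n), filled);
    filled += n;
    state.off += n;
    if (state.off === cur.iov_len) { state.iov += 1; state.off = 0; }
  }
  // A short result means the request ran out of payload before the packet filled.
  return Array.from(pkt.subarray(0, filled));
}

// Gather reproducing the two defects described in the advisory, in a model:
//   bug 1: the copy is bounded by PAGE_SIZE instead of iov_len, so stale bytes
//          past iov_len land in the packet;
//   bug 2: the iovec index only advances at a page boundary, so a short iovec
//          that cannot complete the packet is never left behind and the next
//          packet keeps reading stale bytes from the same page.
function gatherBuggy(iovs, state, pktLen) {
  const pkt = new Uint8Array(pktLen);
  let filled = 0;
  while (filled < pktLen && state.iov < iovs.length) {
    const cur = iovs[state.iov];
    const n = Math.min(PAGE_SIZE - state.off, pktLen - filled);         // bug 1
    pkt.set(cur.page.subarray(state.off, state.off + n), filled);
    filled += n;
    state.off += n;
    if (state.off === PAGE_SIZE) { state.iov += 1; state.off = 0; }    // bug 2
  }
  return Array.from(pkt.subarray(0, filled));
}

// Run two consecutive packet fills of `pktLen` bytes over the same constructed
// request with both gathers and return the packets each one produced.
function compare(pktLen) {
  const req = [makeIovec([1, 2, 3]), makeIovec([10, 11, 12, 13, 14])];
  const fixed = { iov: 0, off: 0 };
  const buggy = { iov: 0, off: 0 };
  return {
    fixed: [gatherFixed(req, fixed, pktLen), gatherFixed(req, fixed, pktLen)],
    buggy: [gatherBuggy(req, buggy, pktLen), gatherBuggy(req, buggy, pktLen)],
  };
}
```

With a 6-byte packet and a first iovec of only 3 bytes, the corrected gather produces `[1,2,3,10,11,12]` then `[13,14]`, while the buggy gather produces `[1,2,3,0xEE,0xEE,0xEE]` (bug 1) followed by `[0xEE,0xEE,10,11,12,13]` (bug 2): the wrong bytes from the first page are sent in place of payload, which is the data corruption the advisory describes.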

CVE-2024-21502: If you are using fastecdsa for digital signatures, stay alert! (26th Feb 2024)

Preface: In the modern digital world, digital signatures replace traditional handwritten signatures for identity verification. In the past, signature integrity was confirmed by human observation and pattern matching. The integrity of digital signatures is ensured through the Elliptic Curve Digital Signature Algorithm (ECDSA).

Background: Elliptic Curve Digital Signature Algorithm (ECDSA) is a cryptographic algorithm used by Bitcoin to ensure that funds can only be used by their legitimate owners. The private key is a secret number known only to the person who generated it.

Is bitcoinlib popular? The Python package bitcoinlib receives a total of 7,081 weekly downloads. As such, bitcoinlib’s popularity was classified as “recognized”.

fastecdsa is faster than the ecdsa package. There are several examples of how to use the fastecdsa package, and it has been shown to work with bitcoinlib.

From a security point of view, fastecdsa is secure: there is no nonce reuse, no branching on secret material, and all points are validated before any operations are performed on them. Timing side channels are mitigated via Montgomery point multiplication. Nonces are generated per RFC 6979. The default curve used throughout the package is P-256, which provides 128 bits of security.

Vulnerability details: Versions of the package fastecdsa before 2.3.2 are vulnerable to Use of Uninitialized Variable on the stack, via the curvemath_mul function in src/curveMath.c, because the variable is used and interpreted as a user-defined type. Depending on the variable’s actual value, the result could be an arbitrary free(), an arbitrary realloc(), a null pointer dereference, or other effects. Since the stack can be controlled by the attacker, the vulnerability could be used to corrupt allocator structures, leading to possible heap exploitation. The attacker could cause denial of service by exploiting this vulnerability.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-21502
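The background above says fastecdsa validates every point before operating on it and defaults to P-256. As an added illustration of what that validation property means, here is a self-contained check (written here in JavaScript with BigInt; it is not fastecdsa's code, whose curve arithmetic lives in the C extension the advisory names) that a public key is on the P-256 curve, has coordinates in range, and has the expected order. The P-256 parameters are the published FIPS 186-4 values; `validatePublicKey`, `isOnCurve`, `pointAdd` and `scalarMul` are names introduced for this example.

```javascript
'use strict';

// NIST P-256 (secp256r1) domain parameters as published in FIPS 186-4 / SEC 2.
const P256 = {
  p:  0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn,
  a:  0xffffffff00000001000000000000000000000000fffffffffffffffffffffffcn, // p - 3
  b:  0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn,
  gx: 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296n,
  gy: 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5n,
  n:  0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551n,
};

// Non-negative remainder, since BigInt `%` keeps the sign of the dividend.
function mod(x, m) { const r = x % m; return r < 0n ? r + m : r; }

// Modular inverse via the extended Euclidean algorithm (invariant: a ≡ u*x mod m).
function modInv(x, m) {
  let [a, b, u, v] = [mod(x, m), m, 1n, 0n];
  while (b !== 0n) {
    const q = a / b;
    [a, b] = [b, a - q * b];
    [u, v] = [v, u - q * v];
  }
  if (a !== 1n) throw new Error('value is not invertible');
  return mod(u, m);
}

// Check 1: coordinates in [0, p) and y^2 = x^3 + ax + b (mod p).
// The point at infinity (null) is rejected because it is never a valid public key.
function isOnCurve(P, c = P256) {
  if (P === null) return false;
  const { x, y } = P;
  if (x < 0n || x >= c.p || y < 0n || y >= c.p) return false;
  return mod(y * y - (x * x * x + c.a * x + c.b), c.p) === 0n;
}

// Affine point addition/doubling; null represents the point at infinity.
function pointAdd(P, Q, c = P256) {
  if (P === null) return Q;
  if (Q === null) return P;
  let lam;
  if (P.x === Q.x) {
    if (mod(P.y + Q.y, c.p) === 0n) return null;            // P = -Q
    lam = mod((3n * P.x * P.x + c.a) * modInv(2n * P.y, c.p), c.p);
  } else {
    lam = mod((Q.y - P.y) * modInv(Q.x - P.x, c.p), c.p);
  }
  const x3 = mod(lam * lam - P.x - Q.x, c.p);
  const y3 = mod(lam * (P.x - x3) - P.y, c.p);
  return { x: x3, y: y3 };
}

// Plain double-and-add scalar multiplication. Adequate for a validation check
// on public data; it is not constant-time and must not be used with secrets.
function scalarMul(k, P, c = P256) {
  let R = null, Q = P;
  while (k > 0n) {
    if (k & 1n) R = pointAdd(R, Q, c);
    Q = pointAdd(Q, Q, c);
    k >>= 1n;
  }
  return R;
}

// Check 2: the point has order n, i.e. n*P is the point at infinity.
// Together with check 1 this is the "validate before use" step for a public key.
function validatePublicKey(P, c = P256) {
  return isOnCurve(P, c) && scalarMul(c.n, P, c) === null;
}

const G = { x: P256.gx, y: P256.gy };
```

Passing an off-curve or wrong-order point into signature verification is one of the classic ways ECDSA implementations have been broken, which is why the validation the package claims is worth checking rather than assuming; `validatePublicKey(G)` returns true, and nudging a coordinate by one makes it false.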