Category Archives: Cell Phone (iPhone, Android, windows mobile)

CVE-2025-0096 – Fix malloc buffer size (6th Feb 2025)

Original release date: February 3, 2025

Preface: The Hardware Abstraction Layer (HAL) is not outdated with Android 15. In fact, HAL continues to play a crucial role in the Android architecture. Android 15 includes improvements and updates to various HAL components, ensuring they remain relevant and effective for modern hardware and software requirements.

Background: Android 15 continues to use hal_fwlog[.]cc because it remains a crucial component for logging firmware-related events and activities within the Hardware Abstraction Layer (HAL). The HAL provides a standardized interface for hardware vendors, allowing the Android operating system to communicate with hardware components without needing to know the specifics of the hardware. This ensures compatibility and stability across various devices and hardware configurations.

Maintaining hal_fwlog[.]cc helps in diagnosing and troubleshooting hardware issues, ensuring that the system can log and monitor firmware activities effectively. This is essential for maintaining the overall reliability and performance of the Android operating system.

Vulnerability details: Fix malloc buffer size in hal_fwlog[.]cc

The hal_fwlog[.]cc file in Android is part of the Hardware Abstraction Layer (HAL). This file is typically used for logging firmware-related events and activities. The HAL provides a standard interface for hardware vendors to implement, allowing the Android operating system to communicate with hardware components without needing to know the specifics of the hardware.

Official announcement: Please refer to the link for details – https://source.android.com/docs/security/bulletin/2025-02-01

CVE-2025-0098 : Prevent activity token leaked to another process (3rd Feb 2025)

Preface: Android frameworks deliver an environment where you already have access to libraries, best practices, and extensive help documentation. As a matter of fact, there are well over ten Android frameworks.

Background: TaskFragmentOrganizerController[.]java is a part of the Android Open Source Project (AOSP). It is located in the services/core/java/com/android/server/wm directory of the Android framework. This file is responsible for managing the organization and lifecycle of task fragments within the Android window management system.

The TaskFragmentOrganizerController works closely with the TaskFragmentOrganizer class, which provides an interface for controlling task fragments. These task fragments allow for more flexible and dynamic UI layouts by enabling parts of an activity to be managed independently.

In the context of TaskFragmentOrganizerController[.]java, a token typically refers to an identifier used to manage and track task fragments within the Android window management system. These tokens are often used to ensure that operations on task fragments are performed securely and correctly.

For example, a temporary token might be generated to allow an organizer to reparent an activity through a WindowContainerTransaction. This helps maintain the integrity and security of the task fragments being managed.

Remark: WindowContainerTransaction represents a collection of operations on some WindowContainer that should be applied at once.

Vulnerability details: Malicious app could register the organizer via one-way binder call to disguise as running on pid 0.

Official announcement: Please refer to the link for details – https://source.android.com/docs/security/bulletin/2025-02-01

CVE-2024-11863, CVE-2024-11864 and CVE-2024-9413: Three different CVEs were discovered that expose the System Control Processor (SCP) to attack threats. (16th Jan 2025)

Preface: SCMI is a message-driven interface between an SCMI agent (client) and an SCMI host (server).

Background: SCP Firmware provides a software reference implementation for the System Control Processor (SCP) and Manageability Control Processor (MCP) components found in several Arm Compute Sub-Systems. Power Control System Architecture (PCSA) defines the concept of a System Control Processor (SCP), a specialized processor that abstracts power and system management tasks from the application processor.

A small area of SRAM is reserved for SCMI communication between the application processors and the SCP. An SCMI agent is an entity that sends commands to the platform using SCMI, for example the OSPM running on an AP or an on-chip management controller.

Vulnerability details:

CVE-2024-9413 – The transport_message_handler function in SCP-Firmware release versions 2.11.0-2.15.0 does not properly handle errors, potentially allowing an Application Processor (AP) to cause a buffer overflow in System Control Processor (SCP) firmware.

CVE-2024-11863 and CVE-2024-11864 – Specifically crafted SCMI messages sent to an SCP running SCP-Firmware release versions up to and including 2.15.0 may lead to a Usage Fault and crash the SCP.

Official announcement: For detail, please refer to link –

https://developer.arm.com/Arm%20Security%20Center/SCP-Firmware%20Vulnerability%20CVE-2024-11863-11864

CVE-2024-43704: improper GPU system calls to gain access to the graphics buffers of a parent process. (10th Jan 2025)

Preface: PowerVR is a division of Imagination Technologies (formerly VideoLogic) that develops hardware and software for 2D and 3D rendering, and for video encoding, decoding, associated image processing and DirectX, OpenGL ES, OpenVG, and OpenCL acceleration. 

Background: Imagination maintains DDKs for Android, Linux and Windows operating systems, ensuring they have access to the latest APIs and popular extensions.

To build the Android kernel and other kernel artifacts (modules, boot images, etc.), the Android kernel build system provides a framework called “Kleaf”. One part of Kleaf is the Driver Development Kit (DDK), which is used to build external modules.

Vulnerability details: Software installed and run as a non-privileged user may conduct improper GPU system calls to gain access to the graphics buffers of a parent process.

According to Imagination Technologies, PVRSRVAcquireProcessHandleBase can cause psProcessHandleBase reuse when PIDs are reused.

Official announcement: Please refer to the link for details –

https://source.android.com/docs/security/bulletin/2025-01-01

CVE-2024-20154: Stack overflow in Modem (9th Jan 2024)

Preface: Vulnerability findings appear to have changed compared to five years ago. As a matter of fact, the open-source trend has made many details visible; a large number of vulnerabilities accumulated in 2024, and the Android security advisory for January 2025 shows the actual status.

Manufacturers will have an easier time managing vulnerabilities, because the issues patched today were discovered by them months or a year ago.

Background: Chipsets affected by this vulnerability: MT2735, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6785U, MT6789, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6880T, MT6880U, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8666, MT8673, MT8675, MT8765, MT8766, MT8768, MT8771, MT8781, MT8786, MT8788, MT8788E, MT8789, MT8791T, MT8795T, MT8797, MT8798

An example: The MediaTek MT8791T integrates Bluetooth, FM, WLAN, and GPS modules and is a highly integrated baseband platform that includes a modem and application processing subsystem to support LTE/5G/NR and C2K tablet applications. The chip integrates two Arm® Cortex-A78 cores running at up to 2.6 GHz, six Arm® Cortex-A55 cores running at up to 2.0 GHz, and a powerful multi-standard video codec. In addition, an extensive set of interfaces and connectivity peripherals for connecting cameras, touchscreen displays, and UFS/MMC/SD cards are included.

Vulnerability details: In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the link below for details –

https://corp.mediatek.com/product-security-bulletin/January-2025

CVE-2024-21464 – msm: ipa3: adding a preventive check for holb stats (8th JAN 2025)

Preface: Vulnerability findings appear to have changed compared to five years ago. As a matter of fact, the open-source trend has made many details visible; a large number of vulnerabilities accumulated in 2024, and the Android security advisory for January 2025 shows the actual status.

Manufacturers will have an easier time managing vulnerabilities, because the issues patched today were discovered by them months or a year ago.

Background: IPA Capabilities

● Presented by its driver as a network device

● Performs checksum offload, packet aggregation

○ Reduces processing and interrupt load on the main CPU

● Also implements integrated IPA filtering, routing, and NAT

○ These features are not supported by the upstream driver (yet!)

● Capable of independent operation while the AP is asleep

○ Tethered operation (WiFi hotspot)

○ Requires much less power than operating AP

○ This mode is not supported upstream either

Vulnerability details: Memory corruption while processing IPA statistics, when there are no active clients registered.

[CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)]

In a classic buffer overflow exploit, the attacker sends data to a program, which stores it in an undersized stack buffer. The result is that information on the call stack is overwritten, including the function’s return pointer.
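The SCP-Firmware finding above (CVE-2024-9413, transport_message_handler not properly handling errors) and the CWE-120 description share one pattern: a length check whose result is never acted on before an untrusted length drives a copy into a fixed-size buffer. The C program below is an added illustration written for this page; it is not SCP-Firmware or Qualcomm IPA code, and the message header layout, the buffer sizes and the function names (validate_length, handle_message_unchecked, handle_message_checked) are assumptions. A sentinel region inside one array stands in for whatever would follow a real stack buffer, so the demonstration stays within defined behaviour while still showing the corruption.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a command header read from shared SRAM. Names and layout are
 * assumptions for this example, not SCP-Firmware's real structures.
 * payload_len is under the sender's control. */
struct msg_header {
    uint32_t message_id;
    uint32_t payload_len;
};

#define MAX_PAYLOAD 16
#define CANARY_LEN  4
#define CANARY_BYTE 0xA5

/* Receive buffer followed by a sentinel. A real overflow would clobber what
 * follows the buffer on the stack; keeping the sentinel in the same array
 * keeps this demonstration within defined behaviour. */
struct rx_ctx {
    uint8_t storage[MAX_PAYLOAD + CANARY_LEN];
};

enum status { STATUS_OK = 0, STATUS_ERR_SIZE = -1 };

static void ctx_init(struct rx_ctx *ctx)
{
    memset(ctx->storage, 0, MAX_PAYLOAD);
    memset(ctx->storage + MAX_PAYLOAD, CANARY_BYTE, CANARY_LEN);
}

/* 1 if the sentinel is untouched, 0 if a copy ran past the payload area. */
int ctx_canary_intact(const struct rx_ctx *ctx)
{
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (ctx->storage[MAX_PAYLOAD + i] != CANARY_BYTE)
            return 0;
    return 1;
}

int validate_length(uint32_t len, size_t capacity)
{
    return len <= capacity ? STATUS_OK : STATUS_ERR_SIZE;
}

/* CWE-120 pattern: the check runs, but its error is dropped, so the copy
 * proceeds with the untrusted length. */
int handle_message_unchecked(const struct msg_header *hdr, const uint8_t *src,
                             struct rx_ctx *ctx)
{
    (void)validate_length(hdr->payload_len, MAX_PAYLOAD); /* error ignored */
    memcpy(ctx->storage, src, hdr->payload_len);          /* may pass MAX_PAYLOAD */
    return STATUS_OK;
}

/* Hardened handler: the error is propagated and nothing is copied. */
int handle_message_checked(const struct msg_header *hdr, const uint8_t *src,
                           struct rx_ctx *ctx)
{
    int rc = validate_length(hdr->payload_len, MAX_PAYLOAD);
    if (rc != STATUS_OK)
        return rc;
    memcpy(ctx->storage, src, hdr->payload_len);
    return STATUS_OK;
}

/* Constructed oversized message: 4 bytes more than the payload area holds. */
static const struct msg_header OVERSIZED_HDR = { 0x0001, MAX_PAYLOAD + CANARY_LEN };

/* Returns 1 when the unchecked handler let the message overwrite the sentinel. */
int demo_unchecked_overflows(void)
{
    uint8_t src[MAX_PAYLOAD + CANARY_LEN];
    struct rx_ctx ctx;
    memset(src, 0x11, sizeof src);
    ctx_init(&ctx);
    handle_message_unchecked(&OVERSIZED_HDR, src, &ctx);
    return !ctx_canary_intact(&ctx);
}

/* Returns 1 when the checked handler rejects it and the sentinel survives. */
int demo_checked_rejects(void)
{
    uint8_t src[MAX_PAYLOAD + CANARY_LEN];
    struct rx_ctx ctx;
    memset(src, 0x11, sizeof src);
    ctx_init(&ctx);
    int rc = handle_message_checked(&OVERSIZED_HDR, src, &ctx);
    return rc == STATUS_ERR_SIZE && ctx_canary_intact(&ctx);
}

int main(void)
{
    printf("unchecked handler corrupted sentinel: %d\n", demo_unchecked_overflows());
    printf("checked handler rejected message:     %d\n", demo_checked_rejects());
    return 0;
}
```

The same shape applies to the IPA statistics fix: a preventive check only helps if its failure path returns before the code that trusts the input runs.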

Official announcement: Please refer to the link below for details –

https://source.android.com/docs/security/bulletin/2025-01-01

An Android security bulletin was published on January 6, 2025, which disclosed multiple vulnerabilities but did not provide details (7th Jan 2025)

Preface: Vulnerability findings appear to have changed compared to five years ago. As a matter of fact, the open-source trend has made many details visible; a large number of vulnerabilities accumulated in 2024, and the Android security advisory for January 2025 shows the actual status.

Manufacturers will have an easier time managing vulnerabilities, because the issues patched today were discovered by them months or a year ago.

Background: CUPS provides the “cups” library to talk to the different parts of CUPS and with Internet Printing Protocol (IPP) printers. The “cups” library functions are accessed by including the <cups/cups.h> header. CUPS is based on the Internet Printing Protocol (“IPP”), which allows clients (applications) to communicate with a server (the scheduler, printers, etc.) to get a list of destinations, send print jobs, and so forth. You identify which server you want to communicate with using a pointer to the opaque structure http_t. The CUPS_HTTP_DEFAULT constant can be used when you want to talk to the CUPS scheduler.

Vulnerability details: Five critical Android fixes (CVE-2024-43096, CVE-2024-43770, CVE-2024-43771, CVE-2024-49747, CVE-2024-49748) were released in the January 2025 Security Advisory Bulletin. We are aware that the above vulnerability advisory was released on December 3, 2024. But why not provide details?

Perhaps it is related to CUPS. When Android incorporates this open-source system, Android itself cannot protect it, so the vulnerabilities are brought in.

My speculated mapping of the Android CVE reference numbers to the CUPS ones is shown below:

Android CVE-2024-43096 – CVE-2024-47076 (CUPS)

Android CVE-2024-49747 – CVE-2024-47175 (CUPS)

Android CVE-2024-49748 – CVE-2024-47176 (CUPS)

Android CVE-2024-43770 – CVE-2024-47176 (CUPS): When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.

Android CVE-2024-43771 – CVE-2024-47177 (CUPS)

Official announcement: Please refer to the link below for details –

https://source.android.com/docs/security/bulletin/2025-01-01

CVE-2024-33063 – OOB read/writes in ML probe generation (15-Dec 2024)

Preface: A patch published in June 2023 adds parsing of the data and adds/updates the BSS using the received elements. Doing this means that userspace can discover the BSSes using an ML probe request and request association on these links.

Background: The QBSS IE provides information on channel usage by the AP, so that a smart wireless station can pick a better AP for connectivity. Station count, channel utilization, and available admission capacity are the fields carried in this IE.

The term QBSS is used in wireless networks supporting the IEEE 802.11e Quality of Service enhancement. It defines a Basic Service Set supporting a QAP (QoS access point) and a number of QSTAs (QoS stations).

When enabled, the AP appends the QBSS IE to Management frames.

Vulnerability details: Transient DoS while parsing the ML IE, when a beacon carries an ML IE whose Common Info length is greater than the length of the ML IE that contains it.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-33063

CVE-2024-38424 Use After Free in GPS (14-12-2024)

Preface: There are four global satellite navigation systems, currently GPS (United States), GLONASS (Russian Federation), Beidou (China) and Galileo (European Union).

Background: On Qualcomm platforms, the Android open-source side is called the HLOS (high-level operating system); Qualcomm’s proprietary firmware is called non-HLOS.

The Android on Snapdragon architecture is built to allow for common feature adoption across devices with Snapdragon. It represents the software features and functionalities available on Qualcomm® reference devices and provided to OEMs for design into their Android mobile devices and tablets.

Global Navigation Satellite System (GNSS) refers to any satellite constellation that provides global positioning, navigation, and timing services. Several GNSS are currently available: BeiDou (China), Galileo (EU), GPS (USA) and GLONASS (Russia). In October 2022, Rx Networks, Inc., a GNSS data services company, announced the availability of TruePoint.io precise location services on Qualcomm’s Snapdragon 8 Gen 1 and Snapdragon 888 5G Mobile Platforms.

Vulnerability details: Memory corruption during GNSS HAL process initialization.

Technology Area: GPS HLOS Driver

CWE-416: Use After Free

Official announcement: Please refer to the official announcement for details – https://nvd.nist.gov/vuln/detail/CVE-2024-38424

CVE-2024-38403 – Buffer Over-read in WLAN Firmware (8th Nov 2024)

Preface: BSS Transition Management enables an AP to request a voice client to transition to a specific AP, or suggest a set of preferred APs to a voice client, due to network load balancing or BSS termination.

Background: A STA receiving a BSS Transition Management Request frame may respond with a BSS Transition Management Response frame.

The BSS Termination Included (bit 3) field indicates that the BSS Termination Duration field is included, the BSS or the AP MLD is shutting down and the STA or the non-AP MLD will be disassociated. The AP or AP MLD sets the BSS Termination Included bit in the Request mode field to 1 to indicate that the BSS or AP MLD is shutting down.

The BSS Termination Included bit is 0 if no BSS Termination Duration information is included in the BSS Transition Management Request frame.

Vulnerability details: Transient DoS while parsing the BTM ML IE when the per-STA profile is not included.
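The two Qualcomm WLAN findings on this page, CVE-2024-33063 (a Common Info length larger than the enclosing ML IE) and CVE-2024-38403 (a BTM ML IE with no per-STA profile), are both nested-length problems in the same Multi-Link element. The C parser below is an added example written for this page, not Qualcomm firmware code. It uses a simplified element layout; the element ID extension value, the subelement ID and the sample byte strings are constructed placeholders. Every declared length is validated against the length that encloses it before any byte is read, and a missing per-STA profile is reported as a status instead of being dereferenced.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified Multi-Link element layout assumed by this example (not a full
 * IEEE 802.11be encoding):
 *   [Element ID = 255][Length][Element ID Extension][ML Control (2 bytes)]
 *   [Common Info: Common Info Length (1) + fields][Link Info: subelements]
 * Each subelement is [Subelement ID][Length][Data]. */
#define IE_ID_EXTENSION          255
#define EID_EXT_MULTI_LINK       107  /* placeholder value for this example */
#define SUBELEM_PER_STA_PROFILE    0  /* placeholder value for this example */

enum ml_status {
    ML_OK = 0,
    ML_ERR_TRUNCATED,        /* element or subelement runs past available bytes */
    ML_ERR_NOT_ML,           /* not a Multi-Link element */
    ML_ERR_COMMON_INFO_LEN,  /* Common Info Length does not fit in the element */
    ML_ERR_NO_PER_STA        /* consumer needed a Per-STA Profile; none present */
};

struct ml_parse_result {
    uint8_t common_info_len;
    int per_sta_profile_present;
    size_t per_sta_profile_len;
};

/* Parse one Multi-Link element. `ie` points at the Element ID byte and
 * `avail` is the number of frame bytes left from that point. */
enum ml_status parse_ml_ie(const uint8_t *ie, size_t avail, struct ml_parse_result *out)
{
    if (avail < 2)
        return ML_ERR_TRUNCATED;
    size_t len = ie[1];
    if (avail < 2 + len)                 /* element claims more than the frame has */
        return ML_ERR_TRUNCATED;
    const uint8_t *body = ie + 2;
    if (ie[0] != IE_ID_EXTENSION || len < 1 || body[0] != EID_EXT_MULTI_LINK)
        return ML_ERR_NOT_ML;
    body += 1; len -= 1;                 /* skip Element ID Extension */
    if (len < 2 + 1)                     /* ML Control + Common Info Length byte */
        return ML_ERR_TRUNCATED;
    const uint8_t *common = body + 2;
    size_t remaining = len - 2;
    size_t common_len = common[0];
    /* CVE-2024-33063 condition: Common Info Length larger than the enclosing
     * ML element. Reject instead of reading past the element. */
    if (common_len < 1 || common_len > remaining)
        return ML_ERR_COMMON_INFO_LEN;
    out->common_info_len = (uint8_t)common_len;
    out->per_sta_profile_present = 0;
    out->per_sta_profile_len = 0;
    const uint8_t *sub = common + common_len;
    size_t link_len = remaining - common_len;
    while (link_len > 0) {               /* Link Info is optional and may be empty */
        if (link_len < 2)
            return ML_ERR_TRUNCATED;
        size_t slen = sub[1];
        if (link_len < 2 + slen)         /* subelement must fit inside Link Info */
            return ML_ERR_TRUNCATED;
        if (sub[0] == SUBELEM_PER_STA_PROFILE && !out->per_sta_profile_present) {
            out->per_sta_profile_present = 1;
            out->per_sta_profile_len = slen;
        }
        sub += 2 + slen;
        link_len -= 2 + slen;
    }
    return ML_OK;
}

/* BTM-style consumer that needs a Per-STA Profile: report its absence
 * rather than using a profile that is not there (the CVE-2024-38403 case). */
enum ml_status btm_select_link(const struct ml_parse_result *r)
{
    return r->per_sta_profile_present ? ML_OK : ML_ERR_NO_PER_STA;
}

/* Constructed sample elements (not captured frames). */
static const uint8_t GOOD_ML_IE[] = {
    255, 10, 107, 0x00, 0x00,   /* ID, length, ext ID, ML Control */
    0x03, 0xAA, 0xBB,           /* Common Info: length 3 including the length byte */
    0x00, 0x02, 0x01, 0x02      /* Per-STA Profile subelement with 2 data bytes */
};
static const uint8_t BAD_COMMON_LEN_IE[] = {
    255, 10, 107, 0x00, 0x00,
    0x20, 0xAA, 0xBB,           /* claims 32 bytes of Common Info; only 7 remain */
    0x00, 0x02, 0x01, 0x02
};
static const uint8_t NO_PER_STA_IE[] = {
    255, 6, 107, 0x00, 0x00,
    0x03, 0xAA, 0xBB            /* Common Info only, no Link Info at all */
};

/* Status-only wrapper for a sample element. */
enum ml_status parse_status(const uint8_t *ie, size_t avail)
{
    struct ml_parse_result r;
    return parse_ml_ie(ie, avail, &r);
}

/* -1 on parse error, otherwise the BTM consumer's verdict. */
int btm_status(const uint8_t *ie, size_t avail)
{
    struct ml_parse_result r;
    if (parse_ml_ie(ie, avail, &r) != ML_OK)
        return -1;
    return btm_select_link(&r);
}

int main(void)
{
    printf("good: %d  bad common len: %d  no per-STA (BTM): %d\n",
           parse_status(GOOD_ML_IE, sizeof GOOD_ML_IE),
           parse_status(BAD_COMMON_LEN_IE, sizeof BAD_COMMON_LEN_IE),
           btm_status(NO_PER_STA_IE, sizeof NO_PER_STA_IE));
    return 0;
}
```

The same two checks, "inner length fits inside outer length" and "optional part may be absent", are what a firmware reviewer looks for in any IE walker; a transient DoS in the WLAN firmware is the mild outcome of skipping them, an out-of-bounds write is the other.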

Official announcement: Please refer to the vendor announcement for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/november-2024-bulletin.html