Category Archives: Cell Phone (iPhone, Android, windows mobile)

CVE-2024-21468 – iommu: Fix missing return check of arm_lpae_init_pte (8th Apr 2024)

Preface: This vulnerability was posted on April 1 2024. For details, please refer to the Qualcomm April 2024 Security Bulletin.

Background: EL1 can access most system registers, EL2 has additional privileges, and EL3 has all privileges. The only way that the processor can change from one exception level to a higher level is when an exception occurs.

In computing, an input–output memory management unit is a memory management unit connecting a direct-memory-access–capable I/O bus to the main memory. Like a traditional MMU, which translates CPU-visible virtual addresses to physical addresses, the IOMMU maps device-visible virtual addresses to physical addresses.

Qualcomm “B” family devices which are not compatible with arm-smmu have a similar looking IOMMU but without access to the global register space, and optionally requiring additional configuration to route context irqs to non-secure vs secure interrupt line.

Vulnerability details: Use After Free in Kernel. UAF scenario may occur in clients with EL1 privileges for iova mappings when we miss to check the return value of arm_lpae_init_pte which may lead to an PTE be counted as it was set even if it was already existing. This can cause a dangling IOMMU PTE to be left mapped pointing to a freed object and cause UAF in the client if the dangling PTE is accessed after a failed unmap operation.

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/april-2024-bulletin.html

What are the security updates for 17.4.1? Apple, as always, won’t tell you the details of the vulnerability! (22-03-2024)

Preface: iPhone XS is powered by the A12 Bionic processor. iPhone 13 and iPhone 13 Mini use the Apple-designed A15 Bionic chip system. Additionally, the iPhone 15 is powered by a six-core Apple A16 Bionic processor. All above Bionic processors have common point. They are 64-bit ARM-based system on a chip (SoC) designed by Apple Inc.

Speculation: If you remember, a vulnerability related to AMD on 15th Mar, 2024.(CVE-2024-21930) Specter v1 variant inheriting the Specter v1 vulnerability. So called GhostRace. But this design weakness not only to AMD. For example, ARM Limited do not announce they do not impact with this vulnerability. So, do you think, Apple Inc. might worries about this vulnerability thus in priority to update Firmware and Linux base OS to mitigate this risk?

Official announcement: Please refer to the link for details  – https://support.apple.com/en-us/HT201222

CPU hardware utilizing speculative execution may be vulnerable to speculative race conditionshttps://www.kb.cert.org/vuls/id/488902

CVE-2024-23278: An app may be able to break out of its sandbox (11thMar 2024)

Vulnerability CVE-2024-23278 was released on March 7, 2024. Apple didn’t reveal specific details, so let’s see if we can dig out any clues.

Preface: XPC has a sizeable portion of undocumented functionality, including its implementation (for example, the main project libxpc is closed source). XPC provides a public API at two levels: low-level and Foundation wrappers.

Background: XPC is the enhanced IPC framework used in macOS/iOS. Since its introduction in version 10.7/5.0, its use has exploded. XPC has a fairly large undocumented portion of its functionality, which includes its implementation (the main project libxpc, for example, is closed source). XPC provides public APIs on two levels: the low level and the Foundation wrappers.

Vulnerability details: The issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.6.5, macOS Sonoma 14.4, iOS 17.4 and iPadOS 17.4, watchOS 10.4, iOS 16.7.6 and iPadOS 16.7.6, tvOS 17.4. An app may be able to break out of its sandbox.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-23278

CVE-2023-28582 Buffer Copy Without Checking Size of Input in Data Modem (8th Mar 2024)

This issue was fixed on 2023/09/04. But the vendor did not announce the vulnerability until today (March 8, 2024).

Preface: Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery.

Background: 5G security standards bring enhancements to air interface and transport security mechanisms used in 4G.

In terms of transport security, the N2/N3 interfaces connecting the access and core networks and Xn interfaces connecting base stations use IPsec in 4G for transport security. 5G additionally supports Datagram Transport Layer Security (DTLS) over Stream Control Transmission Protocol (SCTP) to secure signaling transmission on the control plane, ensuring transport security between RANs and core networks. Operators can select a transport security protection scheme based on security requirements to prevent data breach and attacks on the transport network.

Vulnerability details: Memory corruption in Data Modem while verifying hello-verify message during the DTLS handshake.

Official announcement: https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2024-bulletin.html

CVE-2023-49100: TF-A before 2.10 has a potential read out-of-bounds in the SDEI service (21-02-2024)

Preface: Trusted Firmware-A (TF-A) provides a reference implementation of secure world software for Armv7-A, Armv8-A and Armv9-A, including a Secure Monitor executing at Exception Level 3 (EL3) and a Secure Partition Manager running at Secure EL2 (S-EL2) of the Arm architecture.

Background: Software Delegated Exception Interface (SDEI) provides a mechanism for registering and servicing system events from system firmware. This specification defines a standard interface that is vendor-neutral, interoperable, and software portable. The interface is offered by a higher Exception level to a lower Exception level, in other words, by a Secure platform firmware to hypervisor or hypervisor to OS or both.

System events are high priority events, which must be serviced immediately by an OS or hypervisor. These events are often orthogonal to normal OS operation and the events can be handled, even when the OS is executing within its own critical section with interrupts masked. System events can be provided to support: Platform error handling (RAS), Software watchdog timer, Sample-based profiling & Kernel debugger.

Vulnerability details: Trusted Firmware-A (TF-A) before 2.10 has a potential read out-of-bounds in the SDEI service. The input parameter passed in register x1 is not validated well enough in the function sdei_interrupt_bind. The parameter is passed to a call to plat_ic_get_interrupt_type. It can be any arbitrary value passing checks in the function plat_ic_is_sgi. A compromised Normal World (Linux kernel) can enable a root-privileged attacker to issue arbitrary SMC calls. Using this primitive, he can control the content of registers x0 through x6, which are used to send parameters to TF-A. Out-of-bounds addresses can be read in the context of TF-A (EL3). Because the read value is never returned to non-secure memory or in registers, no leak is possible. An attacker can still crash TF-A, however.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-49100

CVE-2023-33072: Buffer copy without checking size of Input in Core (6th Feb 2024)

Preface: The title states that Buffer does not check the size of the input in Core when copying. But I believe it is more important to avoid unauthorized copying.

Background: An OpenCL Buffer is a 1D or 2D or 3D array in global memory. Its an abstract object that can be addressed thru a pointer. Buffers are Read-Only or Write_only or Read-Write. An Image buffer represents GPU Texture memory. It represents an array of pixels that can be access via functions specifying pixel x,y,z coordinates. There is no pointer access to Image Pixels on the GPU.

OpenCL supports buffer and image objects (and pipe objects from OpenCL 2.0). The one-dimensional buffer objects are a natural choice for many developers due to their simplicity and flexibility, such as the support of pointers, byte-addressable access, etc. For instance, using images allows hardware to handle out-of-boundaries read automatically.

Ref: An OpenCL Buffer is a 1D or 2D or 3D array in global memory. Its an abstract object that can be addressed thru a pointer. Buffers are Read-Only or Write_only or Read-Write. An Image buffer represents GPU Texture memory. It represents an array of pixels that can be access via functions specifying pixel x,y,z coordinates. There is no pointer access to Image Pixels on the GPU.

Vulnerability details: The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

Date Reported        2022/12/20

Customer Notified Date   2023/08/07

Official details: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2024-bulletin.html

CVE-2023-5643: Mali GPU Kernel Driver allows improper GPU memory processing operations (5th Feb 2024)

Preface: Out-of-bounds writes, a common explanation, are the consequences of writing to memory outside the boundaries of the buffer or to invalid memory when the root cause is not sequential copying of too much data from a fixed starting position. This may include issues such as incorrect pointer arithmetic, access to invalid pointers due to incomplete initialization or memory deallocation.

Background: Arm Mali-G71 is the first high-end GPU to implement the Mali Bifrost architecture. Bifrost enables high-end mobile GPUs to provide additional computing performance. This additional performance is used to solve the increasingly complex problems of modern use cases such as VR and high-fidelity gaming.

Vulnerability details: A local non-privileged user can make improper GPU memory processing operations. Depending on the configuration of the Mali GPU Kernel Driver, and if the system’s memory is carefully prepared by the user, then this in turn could write to memory outside of buffer bounds.

Affected products:

Bifrost GPU Kernel Driver: All versions from r41p0 – r45p0

Valhall GPU Kernel Driver: All versions from r41p0 – r45p0

Arm 5th Gen GPU Architecture Kernel Driver: All versions from r41p0 – r45p0

Official details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-5643

CVE-2023-33036: NULL Pointer Dereference in Hypervisor (26th Jan 2024)

This Qualcomm security bulletin was originally published on 1st January 2024.

Preface: One method of conducting these PDoS attacks is commonly referred to as phlashing. During such an attack, an attacker bricks a device or destroys firmware, rendering the device or an entire system useless. This is one method to exploit vulnerabilities and replace a device’s basic software with a corrupt firmware image.

Background: The ARM Trusted Firmware implements a subset of the Trusted Board Boot Requirements (TBBR) Platform Design Document (PDD) for ARM reference platforms. The TBB sequence starts when the platform is powered on and runs up to the stage where it hands-off control to firmware running in the normal world in DRAM. This is the cold boot path.

The ARM Trusted Firmware also implements the Power State Coordination Interface (PSCI) PDD as a runtime service. PSCI is the interface from normal world software to firmware implementing power management use-cases (for example, secondary CPU boot, hotplug and idle). Normal world software can access ARM Trusted Firmware runtime services via the ARM SMC (Secure Monitor Call) instruction.

Vulnerability details: Permanent DOS in Hypervisor while untrusted VM without PSCI support makes a PSCI call.

Vulnerability Type : CWE-476 NULL Pointer Dereference

My observation: I speculated that Linux initiate various CPU-centric power operations will be affected.

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2024-bulletin.html

CVE-2024-23212: Apple Neural Engine design has weakness in memory handling. (25th January 2024)

This announcement was originally published on January 22nd 2024

Preface: Neural networks, also known as artificial neural networks (ANNs) or simulated neural networks (SNNs), are a subset of machine learning and are at the heart of deep learning algorithms.

Recent advances in artificial intelligence systems, such as voice or facial recognition programs, have benefited from neural networks, densely interconnected meshes of simple information processors that learn to perform tasks by analyzing large amounts of training data.

Background: The Apple Neural Engine (or ANE) is a type of NPU, which stands for Neural Processing Unit. It’s like a GPU, but instead of accelerating graphics an NPU accelerates neural network operations such as convolutions and matrix multiplies.

Beyond image generation from text prompts, developers are also discovering other creative uses for Stable Diffusion, such as image editing, in-painting, out-painting, super-resolution, style transfer and even color palette generation.  Getting to a compelling result with Stable Diffusion can require a lot of time and iteration, so a core challenge with on-device deployment of the model is making sure it can generate results fast enough on device. As a result, we require the Apple Neural Engine.

Vulnerability details: Apple security advisory shown that the vulnerability belongs to Apple Neural Engine.

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

Official announcement: Please refer to the link for details – https://support.apple.com/en-us/HT214059

CVE-2023-5091: Mali GPU Kernel Driver allows improper GPU processing operations (8th Jan 2024)

Preface: According to news in October 2023, experts speculated that commercial spyware exploited a security vulnerability in the Arm Mali GPU driver to compromise some people’s devices. The vulnerability was claimed to be a local attack. But how do attacker plant malware on a smartphone without remote access? Hard to say! Phishing and social engineering techniques may be involved.

Background: About four years ago, the mainstream GPUs are PowerVr, Mali, and Adreno (Qualcomm). Apple used a customized version of PowerVr in the early days. However, as Apple develops its own GPU, PowerVr software design now owned by Canyon Bridge Capital Partners. Mali is the graphics acceleration IP of ARM. Mali is actually ARM’s Mali series IP core.

The first version of the Mali microarchitecture is called Utgard. Later there were versions called Midgard (second generation), Bifrost (third generation), and Valhall (fourth generation). Valhall was launched in the second quarter of 2019. The main series are Mali-G57 and Mali-G77.

However, commercial spyware has exploited a security hole in Arm’s Mali GPU drivers to compromise some people’s devices, according to news from Oct 2023.

ARM decided last September (2023) not to disclose any details of CVE-2023-5091 to the public. The official announcement published on January 8, 2024 finally.

Vulnerability details: Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver allows a local non-privileged user to make improper GPU processing operations to gain access to already freed memory. This issue affects Valhall GPU Kernel Driver: from r37p0 through r40p0.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-5091