Category Archives: Cell Phone (iPhone, Android, windows mobile)

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2024-38401: Use After Free in Qualcomm IPC (3rd Sep 2024)

Leave a comment

Preface: Race conditions arise when multiple threads attempt to access a shared resource without proper synchronization, often leading to vulnerabilities such as concurrent use-after-free. To mitigate their occurrence, operating systems rely on synchronization primitives such as mutexes, spinlocks, etc.

Background: The Qualcomm Type 1 Hypervisor facilitates the hosting of multiple trusted execution environments for secure use cases. The figure shows the architecture of the Qualcomm Hypervisor software stack, its components, and virtual machines (VM). This figure includes an example of one guest VM using the Linux kernel.

Interprocess communication (IPC), This includes shared memory, message passing (IPC) APIs, and virtual interrupts. The ioctl function performs the generic I/O operation command on filedes . A third argument is usually present, either a single number or a pointer to a structure.

Ref: EL2 provides support for virtualization

Vulnerability details: Use After Free in Qualcomm IPC, Memory corruption while processing concurrent IOCTL calls.

Official announcement: Please refer to the vendor announcement for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/september-2024-bulletin.html

Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

About CVE-2024-20084 and CVE-2024-20085: MediaTek’s System-on-Chip Design weakness (2nd Sep 2024)

Leave a comment

Preface: When an out-of-bounds read occurs, typically the product has already made a separate mistake, such as modifying an index or performing pointer arithmetic that produces an out-of-bounds address.

Background: MediaTek JPEG Decoder is the JPEG decode hardware present in MediaTek SoCs. The jpeg decoder hardware device node which should be added as subnodes to the main jpeg node.

IOMMU is the so-called SMMU, which can organize discontinuous physical memory into a continuous virtual memory (this makes sense for many drivers).

Vulnerability details:

CVE-2024-20084 – In power, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

CVE-2024-20085 – In power, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the vendor announcement for details – https://corp.mediatek.com/product-security-bulletin/September-2024

AI and ML, Application Development, Blockchain, Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), Potential Risk of CVE

Get closer look CVE-2024-39920: About “SnailLoad” issue (5-Jul-2024)

Leave a comment

NVD Published Date: 07/03/2024

Preface: How is RTT measured in TCP? Measures the time from sending a packet to getting an acknowledgment packet from the target host.

Background: A new technology standard called “RFC 9293” was released on August 18, 2022.

Highlight:

-Acknowledgment Number:  32 bits – If the ACK control bit is set, this field contains the value of the next sequence number the sender of the segment is expecting to receive.  Once a connection is established, this is always sent.

-There are also methods of “fingerprinting” that can be used to infer the host TCP implementation (operating system) version or platform
information. These collect observations of several aspects, such as
the options present in segments, the ordering of options, the
specific behaviors in the case of various conditions, packet timing,
packet sizing, and other aspects of the protocol that are left to be
determined by an implementer, and can use those observations to
identify information about the host and implementation.

Vulnerability details: The TCP protocol in RFC 9293 has a timing side channel that makes it easier for remote attackers to infer the content of one TCP connection from a client system (to any server), when that client system is concurrently obtaining TCP data at a slow rate from an attacker-controlled server, aka the “SnailLoad” issue. For example, the attack can begin by measuring RTTs via the TCP segments whose role is to provide an ACK control bit and an Acknowledgment Number.

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-39920

AI and ML, Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

CVE-2024-20081: Out-of-bounds write in gnss, response by Mediatek security advisory. (2nd July 2024)

Leave a comment

Preface: GPS traditionally refers to the North American Global Positioning System, or satellite positioning system. GNSS is the term for the international multi-constellation satellite system. Therefore, GNSS typically includes GPS, GLONASS, Baidu, Galileo, and any other constellation system.

Background: GNSS positioning modules or chips, as the core component of In-vehicle Infotainment systems, provide position, speed, and time information. GNSS position and speed measurements are integral, especially with respect to moving map navigation.

GNSS are used in all forms of transportation: space stations, aviation, maritime, rail, road and mass transit. Positioning, navigation and timing (PNT) play a critical role in telecommunications, land surveying, law enforcement, emergency response, precision agriculture, mining, finance, scientific research…etc.

Vulnerability details: In gnss service, there is a possible escalation of privilege due to improper certificate validation. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS08720039; Issue ID: MSV-1424.

Official announcement: For detail, please refer to link –

https://corp.mediatek.com/product-security-bulletin/July-2024

Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

CVE-2024-38663: blk-cgroup – fix list corruption from resetting io stat (25-June-2024)

Leave a comment

Preface: Android uses cgroups to control and account for system resources such as CPU and memory usage and allocation, with support for Linux kernel cgroups v1 and cgroups v2.

Background: New IO stats are stored in the percpu iostat_cpu within blkcg_gq (blkg). There are multiple blkg’s (one for each block device) attached to each blkcg. The rstat code keeps track of which cpu has IO stats updated, but it doesn’t know which blkg has the updated stats. If there are many block devices in a system, the cost of iterating all the blkg’s to flush out the IO stats can be high. To reduce such overhead, a set of percpu lockless lists (lhead) per blkcg are used to track the set of recently updated iostat_cpu’s since the last flush. An iostat_cpu will be put onto the lockless list on the update side [blk_cgroup_bio_start()] if not there yet and then removed when being flushed [blkcg_rstat_flush()].

References to blkg are gotten and then put back in the process to protect against blkg removal.

Vulnerability details: blk-cgroup: fix list corruption from resetting io stat. Since commit 3b8cc6298724 (“blk-cgroup: Optimize blkcg_rstat_flush()”), each iostat instance is added to blkcg percpu list, so blkcg_reset_stats() can’t reset the stat instance by memset(), otherwise the llist may be corrupted.

Fix the issue by only resetting the counter part.

Official announcement: For detail, please refer to link – https://nvd.nist.gov/vuln/detail/CVE-2024-38663

AI and ML, Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2024-26926: Kernel – The vulnerability in this section could lead to local escalation of privilege in the kernel with no additional execution privileges needed (6 Jun 2024)

Leave a comment

Preface: In linux distributions the term ‘upstream’ (also applied to kernel) refers to the original version (as is released by software developers) of a program/software (kernel in your case) while ‘downstream’ refers to the software provided by linux distribution.

Background: There are many ways to communicate with IPC, such as: Shared Memory, Message Queue, PIPE, FIFO, Unix Socket, etc. A process cannot access another process’s memory. However, the kernel has control over all processes and therefore can expose an interface that enables IPC. In Binder, this interface is the /dev/binder device, which is implemented by the Binder kernel driver.

Ref: A Mutex is a Mutually exclusive flag. It acts as a gate keeper to a section of code allowing one thread in and blocking access to all others.

Vulnerability details:

Kernel -The vulnerability in this section could lead to local escalation of privilege in the kernel with no additional execution privileges needed.

Official announcement: For detail, please refer to link –

https://source.android.com/docs/security/bulletin/2024-06-01

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

Apple security updates on 20th May 2024, But it has not published CVE entries. Observe how Apple handled in the past, maybe you can find it in a CVE few months from now. (27-05-2024)

Leave a comment

Preface: Apple released iOS 17.5 and iPadOS 17.5 on May 20, 2024, which fixed multiple security vulnerabilities.  I heard that some users found that photos they had deleted years ago suddenly appeared in recent albums as new photos.

Background: The attached pictures document some rare occurrences. For example, which IOS version still support 32 bit applications last year. Perhaps there is a difference regarding to offical announcement. And suspected that may be is the reason to unsupport 32 bits apps.

Official announcement: Why does deleting pictures return?

According to Apple, the photos that did not fully delete from a user’s device were not synced to iCloud Photos. Those files were only on the device itself. However, the files could have persisted from one device to another when restoring from a backup, performing a device-to-device transfer, or when restoring from an iCloud Backup but not using iCloud Photos.

As for vulnerabilities details in security updates, I will pay close attention to see if they can be found.

There are no published CVE entries for this update.  Please refer to the link for details – https://support.apple.com/en-hk/HT201222

AI and ML, Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2024-23354 Memory corruption when the IOCTL call is interrupted by a signal. (24May 2024)

Leave a comment

Originally published on May 6, 2024

Preface: The Snapdragon 8 Gen 2 Mobile Platform defines a new premium standard for connected computing. Intelligently engineered with groundbreaking AI across the board, this AI marvel enables truly extraordinary experiences.

Background: A vertex buffer object (VBO) is an OpenGL feature that provides methods for uploading vertex data (position, normal vector, color, etc.) to the video device for non-immediate-mode rendering.

KGSL allocates GPU-shared memory from its own page pool. A VBO is a buffer of memory which the gpu can access. That’s all it is. A VAO is an object that stores vertex bindings. This means that when you call glVertexAttribPointer and friends to describe your vertex format that format information gets stored into the currently bound VAO.

Vulnerability details: Memory corruption when the IOCTL call is interrupted by a signal.

Remedy: The VBO bind operation is often synchronous, and needs to be waited on by the ioctl thread. Allocate the completion struct used to synchronize between the ioctl and bind operation on the heap for simplicity.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-23354

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2024-21474: Qualcomm did not disclose technical details. Could this situation cause this problem? (6th May 2024)

Leave a comment

Preface: The Qualcomm Snapdragon X65 5G Modem is the baseband chipset used in the iPad Pro (11-inch) (4th generation), iPad Pro (12.9-inch) (6th generation), iPhone 14, iPhone 14 Plus, iPhone 14 Pro and iPhone 14 Pro Max.

Background: A power management integrated circuit (PMIC) is used to manage power on an electronic devices or in modules on devices that may have a range of voltages. The PMIC manages battery power charging and sleep modes, DC-to-DC conversion, scaling of voltages down or up, among others.

Vulnerability details: Memory corruption when size of buffer from previous call is used without validation or re-initialization.

Vulnerability Type: CWE-121 Stack-based Buffer Overflow

Official announcement: Please refer to the link for details –

https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2024-bulletin.html

https://nvd.nist.gov/vuln/detail/CVE-2024-21474

Cell Phone (iPhone, Android, windows mobile), IoT, Potential Risk of CVE

Android Security Bulletin – May 2024 There’s a lot you can explore (9 May 2024)

Leave a comment

Preface: Heard that Long-term support (LTS) for Linux kernels is being reduced from six to two years now.

Background: Greg Kroah-Hartman is a major Linux kernel developer. As of April 2013, he is the Linux kernel maintainer for the -stable branch, the staging subsystem, USB, driver core, debugfs, kref, kobject, and the sysfs kernel subsystems, Userspace I/O, and TTY layer.

What will be the next LTS kernel?

But in any event Greg Kroah-Hartman has decided to go ahead and declare Linux 6.6 as the newest LTS kernel. Kernel.org has been updated to reflect Linux 6.6 LTS. The current plan is for Linux 6.6 to be maintained until going end-of-life in December 2026: the same time Linux 6.1, 5.15, and 5.10 will reach end-of-life.

Android Security Bulletin—May 2024 (Published May 6, 2024)

The diagram above shows that kernel versions have been updated. Kernel version updates are dependent on the version of Android OS at the time of device launch. Please refer to the following link for details:

https://source.android.com/docs/security/bulletin/2024-05-01