Category Archives: Cell Phone (iPhone, Android, windows mobile)

CVE-2023-33072: Buffer copy without checking size of Input in Core (6th Feb 2024)

Preface: The title states that the buffer copy in Core does not check the size of the input. But I believe it is more important to avoid unauthorized copying.

Background: An OpenCL Buffer is a 1D, 2D or 3D array in global memory. It is an abstract object that can be addressed through a pointer. Buffers are Read-Only, Write-Only or Read-Write. An Image buffer represents GPU texture memory: an array of pixels that can be accessed via functions that take pixel x, y, z coordinates. There is no pointer access to image pixels on the GPU.

OpenCL supports buffer and image objects (and pipe objects from OpenCL 2.0). One-dimensional buffer objects are a natural choice for many developers due to their simplicity and flexibility, such as support for pointers and byte-addressable access. Images have advantages of their own; for instance, using images allows the hardware to handle out-of-bounds reads automatically.

Vulnerability details: The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
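As an added illustration (not code from the Qualcomm advisory or from any OpenCL implementation), the C below models the distinction the background describes: a pointer-addressed buffer copy that trusts its input length beside one that checks offset and length against the buffer's capacity, and a clamped image read in the style of the automatic out-of-bounds handling attributed to image objects. The structs and function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Host-side model (constructed for this example, not OpenCL's API) of a
 * 1-D buffer object: raw bytes addressed by offset, like a pointer. */
typedef struct {
    uint8_t *data;
    size_t   size;      /* capacity in bytes */
} buffer_obj;

/* Model of a 2-D image object: pixels are reached only through (x, y). */
typedef struct {
    const uint8_t *pixels;
    size_t width, height;
} image_obj;

/* Vulnerable pattern (CWE-120 as the page describes it): the copy trusts
 * the caller's offset and length and never compares them with dst->size. */
void buffer_copy_unchecked(buffer_obj *dst, size_t offset,
                           const uint8_t *src, size_t len) {
    memcpy(dst->data + offset, src, len);   /* may write past the end */
}

/* Hardened form: reject the copy unless offset + len fits, testing the sum
 * in a way that also catches size_t wraparound (offset + len < offset). */
bool buffer_copy_checked(buffer_obj *dst, size_t offset,
                         const uint8_t *src, size_t len) {
    if (dst == NULL || src == NULL) return false;
    if (len > dst->size || offset > dst->size - len) return false;
    memcpy(dst->data + offset, src, len);
    return true;
}

/* Image-style access: out-of-range coordinates are clamped to the edge,
 * mirroring the automatic out-of-bounds handling the page attributes to
 * image objects; there is no pointer that can run off the end. */
uint8_t image_read_clamped(const image_obj *img, long x, long y) {
    if (x < 0) x = 0;
    if (y < 0) y = 0;
    if ((size_t)x >= img->width)  x = (long)img->width - 1;
    if ((size_t)y >= img->height) y = (long)img->height - 1;
    return img->pixels[(size_t)y * img->width + (size_t)x];
}
```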

Date Reported: 2022/12/20

Customer Notified Date: 2023/08/07

Official details: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2024-bulletin.html

CVE-2023-5643: Mali GPU Kernel Driver allows improper GPU memory processing operations (5th Feb 2024)

Preface: Out-of-bounds writes, by the common definition, are the consequence of writing to memory outside the boundaries of a buffer, or to invalid memory, where the root cause is not sequential copying of too much data from a fixed starting position. Causes include incorrect pointer arithmetic and access through invalid pointers left behind by incomplete initialization or memory deallocation.

Background: Arm Mali-G71 is the first high-end GPU to implement the Mali Bifrost architecture. Bifrost enables high-end mobile GPUs to provide additional computing performance. This additional performance is used to solve the increasingly complex problems of modern use cases such as VR and high-fidelity gaming.

Vulnerability details: A local non-privileged user can make improper GPU memory processing operations. Depending on the configuration of the Mali GPU Kernel Driver, and if the system’s memory is carefully prepared by the user, then this in turn could write to memory outside of buffer bounds.

Affected products:

Bifrost GPU Kernel Driver: All versions from r41p0 – r45p0

Valhall GPU Kernel Driver: All versions from r41p0 – r45p0

Arm 5th Gen GPU Architecture Kernel Driver: All versions from r41p0 – r45p0

Official details: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-5643

CVE-2023-33036: NULL Pointer Dereference in Hypervisor (26th Jan 2024)

This Qualcomm security bulletin was originally published on 1st January 2024.

Preface: One method of conducting a permanent denial-of-service (PDoS) attack is commonly referred to as phlashing. During such an attack, an attacker bricks a device or destroys its firmware, rendering the device or an entire system useless. It is one way of exploiting vulnerabilities to replace a device’s basic software with a corrupt firmware image.

Background: The ARM Trusted Firmware implements a subset of the Trusted Board Boot Requirements (TBBR) Platform Design Document (PDD) for ARM reference platforms. The TBB sequence starts when the platform is powered on and runs up to the stage where it hands off control to firmware running in the normal world in DRAM. This is the cold boot path.

The ARM Trusted Firmware also implements the Power State Coordination Interface (PSCI) PDD as a runtime service. PSCI is the interface from normal world software to firmware implementing power management use-cases (for example, secondary CPU boot, hotplug and idle). Normal world software can access ARM Trusted Firmware runtime services via the ARM SMC (Secure Monitor Call) instruction.

Vulnerability details: Permanent DoS in Hypervisor while an untrusted VM without PSCI support makes a PSCI call.

Vulnerability Type: CWE-476 NULL Pointer Dereference

My observation: I speculated that Linux will be affected when it initiates various CPU-centric power operations.

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2024-bulletin.html

CVE-2024-23212: Apple Neural Engine design has a weakness in memory handling (25th January 2024)

This announcement was originally published on January 22nd 2024.

Preface: Neural networks, also known as artificial neural networks (ANNs) or simulated neural networks (SNNs), are a subset of machine learning and are at the heart of deep learning algorithms.

Recent advances in artificial intelligence systems, such as voice or facial recognition programs, have benefited from neural networks, densely interconnected meshes of simple information processors that learn to perform tasks by analyzing large amounts of training data.

Background: The Apple Neural Engine (or ANE) is a type of NPU, which stands for Neural Processing Unit. It’s like a GPU, but instead of accelerating graphics an NPU accelerates neural network operations such as convolutions and matrix multiplies.

Beyond image generation from text prompts, developers are also discovering other creative uses for Stable Diffusion, such as image editing, in-painting, out-painting, super-resolution, style transfer and even color palette generation. Getting to a compelling result with Stable Diffusion can require a lot of time and iteration, so a core challenge with on-device deployment of the model is making sure it can generate results fast enough on device. This is where the Apple Neural Engine is needed.

Vulnerability details: Apple’s security advisory shows that the vulnerability lies in the Apple Neural Engine.

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

Official announcement: Please refer to the link for details – https://support.apple.com/en-us/HT214059

CVE-2023-5091: Mali GPU Kernel Driver allows improper GPU processing operations (8th Jan 2024)

Preface: According to news in October 2023, experts speculated that commercial spyware exploited a security vulnerability in the Arm Mali GPU driver to compromise some people’s devices. The vulnerability was claimed to be a local attack. But how does an attacker plant malware on a smartphone without remote access? Hard to say! Phishing and social engineering techniques may be involved.

Background: About four years ago, the mainstream mobile GPUs were PowerVR, Mali, and Adreno (Qualcomm). Apple used a customized version of PowerVR in the early days; however, as Apple developed its own GPU, the PowerVR design is now owned by Canyon Bridge Capital Partners. Mali is the graphics acceleration IP of ARM, i.e. ARM’s Mali series IP core.

The first version of the Mali microarchitecture is called Utgard. Later there were versions called Midgard (second generation), Bifrost (third generation), and Valhall (fourth generation). Valhall was launched in the second quarter of 2019. The main series are Mali-G57 and Mali-G77.

However, commercial spyware has exploited a security hole in Arm’s Mali GPU drivers to compromise some people’s devices, according to news from Oct 2023.

ARM decided last September (2023) not to disclose any details of CVE-2023-5091 to the public. The official announcement was finally published on January 8, 2024.

Vulnerability details: Use After Free vulnerability in Arm Ltd Valhall GPU Kernel Driver allows a local non-privileged user to make improper GPU processing operations to gain access to already freed memory. This issue affects Valhall GPU Kernel Driver: from r37p0 through r40p0.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-5091

Android Security Bulletin – Released January 2024, covers a vulnerability in August 2023 (CVE-2023-21651) – 4th Jan 2024

Preface: Android releases a security bulletin once a month in the traditional way. However, when a design limitation relates to another supplier, the vulnerability details include the response from the relevant manufacturer. This is why Qualcomm also released its own assessment of the severity of these problems.

I was not paying attention to this vulnerability in August 2023. Out of personal interest, maybe I’ll take this opportunity to dig into the details of this vulnerability. If you are interested, please become my guest.

Background: The full name of TEE is trusted execution environment, which is an area on the CPU of mobile devices (smart phones, tablets, smart TVs). The role of this area is to provide a more secure space for data and code execution, and to ensure their confidentiality and integrity.

Other TEE operating systems are traditionally supplied as binary blobs by third-party vendors or developed internally. Developing internal TEE systems or licensing a TEE from a third-party can be costly to System-on-Chip (SoC) vendors and OEMs.

Trusty is a secure Operating System (OS) that provides a Trusted Execution Environment (TEE) for Android. A Trusty application is defined as a collection of binary files (executables and resource files), a binary manifest, and a cryptographic signature. At runtime, Trusty applications run as isolated processes in unprivileged mode under the Trusty kernel.

The Qualcomm Trusted Execution Environment software cryptographic library is part of a software hybrid module implemented as part of the Snapdragon SoC architecture; the single chip is the physical boundary of that software hybrid module.

Vulnerability details: Memory Corruption in Core due to incorrect type conversion or cast in secure_io_read/write function in TEE.

Official announcement: Please refer to the link for details –

Android: https://source.android.com/docs/security/bulletin/2024-01-01

Qualcomm: https://docs.qualcomm.com/product/publicresources/securitybulletin/august-2023-bulletin.html

About CVE-2023-40078: The Opus A2DP codec on the Android platform has a design flaw that may lead to paired-device escalation of privilege (14th Dec 2023)

Preface: A2DP is a protocol supported on most Bluetooth audio devices. Opus is open source, and Opus over A2DP was introduced in Android 13.

Background: In Bluetooth, there is a possibility of code execution due to a use after free. This could lead to paired-device escalation of privilege in the privileged Bluetooth process with no additional execution privileges needed. User interaction is not needed for exploitation. This design weakness was published on 30th Oct 2023. The CVE reference is CVE-2023-21361.

One advantage of using C++ for Android app development is the ability to create cross-platform apps. By writing platform-agnostic code in C++, you can reuse it for developing iOS apps using tools like Apple’s Xcode and Swift. This allows for efficient code sharing between the Android and iOS platforms.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-40078

CVE-2023-42914 – An app may be able to break out of its sandbox (13th Dec 2023)

Preface: One action Apple has taken over the past few years is to harden the Safari WebContent (or “renderer”) process sandbox attack surface on iOS, most recently by removing the ability for an exploited WebContent process to reach the GPU process directly.

Background: App Sandbox provides protection to system resources and user data by limiting your app’s access to resources requested through entitlements.

Essentials – App Sandbox Entitlement

A Boolean value that indicates whether the app may use access control technology to contain damage to the system and user data if an app is compromised.

Key: com.apple.security.app-sandbox

Vulnerability details: An app may be able to break out of its sandbox. The issue was addressed with improved memory handling.

Affected devices: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-42914

About CVE-2023-40088: When similar design flaws arise, perhaps you question the effectiveness of your security architecture? (7th Dec 2023)

Preface: Bluetooth is now a regular part of your mobile experience. It covers everything from audio to wireless headphones and speakers, pairing game controllers and keyboards, network connections, and even the occasional file transfer over the air.

Background: What is Bluetooth adapter in Android? The BluetoothAdapter lets you perform fundamental Bluetooth tasks, such as initiate device discovery, query a list of bonded (paired) devices, instantiate a BluetoothDevice using a known MAC address, and create a BluetoothServerSocket to listen for connection requests from other devices.

Vulnerability details: In callback_thread_event of com_android_bluetooth_btservice_AdapterService.cpp, there is a possible memory corruption due to a use after free. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: This vulnerability was assigned the identifier CVE-2023-40088 on 9th Aug 2023 and announced to the public on 5th Dec 2023. The advisory is available at:

https://source.android.com/docs/security/bulletin/2023-12-01

https://nvd.nist.gov/vuln/detail/CVE-2023-40088

CVE-2023-40082: was it caused by a previous vulnerability? (4th Dec 2023)

Preface: Das U-Boot (subtitled “the Universal Boot Loader”) is often shortened to U-Boot.

Background: Das U-Boot is an open-source boot loader used in embedded devices to perform various low-level hardware initialization tasks and boot the device’s operating system kernel. It is available for a number of computer architectures, including 68k, ARM, Blackfin, MicroBlaze, MIPS, Nios, SuperH, PPC, RISC-V and x86. 

Best practice: A bootloader design on the ARM platform is very different from what we have seen so far on the x86 platform. On the ARM platform, the minimalist bootloader design needs to implement the Trusted Board Boot (TBB) feature. The TBB feature allows the platform to be protected from malicious firmware attacks by implementing a chain of trust (CoT) at each firmware level up to the normal world bootloader. Trusted Firmware (TF) implements a subset of the TBB requirements for ARM reference platforms.

Vulnerability details: In modify for next stage of fdt.rs, there is a possible way to render KASLR ineffective due to improperly used crypto. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-40082