Security Focus: CVE-2023-21266 (6th Oct 2023)

Preface: A smartphone is a microcosm of the digital world. That world is built from web services, repositories, virtual machines, high-speed networks, multi-core CPUs and GPUs, and the average smartphone already contains every one of those infrastructure components. The security bar for a smartphone is therefore no lower than that of an enterprise server; this micro world is stricter than you might think.

Background: Android 13 builds on the tablet optimizations introduced in Android 12 and the 12L feature drop, including optimizations for the system UI, better multitasking, and improved compatibility modes. ActivityManagerService is the most important service in Android. It is mainly responsible for the startup, switching, scheduling and management of application processes and of the four application component types, playing the role of the operating system's process management and scheduling module.

ActivityManagerService is the process management and dispatch center of the Java platform layer. system_server is itself a system process, and it too falls within the management scope of ActivityManagerService.

What exactly does ActivityManagerService do when it is constructed? It sets up its execution threads: ServiceThread, mUiHandler, sKillThread and CpuTracker.

Vulnerability details: CVE-2023-21266 could lead to local escalation of privilege with no additional execution privileges needed.

Affected Android versions: 11, 12, 12L, 13

Vulnerability Type: Elevation of privilege

Official announcement: Please refer to the link for details – https://source.android.com/docs/security/bulletin/2023-10-01

CVE-2023-33106, CVE-2023-33107, CVE-2022-22071 and CVE-2023-33063: Where do your weaknesses belong? (5th Oct 2023)

Preface: There are indications from Google Threat Analysis Group and Google Project Zero that CVE-2023-33106, CVE-2023-33107, CVE-2022-22071 and CVE-2023-33063 may be under limited, targeted exploitation. Patches for the issues affecting Adreno GPU and Compute DSP drivers have been made available, and OEMs have been notified with a strong recommendation to deploy security updates as soon as possible. Please contact your device manufacturer for more information on the patch status about specific devices.

Background: The Qualcomm cDSP is a hardware acceleration unit on the Qualcomm platform dedicated to general-purpose computing. Compared with the host CPU, the DSP usually runs at a lower clock speed but offers more instruction-level parallelism, which makes it a better alternative to the CPU in terms of power consumption. Porting as many large compute-intensive tasks as possible to the DSP can therefore reduce the device's overall power consumption.

The Qualcomm Adreno 640 is a smartphone and tablet GPU integrated into the Qualcomm Snapdragon 855 SoC. The chip became available in early 2019 and is used mainly in high-end Android devices.

Vulnerability details:

According to the vendor's announcement, details of the design weaknesses behind these CVEs have not been published yet, but OEMs have been notified with a strong recommendation to deploy security updates as soon as possible. The limited information released states that patches for the vulnerabilities affecting the Adreno GPU and Compute DSP drivers have been made available.

Official announcement: Please refer to the link for details – https://docs.qualcomm.com/product/publicresources/securitybulletin

CVE-2023-34970: ARM Security Advisory published a number of design flaws. Can we guess what this CVE is about? (4th Oct 2023)

Preface: Rather than processing tasks serially (sequentially) like a CPU, a GPU breaks up tasks and runs them in parallel. GPUs have many more cores than CPUs.

Background: The Roofline model is an intuitive visual performance model used to provide performance estimates of a given compute kernel or application running on multi-core, many-core, or accelerator processor architectures, by showing inherent hardware limitations, and potential benefit and priority of optimizations.

The kernel is memory bound, and the corresponding dot is close to the L2 bandwidth roof.
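To make the "dot close to the L2 roof" statement concrete, here is an added example (not code from the original post or from Arm) of the Roofline arithmetic: attainable performance is the minimum of the compute peak and bandwidth times arithmetic intensity, evaluated once per bandwidth roof. The peak, bandwidths and kernel intensities are constructed placeholders, not measurements of any real GPU.

```c
/* Added example: a minimal Roofline calculator.  All hardware numbers and
 * kernel intensities below are constructed placeholders for the demo. */
#include <stdio.h>

/* One bandwidth "roof" (e.g. DRAM or L2) in GB/s. */
struct roof {
    const char *name;
    double bw_gbs;
};

/* Attainable performance (GFLOP/s) for a kernel with arithmetic intensity
 * `ai` (FLOP per byte moved through the given level of the memory hierarchy):
 * min(peak compute, bandwidth * intensity). */
double roofline_attainable(double peak_gflops, double bw_gbs, double ai)
{
    double bw_limit = bw_gbs * ai;
    return bw_limit < peak_gflops ? bw_limit : peak_gflops;
}

/* Ridge point: the intensity at which a bandwidth roof meets the compute roof.
 * Kernels left of it are memory bound, kernels right of it compute bound. */
double roofline_ridge_point(double peak_gflops, double bw_gbs)
{
    return peak_gflops / bw_gbs;
}

/* 1 if the kernel sits under the given bandwidth roof (memory bound), else 0. */
int roofline_memory_bound(double peak_gflops, double bw_gbs, double ai)
{
    return bw_gbs * ai < peak_gflops;
}

int main(void)
{
    const double peak = 1000.0;                       /* constructed GFLOP/s peak */
    const struct roof roofs[] = { {"DRAM", 50.0}, {"L2", 400.0} };
    /* Constructed kernels: a streaming matrix-vector product (about 0.5 FLOP
     * per byte) and a blocked matrix multiply (about 8 FLOP per byte). */
    const struct { const char *name; double ai; } kernels[] = {
        {"matvec", 0.5}, {"blocked matmul", 8.0}
    };

    for (size_t k = 0; k < 2; k++)
        for (size_t r = 0; r < 2; r++)
            printf("%-15s vs %-4s roof: %7.1f GFLOP/s (%s)\n",
                   kernels[k].name, roofs[r].name,
                   roofline_attainable(peak, roofs[r].bw_gbs, kernels[k].ai),
                   roofline_memory_bound(peak, roofs[r].bw_gbs, kernels[k].ai)
                       ? "memory bound" : "compute bound");
    return 0;
}
```

With these constructed numbers the matvec kernel is bandwidth limited under both roofs, while the blocked matmul is memory bound against DRAM but reaches the compute roof once its working set fits in L2; that is the distinction the "dot close to the L2 bandwidth roof" phrasing is making.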

Ref: Suppose we have a mapping φ: ℝⁿ → ℝᵐ that brings our vectors in ℝⁿ to some feature space ℝᵐ. Then the dot product of x and y in this space is φ(x)ᵀφ(y). A kernel is a function k that corresponds to this dot product, i.e. k(x, y) = φ(x)ᵀφ(y).

Mali Offline Compiler is a command-line tool that you can use to compile all shaders and kernels from OpenGL ES, Vulkan and OpenCL.

Even though data is not organized in blocks in the source code, the compiler recognizes the pattern and optimizes access to matrix arrays.

Vulnerability details: A local non-privileged user can make improper GPU processing operations to access a limited amount outside of buffer bounds or to exploit a software race condition. If the system’s memory is carefully prepared by the user, then this in turn could give them access to already freed memory.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-34970

CVE-2023-4211: Mali GPU Kernel Driver allows improper GPU memory processing operations (2nd Oct 2023)

Preface: Double free and use after free are common IoT security weaknesses.

For example, calling free() twice on the same value causes a memory leak, so it is easy to run into this design weakness.
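The usual defensive pattern against the double-free shape described above is to release memory only through a helper that clears the pointer, so a second release on the same slot is a no-op and a later dereference faults immediately instead of touching freed memory. This is an added example, not code from the original post or from the Mali driver; the release-path shape and the byte count are constructed for the demo.

```c
/* Added example: freeing through a pointer-to-pointer so that a repeated
 * release is a harmless no-op rather than a double free.  Constructed demo. */
#include <stdio.h>
#include <stdlib.h>

static unsigned frees_performed;   /* counts real free() calls, for the demo only */

/* Release *pp and null it.  Calling this twice on the same slot frees once:
 * the second call sees NULL and returns, and any later dereference of *pp
 * faults on a NULL pointer instead of reading or writing freed memory. */
void safe_free(void **pp)
{
    if (pp == NULL || *pp == NULL)
        return;
    free(*pp);
    frees_performed++;
    *pp = NULL;
}

/* Simulated release path reached from two places (e.g. an error path and the
 * normal teardown), the shape that produces CWE-415 when the pointer is not
 * cleared after the first free.  Returns 0 when exactly one free happened. */
int release_twice(size_t bytes)
{
    void *buf = malloc(bytes);
    if (buf == NULL)
        return -1;
    frees_performed = 0;
    safe_free(&buf);   /* first release: actually frees and nulls buf */
    safe_free(&buf);   /* second release: no-op because buf is now NULL */
    return (buf == NULL && frees_performed == 1) ? 0 : -2;
}

int main(void)
{
    printf("release_twice: %s\n",
           release_twice(64) == 0 ? "ok, freed exactly once" : "failed");
    return 0;
}
```

Nulling the pointer only protects the slot it lives in; if two structures hold copies of the same pointer, ownership has to be made explicit (one owner, or a reference count) so that only the owner calls the release helper.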

Background: Arm Mali-G720 is designed on the Arm 5th Gen architecture to deliver improved performance while reducing memory bandwidth usage, power consumption, and CPU load. Even more powerful than its predecessor, the Mali-G715 GPU, Mali-G720 takes full advantage of advanced GPU technologies that can power immersive games and intelligent AI applications across a broad range of devices.

Vulnerability details: A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory.

Affected products:

Midgard GPU Kernel Driver: All versions from r12p0 – r32p0

Bifrost GPU Kernel Driver: All versions from r0p0 – r42p0

Valhall GPU Kernel Driver: All versions from r19p0 – r42p0

Arm 5th Gen GPU Architecture Kernel Driver: All versions from r41p0 – r42p0

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-4211

Google is aware that an exploit for CVE-2023-5217 exists in the wild, but it was fixed quickly (29-09-2023)

Preface: A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

Background: A video codec is software or hardware that compresses and decompresses digital video. libvpx is a free software video codec library from Google and the Alliance for Open Media (AOMedia).

Vulnerability details: Heap buffer overflow in vp8 encoding in libvpx in Google Chrome prior to 117.0.5938.132 and libvpx 1.13.1 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Remedy: Upgrade to version 117.0.5938.132.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-5217

CVE-2023-43642: Missing upper bound check on chunk length in snappy-java can lead to Denial of Service! (28-09-2023)

Preface: The classes in the java.util.zip package support two widespread compression formats: GZIP and ZIP. Both are based on the ZLIB compression algorithm, which is specified in RFC 1950, RFC 1951, and RFC 1952.

Background: Compression ratio: Gzip generally achieves a higher compression ratio than Snappy; if storage space is the primary concern, Gzip may be the better choice. Speed: Snappy is designed for speed; if processing speed is the primary concern, Snappy may be the better choice. snappy-java is a Java port of snappy, a fast C++ compressor/decompressor developed by Google.

Vulnerability details: SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data with an excessively large chunk size. Because of a missing upper bound check on the chunk length, an unrecoverable fatal error can occur.
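The defect class here is a length-prefixed framing parser that trusts the declared chunk size before allocating for it. The following added example (not snappy-java's code, and written in C rather than Java) shows the check that is missing in such a parser: a declared length is compared against an explicit upper bound before any allocation or copy. The 4-byte big-endian length prefix mirrors the general framing pattern; the MAX_CHUNK limit and both input streams are constructed for the demo.

```c
/* Added example: reading a length-prefixed chunk with an explicit upper bound
 * before allocating.  Constructed model of the framing pattern, not
 * snappy-java's own code; MAX_CHUNK is a placeholder limit for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CHUNK (8u * 1024u * 1024u)   /* constructed limit: 8 MiB per chunk */

enum chunk_status {
    CHUNK_OK = 0, CHUNK_TRUNCATED = -1, CHUNK_TOO_LARGE = -2, CHUNK_OOM = -3
};

/* Parse a 4-byte big-endian length followed by the payload.  On success *out
 * holds a freshly allocated copy of the payload (caller frees it) and the
 * return value is the payload length.  A declared length above MAX_CHUNK is
 * rejected before any allocation, so a hostile header can neither force a
 * huge allocation nor make us read past the end of the input. */
long read_chunk(const uint8_t *in, size_t in_len, uint8_t **out)
{
    *out = NULL;
    if (in_len < 4)
        return CHUNK_TRUNCATED;
    uint32_t declared = ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
                        ((uint32_t)in[2] << 8)  |  (uint32_t)in[3];
    if (declared > MAX_CHUNK)
        return CHUNK_TOO_LARGE;          /* the upper bound check */
    if (declared > in_len - 4)
        return CHUNK_TRUNCATED;          /* header promises more than we have */
    uint8_t *buf = malloc(declared ? declared : 1);
    if (buf == NULL)
        return CHUNK_OOM;
    memcpy(buf, in + 4, declared);
    *out = buf;
    return (long)declared;
}

/* Constructed well-formed stream: length 5, payload "hello". */
long demo_good(void)
{
    static const uint8_t stream[] = { 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    uint8_t *payload;
    long n = read_chunk(stream, sizeof stream, &payload);
    free(payload);
    return n;
}

/* Constructed hostile header: claims a 0x7FFFFFFF-byte chunk, 1 byte present. */
long demo_hostile(void)
{
    static const uint8_t stream[] = { 0x7F, 0xFF, 0xFF, 0xFF, 'x' };
    uint8_t *payload;
    return read_chunk(stream, sizeof stream, &payload);
}
```

The order of the checks matters: the bound check runs on the declared value alone, so it rejects the oversized header even when the caller is streaming and does not yet know how many bytes will follow.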

Impact: All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable to this issue.

Remedy: A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4 release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from trusted sources.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-43642

CVE-2023-5158: Trigger Denial of service via zero-length descriptor from guest to host (27-09-2023)

Preface: In the virtio protocol, the host side provides the emulation of a device and the guest side is responsible for driving it, so the host/guest relationship is the device/driver relationship. Physical devices are usually controlled and driven by reading and writing registers, but for the emulated devices in virtio, memory organized in the form of virtqueues is used instead.

Background: For network devices in virtio, the driver on the guest side is called “virtio-net”. On the host side, the early classic implementation used QEMU, that is, a user-mode program on the host provided the device emulation; this is called “vhost-user”.

Like KVM, vhost-net cannot be used on its own but must be used together with QEMU, because some configuration still has to be supplied by QEMU from user mode.

Vulnerability details: A flaw was found in vringh_kiov_advance in drivers/vhost/vringh.c, on the host side of a virtio ring in the Linux kernel. This issue may result in a denial of service from guest to host via a zero-length descriptor.
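The guest controls the descriptor chain, so a host-side cursor that walks it must treat a zero-length entry as ordinary input rather than as a condition that cannot happen. The following added example (a simplified user-space model, not the kernel's vringh code) implements an iov cursor whose advance operation skips zero-length segments and reports an error when asked to move past the end instead of asserting or indexing out of bounds. The segment layout is constructed for the demo.

```c
/* Added example: advancing through a scatter/gather list by `len` bytes while
 * tolerating zero-length segments.  Simplified model of an iov cursor, not
 * the kernel's vringh code; the chain layout below is constructed. */
#include <stddef.h>
#include <stdint.h>

struct seg { uint8_t *base; size_t len; };

struct iov_cursor {
    struct seg *segs;
    size_t nsegs;
    size_t i;        /* current segment index */
    size_t consumed; /* bytes already consumed within segs[i] */
};

/* Skip exhausted segments, including zero-length ones.  A descriptor chain
 * may legitimately contain len == 0 entries; assuming every entry holds data
 * is exactly the assumption a misbehaving guest can break. */
static void skip_empty(struct iov_cursor *c)
{
    while (c->i < c->nsegs && c->consumed >= c->segs[c->i].len) {
        c->i++;
        c->consumed = 0;
    }
}

/* Advance the cursor by len bytes.  Returns 0 on success, -1 if the chain
 * does not contain len more bytes (leaving the cursor at the end rather than
 * asserting or indexing past the array). */
int iov_advance(struct iov_cursor *c, size_t len)
{
    skip_empty(c);
    while (len > 0) {
        if (c->i >= c->nsegs)
            return -1;
        size_t avail = c->segs[c->i].len - c->consumed;
        size_t step = avail < len ? avail : len;
        c->consumed += step;
        len -= step;
        skip_empty(c);
    }
    return 0;
}

/* Bytes remaining in the chain after the cursor position. */
size_t iov_remaining(const struct iov_cursor *c)
{
    size_t total = 0;
    for (size_t k = c->i; k < c->nsegs; k++)
        total += c->segs[k].len - (k == c->i ? c->consumed : 0);
    return total;
}

/* Constructed chain: 4 bytes, two zero-length descriptors, then 6 bytes.
 * Returns the bytes remaining after advancing by len, or -1 on overrun. */
int demo_advance(size_t len)
{
    static uint8_t a[4], b[6];
    struct seg segs[] = { {a, 4}, {NULL, 0}, {NULL, 0}, {b, 6} };
    struct iov_cursor c = { segs, 4, 0, 0 };
    int rc = iov_advance(&c, len);
    return rc == 0 ? (int)iov_remaining(&c) : rc;
}
```

The two properties worth checking in such a cursor are that zero-length entries are crossed without consuming any of the requested length, and that a request larger than the chain fails cleanly; both are the guest-controlled inputs that a host-side ring walker has to survive.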

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-5158

CVE-2023-42753: Missing macro could lead to a miscalculation that causes an out-of-bounds memory buffer access in the Netfilter kernel subsystem (26-09-2023)

Preface: Netfilter is an infrastructure; it is the basic API that the Linux 2.4 kernel offers for applications that want to view and manipulate network packets.

Background: A firewall can not only block unwanted traffic but also stop malicious software from infecting the system. In the Linux ecosystem, iptables is a popular firewall front end that interfaces with the netfilter framework in the Linux kernel, and most modern Linux systems come with these tools pre-installed.

Tables and chains in iptables: inside each table, rules are further organized into separate “chains”. While the table represents the type of rules it holds, the chains correspond to the netfilter hooks that trigger the rules; in short, a chain determines when a rule is evaluated.

One of the most popular CNI plugins implementing network policies, Calico, creates a virtual network interface on the nodes for each pod and uses Netfilter rules to enforce its firewall rules.

Ref: Calico has emerged as one of the most popular CNI plugins for Kubernetes cluster networking.

Vulnerability details: An array indexing vulnerability was found in the netfilter subsystem of the Linux kernel. A missing macro could lead to a miscalculation of the `h->nets` array offset, providing attackers with the primitive to arbitrarily increment/decrement a memory buffer out-of-bound. This issue may allow a local user to crash the system or potentially escalate their privileges on the system.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2023-42753

XSA-273 – Xen Security Advisories (CVE-2023-34319) – Guests can trigger NIC interface reset/abort/crash via netback (24th Sep 2023)

Preface: Xen is an open-source hypervisor that allows the simultaneous development, execution, and management of multiple virtual machines on one physical computer. Xen offers two types of virtualization: paravirtualization and full virtualization.

Background: XenServer is a Citrix product acquired from XenSource in 2007. Citrix's XenServer provides 7 network interface cards and 16 virtual disks.

The network I/O virtualization architecture in Xen can be a significant source of overhead for networking performance in guest domains. Xen provides each guest domain with a number of virtual network interfaces, which the guest domain uses for all its network communications. Corresponding to each virtual interface in a guest domain, a 'backend' interface is created in the driver domain, which acts as the proxy for that virtual interface. All the backend interfaces in the driver domain (corresponding to the virtual interfaces) are connected to the physical NIC and to each other through a virtual network bridge.

Vulnerability details: The fix for XSA-423 added logic to Linux's netback driver to deal with a frontend splitting a packet in a way such that not all of the headers would come in one piece. Unfortunately the logic introduced there didn't account for the extreme case of the entire packet being split into as many pieces as permitted by the protocol, yet still being smaller than the area that's specially dealt with to keep all (possible) headers together. Such an unusual packet would therefore trigger a buffer overrun in the driver.
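The corner case described above is a gather loop with three independent limits: bytes left in the packet, space left in the header area, and slots left in the chain. The following added example (a constructed user-space model, not Xen's netback code) shows a gather routine bounded by all three at once, exercised with exactly the awkward shape the advisory names: a packet split into the maximum number of slots that is nonetheless smaller than the header area. The header-area size, slot limit and packets are invented for the demo.

```c
/* Added example: gathering a packet's leading bytes from many small slots
 * into a fixed header area without overrunning the area or the packet.
 * Constructed model of the pattern, not Xen's netback code; HDR_AREA,
 * MAX_SLOTS and the sample packets are invented for the demo. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_AREA 128        /* constructed size of the "all headers" scratch area */
#define MAX_SLOTS 18        /* constructed per-packet slot limit */

struct slot { const uint8_t *data; size_t len; };

/* Copy min(pkt_len, HDR_AREA) bytes from the slot chain into hdr.  Returns
 * the number of bytes copied, or -1 on a malformed chain (too many slots, or
 * slots that together do not hold the declared length).  Each iteration is
 * clamped to the space still wanted, so neither hdr nor the packet length is
 * ever exceeded no matter how the frontend fragments the data. */
long gather_headers(const struct slot *slots, size_t nslots, size_t pkt_len,
                    uint8_t hdr[HDR_AREA])
{
    if (nslots > MAX_SLOTS)
        return -1;
    size_t want = pkt_len < HDR_AREA ? pkt_len : HDR_AREA;
    size_t copied = 0;
    for (size_t s = 0; s < nslots && copied < want; s++) {
        size_t take = slots[s].len;
        if (take > want - copied)
            take = want - copied;   /* never write past hdr or past the packet */
        memcpy(hdr + copied, slots[s].data, take);
        copied += take;
    }
    if (copied < want)
        return -1;   /* chain ended before the declared length: reject */
    return (long)copied;
}

/* Constructed case: the whole packet is MAX_SLOTS single-byte slots, so it is
 * maximally fragmented yet smaller than the header area. */
long demo_tiny_fragments(void)
{
    uint8_t bytes[MAX_SLOTS];
    struct slot slots[MAX_SLOTS];
    for (size_t i = 0; i < MAX_SLOTS; i++) {
        bytes[i] = (uint8_t)i;
        slots[i].data = &bytes[i];
        slots[i].len = 1;
    }
    uint8_t hdr[HDR_AREA];
    return gather_headers(slots, MAX_SLOTS, MAX_SLOTS, hdr);
}

/* Constructed case: a 1500-byte packet in two slots; only HDR_AREA bytes are gathered. */
long demo_large_packet(void)
{
    static uint8_t payload[1500];
    struct slot slots[] = { {payload, 100}, {payload + 100, 1400} };
    uint8_t hdr[HDR_AREA];
    return gather_headers(slots, 2, 1500, hdr);
}

/* Constructed case: the chain holds 10 bytes but the packet claims 64. */
long demo_short_chain(void)
{
    static const uint8_t ten[10];
    struct slot slots[] = { {ten, 10} };
    uint8_t hdr[HDR_AREA];
    return gather_headers(slots, 1, 64, hdr);
}
```

The tiny-fragment case is the one that matters for this advisory: the loop stops because the packet is exhausted, not because the header area is full, and a routine that only tracks the latter would keep copying.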

Official announcement: For details, please refer to the link – https://xenbits.xenproject.org/xsa/advisory-423.html

OSIRIS-REx accomplished feat, next station is Apophis (24-09-2023)

Preface: A long-awaited asteroid sample has landed in the US, said CNN – https://edition.cnn.com/2023/09/24/world/osiris-rex-asteroid-sample-return-scn/index.html

Background: Asteroid 101955 Bennu rates Level 3 on the Palermo impact hazard index; it is a small celestial body with the highest risk of impacting the Earth.

Early in the history of the solar system, the gravity of newly formed Jupiter brought an end to the formation of planetary bodies in this region and caused the small bodies to collide with one another, fragmenting them into the asteroids we observe today.

the slight push created when the asteroid absorbs sunlight and re-emits that energy as heat — and gravitational tugs from other celestial bodies, it has drifted closer and closer to Earth from its likely birthplace: the Main Asteroid Belt between Mars and Jupiter.

Why does NASA track it?

Chicxulub crater is the buried remnant of an asteroid impact off the Yucatán Peninsula in Mexico that killed off the dinosaurs 66 million years ago.

Official announcement: Please refer to link for details – https://www.youtube.com/live/Kdwyqctp908?si=vFsL88l5u4o_xuBW

antihackingonline.com