Potential Risk of CVE

CVE-2025-21655: io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period (21-01-2025)

Leave a comment

Preface: Is io_uring secure? io_uring has produced many security problems. Google has found it necessary to either completely forego io_uring or severely limit its use to trusted code.

Background: io_uring is an asynchronous I/O interface for the Linux kernel. An io_uring is a pair of ring buffers in shared memory that are used as queues between user space and the kernel: Submission queue (SQ): A user space process uses the submission queue to send asynchronous I/O requests to the kernel.

eventfd(2) is a Linux-specific synchronization mechanism. io_uring is capable of posting events on an eventfd instance whenever completions occur.

Vulnerability details: In the Linux kernel, the following vulnerability has been resolved: io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period io_eventfd_do_signal() is invoked from an RCU callback, but when dropping the reference to the io_ev_fd, it calls io_eventfd_free() directly if the refcount drops to zero. This isn’t correct, as any potential freeing of the io_ev_fd should be deferred another RCU grace period. Just call io_eventfd_put() rather than open-code the dec-and-test and free, which will correctly defer it another RCU grace period.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2025-21655

AI and ML, Potential Risk of CVE

CVE‑2024‑0146: A design weakness in the Virtual GPU Manager, where a malicious guest could cause memory corruption. (20-1-2025)

Leave a comment

CVE20240146: A design weakness in the Virtual GPU Manager, where a malicious guest could cause memory corruption. (20-1-2025)

Preface: In Kernel mode, the executing code has complete and unrestricted access to the underlying hardware. It can execute any CPU instruction and reference any memory address. Kernel mode is generally reserved for the lowest-level, most trusted functions of the operating system.

If the destination buffer is not large enough, the function will write null characters to the destination buffer to ensure that the string is null-terminated, but this can lead to a buffer overflow if the null characters overwrite adjacent memory locations.

Background: NVIDIA vGPU software enables multiple virtual machines (VMs) to have simultaneous, direct access to a single physical GPU, using the same NVIDIA graphics drivers that are deployed on non-virtualized operating systems.
NVIDIA Virtual GPU (vGPU) enables multiple virtual machines (VMs) to have simultaneous, direct access to a single physical GPU, using the same NVIDIA graphics drivers that are deployed on non-virtualized operating systems. By doing this, NVIDIA vGPU provides VMs with unparalleled graphics performance, compute performance, and application compatibility, together with the cost-effectiveness and scalability brought about by sharing a GPU among multiple workloads.

Vulnerability details: NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a malicious guest could cause memory corruption. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, or data tampering.

Impact software products:

Citrix Hypervisor, VMware vSphere, Red Hat Enterprise Linux KVM, Ubuntu

Azure Local

Official announcement: Please refer to the link for details – https://nvidia.custhelp.com/app/answers/detail/a_id/5614/~/security-bulletin%3A-nvidia-gpu-display-driver—january-2025

AI and ML, Potential Risk of CVE

CVE-2024-53869: NVIDIA Unified Memory driver for Linux design weakness. A successful exploit of this vulnerability might lead to information disclosure. (16th Jan 2025)

Leave a comment

Preface: RAM and Unified Memory are essentially the same thing. Unified Memory is just RAM Built-in CPU chips. It’s unified with the CPU. So 128GB of RAM is adequate to 128GB of unified Memory.

Background: Nvidia designs graphics processing units (GPUs) for the gaming and professional markets, as well as system on a chip units (SoCs) for the mobile computing and automotive market. This page tracks Nvidia drivers, which provide support for their various GPU lineups and are available for Windows, Linux, Solaris, and FreeBSD.

Information leaks are not rare! In Linux kernel, Information leak vulnerabilities are the most prevalent type.Kernel Memory Sanitizer (KMSAN) discovered more than a hundred uninitialized data use bugs.

Vulnerability details:  NVIDIA Unified Memory driver for Linux contains a vulnerability where an attacker could leak uninitialized memory. A successful exploit of this vulnerability might lead to information disclosure.

Official announcement: Please refer to the link for details –

https://nvidia.custhelp.com/app/answers/detail/a_id/5614

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2024-11863, CVE-2024-11864 and CVE-2024-9413: Three different CVEs were discovered that expose the System Control Processor (SCP) to attack threats. (16th Jan 2025)

Leave a comment

Preface: SCMI is a message driven interface between an SCMI agent (client) and an SCMI host (server)

Background: SCP Firmware provides a software reference implementation for the System Control Processor (SCP) and Manageability Control Processor (MCP) components found in several Arm Compute Sub-Systems. Power Control System Architecture (PCSA) defines the concept of a System Control Processor (SCP), a specialized processor that abstracts power and system management tasks from the application processor.

A small area of SRAM is reserved for SCMI communication between application processors and SCP. Entity that sends commands to the platform using SCMI. For example, the OSPM running on an AP or an on-chip management controller.

Vulnerability details:

CVE-2024-9413 – The transport_message_handler function in SCP-Firmware release versions 2.11.0-2.15.0 does not properly handle errors, potentially allowing an Application Processor (AP) to cause a buffer overflow in System Control Processor (SCP) firmware.

CVE-2024-11863 and CVE-2024-11864 – Specifically crafted SCMI messages sent to an SCP running SCP-Firmware release versions up to and including 2.15.0 may lead to a Usage Fault and crash the SCP

Official announcement: For detail, please refer to link –

https://developer.arm.com/Arm%20Security%20Center/SCP-Firmware%20Vulnerability%20CVE-2024-11863-11864

AI and ML, Potential Risk of CVE

About CVE-2024-0135, CVE-2024-0136 & CVE-2024-0137 – NVIDIA Container Toolkit and NVIDIA GPU Operator contains an improper isolation vulnerability (13th Jan 2025)

Leave a comment

Preface: In software development, time-of-check to time-of-use (TOCTOU, TOCTTOU or TOC/TOU) is a class of software bugs caused by a race condition involving the checking of the state of a part of a system (such as a security credential) and the use of the results of that check.

Background: The NVIDIA container stack is architected so that it can be targeted to support any container runtime in the ecosystem. The components of the stack include:

-The NVIDIA Container Runtime (nvidia-container-runtime)

-The NVIDIA Container Runtime Hook (nvidia-container-toolkit / nvidia-container-runtime-hook)

-The NVIDIA Container Library and CLI (libnvidia-container1, nvidia-container-cli)

The components of the NVIDIA container stack are packaged as the NVIDIA Container Toolkit.

The NVIDIA Container Toolkit is a key component in enabling Docker containers to leverage the raw power of NVIDIA GPUs. This toolkit allows for the integration of GPU resources into your Docker containers.

Remark: The Podman command can be used with remote services using the –remote flag. Connections can be made using local unix domain sockets, ssh

Vulnerability details:

CVE-2024-0135 – NVIDIA Container Toolkit contains an improper isolation vulnerability where a specially crafted container image could lead to modification of a host binary. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

CVE-2024-0136 – NVIDIA Container Toolkit contains an improper isolation vulnerability where a specially crafted container image could lead to untrusted code obtaining read and write access to host devices. This vulnerability is present only when the NVIDIA Container Toolkit is configured in a nondefault way. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

CVE-2024-0137 – NVIDIA Container Toolkit contains an improper isolation vulnerability where a specially crafted container image could lead to untrusted code running in the host’s network namespace. This vulnerability is present only when the NVIDIA Container Toolkit is configured in a nondefault way. A successful exploit of this vulnerability may lead to denial of service and escalation of privileges.

Official announcement: Please refer to the vendor announcement for detail – https://nvidia.custhelp.com/app/answers/detail/a_id/5599

Potential Risk of CVE

CVE-2024-43064: Permissions, Privileges, and Access Controls issue in Automotive OS Platform (14-01-2025)

Leave a comment

Preface: QNX is also used in devices where failure is not an option. Fault tolerance was and is the biggest priority for the QNX operating system. A great example from the past is that the SpaceX Falcon rockets used the QNX Real-Time Operating System.

Background: An SMMU performs a task like that of an MMU in a PE. It translates addresses for DMA requests from system I/O devices before the requests are passed into the system interconnect. The SMMU only provides translation services for transactions from the client device, not for transactions to the client device. Transactions from the system or PE to the client device are managed by other means, for example, the PE MMUs. The role of an SMMU shows the role of an SMMU in a system.

Vulnerability details: Uncontrolled resource consumption when a driver, an application or a SMMU client tries to access the global registers through SMMU.

Official announcement: Please refer to the link for details – https://nvd.nist.gov/vuln/detail/CVE-2024-43064

Potential Risk of CVE

CVE-2024-45550 – Improper Validation of Array Index in DSP Services (13th Jan 2025)

Leave a comment

Preface: IOCTL handlers allow users to communicate with the driver via the ioctl syscall. This is a prime attack surface because the driver is going to be handling userland-provided data within kernel space.

Background: dxgkrnl is a driver for Hyper-V virtual compute devices, such as vGPU devices, which are projected to a Linux virtual machine (VM) by a Windows host. dxgkrnl works in context of WDDM (Windows Display Driver Model)for GPU or MCDM (Microsoft Compute Driver Model) for non-GPU devices.

WDDM/MCDM consists of the following components:

Graphics or Compute applications

A graphics or compute user mode API (for example OpenGL, Vulkan, OpenCL, OpenVINO, OneAPI, CUDA, DX12, …)

User Mode Driver (UMD), written by a hardware vendor

optional libdxg library helping UMD portability across Windows and Linux

dxgkrnl Linux kernel driver (this driver)

Kernel mode port driver on the Windows host (dxgkrnl.sys / dxgmms*.sys)

Kernel Mode miniport driver (KMD) on the Windows host, written by a hardware vendor running on the Windows host and interfacing with the hardware device.

Vulnerability details: Memory corruption occurs when invoking any IOCTL-calling application that executes all MCDM driver IOCTL calls.

Official announcement: Please refer to the link for details –

https://nvd.nist.gov/vuln/detail/CVE-2024-45550

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2024-43704: improper GPU system calls to gain access to the graphics buffers of a parent process. (10th Jan 2025)

Leave a comment

Preface: PowerVR is a division of Imagination Technologies (formerly VideoLogic) that develops hardware and software for 2D and 3D rendering, and for video encoding, decoding, associated image processing and DirectX, OpenGL ES, OpenVG, and OpenCL acceleration. 

Background: Imagination maintains DDKs for Android, Linux and Windows operating systems, ensuring they have access to the latest APIs and popular extensions.

To build the Android kernel and other kernel artifacts (modules, boot images, etc.), they provide a framework called “Kleaf”. • One part of Kleaf is the Driver Development Kit (DDK) which is used to build external modules.

Vulnerability details: Software installed and run as a non-privileged user may conduct improper GPU system calls to gain access to the graphics buffers of a parent process.

PVRSRVAcquireProcessHandleBase can cause psProcessHandleBase reuse when PIDs are reused, said imagination Technologies.

Official announcement: Please refer to the link for details –

https://source.android.com/docs/security/bulletin/2025-01-01

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2024-20154: Stack overflow in Modem (9th Jan 2024)

Leave a comment

Preface: Vulnerability findings appear to have changed compared to five years ago. As a matter of fact, the trend of open source concept driven the a lot of details visible,   a bunch of vulnerabilities have accumulated in 2024, and the Android security advisory on January 2025 shows you what’s the actual status.

Manufacturers will have an easier time managing vulnerabilities because the patches released today were discovered by them months or a year ago.

Background: Chipsets affected by this vulnerability: MT2735, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6785U, MT6789, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6880, MT6880T, MT6880U, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8666, MT8673, MT8675, MT8765, MT8766, MT8768, MT8771, MT8781, MT8786, MT8788, MT8788E, MT8789, MT8791T, MT8795T, MT8797, MT8798

An example: The MediaTek MT8791T integrates Bluetooth, FM, WLAN, and GPS modules and is a highly integrated baseband platform that includes a modem and application processing subsystem to support LTE/5G/NR and C2K tablet applications. The chip integrates two Arm®Cortex-A78 cores running at up to 2.6 GHz, six Arm®Cortex-A55 cores running at up to 2.0 GHz, and a powerful multi-standard video codec. In addition, an extensive set of interfaces and connectivity peripherals for connecting cameras, touchscreen displays, and UFS/MMC/SD cards are included.

Vulnerability details: In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation.

Official announcement: Please refer to the link below for details –

https://corp.mediatek.com/product-security-bulletin/January-2025

Cell Phone (iPhone, Android, windows mobile), Potential Risk of CVE

CVE-2024-21464 – msm: ipa3: adding a preventive check for holb stats (8th JAN 2025)

Leave a comment

Preface: Vulnerability findings appear to have changed compared to five years ago. As a matter of fact, the trend of open source concept driven the a lot of details visible,   a bunch of vulnerabilities have accumulated in 2024, and the Android security advisory on January 2025 shows you what’s the actual status.

Manufacturers will have an easier time managing vulnerabilities because the patches released today were discovered by them months or a year ago.

Background: IPA Capabilities

● Presented by its driver as a network device

● Performs checksum offload, packet aggregation

○ Reduces processing and interrupt load on the main CPU

● Also implements integrated IPA filtering, routing, and NAT

○ These features are not supported by the upstream driver (yet!)

● Capable of operation independent while AP is asleep

○ Tethered operation (WiFi hotspot)

○ Requires much less power than operating AP

○ This mode is not supported upstream either

Vulnerability details: Memory corruption while processing IPA statistics, when there are no active clients registered.

[CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)]

In a classic buffer overflow exploit, the attacker sends data to a program, which it stores in an undersized stack buffer. The result is that information on the call stack is overwritten, including the function’s return pointer

Official announcement: Please refer to the link below for details –

https://source.android.com/docs/security/bulletin/2025-01-01

antihackingonline.com