Google’s “Project Zero” team of security specialists regularly calls out negligent vendors on its blog in its effort to eliminate zero-day vulnerabilities. Its most recent post is a friendly-fire shot at the Android and Pixel teams, accusing them of being too slow to address flaws in the ARM GPU driver.
In June, Project Zero researcher Maddie Stone described an in-the-wild attack on the Pixel 6 in which flaws in the ARM GPU driver let a non-privileged user gain write access to read-only memory. Over the following three weeks, another Project Zero researcher, Jann Horn, found similar flaws in the driver. According to the report, these issues could enable “native code execution in an app context for an attacker to obtain complete access to the system, bypassing Android’s permissions model and providing broad access to user data.”
According to Project Zero, ARM received reports of these flaws “in June and July 2022,” and in July and August “promptly” patched them by issuing a security bulletin (CVE-2022-36449) and publishing the updated source code. However, these actively exploited flaws have still not reached users. Project Zero says that even months after ARM fixed the vulnerabilities, Google and numerous Android OEMs have yet to ship the fix: “All of our test equipment that made use of Mali is still susceptible to these problems. There is no reference to CVE-2022-36449 in any further security bulletins.”
The affected ARM GPUs span the last three generations of ARM GPU architectures: Midgard, Bifrost, and Valhall. That covers devices from 2016 smartphones to those now in production. Qualcomm chips don’t use ARM GPUs, but Google’s Tensor SoC (in the Pixel 6, 6a, and 7) and Samsung’s Exynos SoC (in earlier international flagships such as the Galaxy S21, though not the Galaxy S22) do. Since MediaTek’s SoCs also all use ARM GPUs, we’re talking about millions of vulnerable Android phones from virtually every Android OEM.
Google responded to the Project Zero blog entry by stating to Engadget, “For Android and Pixel devices, the Arm-provided fix is presently being tested, and it will be made available in the upcoming weeks. To meet future SPL requirements, Android OEM partners will need to install the patch.”
The Project Zero researchers close their blog post with some counsel for their colleagues: “The same advice that is given to users to patch as soon as possible when a release containing security fixes is made available also applies to suppliers and businesses. In these situations, reducing the ‘patch gap’ as a vendor is perhaps more crucial because end users (or other vendors downstream) are preventing this action before they can benefit from the patch’s security features. Companies must maintain vigilance, continuously monitor upstream sources, and make every effort to deliver complete patches to users as quickly as possible.”
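For a fleet administrator, the practical question raised by the post is whether a given device both carries a Mali GPU and still reports a security patch level (SPL) older than the release that carries the fix. The script below is an added example and is not code from the article, Project Zero, or Google: it parses the `[name]: [value]` output format of Android’s `getprop`, reads `ro.build.version.security_patch` and `ro.hardware.egl` (assumed here to name the GPU driver, as it does on many Mali devices), and compares the SPL against a cutoff date. The property dump and the cutoff date are constructed for the example; on a real device the properties would come from `adb shell getprop`.

```shell
#!/bin/sh
# Added example: classify an Android device's exposure from its getprop output.
# Constructed sample of `adb shell getprop` output (not a real device dump).
SAMPLE_PROPS='[ro.build.version.security_patch]: [2022-10-05]
[ro.hardware.egl]: [mali]
[ro.product.model]: [Pixel 6]'

# prop_value NAME PROPS -> prints the value of property NAME from getprop-style text
prop_value() {
    printf '%s\n' "$2" | sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# spl_before SPL CUTOFF -> succeeds if SPL (YYYY-MM-DD) is earlier than CUTOFF
spl_before() {
    a=$(printf '%s' "$1" | tr -d '-')
    b=$(printf '%s' "$2" | tr -d '-')
    [ "$a" -lt "$b" ]
}

# is_mali GPUSTRING -> succeeds if the string identifies a Mali GPU
is_mali() {
    case "$1" in
        *[Mm]ali*) return 0 ;;
        *) return 1 ;;
    esac
}

# assess PROPS CUTOFF -> prints "not-mali", "exposed" or "patched"
# CUTOFF is the SPL of the first release known to carry the fix (assumed input).
assess() {
    gpu=$(prop_value ro.hardware.egl "$1")
    spl=$(prop_value ro.build.version.security_patch "$1")
    if ! is_mali "$gpu"; then
        echo not-mali
        return 0
    fi
    if spl_before "$spl" "$2"; then
        echo exposed
    else
        echo patched
    fi
}

# Constructed cutoff date for the demonstration run.
assess "$SAMPLE_PROPS" 2022-12-01
```

The cutoff is deliberately an input rather than a constant: the article states that no security bulletin referencing CVE-2022-36449 had shipped at the time of writing, so the date to compare against is whatever SPL the eventual bulletin announces.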