The difficult diffusion of security patches in the Android world: Project Zero security


Google Project Zero security researchers have published an interesting article that analyzes a crucial aspect of fixing vulnerabilities in the Android ecosystem: the so-called “patch gap”. In concrete terms, because a fix has to pass through many steps, a user can wait weeks or even months for it to arrive on their device, and inevitably remains vulnerable in the meantime.

The story concerns Mali GPUs, which are designed directly by Arm, and five vulnerabilities in their drivers. The flaws were all identified around June 2022 but are grouped under only two CVE identifiers.

The details published by Google Project Zero security researchers are as follows:

  • CVE-2022-33917 allows a user without special access privileges to perform unauthorized operations on the GPU that give access to freed sections of memory. The vulnerability affects Valhall kernel drivers from version r29p0 to version r38p0.
  • CVE-2022-36449 allows an unprivileged user to gain access to freed memory, write out of buffer bounds, and obtain sensitive memory mapping details. The vulnerable drivers are:
    • Midgard architecture: r4p0 to r32p0
    • Bifrost architecture: r0p0 to r38p0 and r39p0 before r38p1
    • Valhall architecture: r19p0 to r38p0 and r39p0 before r38p1
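
The version ranges listed above can be turned into a check over a device inventory. This is an added example, not code from Project Zero or Arm: it assumes driver versions are reported as `rNpM` strings, it reads “r39p0 before r38p1” as meaning that r39p0 is affected while r38p1 is not, and the device names in the sample inventory are constructed.

```python
import re

# Affected ranges transcribed from the list above: (cve, architecture, first, last).
# Bounds are inclusive. "r39p0 before r38p1" is read here (an assumption) as
# "r39p0 is affected", so it is modelled as the single-version range r39p0..r39p0;
# r38p1 falls outside r0p0..r38p0 and is treated as not affected.
AFFECTED = [
    ("CVE-2022-33917", "valhall", "r29p0", "r38p0"),
    ("CVE-2022-36449", "midgard", "r4p0", "r32p0"),
    ("CVE-2022-36449", "bifrost", "r0p0", "r38p0"),
    ("CVE-2022-36449", "bifrost", "r39p0", "r39p0"),
    ("CVE-2022-36449", "valhall", "r19p0", "r38p0"),
    ("CVE-2022-36449", "valhall", "r39p0", "r39p0"),
]

_VERSION = re.compile(r"r(\d+)p(\d+)")

def parse_version(text):
    """Turn 'r38p1' into (38, 1) so versions compare numerically, not as strings."""
    m = _VERSION.fullmatch(text.strip().lower())
    if m is None:
        raise ValueError(f"not an rNpM driver version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def cves_for(arch, version):
    """Return the sorted CVE ids from the list above that cover this driver."""
    v = parse_version(version)
    arch = arch.strip().lower()
    return sorted({cve for cve, a, lo, hi in AFFECTED
                   if a == arch and parse_version(lo) <= v <= parse_version(hi)})

def audit(inventory):
    """Map device name -> CVE list; unparseable versions are flagged, not skipped."""
    report = {}
    for device, arch, version in inventory:
        try:
            report[device] = cves_for(arch, version)
        except ValueError:
            report[device] = ["UNKNOWN-VERSION"]
    return report

if __name__ == "__main__":
    # Constructed inventory (device names and versions are made up for the example).
    sample = [("phone-a", "Valhall", "r32p0"), ("phone-b", "Bifrost", "r38p1"),
              ("tablet-c", "Midgard", "r9p0"), ("phone-d", "Valhall", "r40p0"),
              ("phone-e", "Valhall", "unknown")]
    for device, cves in audit(sample).items():
        print(device, ", ".join(cves) or "not in the listed ranges")
```

Parsing the version into integers matters here: compared as plain strings, `r9p0` would sort after `r32p0` and a Midgard device on r9p0 would be missed.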

Arm released fixes within days of Project Zero’s original notification: as of August, the corrected driver source code was available on the developer site. The problem is that when Project Zero checked its available test devices again in September, it found that none of them was protected yet. It is worth remembering at this point that Mali GPUs are used, for example, by MediaTek SoCs, Exynos (except for this year’s 2200 flagships, which use AMD-derived GPUs for the first time) and Google Tensor.

In short, it is true that the end user needs to apply security patches as soon as possible, notes Project Zero, but this advice must also apply to manufacturers: “Minimizing the patch gap as a vendor is even more important” at this early stage of the supply chain, say the researchers.

Abraham
Expert tech and gaming writer, blending computer science expertise