It has been pointed out that the 'Mali' GPU, used in many smartphones such as Samsung devices and the Pixel series, has multiple vulnerabilities for which patches have not been applied



It has been pointed out that the ARM GPU 'Mali', which is used in smartphones from vendors such as Google and Samsung, has multiple vulnerabilities, including ones that may lead to kernel memory corruption. Google's security analyst team, Project Zero, discovered the vulnerabilities and reported them to ARM in June and July 2022. ARM responded with fixes, but Project Zero says that smartphone vendors have not applied the security patches.

Project Zero: Mind the Gap
https://googleprojectzero.blogspot.com/2022/11/mind-the-gap.html



Mali security flaws affect millions of Samsung phones with Exynos - SamMobile
https://www.sammobile.com/news/mali-security-flaws-affect-millions-of-samsung-phones-exynos/

Google says Google and other Android manufacturers haven't patched security flaws | Engadget
https://www.engadget.com/google-arm-android-phones-security-flaw-mali-gpu-samsung-oppo-xiaomi-183029261.html

The vulnerabilities were discovered by Project Zero researcher Jann Horn. The trigger was an internal preview of the talk that his colleague Maddie Stone gave at the security conference FIRST Conference 2022, held in June 2022.

Horn's attention was drawn to the talk's description of a vulnerability in low-level memory management code, and he started auditing the Mali driver. In three weeks, he found five vulnerabilities, including one that leads to kernel memory corruption and one that exposes physical memory addresses to user space.

Project Zero reported these five vulnerabilities to ARM in June-July 2022. ARM promptly responded in July and August, disclosing information as 'CVE-2022-36449' and releasing the corresponding patch.

Mali GPU Driver Vulnerabilities
https://developer.arm.com/Arm%20Security%20Center/Mali%20GPU%20Driver%20Vulnerabilities

However, when tested, the affected devices were still vulnerable to the problem. This is because vendors such as Google, Samsung, and Xiaomi have not provided patches, and Project Zero says, 'Companies should remain vigilant, closely track upstream sources, and do their best to provide full patches to users as soon as possible.'

in Security, Posted by logc_nt