Project Zero alleges Google and Android manufacturers haven’t fixed vulnerabilities


Google’s Project Zero team discovered and reported a security hole, but no company, including Google, has yet released a security patch. ARM had already fixed the problems back in July and August.

Ian Beer of Project Zero revealed in a blog post that one of the vulnerabilities led to kernel memory corruption. Another caused physical memory addresses to be disclosed to userspace, and the other three “led to a physical page use-after-free scenario.”

Beer stated that an attacker may acquire complete access to a machine by circumventing Android’s permissions architecture and gaining “broad access” to a user’s data. The attacker could do this by forcing the kernel to reuse the freed physical pages as page tables.

The presentation highlighted an in-the-wild exploit targeting the Pixel 6 and using CVE-2021-39793, a vulnerability in the ARM Mali GPU driver used by a significant number of other Android devices. ARM’s advisory describes the vulnerability as follows:

  • Title: Mali GPU Kernel Driver may elevate CPU RO pages to writable
  • CVE: CVE-2022-22706 (also reported in CVE-2021-39793)
  • Date of issue: 6th January 2022
  • Impact: A non-privileged user can get a write access to read-only memory pages [sic].

Jann Horn from Project Zero audited the ARM Mali GPU driver after hearing about an in-the-wild memory management issue. In three weeks, he discovered five more exploitable flaws (2325, 2327, 2331, 2333, and 2334).

  • One of these bugs (2334) caused kernel memory corruption, one (2331) leaked physical memory addresses to userspace, and the other three (2325, 2327, 2333) caused physical page use-after-free.
  • An attacker could use these to read and write physical pages after they had been returned to the system.
  • An attacker could get around Android’s permissions model and get to user data by making the kernel reuse these pages as page tables.

The five vulnerabilities were reported to ARM in June and July 2022. ARM resolved the problems in July and August 2022, posting the corrected driver source on their public developer website.

Three months after ARM corrected the faults, Project Zero’s test devices were still vulnerable. As of Tuesday, the flaws weren’t mentioned in Android makers’ security bulletins.

The post also notes that they’ve contacted Google, OPPO, Samsung, and Xiaomi about the delay. Certain Samsung smartphones are supposedly not affected due to the Snapdragon SoCs on their devices.

Google says that the fix provided by Arm is currently undergoing testing for Android and Pixel devices and will be delivered in the coming weeks. It added that Android OEM partners will be required to take the patch to comply with future SPL requirements.

In conclusion, Project Zero advises vendors and companies to patch as early as possible after a security update is released. Minimizing the “patch gap” as a vendor in these instances is perhaps more critical, as end users (or other vendors downstream) are blocked on the vendor’s action before they can receive the patch’s security benefits.

On security patch updates, Ian Beer of Project Zero said:

Companies need to remain vigilant, follow upstream sources closely, and do their best to provide complete patches to users as soon as possible.