Arm warned on Monday of active ongoing attacks targeting a vulnerability in device drivers for its Mali line of GPUs, which run on a host of devices, including Google Pixels and other Android handsets, Chromebooks, and hardware running Linux.
“A local non-privileged user can make improper GPU memory processing operations to gain access to already freed memory,” Arm officials wrote in an advisory. “This issue is fixed in Bifrost, Valhall and Arm 5th Gen GPU Architecture Kernel Driver r43p0. There is evidence that this vulnerability may be under limited, targeted exploitation. Users are recommended to upgrade if they are impacted by this issue.”
The advisory continued: “A local non-privileged user can make improper GPU processing operations to access a limited amount outside of buffer bounds or to exploit a software race condition. If the system’s memory is carefully prepared by the user, then this in turn could give them access to already freed memory.”
Getting access to system memory that’s no longer in use is a common mechanism for loading malicious code into a location an attacker can then execute. This code often allows them to exploit other vulnerabilities or to install malicious payloads for spying on the phone user. Attackers often gain local access to a mobile device by tricking users into downloading malicious applications from unofficial repositories. The advisory mentions drivers for the affected GPUs being vulnerable but makes no mention of microcode that runs inside the chips themselves.
The most prevalent platform affected by the vulnerability is Google’s line of Pixels, which are one of the only Android models to receive security updates on a timely basis. Google patched Pixels in its September update against the vulnerability, which is tracked as CVE-2023-4211. Google has also patched Chromebooks that use the vulnerable GPUs. Any device that shows a patch level of 2023-09-01 or later is immune to attacks that exploit the vulnerability. The device driver on patched devices will show as version r44p1 or r45p0.
CVE-2023-4211 is present in a range of Arm GPUs released over the past decade. The Arm chips affected are:
- Midgard GPU Kernel Driver: All versions from r12p0 – r32p0
- Bifrost GPU Kernel Driver: All versions from r0p0 – r42p0
- Valhall GPU Kernel Driver: All versions from r19p0 – r42p0
- Arm 5th Gen GPU Architecture Kernel Driver: All versions from r41p0 – r42p0
Devices believed to use the affected chips include the Google Pixel 7, Samsung S20 and S21, Motorola Edge 40, OnePlus Nord 2, Asus ROG Phone 6, Redmi Note 11, 12, Honor 70 Pro, RealMe GT, Xiaomi 12 Pro, Oppo Find X5 Pro, and Reno 8 Pro and some phones from Mediatek.
Arm also makes drivers for the affected chips available for Linux devices.
Little is currently known about the vulnerability, other than that Arm credited discovery of the active exploitations to Maddie Stone, a researcher in Google’s Project Zero team. Project Zero tracks vulnerabilities in widely used devices, particularly when they’re subjected to zero-day or n-day attacks, which refer to those targeting vulnerabilities for which there are no patches available or those that have very recently been patched.
Arm’s Monday advisory disclosed two additional vulnerabilities that have also received patches. CVE-2023-33200 and CVE-2023-34970 both allow a non-privileged user to exploit a race condition to perform improper GPU operations to access already freed memory.
All three vulnerabilities are exploitable by an attacker with local access to the device, which is typically achieved by tricking users into downloading applications from unofficial repositories.
It’s currently unknown what other platforms, if any, have patches available. Until this information can be tracked down, people should check with the manufacturer of their device. Sadly, many vulnerable Android devices receive patches months or even years after becoming available, if at all.