A security researcher from Google (Project Zero) warns that millions of Android users are at risk due to a bug in the graphics processing unit (GPU).
Title: Mali GPU Kernel Driver may elevate CPU RO pages to writable
CVE: CVE-2022-22706 (also reported in CVE-2021-39793)
Date of issue: 6th January 2022
Impact: A non-privileged user can get write access to read-only memory pages
When Google discovered the number of problems in software used by end users, it decided to form a full-time team in this area: the Project Zero team.
The Project Zero team reported 5 issues to ARM from June to July 2022, and ARM fixed all of those issues, but the team discovered that the test phone was still vulnerable.
“One of these issues (2334) led to kernel memory corruption, one (2331) led to physical memory addresses being disclosed to userspace and the remaining three (2325, 2327, 2333) led to a physical page use-after-free condition. These would enable an attacker to continue to read and write physical pages after they had been returned to the system.
For example, by forcing the kernel to reuse these pages as page tables, an attacker with native code execution in an app context could gain full access to the system, bypassing Android's permissions model and allowing broad access to user data,” the researcher said in his blog post.