ARM Mali GPUs are used in devices such as smartphones, tablets, Chromebooks, smart TVs, digital set-top boxes (STBs), automotive infotainment systems, wearable devices, embedded systems, IoT devices, development boards, and gaming consoles. Devices that incorporate ARM Mali GPUs are the Apple iPhone 13, Samsung Galaxy S21 Ultra, Google Pixel 6 Pro, Amazon Fire TV Stick 4K Max, Roku Ultra, Nvidia Shield TV, Tesla Model 3 infotainment system, Apple Watch, Samsung Galaxy Watch 4, Raspberry Pi 4, and the Nintendo Switch.
A vulnerability tracked as CVE-2023-4211 was reported to be under active exploitation, but it does not carry a CVSS (Common Vulnerability Scoring System) score. A local non-privileged user could perform improper GPU memory operations to gain access to memory that has already been freed. ARM noted in an advisory posted on October 2 that there is evidence of limited, targeted exploitation of this vulnerability. In the same advisory, ARM announced fixes for similar vulnerabilities identified in the same kernel driver family.
Patches implemented for three out of four affected versions
Embedded in a vast array of devices, ARM's Mali series runs on a multitude of kernel driver variants. The recent vulnerability impacts four of these drivers: the Midgard GPU Kernel Driver (versions r12p0 – r32p0), Bifrost GPU Kernel Driver (versions r0p0 – r42p0), Valhall GPU Kernel Driver (versions r19p0 – r42p0), and ARM 5th Gen GPU Architecture Kernel Driver (versions r41p0 – r42p0).
Only three of these vulnerable versions, however, have been patched. “This issue is fixed in Bifrost, Valhall, and ARM 5th Gen GPU Architecture Kernel Driver r43p0,” announced ARM. Users were explicitly advised to upgrade if they found themselves impacted by the issue.
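An inventory check against the ranges and fix release listed above, as an added example that is not ARM's code or part of the original article. The family keys, device names and inventory rows are constructed, and the range bounds are assumed to be inclusive.

```python
import re

# Affected ranges and fix release as stated in the article (bounds assumed inclusive).
# The dictionary keys are labels chosen for this example.
AFFECTED = {
    "midgard": ("r12p0", "r32p0"),
    "bifrost": ("r0p0", "r42p0"),
    "valhall": ("r19p0", "r42p0"),
    "5thgen": ("r41p0", "r42p0"),
}
# The article names a fixed release for three drivers only; Midgard has none listed.
FIXED_IN = {"bifrost": "r43p0", "valhall": "r43p0", "5thgen": "r43p0"}

_VERSION = re.compile(r"^r(\d+)p(\d+)$")

def parse_version(text):
    """Turn 'r42p0' into (42, 0) so releases compare numerically, not as strings."""
    m = _VERSION.match(text.strip().lower())
    if not m:
        raise ValueError(f"not an rXpY driver version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def assess(family, version):
    """Return (status, fixed_release) for one driver family/version pair."""
    key = family.strip().lower()
    if key not in AFFECTED:
        return "unknown-family", None
    low, high = (parse_version(v) for v in AFFECTED[key])
    if not low <= parse_version(version) <= high:
        return "not-in-affected-range", None
    return "affected", FIXED_IN.get(key)  # None: no fixed release listed

# Constructed inventory rows; device names are hypothetical.
INVENTORY = [
    ("tablet-a", "Bifrost", "r38p1"),
    ("phone-b", "Valhall", "r43p0"),
    ("stb-c", "Midgard", "r26p0"),
    ("board-d", "Bifrost", "r5p0"),  # a plain string compare would miss this one
]

def report(rows):
    return {name: assess(family, version) for name, family, version in rows}

if __name__ == "__main__":
    for name, (status, fix) in report(INVENTORY).items():
        print(f"{name}: {status}" + (f", upgrade to {fix}" if fix else ""))
```
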
Google takes action for commonly affected devices
Discovery of the active exploitation was credited to Maddie Stone of Google's Threat Analysis Group, along with Jann Horn of Google Project Zero. Devices like Google Pixel and Chromebooks were affected most significantly by this vulnerability. Both had been patched separately by Google as of September.
For those impacted, ARM has recommended software upgrades for the Midgard GPUs. Patches for two additional vulnerabilities capable of similar exploitation, CVE-2023-33200 and CVE-2023-34970, were disclosed for Valhall and ARM 5th Gen GPU versions. As ARM continues to manage these vulnerabilities, many hope that industry efforts toward robust cyber security will catch up.