Google has disclosed several security flaws for phones that have Mali GPUs, such as those with Exynos chipsets. The company’s Project Zero team says it flagged the problems to ARM (which produces the GPUs) back in the summer. ARM resolved the issues on its end in July and August. However, smartphone manufacturers including Samsung, Xiaomi, Oppo and Google itself hadn’t deployed patches to fix the vulnerabilities as of earlier this week, Project Zero said.
Researchers identified five new issues in June and July and promptly flagged them to ARM. “One of these issues led to kernel memory corruption, one led to physical memory addresses being disclosed to userspace and the remaining three led to a physical page use-after-free condition,” Project Zero’s Ian Beer wrote in a blog post. “These would enable an attacker to continue to read and write physical pages after they had been returned to the system.”
Beer noted that it would be possible for a hacker to gain full access to a system as they’d be able to bypass the permissions model on Android and gain “broad access” to a user’s data. The attacker could do so by forcing the kernel to reuse the afore-mentioned physical pages as page tables.
Project Zero found that, three months after ARM fixed these issues, all of the team’s test devices were still vulnerable to the flaws. As of Tuesday, the issues were not mentioned “in any downstream security bulletins” from Android manufacturers.
Engadget has contacted Google, Samsung, Oppo and Xiaomi to ask when they will deploy the fixes to their Android devices and why it has taken so long for them to do so. As SamMobile notes, Samsung’s Galaxy S22 series devices and the company’s Snapdragon-powered handsets aren’t affected by these vulnerabilities.