Google revealed a critical flaw in Qualcomm's Adreno GPU
Google Project Zero is one of the highly rated independent security teams in terms of expertise today. The group's findings are not only important to Google's products themselves, but can also contribute to alerting many large organizations and enterprises against the risk of a cyber security disaster. The case that just happened on Qualcomm's Adreno GPU can be used.
Specifically, the Project Zero team has just publicly revealed a security hole that exists in the Adreno GPU integrated on a Snapdragon chip, with a 'high' severity rating.
This is a vulnerability related to the way the GPU handles shared information. Essentially, the Adreno GPU driver associates a separate device architecture for each kernel graphics support layer (KGSL) class descriptor, which contains the page tables needed to context switching. This architecture is associated with the process ID (PID) of the process that calls it, but can be reused by other KGSL descriptors in the same process, potentially improving performance.
When the calling process (parent process) creates a child process, the following also inherits the native structure of the KGSL descriptor originally created for the parent process, rather than creating a new process. Essentially, this gives the child process - possibly a malicious attacker - access over subsequent GPU mappings, and penetrates the user's device.
In general, exploiting this vulnerability would require a very complex attack, in which the operator also has to be highly skilled. Project Zero experts said that in real-world situations, successfully exploiting the vulnerability would require an attacker to "repeat the PID and then trigger a timely process or restart the service." the system passed a 'crashes'.
All information on the vulnerability and related issues was reported to Qualcomm by Google Project Zero on September 15th. Accompanied by suggestions for remediation and a standard deadline of 90 days (to December 14) for Qualcomm to take steps to fix the problem, before everything goes public. On December 7, Qualcomm completed a fix and shared information separately with OEMs. Qualcomm also pledged to disclose more detailed information about the vulnerability in a public bulletin released in January 2021.
To authenticate, Google Project Zero analyzed the Qualcomm fix, and discovered that within the patch itself could create a new problem that could lead to privilege escalation attacks at the level. nuclear degree. Google continued to notify Qualcomm of its new findings on December 10, Qualcomm later responded that it was further investigating.
However, today is the deadline. In accordance with regulations, Project Zero has publicly announced the vulnerability in the Adreno GPU driver mentioned above. It is not clear why Qualcomm is not asking for an additional grace period to fix the bug. If so, the vulnerability details will not be included in the Google newsletter.
As it is now, the security bug is now public, meaning that Qualcomm is in a race against time to fix it as soon as possible before attackers figure out how to get the most out of it. .
You should read it
- Qualcomm Snapdragon 865 processor specifications leaked, 20% stronger than Snapdragon 855
- Detected critical zero-day vulnerability on Adobe Reader
- Detected extremely serious vulnerability in Hikvision security cameras
- Skype blocked the security hole
- Detecting Qualcomm CPU errors can cause private data on the phone to leak
- Apple Patches Zero-Day Vulnerability That Could Let iPhones, iPads, and MacBooks Get Hacked
- Apple releases iOS 14.4.2, iOS 12.5.2, and watchOS 7.3.3 updates that patch the critical zero-day vulnerability
- Not yet released, but iOS 13 has a security hole that bypasses the lock screen
- black hole, white hole, deep hole
- Google Chrome has a serious zero-day error, and hackers can execute malicious code at its fullest
- Google Project Zero reveals a serious privilege escalation vulnerability in Windows
- Discover the most bizarre black holes in the mysterious space universe
Maybe you are interested
What is A/B testing? What is the process of performing A/B Test?
How to Speed Up Your Content Creation Process While Ensuring Quality
Close-up of the birthing process of the venomous snake with the longest fangs in the world
Difference between ARM and Intel processors
How to use the Round function in Excel to round numbers and process data
Windows 11 24H2 Boosts Performance for AMD Ryzen Processors, But Not Intel