Vulnerabilities on smartphones using Mali GPU

The “Google Zero” project recently unveiled some critical vulnerabilities in the Mali driver: Project Zero: Mind the Gap
They have been fixed upstream (but have not been deployed yet, by major manufacturers).

What is the status regarding /e/ OS?

1 Like

not speaking for /e/ - but the TL;DR is that every Mali GPU user is currently vulnerable to this, and custom ROMs, by virtue of being hostage to vendor kernels, wait for vendors. You read the intro on the post:

“at the time of publication, these fixes have not yet made it downstream”

they’re venting frustration at the vendors (Pixel, Samsung, Xiaomi, Oppo …). I’m going on a vendor kernel rant now, bear with me…

Most maintainers import their kernel, which has the GPU code included, from vendor open-source pages (or get prebuilts from devices that received stock ROM updates). Tracking every CVE or bug individually and applying patches is a lot of work (but admittedly can be automated to a degree, see shoutout) - importing is easier and makes for compatible devices.

So if you use a device still in a support window, as soon as those .zips get dropped on the open-source pages of a vendor, they’ll be imported to maintained devices and trickle down.

If you’re outside the support window but still actively maintained in LineageOS and/or /e/, maybe you’ll get a backport. There’s a guideline of “if the CVE makes the news, include the patch”, last I read.

To give you a feel for how often driver updates find their way into the build kernel, two examples:

Samsung A5 (2016): https://github.com/LineageOS/android_kernel_samsung_universal7580/tree/lineage-18.1/drivers/gpu/arm/midgard → 2018 → not sure if this one will see a patch

Samsung S10: https://github.com/LineageOS/android_kernel_samsung_exynos9820/tree/lineage-19.1/drivers/gpu/arm → 2022, looks active, will probably receive a patch. Seems to be a different build tree from what ARM puts out there, though.

If the device is out of the support window, the maintainer will look to supported devices with a similar SoC and import - or as a last resort could patch by hand.

There are other Mali drivers, like Mesa’s Panfrost, that don’t have this specific issue. I’m not aware, though, of an Android using them. One argument for having a device that can use mainline kernels and inlined GPU drivers, or at least GKIs, is that there’s no need to wait for vendors; you just recompile.

But anyway, you’ll need a malicious app to exploit CVE-2022-33917 - if JavaScript/WebGL on arbitrary pages can do it, I wouldn’t really know. There are so many CVEs in vendor kernels if you don’t go with supported kernel.org branches that I’m not sure I care apart from the real bangers… @anon88181694 cares though 🙂

3 Likes
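The reply above judges driver freshness by eyeballing the last commit date of `drivers/gpu/arm` in two LineageOS kernel trees. The script below is an added example that does that check for any kernel checkout; it is not code from the forum post, from LineageOS or from /e/. It assumes only that the checkout is a git repository and that the vendor Mali driver lives under `drivers/gpu/arm` (the layout of the trees linked above); the function names and the 365-day default threshold are my own choices.

```shell
#!/bin/sh
# Added example: report how long ago the Mali GPU driver directory in a
# kernel checkout was last touched, so a maintainer can see whether the
# device kernel still carries a years-old vendor driver import.
# Assumed layout (not from the post): git checkout, driver under drivers/gpu/arm.

MALI_DIR="drivers/gpu/arm"

# Print the unix timestamp of the last commit that touched $MALI_DIR.
# Prints nothing and returns 1 when the path was never committed or the
# directory is not a git repository.
mali_last_commit_ts() {
  repo="$1"
  ts=$(git -C "$repo" log -1 --format=%ct -- "$MALI_DIR" 2>/dev/null)
  [ -n "$ts" ] || return 1
  printf '%s\n' "$ts"
}

# Age of that last commit in whole days, measured from now.
mali_driver_age_days() {
  ts=$(mali_last_commit_ts "$1") || return 1
  now=$(date +%s)
  echo $(( (now - ts) / 86400 ))
}

# Return 0 (true) when the driver import is older than max_days, 1 when it
# is fresh enough, 2 when no driver commit could be found.
mali_driver_stale() {
  age=$(mali_driver_age_days "$1") || return 2
  [ "$age" -gt "$2" ]
}

# Usage: sh mali_age.sh /path/to/kernel [max_days]   (threshold defaults to 365)
if [ -n "${1:-}" ]; then
  repo="$1"
  max="${2:-365}"
  if age=$(mali_driver_age_days "$repo"); then
    echo "$MALI_DIR in $repo last touched $age days ago"
    if mali_driver_stale "$repo" "$max"; then
      echo "stale: driver import is older than $max days, check for a pending vendor drop or backport"
    fi
  else
    echo "no commits under $MALI_DIR in $repo (not a git checkout, or driver lives elsewhere)" >&2
    exit 2
  fi
fi
```

Run it against a checkout of either tree linked above to reproduce the "2018" versus "2022" observation numerically; a non-zero exit from `mali_driver_stale` in a CI job is an easy way to flag devices whose driver import has not moved since the fixes went upstream.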