https://googleprojectzero.blogspot.com/2022/11/mind-the-gap.html has an interesting summary of an ARM Mali security issue. Seemingly, this work finally closed a 0-day that was known and sold for some time but was never reported by that side of the market.

Go, #ProjectZero, Go.

Mind the Gap

By Ian Beer, Project Zero

Note: The vulnerabilities discussed in this blog post (CVE-2022-33917) are fixed by the upstream vendor, but...

@rene_mobile It won't really do much good if the vendors including Google don't ship the patches.

Google is 6 releases behind on the ARM Mali driver on Pixels, and ARM does source code dumps, so it would be extremely hard to backport individual changes.

It's not the only code that's not being kept properly updated. Pixel 6 is on Linux 5.10.107, and that's up to 5.10.155 upstream. It's strange to do all this work on finding vulnerabilities, hardening, and making updates easier with Generic Kernel Images, etc., but then the patches don't get shipped.

There's little follow-through on the boring work of keeping things updated, only on improving the infrastructure to do it, and then not taking advantage of it.

@DanielMicay @rene_mobile a lot of effort goes into propagating security fixes for both internal and external issues and making them available to our customers/partners. Fixing the bug is just the first step.

@canacar @rene_mobile

I think Google should be able to consistently update upstream code and should be able to integrate important updates within weeks in the worst case, not half a year or more.

If the Linux kernel fixes a remote code execution bug, they should have a release out for Pixels within a week, not months. It literally takes them months to fix those issues, while Chrome would do it in days. There are RCE bugs from October in the Linux kernel currently unfixed on Pixels. They'll eventually cherry-pick the patches or update to a new stable kernel.org release as part of a quarterly release with the patches. It's not included in QPR1 (December).

They also shouldn't need people to specifically report to them that a Mali driver release, Linux kernel release, SQLite release, etc. fixes vulnerabilities and that they need to update it.

Also, Android's highly flawed security bulletin system isn't a valid excuse for Pixels having only monthly releases and taking 60+ days to get anything released, even at extreme severity. Their testing process is completely broken, because all they can do if they find serious issues in a new release is choose between releasing it anyway or missing the month's release...