Mali GPU Kernel Driver Allows Improper GPU Memory Processing Operations

Vulnerability

CVE-2023-34970 is a vulnerability in Arm Mali GPU drivers that allows a local non-privileged user to trigger improper GPU processing operations. This can result in accessing a limited amount of memory outside buffer bounds or exploiting a software race condition. The affected versions include various Mali GPU driver releases; details are available in the Arm security advisory [1].

Exploitation

An attacker with local non-privileged access to the system can carefully prepare the system's memory and then perform specific GPU processing operations. This may involve triggering a race condition or causing an out-of-bounds access. The attacker does not require any special permissions beyond local user access.

Impact

Successful exploitation allows the attacker to access already freed memory. This could lead to information disclosure of sensitive data or potentially be leveraged for privilege escalation, depending on the memory layout and system configuration.

Mitigation

Arm has released updated Mali GPU drivers that fix this vulnerability. Users should apply the latest driver updates from their device vendor. The advisory [1] provides details on the fixed versions and release dates.