Vulnerability in Android 14 exploitable via Bluetooth LE

The developers of GrapheneOS, a security-hardened fork of the AOSP (Android Open Source Project) codebase, have identified a vulnerability in the Bluetooth stack of the Android 14 platform that could potentially lead to remote code execution. The problem is a use-after-free (access to an already freed memory region) in the code that processes audio transmitted over Bluetooth LE.

The vulnerability was found thanks to additional protection integrated into the hardened_malloc allocator using the ARMv8.5 MTE extension (MemTag, Memory Tagging Extension). MTE attaches a tag to each memory allocation and checks that pointers carry the matching tag on use, which blocks exploitation of bugs caused by accessing already freed memory blocks, buffer overflows, use before initialization, and use outside the current context.
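To make the tagging mechanism concrete, here is an added illustration written for this article; it is not GrapheneOS, hardened_malloc or Android code and does not execute real MTE instructions. A shadow byte array stands in for the hardware's per-granule tag storage and a software comparison stands in for the CPU's check on every tagged load and store; the bump allocator, 16-byte granules, 4-bit tags in the pointer's top byte and the retag-on-free policy are assumptions chosen to mirror how the extension is described above.

```c
/*
 * Simulated memory tagging (illustration only, not MTE hardware, not
 * hardened_malloc). shadow[] plays the role of the hardware tag storage and
 * tag_check() plays the role of the CPU's load/store tag comparison.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE        16                         /* MTE tags memory in 16-byte granules */
#define ARENA_GRANULES 64                         /* assumed size of the demo heap */
#define TAG_SHIFT      56                         /* MTE keeps the tag in the pointer's top byte */
#define TAG_MASK       0xFULL                     /* 4-bit tag: 16 possible values */
#define ADDR_MASK      ((1ULL << TAG_SHIFT) - 1)

static _Alignas(GRANULE) uint8_t arena[ARENA_GRANULES * GRANULE];
static uint8_t shadow[ARENA_GRANULES];            /* one tag per granule */
static size_t  next_granule;
static uint8_t tag_counter;

typedef struct { uintptr_t raw; } tagged_ptr;     /* address with the tag in the top byte */

/* Pick a tag different from `avoid`, so a stale pointer (use-after-free) or a
 * neighbour's pointer (linear overflow) never carries the granule's current tag. */
static uint8_t new_tag(uint8_t avoid) {
    uint8_t t;
    do {
        tag_counter = (uint8_t)((tag_counter + 1) & TAG_MASK);
        t = tag_counter;
    } while (t == avoid);
    return t;
}

static size_t granule_index(uintptr_t addr) {
    return (size_t)((addr - (uintptr_t)arena) / GRANULE);
}

/* Bump allocator: each allocation gets a fresh tag written to its granules and
 * returned in the pointer's top byte. raw == 0 signals out of memory. */
static tagged_ptr tag_alloc(size_t n) {
    tagged_ptr tp = { 0 };
    size_t g = (n + GRANULE - 1) / GRANULE;
    if (g == 0 || next_granule + g > ARENA_GRANULES) return tp;
    uint8_t t = new_tag(next_granule ? shadow[next_granule - 1] : 0);
    for (size_t i = 0; i < g; i++) shadow[next_granule + i] = t;
    uintptr_t addr = (uintptr_t)&arena[next_granule * GRANULE];
    next_granule += g;
    tp.raw = addr | ((uintptr_t)t << TAG_SHIFT);
    return tp;
}

/* The check the CPU performs on a tagged access: every granule the access
 * touches must carry the pointer's tag. 0 = allowed, -1 = the fault MTE raises. */
static int tag_check(tagged_ptr tp, size_t len) {
    uint8_t   ptag = (uint8_t)((tp.raw >> TAG_SHIFT) & TAG_MASK);
    uintptr_t addr = tp.raw & ADDR_MASK;
    uintptr_t base = (uintptr_t)arena;
    if (len == 0 || addr < base || addr + len > base + sizeof arena) return -1;
    size_t first = granule_index(addr), last = granule_index(addr + len - 1);
    for (size_t g = first; g <= last; g++)
        if (shadow[g] != ptag) return -1;
    return 0;
}

/* Checked store: the only path through which this demo writes into the arena. */
static int tag_store(tagged_ptr tp, const void *src, size_t len) {
    if (tag_check(tp, len) != 0) return -1;
    memcpy((void *)(tp.raw & ADDR_MASK), src, len);
    return 0;
}

/* Free retags the granules, so a pointer still carrying the old tag faults on
 * its next access instead of silently reading or writing freed memory. */
static void tag_free(tagged_ptr tp, size_t n) {
    size_t first = granule_index(tp.raw & ADDR_MASK), g = (n + GRANULE - 1) / GRANULE;
    uint8_t t = new_tag(shadow[first]);
    for (size_t i = 0; i < g; i++) shadow[first + i] = t;
}

/* Use-after-free, the bug class in the article: returns 1 if the stale pointer
 * is accepted before free and rejected after it. */
int demo_use_after_free(void) {
    tagged_ptr p = tag_alloc(32);
    const char payload[32] = "constructed audio frame";   /* sample data, not a real packet */
    int before = tag_store(p, payload, sizeof payload);
    tag_free(p, 32);
    int after = tag_store(p, payload, sizeof payload);
    return before == 0 && after != 0;
}

/* Linear overflow into the neighbouring allocation: returns 1 if an in-bounds
 * write is accepted and a one-byte overrun is rejected. */
int demo_overflow(void) {
    tagged_ptr a = tag_alloc(16);
    tagged_ptr b = tag_alloc(16);      /* adjacent allocation with a different tag */
    (void)b;
    uint8_t buf[17] = { 0 };
    return tag_check(a, 16) == 0 && tag_store(a, buf, sizeof buf) != 0;
}

int main(void) {
    printf("use-after-free caught: %d\n", demo_use_after_free());
    printf("overflow caught: %d\n", demo_overflow());
    return 0;
}
```

The simulation also shows the limit of the approach: with 4-bit tags there are only 16 values, so a stale or out-of-bounds pointer has a one-in-sixteen chance of matching by accident unless the allocator deliberately chooses tags that differ from the freed block and its neighbours, as the `new_tag` helper does here. In this demo a mismatch is reported as a return value; on real hardware it is a synchronous fault, which is exactly what surfaced the Bluetooth LE bug as a crash on MTE-enabled builds.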

The bug appeared with the Android 14 QPR2 (Quarterly Platform Release) update, published in early March. In the main Android 14 code base the MTE mechanism is available as an option and is not yet used by default, but GrapheneOS had already enabled it for additional protection, which made it possible to diagnose the bug after updating to Android 14 QPR2. The bug caused a crash when Samsung Galaxy Buds2 Pro Bluetooth headphones were used with a build that had MTE-based protection enabled. Analysis of the incident showed that the problem was a use-after-free in the Bluetooth LE handler, not a failure caused by the MTE integration itself.

The vulnerability is fixed in GrapheneOS release 2024030900 and affects smartphone builds that do not include the additional hardware protection based on the MTE extension (MTE is currently enabled only on Pixel 8 and Pixel 8 Pro devices). The vulnerability was reproduced on Google Pixel 8 smartphones running Android 14 QPR2. On Android for Pixel 8 series smartphones, MTE mode can be enabled in the developer settings ("Settings / System / Developer options / Memory Tagging Extensions"). Enabling MTE increases memory consumption by approximately 3%, but does not reduce performance.

Source: opennet.ru