Vulnerabilities in the firmware of MediaTek DSP chips used in many smartphones

Researchers from Check Point have identified three vulnerabilities (CVE-2021-0661, CVE-2021-0662, CVE-2021-0663) in the firmware of MediaTek DSP chips, plus a vulnerability in the MediaTek Audio HAL audio-processing layer (CVE-2021-0673). If successfully exploited, the vulnerabilities allow an attacker to eavesdrop on the user from an unprivileged Android application.

In 2021, MediaTek accounted for roughly 37% of shipments of dedicated smartphone SoCs (according to other data, MediaTek's share among manufacturers of smartphone DSP chips in the second quarter of 2021 was 43%). MediaTek DSP chips are used, among others, in smartphones from Xiaomi, Oppo, Realme and Vivo. The chips, built around a microprocessor with the Tensilica Xtensa architecture, are used in smartphones for tasks such as audio, image and video processing, for computation in augmented reality, computer vision and machine learning, and for implementing fast-charging mode.

During reverse engineering of the MediaTek DSP firmware, which is based on the FreeRTOS platform, several ways were found to execute code on the firmware side and take control of operations inside the DSP by sending specially crafted requests from an unprivileged Android application. Practical examples of the attack were demonstrated on a Xiaomi Redmi Note 9 5G phone equipped with the MediaTek MT6853 (Dimensity 800U) SoC. It is noted that OEMs already received fixes for the vulnerabilities in MediaTek's October firmware update.

Among the attacks that become possible once attacker-controlled code runs at the DSP firmware level:

  • Privilege escalation and security bypass: covertly capturing data such as photos, videos, call recordings, microphone audio, GPS data and so on.
  • Denial of service and malicious actions: blocking access to data, disabling overheating protection during fast charging.
  • Hiding malicious activity: creating completely invisible and unremovable malicious components that run at the firmware level.
  • Tagging to track the user, for example adding subtle marks to a photo or video so that published material can later be linked to the user.

Details of the vulnerability in the MediaTek Audio HAL have not yet been disclosed, but the other three vulnerabilities in the DSP firmware are caused by incorrect bounds checking when processing IPI (Inter-Processor Interrupt) messages that the audio_ipi driver sends to the DSP. These issues allow a controlled buffer overflow in handlers provided by the firmware: the handlers took the size of the transferred data from a field inside the IPI packet without checking it against the actual size of the data placed in shared memory.
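The following is an added illustration, not MediaTek's firmware code or Check Point's exploit: it models the bug class described above in plain C, with a handler that trusts a length field from the message header next to a hardened handler that validates that field against both the destination buffer and the shared-memory region it copies from. The message layout (`struct ipi_msg`), the 16-byte parameter buffer, the "neighbour" object and the attacker payload are all constructed for the example and do not reproduce the real audio_ipi format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical IPI message header; the real audio_ipi layout is not shown
 * on the page. Only payload_size matters for the bug: it is attacker-controlled
 * and describes data that lives in a separate shared-memory region. */
struct ipi_msg {
    uint16_t task_id;
    uint16_t msg_id;
    uint32_t payload_size;   /* length claimed by the sender */
};

/* A tiny model of the DSP heap: a 16-byte parameter buffer immediately
 * followed by another object whose magic value lets us detect corruption.
 * The arena is deliberately larger than the buffer so the demo stays in
 * bounds of this C object; on a real DSP there is no such safety margin. */
#define PARAM_BUF_LEN   16
#define DSP_ARENA_LEN   32
#define NEIGHBOUR_OFF   PARAM_BUF_LEN
#define NEIGHBOUR_MAGIC 0xA5A5A5A5u

struct dsp_heap {
    uint8_t arena[DSP_ARENA_LEN];
};

static void dsp_heap_init(struct dsp_heap *h) {
    uint32_t magic = NEIGHBOUR_MAGIC;
    memset(h->arena, 0, sizeof h->arena);
    memcpy(h->arena + NEIGHBOUR_OFF, &magic, sizeof magic);
}

static uint32_t dsp_heap_neighbour_magic(const struct dsp_heap *h) {
    uint32_t magic;
    memcpy(&magic, h->arena + NEIGHBOUR_OFF, sizeof magic);
    return magic;
}

/* Vulnerable handler: the copy length comes straight from the packet and is
 * never compared with the destination capacity or the shared-memory size. */
static int handle_param_vulnerable(struct dsp_heap *h, const struct ipi_msg *msg,
                                   const uint8_t *shm, size_t shm_len) {
    (void)shm_len;                                /* the real size is ignored */
    memcpy(h->arena, shm, msg->payload_size);     /* overflows past PARAM_BUF_LEN */
    return 0;
}

/* Hardened handler: the claimed length must fit the destination buffer and
 * must not exceed the shared-memory region it is read from (otherwise the
 * copy becomes an out-of-bounds read on the other side). */
static int handle_param_hardened(struct dsp_heap *h, const struct ipi_msg *msg,
                                 const uint8_t *shm, size_t shm_len) {
    if (msg->payload_size > PARAM_BUF_LEN || msg->payload_size > shm_len)
        return -1;                                /* reject the message */
    memcpy(h->arena, shm, msg->payload_size);
    return 0;
}

/* Replays one constructed attacker message against either handler and
 * returns 1 if the neighbouring object was corrupted, 0 otherwise. */
int run_attack(int use_hardened) {
    struct dsp_heap heap;
    uint8_t shm[24];                              /* constructed shared-memory payload */
    struct ipi_msg msg = { .task_id = 1, .msg_id = 2, .payload_size = sizeof shm };

    dsp_heap_init(&heap);
    memset(shm, 0x41, sizeof shm);                /* 24 bytes into a 16-byte buffer */

    if (use_hardened)
        handle_param_hardened(&heap, &msg, shm, sizeof shm);
    else
        handle_param_vulnerable(&heap, &msg, shm, sizeof shm);

    return dsp_heap_neighbour_magic(&heap) != NEIGHBOUR_MAGIC;
}

/* A header that claims more bytes than shared memory actually holds must be
 * rejected too; returns the handler's result (-1 = rejected). */
int hardened_rejects_overread(void) {
    struct dsp_heap heap;
    uint8_t shm[8] = {0};
    struct ipi_msg msg = { .task_id = 1, .msg_id = 2, .payload_size = 12 };
    dsp_heap_init(&heap);
    return handle_param_hardened(&heap, &msg, shm, sizeof shm);
}

/* A consistent, in-bounds message is still accepted (0 = accepted). */
int hardened_accepts_valid(void) {
    struct dsp_heap heap;
    uint8_t shm[8] = {0};
    struct ipi_msg msg = { .task_id = 1, .msg_id = 2, .payload_size = sizeof shm };
    dsp_heap_init(&heap);
    return handle_param_hardened(&heap, &msg, shm, sizeof shm);
}

int main(void) {
    printf("vulnerable handler corrupted neighbour: %d\n", run_attack(0));
    printf("hardened handler corrupted neighbour:   %d\n", run_attack(1));
    return 0;
}
```

The point a reviewer would check in any IPI or mailbox handler is the pair of comparisons in `handle_param_hardened`: a length that is only checked against the destination still permits an over-read of the shared region, and a length only checked against the region still permits the overflow, so both bounds have to come from sources the sender does not control.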

To reach the driver during the experiments, direct ioctl calls or the /vendor/lib/hw/audio.primary.mt6853.so library were used, neither of which is available to ordinary Android applications. The researchers nevertheless found a way to deliver commands that relies on debugging parameters accessible to third-party applications. These parameters can be changed through the Android AudioManager service and used to attack the MediaTek Aurisys HAL library (libfvaudio.so), which exposes calls for interacting with the DSP. To close this path, MediaTek removed the ability to use the PARAM_FILE command through AudioManager.

source: budenet.ru
