Vulnerabilities in the firmware of MediaTek DSP chips used in many smartphones

Check Point researchers have found three vulnerabilities (CVE-2021-0661, CVE-2021-0662, CVE-2021-0663) in the firmware of MediaTek DSP chips, as well as a vulnerability in the MediaTek Audio HAL audio layer (CVE-2021-0673). If the vulnerabilities are successfully exploited, an attacker can eavesdrop on the user from an unprivileged application for the Android platform.

In 2021, MediaTek accounts for approximately 37% of shipments of specialized chips for smartphones and SoCs (according to other data, in the second quarter of 2021 MediaTek's share among manufacturers of DSP chips for smartphones was 43%). MediaTek DSP chips are also used in popular smartphones by Xiaomi, Oppo, Realme and Vivo. MediaTek chips, based on a microprocessor with the Tensilica Xtensa architecture, are used in smartphones for tasks such as audio, image and video processing, computation for augmented reality systems, computer vision and machine learning, as well as for implementing fast charging.

While reverse engineering the firmware for MediaTek DSP chips, which is based on the FreeRTOS platform, the researchers identified several ways to execute code on the firmware side and gain control over operations in the DSP by sending specially crafted requests from unprivileged applications for the Android platform. Practical examples of the attacks were demonstrated on a Xiaomi Redmi Note 9 5G smartphone with a MediaTek MT6853 (Dimensity 800U) SoC. It is noted that OEMs have already received fixes for the vulnerabilities in the October MediaTek firmware update.

Among the attacks that can be carried out by executing code at the firmware level of the DSP chip:

  • Privilege escalation and security bypass - covertly capturing data such as photos, videos, call recordings, microphone data, GPS data, etc.
  • Denial of service and malicious actions - blocking access to information, disabling overheating protection during fast charging.
  • Hiding malicious activity by creating invisible and unremovable malicious components that execute at the firmware level.
  • Attaching tags to track a user, such as adding discreet tags to an image or video in order to determine whether posted data is linked to the user.

Details of the vulnerability in MediaTek Audio HAL have not yet been disclosed, but the other three vulnerabilities in the DSP firmware are caused by incorrect bounds checking when processing IPI (Inter-Processor Interrupt) messages sent by the audio_ipi audio driver to the DSP. These flaws make it possible to trigger a controlled buffer overflow in handlers provided by the firmware, in which the size of the transferred data is taken from a field inside the IPI packet without checking it against the actual size available in shared memory.
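The bug class described above, as an added example that is not from the original article or from MediaTek's firmware: a handler that trusts a length field taken from the message, next to a version that validates the field against both the destination buffer and the shared-memory size. The struct layout, names and sizes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout and sizes: not MediaTek's real IPI message format. */
#define HANDLER_BUF_SIZE 64u
struct ipi_msg {
    uint32_t payload_size;   /* sender-controlled length field */
    uint32_t shm_offset;     /* sender-controlled offset into shared memory */
};
struct shm_region { const uint8_t *base; size_t size; };

/* Pattern described in the text: the length field is trusted as-is. */
int handle_msg_unchecked(const struct ipi_msg *m, const struct shm_region *shm,
                         uint8_t dst[HANDLER_BUF_SIZE])
{
    memcpy(dst, shm->base + m->shm_offset, m->payload_size); /* no bounds check */
    return 0;
}

/* Hardened form: validate the field against both buffers before copying. */
int handle_msg_checked(const struct ipi_msg *m, const struct shm_region *shm,
                       uint8_t dst[HANDLER_BUF_SIZE])
{
    if (m->payload_size > HANDLER_BUF_SIZE)
        return -1;                       /* would overflow the handler buffer */
    if (m->shm_offset > shm->size)
        return -2;                       /* offset lies outside shared memory */
    if (m->payload_size > shm->size - m->shm_offset)
        return -3;                       /* would read past shared memory */
    memcpy(dst, shm->base + m->shm_offset, m->payload_size);
    return (int)m->payload_size;         /* number of bytes accepted */
}

/* Constructed demo input: a 128-byte zeroed region stands in for shared memory. */
int demo_result(uint32_t size, uint32_t offset)
{
    static const uint8_t shared[128] = {0};
    uint8_t dst[HANDLER_BUF_SIZE];
    struct ipi_msg m = { size, offset };
    struct shm_region shm = { shared, sizeof shared };
    return handle_msg_checked(&m, &shm, dst);
}
```

The third check is written as a subtraction so that a large offset plus a large size cannot wrap around and pass the comparison.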

To access the driver during the experiments, the researchers used direct ioctl calls or the /vendor/lib/hw/audio.primary.mt6853.so library, neither of which is available to regular Android applications. However, the researchers found a workaround for sending commands, based on debugging options that are available to third-party applications. These parameters can be changed by calling the Android AudioManager service to attack the MediaTek Aurisys HAL libraries (libfvaudio.so), which provide calls for interacting with the DSP. To block this workaround, MediaTek removed the ability to use the PARAM_FILE command through AudioManager.

Source: opennet.ru
