CVE-2023-40085 - How a Small Bounds Check Bug in Android Can Spill Sensitive Data

CVE-2023-40085 is a security vulnerability discovered in the Android Open Source Project (AOSP), specifically in the file ShimConverter.cpp. This bug occurs because a bounds check is missing in the convertSubgraphFromHAL function, which can lead to an out-of-bounds read. In simple terms, this flaw can let a local attacker read memory that doesn't belong to them, revealing sensitive information.

Let’s break down how this works, show you where the bug happens, and go over how it could be exploited—even without any special privileges or user interaction.

Where’s The Bug? Understanding convertSubgraphFromHAL

The vulnerable code resides in a low-level component dealing with neural network operations. Here's a cleaned-up snippet similar to the vulnerable code found in ShimConverter.cpp:

// ShimConverter.cpp

Status ShimConverter::convertSubgraphFromHAL(const hal::Subgraph& halSubgraph) {
    // ... (setup code)

    const auto& operands = halSubgraph.operands;
    for (size_t i = ; i < halSubgraph.inputIndexes.size(); ++i) {
        auto operandIndex = halSubgraph.inputIndexes[i];
        // MISSING: if (operandIndex >= operands.size()) return error;
        const auto& operand = operands[operandIndex];
        // Do something with operand ...
    }

    // ... (rest of function)
}

What’s wrong?

Notice how inputIndexes comes from an external source and is used directly to index into the operands vector, but without checking if the index is valid. If a malicious app can control halSubgraph and stick in an out-of-bounds index, the code tries to access memory beyond what’s valid, possibly leaking confidential data.

Vulnerability Type: Out-of-bounds Read (Memory Disclosure)

- Impact: Local information disclosure. An unfriendly app could read portions of memory it shouldn’t be able to see.

Attack Vector: Local (a malicious app running on the device).

The Android security bulletin summed it up like this:

> "In convertSubgraphFromHAL of ShimConverter.cpp, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with no additional execution privileges needed."

Exploit Details: From Bug to Proof-of-Concept

Let’s look at how an attacker could take advantage. The exploit idea is simple: call into the affected code with a manipulated halSubgraph structure. Here’s a high-level proof of concept:

// Pseudo-exploit
hal::Subgraph maliciousSubgraph;
maliciousSubgraph.inputIndexes = {100}; // way beyond end
// ... operands only has 2 items
maliciousSubgraph.operands.resize(2);

// Now call vulnerable function
ShimConverter converter;
converter.convertSubgraphFromHAL(maliciousSubgraph);

// This triggers an out-of-bounds read from operands[100]

If attackers can get their payload delivered to the affected process (for example, via a crafted neural network model), they could read data from memory that isn’t theirs, such as credentials, tokens, or just random heap garbage—which might contain sensitive information.

Who is Affected?

This bug lives inside Android’s neural network components, in the NNAPI HAL shim. Devices running unpatched Android versions are vulnerable. Google patched this issue in October 2023 (see the security bulletin), and the change was committed here:

- AOSP Patch (see the added bounds checks)

How Was It Fixed?

Pretty straightforward: the patch just added the missing bounds check.

for (size_t i = ; i < halSubgraph.inputIndexes.size(); ++i) {
    auto operandIndex = halSubgraph.inputIndexes[i];
    if (operandIndex >= operands.size()) {
        // Handle error, don't access out-of-bounds memory!
        return error;
    }
    const auto& operand = operands[operandIndex];
    // ...
}

How Can You Protect Yourself?

- Update your device. The best protection is running an Android version with this bug fixed (October 2023 or later).
- Be careful with untrusted apps. Since the attack is local, apps you install could potentially exploit this until patched.
- Check with your vendor. Some Android phones get updates later than Google devices, so make sure your OEM rolled out the patch.

More Info and References

- Android Security Bulletin – October 2023, SYSTEM-308327995
- Upstream AOSP fix
- CVE details (will update as info emerges)

Final Thoughts

CVE-2023-40085 is a good lesson on why even small bounds check mistakes should not be ignored, especially in low-level code that might handle lots of user or app input. Stay up-to-date with software updates, and when you see a patch for your device, don’t put it off—one missing check is all it takes to spill what should be private.


Let us know if you want a deeper technical dive into Android's memory handling and security!

Timeline

Published on: 02/16/2024 19:15:08 UTC
Last modified on: 11/01/2024 16:35:03 UTC