cross-posted from: https://infosec.pub/post/18563178

Qualcomm has released security patches for a zero-day vulnerability in the Digital Signal Processor (DSP) service that impacts dozens of chipsets. […]

  • Possibly linux
    link
    fedilink
    English
    arrow-up
    6
    ·
    1 month ago

    If only Android was based on mainline Linux! Who am I joking, cost is way more important than security.

    Serious question though, can this be exploited via web assembly? Also is Lineage OS shipping patches? I know many devices have been abandoned by the vendors so it is entirely possible this will go unpatched in older devices

    • limerod@reddthat.comM
      link
      fedilink
      English
      arrow-up
      4
      ·
      1 month ago

      Also is Lineage OS shipping patches? I know many devices have been abandoned by the vendors so it is entirely possible this will go unpatched in older devices

      This is a vulnerability in a proprietary Qualcomm’s DSP. The patch will only be made available to OEMs. LineageOS cannot patch this vulnerability if the device itself is no longer receiving official updates.

      • ReversalHatchery@beehaw.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 month ago

        how and when is the DSP used, though?

        and what kind of code can take advantage of this? apps? javascript in browser apps? or a non-app system process with a specific privilege?

        • limerod@reddthat.comM
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 month ago

          DSP (Digital Signal Processor) is used anywhere where a digital signal is processed like audio, video, etc. When you play your favourite media its played by your processor’s DSP instead of your CPU saving battery. Speech recognition is another area where DSP is used for this.

          Nowadays, it does more than just play media. Including doing AI tasks on a NPU(Neural Processing Unit) like Object recognition, running LLM(Large Language Models) to generate pictures, suggest frequently used apps, etc.

          and what kind of code can take advantage of this? apps? javascript in browser apps? or a non-app system process with a specific privilege?

          As for code anything that processes signals can be accelerated by it.

          User code does not get privileged access to it. JavaScript is sanboxed but system processes in chrome and firefox can use it for media playback.

          For accelerated AI tasks on the NPU. It depends if the app developer leverage the specific neural SDK for Qualcomm, mediatek. Or use NNAPI API, or LiteRT

          It’s standard on most smartphones like the CPU, GPU. If you want you can ask perplexity.ai for specific info in it.

          I have given a short summary. But, there’s lot more you can read if interested.