Looks like we have a confirmation that Cellebrite uses memory corruptions in Linux kernel USB drivers to unlock Android phones. First 2 bugs seem easily discoverable by syzkaller/syzbot with a bit of extra descriptions. 3rd one is likely as well ⤵️ - ThreadSky

andreyknvl.bsky.social • 3 days ago

Looks like we have a confirmation that Cellebrite uses memory corruptions in Linux kernel USB drivers to unlock Android phones.

First 2 bugs seem easily discoverable by syzkaller/syzbot with a bit of extra descriptions. 3rd one is likely as well ⤵️

Reposted from GrapheneOS

securitylab.amnesty.org/latest/2025/...

Amnesty International’s Security Lab has a post about 3 vulnerabilities exploited by Cellebrite to extract data from locked Android devices. GrapheneOS blocked exploiting these vulnerabilities in multiple different ways. We also patched them much earlier.

Comments

andreyknvl.bsky.social•3 days ago

For CVE-2024-53104 (OOB write in uvc_parse_format), syzbot reaches uvc_parse_streaming — parent function of uvc_parse_format — but fails to get to the bug: syzkaller has no descriptions for streaming interface descriptors.

https://storage.googleapis.com/syzbot-assets/7efefb59364f/ci2-upstream-usb-c749f058.html#drivers%2fmedia%2fusb%2fuvc%2fuvc_driver.c:~:text=case%20UVC_VS_FORMAT_FRAME_BASED%3A%0A%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20ret%20%3D-,uvc_parse_format,-(dev%2C%20streaming%2C%20format

andreyknvl.bsky.social•3 days ago

Similarly for CVE-2024-53197 (OOB for Extigy and Mbox devices), syzbot even gets to snd_usb_mbox2_boot_quirk — the buggy function. But then fails to pass the descriptor size check due to no Mbox-specific descriptions.

https://storage.googleapis.com/syzbot-assets/7efefb59364f/ci2-upstream-usb-c749f058.html#sound%2fusb%2fquirks.c:~:text=device%20*/%0A%0Astatic%20int-,snd_usb_mbox2_boot_quirk,-(struct%20usb_device%20*dev

andreyknvl.bsky.social•3 days ago

Side note: syzkaller can't detect deep bugs in UVC drivers, as Dummy HCD/UDC doesn't support isochronous transfers, which are required for UVC. But the bugs above happen during initial stages of UVC device operation, so syzkaller can reach related code.

https://github.com/xairy/raw-gadget/issues/72

andreyknvl.bsky.social•3 days ago

Reaching code for CVE-2024-50302 (infoleak via Anton Touchpad) seems to require a bit more descriptions work: hid-multitouch.c is barely covered by syzbot. But the bug type is discoverable via KMSAN: it reports infoleaks over USB as kernel-usb-infoleak.

https://storage.googleapis.com/syzbot-assets/7efefb59364f/ci2-upstream-usb-c749f058.html#drivers%2fhid%2fhid-multitouch.c

andreyknvl.bsky.social•3 days ago

Considering that all these bugs lie just a bit beyond what syzkaller can currently cover, I wouldn't be surprised if they were found by extending syzkaller.

andreyknvl.bsky.social•3 days ago

If you're curios how USB fuzzing works in syzkaller, check out the linked doc. (I've also got a draft of an article with a lot more details going, hoping to finish it sooner or later.)

https://github.com/google/syzkaller/blob/master/docs/linux/external_fuzzing_usb.md

Posting Rules

Be respectful to others
No spam or self-promotion
Stay on topic
Follow Bluesky's terms of service

Comments

Posting Rules

Reply