OnePlus Assures Fix for OnePlus 3/3T Bootloader Vulnerability in Next OTA
Just yesterday, we highlighted a bootloader vulnerability that affected the OnePlus 3 and OnePlus 3T. This vulnerability made use of the fastboot mode on the device to toggle SELinux status from Enforcing to Permissive.
This state toggle can be done on both bootloader locked and bootloader unlocked devices. The issue was further complicated by the absence of an SELinux entry in the ‘About Phone’ screen, thus giving us no easy way to figure out if a device had been manipulated.
We had reached out to XDA Recognized Developer Sultanxda to shed some light on the issue:
The way that the “fastboot oem selinux <state>” command works is that it adds an extra argument onto the kernel command line when booting Linux. The extra argument comes in the form of “androidboot.selinux=<state>”, where <state> can be “permissive”. There’s where things get funny: “androidboot.<something>” arguments on the kernel command line are parsed by Android’s init. In a normal Android production build (a “user” build), the “androidboot.selinux” argument is totally ignored and selinux is always forced to enforcing.
So this bug is composed of two issues: One, users can make the bootloader pass a flag that would normally make selinux permissive on an engineering/debugging ROM build. And two, OnePlus modified Android’s init in order to honor the “androidboot.selinux” flag even for production ROM builds.
Sultanxda suggested a few ways to fix the issue. You can read up on the suggestions and more on the vulnerability in our original post.
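With no SELinux entry in 'About Phone', the state has to be checked by hand. The script below is an added example, not code from OnePlus, Sultanxda or the original post: it compares the `androidboot.selinux` argument described above with the runtime SELinux mode. The function names, verdict strings and sample command lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example: classify SELinux state from a kernel command line and the
# runtime mode. The sample inputs below are constructed, not device captures.

# Print the value of the last androidboot.selinux=<state> argument, or nothing.
cmdline_selinux_flag() {
    flag=""
    set -f                       # no glob expansion while word-splitting
    for arg in $1; do            # unquoted on purpose: split on whitespace
        case "$arg" in
            androidboot.selinux=*) flag=${arg#androidboot.selinux=} ;;
        esac
    done
    set +f
    printf '%s' "$flag"
}

# $1 = kernel command line, $2 = runtime mode (1/0 or Enforcing/Permissive)
classify() {
    flag=$(cmdline_selinux_flag "$1")
    mode=$(printf '%s' "$2" | tr -d '\r\n' | tr 'A-Z' 'a-z')
    case "$mode" in
        1|enforcing)  mode=enforcing ;;
        0|permissive) mode=permissive ;;
        *) echo "unknown"; return 0 ;;      # mode could not be read
    esac
    if [ "$flag" = "permissive" ] && [ "$mode" = "permissive" ]; then
        echo "flag-honored"        # init acted on the bootloader flag
    elif [ "$flag" = "permissive" ]; then
        echo "flag-ignored"        # flag was passed, init still enforces
    elif [ "$mode" = "permissive" ]; then
        echo "permissive-no-flag"  # permissive for some other reason
    else
        echo "ok"
    fi
}

# Constructed sample command lines.
STOCK='console=ttyS0 androidboot.hardware=example androidboot.serialno=CONSTRUCTED'
TOGGLED="$STOCK androidboot.selinux=permissive"

echo "stock cmdline, enforcing:    $(classify "$STOCK" 1)"
echo "toggled cmdline, permissive: $(classify "$TOGGLED" 0)"
echo "toggled cmdline, enforcing:  $(classify "$TOGGLED" Enforcing)"
```

On a device, the two inputs would be the contents of `/proc/cmdline` and the output of `getenforce`, assuming the shell user on that build is allowed to read `/proc/cmdline`.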
OnePlus has responded to the existence of the vulnerability. The company has given its assurance that the vulnerability will be patched on the OnePlus 3 and the OnePlus 3T. Both devices will receive this patch as part of their next OTA update.
We appreciate the quick response from OnePlus. Here’s hoping that the next round of OTA updates arrives soon for both devices!