Buffer overflow in msm_vidc debugfs driver core_info_read and inst_info_read (CVE-2017-8244)

Release Date: 
May 1, 2017
Advisory ID: 
QCIR-2017-00035-1
Summary: 

The following security vulnerabilities have been identified:

 
CVE-2017-8244

In core_info_read and inst_info_read variable "dbg_buf", "dbg_buf->curr" and "dbg_buf->filled_size" could be modified by different threads at the same time, but they are not protected with mutex or locks. Buffer overflow is possible on race conditions. "buffer->curr" itself could also be overwritten, which means that it may point to anywhere of kernel memory (for write).

Access Vector: Local
Security Risk: Medium
Vulnerability: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition

Affected Versions:
All Android releases from CAF using the Linux kernel.

Acknowledgement: 

This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.

Revisions: 

Initial revision 

Contact: 
security-advisory@quicinc.com