Buffer overflow vulnerability in wcnss_wlan_write (CVE-2016-5342)

Release Date: 
August 29, 2016
Advisory ID: 
QCIR-2016-00030-1
Summary: 

If wcnss_wlan_write is called with more data than was originally allocated, a buffer overflow occurs. The wcnss_service which is running in user space sends a 4-byte value to wcnss platform driver and it allocates a buffer with that size.

Later wcnss_service will send calibrated data using file write function on "/dev/wcnss_wlan" device node which never exceeds the allocated size, but as "/dev/wcnss_wlan" device node is open, any entity could write on this device node and write more data which results in buffer overflow.

Access Vector: Local
Security Risk: Medium
Vulnerability: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Affected versions

All Android releases from CAF using the following heads:

  • KitKat
  • Lollipop
  • Marshmallow
Patch: 

We advise customers to apply the following patches:

 

Individual Patches

Acknowledgement: 

We thank Chiachih Wu of C0RE Team for bringing this issue to our attention.

Revisions: 

Initial revision

Contact: 
security-advisory@quicinc.com