If wcnss_wlan_write is called with more data than was originally allocated, a buffer overflow occurs. The wcnss_service which is running in user space sends a 4-byte value to wcnss platform driver and it allocates a buffer with that size.
Later wcnss_service will send calibrated data using file write function on "/dev/wcnss_wlan" device node which never exceeds the allocated size, but as "/dev/wcnss_wlan" device node is open, any entity could write on this device node and write more data which results in buffer overflow.
Access Vector: Local Security Risk: Medium Vulnerability: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')Affected versions
All Android releases from CAF using the following heads:
We advise customers to apply the following patches:
We thank Chiachih Wu of C0RE Team for bringing this issue to our attention.