Multiple Vulnerabilities In MSM QDSP6 Audio Driver Allow Kernel Memory Corruption (CVE-2016-2064, CVE-2016-2065, CVE-2016-2066)

Release Date: June 6, 2016
Advisory ID: QCIR-2016-00010-3
Summary:
CVE-2016-2064
  • The 'values' array is read in a loop using 'num_commands' as the maximum bound. However, 'num_commands' is fully controlled by user space and is not checked against the actual size of the 'values' array. This could lead to a buffer over-read.

Access Vector: Local
Security Risk: High
Vulnerability: CWE-129 (Improper Validation of Array Index)

Affected Versions:
All Android releases from CAF using the Linux kernel.

CVE-2016-2065
  • The 'updt_params' pointer is incremented in a loop and used for memory writes. However, there is no maximum-bound check on the 'updt_params' pointer, so this could lead to kernel memory corruption.

Access Vector: Local
Security Risk: High
Vulnerability: CWE-129 (Improper Validation of Array Index)

Affected Versions:
All Android releases from CAF using the Linux kernel.

CVE-2016-2066
  • The unsigned 'idx' variable is cast to a signed value before the check against the maximum bound. This allows a large value to pass the check and could lead to memory overflow.

Access Vector: Local
Security Risk: High
Vulnerability: CWE-192 (Integer Coercion Error)

Affected Versions:
All Android releases from CAF using the Linux kernel.
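The three bound-check patterns described above (the unchecked 'num_commands' loop bound, the unchecked 'updt_params' write cursor, and the signed cast of 'idx' before its bound check), as a constructed example written for this advisory rather than code from the QDSP6 driver or the CAF patch. Buffer sizes, sample data and function names are hypothetical; each function returns a value so the accepted and rejected cases can be compared.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed example, not the QDSP6 driver's code: the three check patterns
 * the advisory names, each with the missing bound enforced. Names are hypothetical. */
/* CVE-2016-2066 pattern: the unsigned index is cast to signed before the
 * max-bound check, so 0xFFFFFFFF becomes -1 and is accepted. */
static bool idx_check_broken(uint32_t idx, int max_idx)
{
    return (int)idx < max_idx;
}

/* Hardened: compare as unsigned, so a huge index is rejected. */
static bool idx_check_fixed(uint32_t idx, uint32_t max_idx)
{
    return idx < max_idx;
}

/* CVE-2016-2064 pattern: user-supplied num_commands bounds a read loop over
 * 'values'; clamp it to the array's real size. Returns the sum, or -1. */
static const uint32_t sample_values[4] = { 1, 2, 3, 4 };   /* constructed */
static int64_t read_values_fixed(uint32_t num_commands)
{
    if (num_commands > sizeof sample_values / sizeof sample_values[0])
        return -1;                            /* the missing check */
    int64_t sum = 0;
    for (uint32_t i = 0; i < num_commands; i++)
        sum += sample_values[i];
    return sum;
}

/* CVE-2016-2065 pattern: a write cursor ('updt_params') advanced in a loop
 * must be checked against the end of its buffer. Returns words written, or -1. */
static int write_params_fixed(size_t count)
{
    uint32_t dst[3] = { 0 };                    /* constructed destination */
    const uint32_t src[4] = { 10, 20, 30, 40 }; /* constructed input, count <= 4 */
    uint32_t *updt_params = dst;
    const uint32_t *end = dst + sizeof dst / sizeof dst[0];
    if (count > sizeof src / sizeof src[0])
        return -1;
    for (size_t i = 0; i < count; i++) {
        if (updt_params >= end)               /* the missing max-bound check */
            return -1;
        *updt_params++ = src[i];
    }
    return (int)(updt_params - dst);
}
```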

Patch: 

We advise customers to apply the following patches:

Individual Patches

  • https://us.codeaurora.org/cgit/quic/la/kernel/msm-3.18/commit/?id=775fca8289eff931f91ff6e8c36cf2034ba59e88

Acknowledgement:

This issue has been reported to Google by an external researcher. We thank Google for bringing this issue to our attention. We also thank Seven Shen from the Trend Micro Mobile Threat Research Team, who discovered the issue independently.

Revisions:

Initial revision

Revision 1.2 - The description field has been updated so each CVE has {Access Vector, Security Risk, Vulnerability, Affected Versions} fields.

Revision 1.3 - Update acknowledgement section.

Contact:
security-advisory@quicinc.com