The following security vulnerability has been identified in the acdb audio driver.
The acdb audio driver provides an ioctl system call interface to user space clients for communication. When processing arguments passed to the ioctl handler, a size supplied by user space determines how many bytes are copied from user space into a local stack buffer, without proper bounds checking. An application with access to the /dev/msm_acdb device file (audio or system group) can use this flaw to, for example, elevate privileges.
Security Risk: medium
Vulnerability: CWE-121 (stack-based buffer overflow)
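The unchecked copy described above next to its bounds-checked form, as an added user-space model in C that is not the acdb driver's code or the patch referenced in this advisory. The request layout (4-byte length followed by payload), the 64-byte buffer and all function names are assumptions, and memcpy stands in for copy_from_user().

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOCAL_BUF_LEN 64 /* assumed size of the handler's stack buffer */

/* Pattern from the advisory: the caller's size drives the copy unchecked. */
long handler_unchecked(const uint8_t *uarg)
{
    uint8_t data[LOCAL_BUF_LEN];
    uint32_t size;

    memcpy(&size, uarg, sizeof(size));       /* read caller-supplied length */
    memcpy(data, uarg + sizeof(size), size); /* overruns data[] if size > 64 */
    return size ? data[size - 1] : 0;
}

/* Hardened form: validate the size against the destination before copying.
 * size stays unsigned so a negative value cannot pass the comparison. */
long handler_checked(const uint8_t *uarg)
{
    uint8_t data[LOCAL_BUF_LEN];
    uint32_t size;

    memcpy(&size, uarg, sizeof(size));
    if (size > sizeof(data))
        return -EINVAL;                      /* reject before touching data[] */
    memcpy(data, uarg + sizeof(size), size);
    return size ? data[size - 1] : 0;
}

/* Constructed request: 4-byte declared length, then payload bytes of 0x41. */
long run_checked(uint32_t declared)
{
    uint8_t req[sizeof(uint32_t) + LOCAL_BUF_LEN];

    memset(req, 0x41, sizeof(req));
    memcpy(req, &declared, sizeof(declared));
    return handler_checked(req);
}

int main(void)
{
    printf("in range: %ld, oversized: %ld\n", run_checked(16), run_checked(4096));
    return 0;
}
```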
All Android releases from CAF using the Linux kernel from the following heads:
We advise customers to apply the following patch:
- releases that use sound/soc/msm/qdsp6v2/audio_acdb.c
- releases that use arch/arm/mach-msm/qdsp6v2/audio_acdb.c
This issue was first disclosed by @fi01_IS01 in a public exploit. Qualcomm Innovation Center, Inc. (QuIC) additionally thanks Xuxian Jiang for reporting the issue and working with QuIC to help improve Android device security. He independently discovered this vulnerability.