Possible kernel information leak in QPNP Flash LED driver debugfs function (CVE-2016-10295)

Release Date: 
May 1, 2017
Advisory ID: 
QCIR-2017-00032-1
Summary: 

The following security vulnerabilities have been identified:

 
CVE-2016-10295

There is a possible race condition when debugfs files are concurrently accessed by multiple threads and shared file pointer may lead to improper data retrieval and hence possible kernel data leak.

Access Vector: Local
Security Risk: Medium
Vulnerability: CWE-200 Information Exposure

Affected Versions:
All Android releases from CAF using the Linux kernel.

Patch: 

We advise customers to apply the following patches:

Individual Patches

CVE-2016-10295:

Acknowledgement: 

This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention. 

Revisions: 

Initial revision

Contact: 
security-advisory@quicinc.com