The following security vulnerability has been identified in the framebuffer driver.
The framebuffer driver provides an mmap system call interface in order to map physical framebuffer memory into user space. The bounds check applied to the memory range requested by a user space application adds the user-supplied mapping offset to the requested mapping length and compares the sum against the size of the framebuffer. Both operands are under user control, so the addition can overflow, and a wrapped sum passes the check for offsets that lie far outside the framebuffer. This allows an application with access to the framebuffer device file to map physical memory outside the framebuffer's memory into user space and therefore use this flaw to, for example, escalate privileges.
Security Risk: high
Vulnerability: integer overflow (CWE-190)
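The following is an added example, not code from this advisory, from CAF or from the Linux kernel: a user-space model of the range check in the framebuffer mmap handler. It models a 32-bit kernel (unsigned long is 32 bits wide); the framebuffer address, its size and the target page are constructed values. fb_mmap_vulnerable() mirrors the open-coded comparison whose addition wraps, and fb_mmap_fixed() performs the comparison in pages so that neither the shift nor the sum can overflow, the same shape of check as the kernel's vm_iomap_memory() helper.

```c
/*
 * Added example (not from the advisory, CAF or the Linux kernel): a
 * user-space model of the framebuffer mmap range check. 'kulong' models
 * the 32-bit 'unsigned long' of a 32-bit ARM kernel; FB_SMEM_START,
 * FB_SMEM_LEN and the target page in main() are constructed values.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define EINVAL 22

typedef uint32_t kulong;                 /* modelled 32-bit unsigned long */

#define PAGE_SHIFT 12
#define PAGE_SIZE  ((kulong)1 << PAGE_SHIFT)
#define PAGE_MASK  ((kulong)~(PAGE_SIZE - 1))
#define PAGE_ALIGN(x) (((kulong)(x) + PAGE_SIZE - 1) & PAGE_MASK)

/* Constructed framebuffer: 8 MiB of physical memory at 0x8b000000. */
#define FB_SMEM_START ((kulong)0x8b000000)
#define FB_SMEM_LEN   ((kulong)0x00800000)

struct map_result {
    int    ret;        /* 0 on success, -EINVAL when the request is rejected */
    kulong phys_pgoff; /* physical page number the VMA ends up pointing at */
};

/*
 * Vulnerable form. 'pgoff' is the page offset passed to mmap(2), 'size' the
 * requested mapping length; both are user controlled. The sum size + off is
 * computed in the 32-bit unsigned long and wraps, so it compares as small.
 */
struct map_result fb_mmap_vulnerable(kulong pgoff, kulong size)
{
    struct map_result r = { -EINVAL, 0 };
    kulong off   = pgoff << PAGE_SHIFT;
    kulong start = FB_SMEM_START & PAGE_MASK;
    kulong len   = PAGE_ALIGN((FB_SMEM_START & ~PAGE_MASK) + FB_SMEM_LEN);

    if ((kulong)(size + off) > len)      /* wrapped sum passes the check */
        return r;
    off = (kulong)(off + start);         /* wraps again onto the chosen page */
    r.ret = 0;
    r.phys_pgoff = off >> PAGE_SHIFT;
    return r;
}

/*
 * Hardened form: compare in pages, as vm_iomap_memory() does, so that no
 * shift or addition of user-controlled values happens before the decision.
 */
struct map_result fb_mmap_fixed(kulong pgoff, kulong size)
{
    struct map_result r = { -EINVAL, 0 };
    kulong start     = FB_SMEM_START & PAGE_MASK;
    kulong len       = PAGE_ALIGN((FB_SMEM_START & ~PAGE_MASK) + FB_SMEM_LEN);
    kulong pages     = len  >> PAGE_SHIFT;   /* framebuffer size in pages */
    kulong vma_pages = size >> PAGE_SHIFT;   /* mapping size in pages (size is page aligned) */

    if (pgoff > pages || vma_pages > pages - pages + pages - pgoff)
        return r;
    r.ret = 0;
    r.phys_pgoff = (start >> PAGE_SHIFT) + pgoff;   /* at most start + len: no wrap here */
    return r;
}

/* Whether a physical page number lies inside the constructed framebuffer. */
int page_in_framebuffer(kulong phys_pgoff)
{
    kulong first = FB_SMEM_START >> PAGE_SHIFT;
    kulong last  = (FB_SMEM_START + FB_SMEM_LEN - 1) >> PAGE_SHIFT;
    return phys_pgoff >= first && phys_pgoff <= last;
}

/*
 * Build a request whose wrapped sum the vulnerable check accepts while
 * off + start lands on 'target' (a page-aligned physical address).
 */
void wrapping_request(kulong target, kulong *pgoff, kulong *size)
{
    kulong start = FB_SMEM_START & PAGE_MASK;
    kulong off   = (kulong)(target - start);     /* off + start wraps to target */
    *pgoff = off >> PAGE_SHIFT;
    *size  = (kulong)(0 - off + PAGE_SIZE);      /* size + off wraps to one page */
}

/* 1 if the vulnerable check accepts the request for 'target' and maps outside the framebuffer. */
int vulnerable_maps_outside(kulong target)
{
    kulong pgoff, size;
    wrapping_request(target, &pgoff, &size);
    struct map_result r = fb_mmap_vulnerable(pgoff, size);
    return r.ret == 0 && !page_in_framebuffer(r.phys_pgoff);
}

/* 1 if the hardened check rejects the same request. */
int fixed_rejects(kulong target)
{
    kulong pgoff, size;
    wrapping_request(target, &pgoff, &size);
    return fb_mmap_fixed(pgoff, size).ret == -EINVAL;
}

int main(void)
{
    kulong target = 0x80208000;   /* constructed page outside the framebuffer */
    kulong pgoff, size;
    wrapping_request(target, &pgoff, &size);
    struct map_result v = fb_mmap_vulnerable(pgoff, size);
    printf("vulnerable: ret=%d phys page 0x%" PRIx32 " inside fb=%d\n",
           v.ret, v.phys_pgoff, page_in_framebuffer(v.phys_pgoff));
    printf("fixed:      ret=%d\n", fb_mmap_fixed(pgoff, size).ret);
    return 0;
}
```

The ordinary request (small offset, small length) is accepted by both variants and yields the same framebuffer page; only the wrapping request differs, which is what a regression test for the patched branches should exercise.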
Affected releases: all Android releases from CAF using the Linux kernel from the following heads:
This issue originates from a code copy based on fbmem.c in the mainline Linux kernel. Third parties making use of this code are encouraged to apply the fixes in:
We advise customers to apply the following patches for individual branches.
- msm-3*/jb*/ics* releases that use drivers/video/msm/mdss/mdss_fb.c (B-family):
- gb*/ics* releases that use drivers/video/msm/msm_fb.c (A-family):
- msm-3*/jb* releases that use drivers/video/msm/msm_fb.c (A-family):
This vulnerability was disclosed by Dan Rosenberg as part of the "motochopper" exploit.