Integer overflow in range check when mapping framebuffer memory (CVE-2013-2596)

Release Date: 
July 8, 2013
Advisory ID: 

The following security vulnerability has been identified in the framebuffer driver.

The framebuffer driver provides an mmap system call interface in order to map physical framebuffer memory to user space. When checking the memory range requested by a user space application to gain access to framebuffer memory, an integer overflow can occur. This allows an application with access to the framebuffer device file to map physical memory outside the framebuffer's memory into user space and therefore use this flaw to, e.g., escalate privileges.

AccessVector: local
Security Risk: high
Vulnerability: integer overflow (CWE-190)

Affected versions:
All Android releases from CAF using the Linux kernel from the following heads:

  • msm-3.4
  • msm-3.0
  • jb_*
  • ics_*
  • gingerbread_*

This issue is originating from a code copy based on fbmem.c in the mainline Linux kernel. Third-parties making use of this code are encouraged to apply the fixes in:


We advise customers to apply the following patches for individual branches.

Individual Patches


This vulnerability has been disclosed by Dan Rosenberg as part of the "motochopper" exploit.


Initial revision