LK - Improper partition bounds checking when flashing sparse images (CVE-2015-0567)

Release Date: May 12, 2015
Advisory ID: QCIR-2015-00002-1
Summary:

The following security vulnerability has been identified in the implementation of the Little Kernel (LK) bootloader.

CVE-2015-0567:
The Little Kernel (LK) application bootloader does not ensure that write operations stay within partition boundaries when flashing sparse images via fastboot. This is possible because certain sparse chunk types allow the write destination offset to be advanced past the partition boundary. This undermines any additional custom image verification that the bootloader performs on top of the fastboot flash command for certain partition names but not for others. The result can be boot failures or the possibility of bypassing such verification routines.
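The following is an added example of the check the advisory says is missing; it is written for this page and is neither LK's own code nor the CAF fix. It assumes the publicly documented Android sparse image layout (28-byte file header, 12-byte chunk header, little-endian fields, the RAW/FILL/DONT_CARE/CRC32 chunk types); the function names, the result codes and the sample image are constructed for the example. The validator walks every chunk before anything is written and tracks the partition offset each chunk would produce, so a DONT_CARE chunk that only moves the offset is subject to the same partition-size check as a chunk that carries data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Android sparse format constants: 28-byte file header, 12-byte chunk header,
 * little-endian fields, four chunk types (layout of the public libsparse format). */
#define SPARSE_HEADER_MAGIC  0xed26ff3aU
#define CHUNK_TYPE_RAW       0xCAC1
#define CHUNK_TYPE_FILL      0xCAC2
#define CHUNK_TYPE_DONT_CARE 0xCAC3
#define CHUNK_TYPE_CRC32     0xCAC4
#define SAMPLE_BLK_SZ        4096   /* block size of the constructed sample */

/* Result codes; the names are this example's own, not LK's. */
enum sparse_check { SPARSE_OK = 0, SPARSE_ERR_HEADER, SPARSE_ERR_CHUNK_HEADER,
                    SPARSE_ERR_IMAGE_TRUNCATED, SPARSE_ERR_PARTITION_OVERFLOW, SPARSE_ERR_BLOCK_COUNT };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Walk every chunk, tracking the partition offset it would write to, and reject
 * the image before any write if a chunk of any type (DONT_CARE included, which
 * only moves the offset) would carry the destination past partition_size.
 * All arithmetic is 64-bit so a huge chunk_sz cannot wrap the comparison. */
enum sparse_check sparse_check_bounds(const uint8_t *img, size_t img_len, uint64_t partition_size)
{
    if (img_len < 28 || rd32(img) != SPARSE_HEADER_MAGIC) return SPARSE_ERR_HEADER;
    uint32_t file_hdr_sz  = rd16(img + 8);
    uint32_t chunk_hdr_sz = rd16(img + 10);
    uint32_t blk_sz       = rd32(img + 12);
    uint32_t total_blks   = rd32(img + 16);
    uint32_t total_chunks = rd32(img + 20);
    if (file_hdr_sz < 28 || chunk_hdr_sz < 12 || blk_sz == 0 || blk_sz % 4) return SPARSE_ERR_HEADER;
    if (file_hdr_sz > img_len) return SPARSE_ERR_IMAGE_TRUNCATED;

    uint64_t off = file_hdr_sz;  /* read position in the image */
    uint64_t write_off = 0;      /* write position in the partition */
    uint64_t blocks_seen = 0;
    for (uint32_t i = 0; i < total_chunks; i++) {
        if (off + chunk_hdr_sz > img_len) return SPARSE_ERR_IMAGE_TRUNCATED;
        const uint8_t *ch = img + off;
        uint16_t type     = rd16(ch);
        uint32_t chunk_sz = rd32(ch + 4);  /* chunk length in blocks */
        uint32_t total_sz = rd32(ch + 8);  /* header + payload, in bytes */
        if (total_sz < chunk_hdr_sz) return SPARSE_ERR_CHUNK_HEADER;
        uint64_t payload  = total_sz - chunk_hdr_sz;
        uint64_t data_len = (uint64_t)chunk_sz * blk_sz;  /* bytes covered in the partition */

        /* Payload length must match what the chunk type implies. */
        switch (type) {
        case CHUNK_TYPE_RAW:       if (payload != data_len) return SPARSE_ERR_CHUNK_HEADER; break;
        case CHUNK_TYPE_FILL:      if (payload != 4)        return SPARSE_ERR_CHUNK_HEADER; break;
        case CHUNK_TYPE_DONT_CARE: if (payload != 0)        return SPARSE_ERR_CHUNK_HEADER; break;
        case CHUNK_TYPE_CRC32:     if (payload != 4 || chunk_sz != 0) return SPARSE_ERR_CHUNK_HEADER; break;
        default:                   return SPARSE_ERR_CHUNK_HEADER;
        }
        if (off + total_sz > img_len) return SPARSE_ERR_IMAGE_TRUNCATED;

        /* The partition-bounds check the advisory describes as missing, applied to
         * every chunk type rather than only to those that carry data. */
        if (write_off + data_len > partition_size) return SPARSE_ERR_PARTITION_OVERFLOW;
        write_off   += data_len;
        blocks_seen += chunk_sz;
        if (blocks_seen > total_blks) return SPARSE_ERR_BLOCK_COUNT;
        off += total_sz;
    }
    return SPARSE_OK;
}

/* Constructed sample image (not a real one): a DONT_CARE chunk skipping
 * skip_blocks blocks, then one RAW block of filler bytes. */
size_t build_sample_image(uint8_t *out, size_t cap, uint32_t blk_sz, uint32_t skip_blocks)
{
    size_t need = 28 + 12 + 12 + blk_sz;
    if (cap < need) return 0;
    memset(out, 0, need);
    wr32(out, SPARSE_HEADER_MAGIC);
    wr16(out + 4, 1);  wr16(out + 6, 0);    /* major_version, minor_version */
    wr16(out + 8, 28); wr16(out + 10, 12);  /* file_hdr_sz, chunk_hdr_sz */
    wr32(out + 12, blk_sz);
    wr32(out + 16, skip_blocks + 1);        /* total_blks */
    wr32(out + 20, 2);                      /* total_chunks */
    wr16(out + 28, CHUNK_TYPE_DONT_CARE); wr32(out + 32, skip_blocks); wr32(out + 36, 12);
    wr16(out + 40, CHUNK_TYPE_RAW);       wr32(out + 44, 1);           wr32(out + 48, 12 + blk_sz);
    memset(out + 52, 0xA5, blk_sz);
    return need;
}

/* Validate the sample against a partition of partition_size bytes; a non-zero
 * truncate_to shortens the image to mimic a cut-off transfer. */
enum sparse_check check_sample(uint32_t skip_blocks, uint64_t partition_size, size_t truncate_to)
{
    static uint8_t buf[28 + 12 + 12 + SAMPLE_BLK_SZ];
    size_t len = build_sample_image(buf, sizeof buf, SAMPLE_BLK_SZ, skip_blocks);
    if (truncate_to && truncate_to < len) len = truncate_to;
    return sparse_check_bounds(buf, len, partition_size);
}
```

With a 16-block partition, `check_sample(15, 16 * SAMPLE_BLK_SZ, 0)` passes because the skipped blocks plus the one RAW block end exactly at the partition boundary, while `check_sample(16, ...)` is rejected because the DONT_CARE chunk alone already consumes the whole partition and the RAW block would land beyond it. Two design points matter for the advisory's scenario: the limit compared against must be the partition size from the device's partition table, not the image's own `total_blks` field, and the check must run for every partition name regardless of whether extra image verification is applied to it.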

Access Vector: local
Security Risk: high
Vulnerability: CWE-20 (improper input validation)

Affected versions:
All active branches of Little Kernel on CAF are affected.

Acknowledgement: 

Qualcomm Innovation Center, Inc. (QuIC) thanks Lee Harrison and Michael Contreras for reporting the related issues and working with QuIC to help improve Android device security.

Revisions: 

Initial revision

Contact: security-advisory@quicinc.com