LK - insufficient verification of tag_addr when loading device tree (CVE-2014-0974)

Release Date: July 23, 2014
Affected Projects:
Advisory ID: CVE-2014-0974
Summary:

The following security vulnerability has been identified in the implementation of the Little Kernel (LK) bootloader.

CVE-2014-0974:
When processing a boot image, under certain conditions LK will use a non-validated tag_addr as the target address for loading the device tree. Under such conditions a memory copy operation is executed using data from the image for the destination address, the data, and the length, which results in an arbitrary memory write. The ability to upload an arbitrary image to the phone and start its boot process is a requirement for the exploitation of this vulnerability.

Access Vector: local
Security Risk: medium
Vulnerability: CWE-20 (improper input validation)
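The check that is missing in the vulnerable path, shown as an added example rather than LK's code or the CAF patch: a hypothetical load routine that validates both the image-supplied destination (tag_addr) and the blob length before the memcpy, using overflow-safe range arithmetic so a huge length cannot wrap past the end of the permitted window. The window bounds, the dt_entry layout and the sample image are constructed placeholders.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed memory map (placeholder, not LK's): the only window into which
 * a boot image may ask for the device tree to be copied. */
#define DT_WINDOW_BASE 0x10000000u
#define DT_WINDOW_SIZE 0x1000u
static uint8_t dt_window[DT_WINDOW_SIZE];   /* stands in for that RAM */

/* Hypothetical image header fields; all three come from the image. */
struct dt_entry {
    uint32_t tag_addr;   /* requested destination address */
    uint32_t offset;     /* where the DT blob starts inside the image */
    uint32_t size;       /* length of the DT blob */
};

/* True iff [addr, addr+len) lies inside [base, base+size) without wrapping. */
static bool range_within(uint32_t addr, uint32_t len, uint32_t base, uint32_t size)
{
    if (len == 0 || addr < base || addr >= base + size)
        return false;
    /* Compare against the space left rather than computing addr + len,
     * which a large len would wrap to a small, apparently valid end. */
    return len <= (base + size) - addr;
}

/* Returns 0 on success, -1 if an image-supplied field is rejected. The
 * vulnerable variant is the same memcpy with neither check in front of it. */
int load_device_tree(const uint8_t *image, uint32_t image_len, const struct dt_entry *e)
{
    /* destination: tag_addr and length must stay inside the window */
    if (!range_within(e->tag_addr, e->size, DT_WINDOW_BASE, DT_WINDOW_SIZE))
        return -1;
    /* source: the blob must lie inside the image actually received */
    if (!range_within(e->offset, e->size, 0, image_len))
        return -1;
    memcpy(dt_window + (e->tag_addr - DT_WINDOW_BASE), image + e->offset, e->size);
    return 0;
}

/* Constructed 32-byte image: 16-byte header, then a 16-byte DT blob. */
static uint8_t sample_image[32] = { [16] = 0xd0, 0x0d, 0xfe, 0xed };
uint8_t window_byte(uint32_t off) { return dt_window[off]; }

int demo_valid(void)       { struct dt_entry e = { DT_WINDOW_BASE + 0x100, 16, 16 };          return load_device_tree(sample_image, sizeof sample_image, &e); }
int demo_bad_addr(void)    { struct dt_entry e = { 0x00000000u, 16, 16 };                     return load_device_tree(sample_image, sizeof sample_image, &e); }
int demo_wrap_len(void)    { struct dt_entry e = { DT_WINDOW_BASE + 0x100, 16, 0xFFFFFF00u }; return load_device_tree(sample_image, sizeof sample_image, &e); }
int demo_src_overrun(void) { struct dt_entry e = { DT_WINDOW_BASE, 16, 1000 };                return load_device_tree(sample_image, sizeof sample_image, &e); }
```

demo_wrap_len is the case a naive `tag_addr + size <= end` test would accept, because the 32-bit sum wraps back inside the window.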

Affected versions:
All active branches of the Little Kernel on CAF are affected.

Patch: 

We advise customers to apply the following patch:
https://www.codeaurora.org/cgit/quic/la/kernel/lk/commit/?h=master&id=5e...

Acknowledgement: 

Qualcomm Innovation Center, Inc. (QuIC) thanks Lee Harrison and Kang Li for reporting the related issues and working with QuIC to help improve Android device security.

Revisions: 

Initial revision

Contact: security-advisory@quicinc.com