Loading of image data to memory locations based on untrusted header data in LK bootloader (CVE-2013-2598)

Release Date: September 6, 2013
Advisory ID: QCIR-2013-00007-1
Summary:

The following security vulnerability has been identified in the implementation of the Little Kernel (LK) bootloader for Android.

CVE-2013-2598:
The LK implementation performs the basic tasks needed to start an operating system on the application processor. As part of that, it reads the Linux kernel and ramdisk from a boot or recovery image, loads them into RAM at the addresses given in the image header, performs signature verification, and finally boots. Because the header values that determine the load destination of the image were implicitly treated as trusted, it was possible to load the image to arbitrary locations, including the memory of the LK application bootloader itself, and thus overwrite, e.g., the signature verification code.

Access Vector: local
Security Risk: critical
Vulnerability: improper input validation (CWE-20)
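One way to close this bug, shown here as an added example written for this advisory and not code from LK or CAF: validate the header-supplied load ranges against a memory map before any image data is copied. The boot image header layout, the address constants, and the function names `load_range_ok`, `validate_boot_header` and `check_load_addrs` are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Android boot image header (v0 layout, assumed for this example); the *_addr
 * fields come straight from the image and are therefore attacker-controlled. */
struct boot_img_hdr {
    uint8_t  magic[8];                          /* "ANDROID!" */
    uint32_t kernel_size,  kernel_addr;
    uint32_t ramdisk_size, ramdisk_addr;
    uint32_t second_size,  second_addr, tags_addr, page_size;
};

/* Constructed memory map (sample values, not any real device's): the RAM
 * window images may land in, and the part of it the bootloader occupies. */
#define RAM_BASE 0x80000000u
#define RAM_END  0xA0000000u   /* exclusive */
#define LK_BASE  0x8F600000u
#define LK_END   0x8F700000u   /* exclusive */

/* True if [addr, addr+size) lies inside RAM without 32-bit wrap-around and
 * does not touch the bootloader's own memory. */
static bool load_range_ok(uint32_t addr, uint32_t size)
{
    if (addr < RAM_BASE || addr >= RAM_END) return false;
    if (size > RAM_END - addr) return false;            /* also rejects wrap-around */
    return !(addr < LK_END && addr + size > LK_BASE);   /* overlap with LK => reject */
}

/* Check header-supplied load targets BEFORE any image data is copied: the copy
 * itself is the overwrite, so checking at signature-verification time is too
 * late. Returns 0 if safe, otherwise a negative code naming the failure. */
int validate_boot_header(const struct boot_img_hdr *hdr)
{
    if (memcmp(hdr->magic, "ANDROID!", 8) != 0) return -1;
    if (hdr->kernel_size == 0) return -2;
    if (!load_range_ok(hdr->kernel_addr, hdr->kernel_size)) return -3;
    if (hdr->ramdisk_size && !load_range_ok(hdr->ramdisk_addr, hdr->ramdisk_size))
        return -4;
    return 0;
}

/* Wrapper for the checks: builds a header from the four fields that matter here. */
int check_load_addrs(uint32_t kaddr, uint32_t ksize, uint32_t raddr, uint32_t rsize)
{
    struct boot_img_hdr hdr = { .kernel_size = ksize, .kernel_addr = kaddr,
                                .ramdisk_size = rsize, .ramdisk_addr = raddr };
    memcpy(hdr.magic, "ANDROID!", 8);
    return validate_boot_header(&hdr);
}
```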

Affected versions:
All Little Kernel (LK) bootloader implementations on CAF from the following heads:

  • master
  • jb*
  • ics*

Acknowledgement:

This vulnerability has been disclosed by Dan Rosenberg via a post in the Azimuth Security blog.

Revisions:

Initial revision

Contact: security-advisory@quicinc.com