Memory corruption in multiple camera drivers (CVE-2014-4321, CVE-2014-4324, CVE-2014-0975, CVE-2014-0976, CVE-2014-9409)

Release Date: February 18, 2015
Advisory ID: QCIR-2015-00001-1
Summary:

The following security vulnerabilities have been identified in the QuIC-authored camera drivers.

CVE-2014-4321:
The MSM-ISP driver provides an ioctl system call interface to user space clients for communication. When processing this communication, the msm_isp_send_hw_cmd function uses the user-supplied values reg_offset, cmd_data_offset, and len as indices and lengths for read and write operations without boundary checks, making it possible for any local application with camera group privileges to, e.g., escalate privileges.

Access Vector: local
Security Risk: medium
Vulnerability: CWE-823 (Use of Out-of-range Pointer Offset)

CVE-2014-4324:
The MSM-ISP driver provides an ioctl system call interface to user space clients for communication. When processing this communication, the msm_isp_send_hw_cmd function implements range checks around the user-supplied values reg_offset, cmd_data_offset, and len, but fails to correctly check for integer overflow conditions during the respective arithmetic operations, making it possible for any local application with camera group privileges to, e.g., escalate privileges.

Access Vector: local
Security Risk: medium
Vulnerability: CWE-190 (Integer overflow or wraparound)
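
The two MSM-ISP findings above share one pattern: offsets and a length taken from an ioctl argument are compared against buffer bounds, and the comparison itself can wrap. The following is an added illustration, not the driver's own code: a constructed command structure and buffer sizes, a bounds check written as `offset + len > size` that wraps in 32-bit arithmetic, and the subtraction-based form that cannot overflow.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the ioctl command fields named in the advisory;
 * the real driver structure and sizes are not reproduced here. */
struct hw_cmd {
    uint32_t reg_offset;      /* offset into the register window */
    uint32_t cmd_data_offset; /* offset into the command data buffer */
    uint32_t len;             /* number of bytes to read or write */
};

#define REG_WINDOW_LEN 0x1000u /* assumed register window size */
#define CMD_DATA_LEN   0x100u  /* assumed command data buffer size */

/* A range check with the defect described for CVE-2014-4324: every bound is
 * compared, but offset + len is computed in 32 bits and can wrap to a small
 * value, so an out-of-range offset passes. */
bool check_wrapping(const struct hw_cmd *c)
{
    if (c->reg_offset + c->len > REG_WINDOW_LEN)
        return false;
    if (c->cmd_data_offset + c->len > CMD_DATA_LEN)
        return false;
    return true;
}

/* Hardened form: bound len first, then compare each offset against
 * (size - len), which never overflows once len <= size is known. */
bool check_hardened(const struct hw_cmd *c)
{
    if (c->len == 0 || c->len > REG_WINDOW_LEN || c->len > CMD_DATA_LEN)
        return false;
    if (c->reg_offset > REG_WINDOW_LEN - c->len)
        return false;
    if (c->cmd_data_offset > CMD_DATA_LEN - c->len)
        return false;
    return true;
}

int main(void)
{
    /* Constructed inputs: a benign command, and one whose sum wraps to 0x10. */
    struct hw_cmd good = { 0x10, 0x00, 0x20 };
    struct hw_cmd wrap = { 0xFFFFFFF0u, 0x00, 0x20 };
    printf("good: wrapping=%d hardened=%d\n", check_wrapping(&good), check_hardened(&good));
    printf("wrap: wrapping=%d hardened=%d\n", check_wrapping(&wrap), check_hardened(&wrap));
    return 0;
}
```

The wrapping check accepts the second command because 0xFFFFFFF0 + 0x20 is 0x10 in uint32_t arithmetic; the hardened check rejects it.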

CVE-2014-0975:
The MSM-CSID driver provides an ioctl system call interface to user space clients for communication. When processing this communication, the msm_csid_lut function uses the user-supplied value cid as an index into a buffer for read and write operations without any boundary checks, making it possible for any local application with camera group privileges to, e.g., escalate privileges.

Access Vector: local
Security Risk: medium
Vulnerability: CWE-823 (Use of Out-of-range Pointer Offset)

CVE-2014-0976:
The MSM-ISPIF driver provides an ioctl system call interface to user space clients for communication. When processing this communication, the msm_ispif_config function uses the user-supplied value vfe_intf as an index to a buffer for write operations with incomplete boundary checks, making it possible for any local application with camera group privileges to, e.g., escalate privileges.

Access Vector: local
Security Risk: medium
Vulnerability: CWE-823 (Use of Out-of-range Pointer Offset)

CVE-2014-9409:
The MSM-ISP driver provides an ioctl system call interface to user space clients for communication. When processing this communication, the msm_isp_send_hw_cmd function allocates a buffer with a user-supplied length. When executing the SET_UB_POLICY command, this buffer is expected to be at least four bytes long but this is never validated, thereby triggering a buffer over-read when it is dereferenced. When executing the CFG_MASK command, the offset is incorrectly checked when reading from the buffer. Both of these vulnerabilities leak back three bytes of kernel heap data to the user, making it possible for an attacker to bypass mitigations such as stack cookies.

Access Vector: local
Security Risk: low
Vulnerability: CWE-126 (Buffer Over-read)

Affected versions:
All Android releases from CAF using the Linux kernel.

Acknowledgement:

Qualcomm Innovation Center, Inc. (QuIC) thanks nforest, wushi, Wen Xu and Liang Chen of Keen Team for reporting the related issues and working with QuIC to help improve Android device security.

Revisions:

Initial revision

Contact: security-advisory@quicinc.com