Multiple Issues in Camera Drivers (CVE-2014-9410, CVE-2015-0568)

Release Date: August 21, 2015
Advisory ID: QCIR-2015-00003-1
Summary: 

The following security vulnerabilities have been identified in the QuIC-authored camera drivers.

CVE-2014-9410:
The MSM-VFE31 driver provides an ioctl system call interface to user space clients for communication. When processing this communication, the vfe31_proc_general function uses the user-supplied value cmd->id as an index to a buffer for read and write operations without any boundary checks.

Access Vector: local
Security Risk: high
Vulnerability: CWE-129 (Improper Validation of Array Index)

CVE-2015-0568:
The MSM-Camera driver provides an ioctl system call interface to user space clients for communication. When processing this communication, the msm_set_crop function frees a previously allocated buffer when an error is encountered while attempting to copy data from user space. The error handling neglects to mark the buffer as freed, leading to a use-after-free vulnerability when the buffer is used again in subsequent ioctl calls.

Access Vector: local
Security Risk: high
Vulnerability: CWE-416 (Use After Free)
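
The two defensive patterns these descriptions call for, shown as an added user-space model in C; this is not the driver source or the QuIC patch. The names `proc_general_checked`, `set_crop_checked`, `struct session`, `copy_in` and the table contents are hypothetical, and `malloc`/`free`/`memcpy` stand in for the kernel's `kmalloc`/`kfree`/`copy_from_user`.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CMD_TABLE_LEN 4  /* constructed table size, not the driver's */
static const uint32_t cmd_len[CMD_TABLE_LEN] = { 8, 16, 32, 64 };

/* CWE-129 pattern: validate the caller-supplied id before indexing. */
int proc_general_checked(uint32_t id, uint32_t *len_out)
{
    if (id >= CMD_TABLE_LEN)
        return -EINVAL;
    *len_out = cmd_len[id];
    return 0;
}

struct session { void *crop; size_t crop_len; };

/* Stand-in for copy_from_user(): a NULL source models a faulting copy. */
static int copy_in(void *dst, const void *src, size_t n)
{
    if (!src)
        return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

/* CWE-416 pattern: the error path frees the buffer and also clears the
 * pointer and length, so a later call sees "no buffer", not stale memory. */
int set_crop_checked(struct session *s, const void *user, size_t len)
{
    if (len == 0)
        return -EINVAL;
    if (!s->crop || s->crop_len != len) {
        free(s->crop);               /* free(NULL) is a no-op */
        s->crop_len = 0;
        s->crop = malloc(len);
        if (!s->crop)
            return -ENOMEM;
        s->crop_len = len;
    }
    if (copy_in(s->crop, user, len)) {
        free(s->crop);
        s->crop = NULL;              /* mark the buffer as freed */
        s->crop_len = 0;
        return -EFAULT;
    }
    return 0;
}
```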

Affected versions:
All Android releases from CAF using the Linux kernel.

Acknowledgement: 

Qualcomm Innovation Center, Inc. (QuIC) thanks Chiachih Wu, Yanfeng Wang, Jianqiang Zhao, Yuan-Tsung Lo, Xuxian Jiang of C0RE Team for reporting the related issues in CVE-2015-0568 and working with QuIC to help improve Android device security.

Qualcomm Innovation Center, Inc. (QuIC) thanks nforest, wushi, Wen Xu and Liang Chen of Keen Team for reporting the related issues in CVE-2014-9410 and working with QuIC to help improve Android device security.

Revisions: 

Initial revision

Contact: security-advisory@quicinc.com