Multiple issues in DIAG/KGSL system call handling (CVE-2012-4220, CVE-2012-4221, CVE-2012-4222)

Advisory ID: QCIR-2012-00001-1
Release Date: November 15, 2012
Summary:

Multiple security vulnerabilities have been discovered in the handling of the diagchar_ioctl() and kgsl_ioctl() system call parameters for the diagnostics (DIAG) and KGSL graphics kernel drivers for Android.

CVE-2012-4220:
When processing DIAG ioctl system call parameters, several untrusted pointers from user space are dereferenced and used for further computations without verification. A locally installed application can use this flaw to conduct denial of service (DoS) attacks or execute arbitrary code in kernel context.

Access Vector: local
Security Risk: high
Vulnerability: untrusted pointer dereference (CWE-822)

CVE-2012-4221:
Several integer overflows in the processing of DIAG ioctl system call parameters allow a locally installed application to conduct denial of service (DoS) attacks or possibly execute arbitrary code in kernel context.

Access Vector: local
Security Risk: high
Vulnerability: integer overflow to buffer overflow (CWE-680)

CVE-2012-4222:
The KGSL graphics driver did not properly check command values passed to its ioctl system call handler. This can lead to a subsequent NULL pointer dereference. A locally installed application can use this to conduct denial of service attacks (device crash).

Access Vector: local
Security Risk: medium
Vulnerability: null pointer dereference (CWE-476)
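
Added illustration, not code from the DIAG/KGSL drivers or from Qualcomm: a user-space C model of the three defect classes above (CWE-822, CWE-680, CWE-476) next to the checks a hardened ioctl handler applies. The struct layout, field names, size cap and handler table are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical ioctl argument header (constructed; not the real DIAG layout). */
struct diag_req {
    uint32_t count;      /* entries the caller claims follow the header */
    uint32_t entry_size; /* size of each entry in bytes */
};

#define MAX_REQ_BYTES (64u * 1024u)  /* hypothetical driver-wide cap */

/* CWE-822: the kernel must copy the fixed-size header into kernel memory
 * (copy_from_user in a real driver) instead of dereferencing the user pointer. */
static int parse_request(const void *user_ptr, size_t user_len, struct diag_req *kreq)
{
    if (user_ptr == NULL || user_len < sizeof(*kreq))
        return -1;                       /* -EFAULT / -EINVAL in a real driver */
    memcpy(kreq, user_ptr, sizeof(*kreq));
    return 0;
}

/* CWE-680 as written in an unhardened handler: the 32-bit product can wrap,
 * yielding a small allocation that is later filled with a large copy. */
static uint32_t unsafe_total(const struct diag_req *r)
{
    return r->count * r->entry_size;
}

/* Hardened form: reject unless the product fits without wrapping and stays under the cap. */
static int checked_total(const struct diag_req *r, size_t *out)
{
    if (r->count == 0 || r->entry_size == 0 || r->count > MAX_REQ_BYTES / r->entry_size)
        return -1;
    *out = (size_t)r->count * r->entry_size;
    return 0;
}

/* CWE-476: command values index a sparse table; unimplemented slots are NULL. */
typedef int (*ioctl_fn)(const struct diag_req *);
static int cmd_probe(const struct diag_req *r) { (void)r; return 1; }
static const ioctl_fn handlers[] = { cmd_probe, NULL, NULL, NULL };

/* Hardened dispatch: range-check cmd and refuse NULL slots rather than calling through them. */
static int dispatch(unsigned cmd, const struct diag_req *r)
{
    if (cmd >= sizeof(handlers) / sizeof(handlers[0]) || handlers[cmd] == NULL)
        return -1;                       /* -ENOTTY in a real driver */
    return handlers[cmd](r);
}
```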

Affected versions:
All Android releases from CAF prior to November 15, 2012 using the Linux kernel from the following heads:

  • msm-3.4
  • msm-3.0
  • jb_*
  • ics_*
  • gingerbread_*

Note:
Permission changes in ICS and Jelly Bean that restrict /dev/diag access to the qcom_diag group mitigate CVE-2012-4220 and CVE-2012-4221.

Acknowledgement: 

Qualcomm Innovation Center, Inc. (QuIC) thanks giantpune@gmail.com for reporting the related issues and working with QuIC to help improve Android device security.

Revisions: 

Initial revision

Contact: security-advisory@quicinc.com