Uncontrolled memory mapping in camera driver (CVE-2013-2595)

Release Date: 
May 1, 2013
Advisory ID: 
QCIR-2013-00001-1
Summary: 

The following security vulnerability has been identified in the camera driver.

CVE-2013-2595:
The camera driver provides several interfaces to user space clients. The user space clients communicate with the kernel via syscalls such as ioctl or mmap. The camera driver provides an uncontrolled mmap interface that allows an application with access to the device file to map physical memory beyond the camera driver's own memory into user space. A locally installed, unprivileged application can use this flaw to escalate privileges.

Access Vector: local
Security Risk: high
Vulnerability: CWE-749 (exposed dangerous method or function)
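
The range check whose absence makes an mmap interface "uncontrolled", as an added example (a user-space model in C, not the camera driver's code and not the patch referenced in this advisory). The names region_t, vma_model_t and mmap_request_ok and all addresses are hypothetical; only vm_start, vm_end and vm_pgoff correspond to real fields of the kernel's struct vm_area_struct.

```c
/* Added example: user-space model of the range check an mmap handler needs. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PG_SHIFT 12
#define PG_SIZE  (1ULL << PG_SHIFT)

/* The physical window the driver owns and is willing to expose. */
typedef struct {
    uint64_t phys_base;   /* page-aligned start */
    uint64_t size;        /* length in bytes, page-aligned */
} region_t;

/* Mirrors the fields of struct vm_area_struct that the check relies on. */
typedef struct {
    uint64_t vm_start;
    uint64_t vm_end;
    uint64_t vm_pgoff;    /* offset passed to mmap(), in pages */
} vma_model_t;

/* Returns true only if [offset, offset + len) lies inside the region.
 * On success *phys_out holds the physical address that may be remapped. */
bool mmap_request_ok(const region_t *r, const vma_model_t *vma, uint64_t *phys_out)
{
    if (vma->vm_end <= vma->vm_start)
        return false;
    uint64_t len = vma->vm_end - vma->vm_start;
    /* Reject page offsets whose byte value would overflow 64 bits. */
    if (vma->vm_pgoff > (UINT64_MAX >> PG_SHIFT))
        return false;
    uint64_t off = vma->vm_pgoff << PG_SHIFT;

    /* Compare without computing off + len, which could wrap around. */
    if (off >= r->size || len > r->size - off)
        return false;
    *phys_out = r->phys_base + off;
    return true;
}

int main(void)
{
    region_t cam = { 0x80000000ULL, 4 * PG_SIZE };   /* constructed values */
    vma_model_t ok  = { 0x10000, 0x10000 + 2 * PG_SIZE, 2 };
    vma_model_t bad = { 0x10000, 0x10000 + 2 * PG_SIZE, 3 };
    uint64_t phys = 0;
    printf("in-range: %d, past end: %d\n",
           mmap_request_ok(&cam, &ok, &phys), mmap_request_ok(&cam, &bad, &phys));
    return 0;
}
```

In a real handler, a request that fails this check would be refused (typically with -EINVAL) before any remap call is made.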

Affected versions:
All Android releases from CAF prior to May 1, 2013 using the Linux kernel from the following heads:

  • msm-2.*
  • msm-3.*
  • jb*
  • ics*
  • gingerbread*

Note:
Customers that make active use of this interface, e.g., when using code from kernel branches prior to April 2012, are encouraged to use the contact address below for further information.

Patch: 

We advise customers to apply the following patches for individual branches.

Individual Patches

Acknowledgement: 

Qualcomm Innovation Center, Inc. (QuIC) thanks alephzain1@gmail.com for reporting the related issues and working with QuIC to help improve Android device security.

Revisions: 

Initial revision

Contact: 
security-advisory@quicinc.com