Buffer overflow in Adreno GPU MSM Driver (CVE-2016-2062)

Release Date:

April 28, 2016

Affected Projects:

Android for MSM Firefox OS for MSM QRD Android

Advisory ID:

QCIR-2016-00004-1

CVE ID(s):

CVE-2016-2062

Summary:

The Adreno GPU driver for the MSM Linux kernel contains a heap overflow in the IOCTL_KGSL_PERFCOUNTER_QUERY ioctl command. This results from an incorrect conversion to a signed type when calculating the minimum count value for the query option. This results in a negative integer being used to calculate the size of the buffer, which can result in an integer overflow and a small sized allocation on 32bit systems.

Access Vector: Local

Security Risk: High

Access Vector: Local

Affected Versions:

All Android releases from CAF using the Linux kernel.

Patch:

We advise customers to apply the following patches:

Individual Patches

https://codeaurora.org/cgit/quic/la/kernel/msm-3.18/commit/drivers/gpu/msm/adreno_perfcounter.c?id=27c95b64b2e4b5ff1288cbaa6e353dd803d71576

Acknowledgement:

Qualcomm Innovation Center, Inc. (QuIC) thanks Ben Hawkes of Google Project Zero for reporting the related issues and working with QuIC to help improve Android device security.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com