Buffer overflow in msm_vidc debugfs driver core_info_read and inst_info_read (CVE-2017-8244)

Release Date:

May 1, 2017

Affected Projects:

Android for MSMFirefox OS for MSMQRD Android

Advisory ID:

QCIR-2017-00035-1

CVE ID(s):

CVE-2017-8244

Summary:

The following security vulnerabilities have been identified: CVE-2017-8244 In core_info_read and inst_info_read variable "dbg_buf", "dbg_buf->curr" and "dbg_buf->filled_size" could be modified by different threads at the same time, but they are not protected with mutex or locks. Buffer overflow is possible on race conditions. "buffer->curr" itself could also be overwritten, which means that it may point to anywhere of kernel memory (for write). Access Vector: Local Security Risk: Medium Vulnerability: CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition Affected Versions: All Android releases from CAF using the Linux kernel.

Access Vector: Local

Security Risk: Medium

Access Vector: Local

Affected Versions:

All Android releases from CAF using the Linux kernel

Patch:

We advise customers to apply the following patches:

Individual Patches

CVE-2017-8244:

• https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=f51b0f3b9da62e96b0167a3eb3376fca39fc7baf
• https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=01673e148223c10782b03c5485aff2a82b1900c4
• https://source.codeaurora.org/quic/la//kernel/msm-4.4/commit/?id=fe3bdd12315656347d1bca82d920b3df1a2b0e8a

Acknowledgement:

This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com