Buffer overflow vulnerability in wcnss_wlan_write (CVE-2016-5342)

Release Date:

August 29, 2016

Affected Projects:

Android for MSM Firefox OS for MSM QRD Android

Advisory ID:

QCIR-2016-00030-1

CVE ID(s):

CVE-2016-5342

Summary:

If wcnss_wlan_write is called with more data than was originally allocated, a buffer overflow occurs. The wcnss_service which is running in user space sends a 4-byte value to wcnss platform driver and it allocates a buffer with that size. Later wcnss_service will send calibrated data using file write function on "/dev/wcnss_wlan" device node which never exceeds the allocated size, but as "/dev/wcnss_wlan" device node is open, any entity could write on this device node and write more data which results in buffer overflow.

Access Vector: Local

Security Risk: Medium

Access Vector: Local

Affected Versions:

All Android releases from CAF using the following heads: KitKat, Lollipop, Marshmallow

Patch:

We advise customers to apply the following patches:

Individual Patches

CVE-2016-5342: https://source.codeaurora.org/quic/la/kernel/msm-3.18/commit/?id=579e796cb089324c55e0e689a180575ba81b23d9

Acknowledgement:

We thank Chiachih Wu of C0RE Team for bringing this issue to our attention.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com