Elevation of Privilege Vulnerability in Performance Module (CVE-2016-3768)

Release Date:

July 6, 2016

Affected Projects:

Android for MSM Firefox OS for MSM QRD Android

Advisory ID:

QCIR-2016-00019-1

CVE ID(s):

CVE-2016-3768

Summary:

The following security vulnerabilities have been identified in QuIC-authored KGSL Linux Graphics Module. CVE-2016-3768 When a performance event in off state is enabled multiple times, it gets duplicated. After removal, some duplicated entries remain, leading to a possible use after free in the kernel.

Access Vector: Local

Security Risk: High

Access Vector: Local

Affected Versions:

All Android releases from CAF using the Linux kernel.

Patch:

We advise customers to apply the following patch:

Individual Patch

https://source.codeaurora.org/quic/la//kernel/msm/commit/?id=d75be03af111fb5a31eba82f665242e6d8b07008

Note: This issue is also described in the Android Public Security Bulletin for July 2016.

Acknowledgement:

This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com