Integer overflow and signedness issue in camera JPEG engines (CVE-2013-4736)
Release Date:
August 29, 2013
Affected Projects:
Android for MSM
Firefox OS for MSM
QRD Android
Advisory ID:
QCIR-2013-00005-1
CVE ID(s):
CVE-2013-4736
Summary:
The following security vulnerability has been identified in the MSM JPEG engine drivers (Gemini JPEG encoder, Mercury JPEG decoder, Jpeg1.0 common encoder/decoder).

CVE-2013-4736: The JPEG engines that are part of the camera driver expose an ioctl system call interface through which user space clients communicate with them. When processing hardware-command ioctl calls, the drivers incorrectly handle the number of commands included in the user space payload. This can lead to an integer overflow, after which the driver attempts to process hardware commands from out-of-bounds memory, which can cause the kernel to crash. The same code also treated the number of hardware commands as signed, so a negative count is not caught by a simple upper-bound comparison. Because the interface is an ioctl, the issue is reachable only from a local process with access to the device node.
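The two bug classes named above, a signed command count checked only against an upper bound and a count-times-element-size multiplication that wraps, are shown below side by side with a hardened version. This is an added illustration, not the MSM camera driver's code; the names (hw_cmd, MAX_CMDS, vuln_accept, safe_accept) and the 256-command limit are hypothetical, and the arithmetic is deliberately 32-bit to match the ARM kernels the advisory covers.

```c
/*
 * Added illustration of the bug classes behind CVE-2013-4736.  NOT the MSM
 * camera driver's code: hw_cmd, MAX_CMDS, vuln_accept and safe_accept are
 * hypothetical names.  Sizes are computed in 32 bits on purpose, as they
 * would be on the 32-bit ARM kernels the advisory applies to.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct hw_cmd {            /* one register write handed to the JPEG engine */
    uint32_t reg;
    uint32_t value;
};

#define MAX_CMDS 256u      /* assumed per-request command limit */

/*
 * Vulnerable shape: the count arrives from the user payload as a signed
 * int, is checked only against an upper bound, and is then multiplied by
 * the element size in 32-bit arithmetic to size the kernel-side buffer.
 * Returns 0 (accepted) with the buffer size in *bytes, or -1 (rejected).
 */
int vuln_accept(int32_t count, uint32_t *bytes)
{
    if (count > (int32_t)MAX_CMDS)      /* negative counts sail through */
        return -1;
    /* 0xE0000001 * 8 wraps to 8: a one-command buffer for a huge count */
    *bytes = (uint32_t)count * (uint32_t)sizeof(struct hw_cmd);
    return 0;
}

/*
 * Hardened shape: unsigned count, lower and upper bound enforced, and the
 * size multiplication checked for overflow.  The bound already makes the
 * wrap impossible here; the explicit check keeps it impossible if
 * MAX_CMDS is ever raised.
 */
int safe_accept(uint32_t count, size_t *bytes)
{
    size_t total;
    if (count == 0 || count > MAX_CMDS)  /* zero would be a zero-size buffer */
        return -1;
    if (__builtin_mul_overflow((size_t)count, sizeof(struct hw_cmd), &total))
        return -1;
    *bytes = total;
    return 0;
}

int main(void)
{
    /* constructed user-supplied counts: sane, too large, negative, wrapping */
    int32_t probes[] = { 16, 257, -1, -0x1FFFFFFF };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t vb = 0;
        size_t sb = 0;
        int v = vuln_accept(probes[i], &vb);
        int s = safe_accept((uint32_t)probes[i], &sb);
        printf("count=%11d  vulnerable: %s (buffer %u bytes)  hardened: %s\n",
               probes[i], v == 0 ? "ACCEPT" : "reject", vb,
               s == 0 ? "ACCEPT" : "reject");
    }
    return 0;
}
```

The wrapping probe is the dangerous one: the vulnerable path allocates eight bytes for what the rest of the driver believes is a very large command list, so any loop or DMA descriptor that trusts the original count walks off the end of that buffer. Current Linux kernels provide check_mul_overflow() and array_size() in linux/overflow.h for the checked multiplication; a driver of the 2013 vintage had to write the check by hand, which is what the fix in this advisory does.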
Access Vector: Local
Security Risk: Medium
Affected Versions:
All Android releases from CAF using the Linux kernel from the following heads: msm-3.*, jb*, ics*, gingerbread*
Patch:
We advise customers to apply the following patches for individual branches.
Individual Patches
- msm-3*/jb* releases that use drivers/media/platform/msm/camera_{v1,v2}/{gemini,jpeg_10}:
  https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=fab0bc54f4b70fd1d85300731822379a487d66ca5
- msm-3*/jb*/ics*/gingerbread* releases that use drivers/media/video/msm/{gemini,mercury,jpeg_10}:
  https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=8c5300aec8cd9882b89e9d169680221541da0d7f
  https://www.codeaurora.org/gitweb/quic/la/?p=kernel/msm.git;a=commit;h=81947189009afcfac17d1106101260c660421265
Acknowledgement:
Qualcomm Innovation Center, Inc. (QuIC) thanks alephzain1@gmail.com for reporting the related issues and working with QuIC to help improve Android device security.
Revisions:
Initial revision