Integer Overflow in MDSS Driver (CVE-2016-5344)
Release Date:
August 23, 2016
Affected Projects:
Android for MSM, Firefox OS for MSM, QRD Android
Advisory ID:
QCIR-2016-00031-1
CVE ID(s):
Summary:
Out-of-bounds access in the layer list in rotator and async update in the MDSS software due to improper input validation. If a large size is passed in, the size value overflows, allocating a too-small buffer that is later accessed out of bounds.
Access Vector: Local
Security Risk: Medium
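The overflow pattern described in the summary, shown as an added user-space C illustration; it is not the MDSS driver's code or the referenced patch. `struct layer`, `MAX_LAYERS` and the function names are hypothetical, and the 32-bit size arithmetic is an assumption chosen to make the wrap visible.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical layer descriptor (64 bytes); not the MDSS driver's structure. */
struct layer { uint32_t id; uint32_t flags; uint8_t cfg[56]; };

#define MAX_LAYERS 32u /* assumed policy limit on a caller-supplied count */

/* Unchecked form: the product is computed in 32 bits and can wrap. */
static uint32_t unchecked_bytes(uint32_t count)
{
    return count * (uint32_t)sizeof(struct layer);
}

/* Checked form: bound the count, then prove the product fits in size_t. */
static int checked_bytes(uint32_t count, size_t *out)
{
    if (count == 0 || count > MAX_LAYERS)
        return -1;
    if (count > SIZE_MAX / sizeof(struct layer))
        return -1;
    *out = (size_t)count * sizeof(struct layer);
    return 0;
}

/* Copy a caller-supplied layer list only after the size has been validated. */
static struct layer *copy_layer_list(const struct layer *src, uint32_t count)
{
    size_t bytes;
    struct layer *dst;

    if (!src || checked_bytes(count, &bytes) != 0)
        return NULL;
    dst = malloc(bytes);
    if (dst)
        memcpy(dst, src, bytes);
    return dst;
}

int main(void)
{
    uint32_t count = 0x04000001u; /* constructed value: count * 64 wraps to 64 */
    size_t bytes = 0;

    printf("unchecked: %u bytes for %u layers\n",
           (unsigned)unchecked_bytes(count), (unsigned)count);
    printf("checked: %s\n", checked_bytes(count, &bytes) ? "rejected" : "accepted");
    return 0;
}
```

In kernel code the same guard is available through `kcalloc()` or `kmalloc_array()`, which refuse a count and element size whose product overflows.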
Affected Versions:
All Android releases from CAF using the following heads: KitKat, Lollipop, Marshmallow
Patch:
We advise customers to apply the following patches:
Individual Patches
CVE-2016-5344
Acknowledgement:
We thank Jianqiang Zhao (@jianqiangzhao) and pjf (weibo.com/jfpan) of IceSword Lab, Qihoo 360 for bringing this issue to our attention.
Revisions:
Initial revision