LK – Improper partition bounds checking when flashing sparse images (CVE-2015-0567)

Release Date:

May 12, 2015

Affected Projects:

Android for MSM
Firefox OS for MSM
QRD Android

Advisory ID:

QCIR-2015-00002-1

CVE ID(s):

CVE-2015-0567

Summary:

The following security vulnerability has been identified in the implementation of the Little Kernel (LK) bootloader. CVE-2015-0567: The Little Kernel (LK) application bootloader does not ensure that write operations stay within partition boundaries when flashing sparse images via fastboot. This is possible because certain sparse chunk types allow the write destination offset to be advanced past the partition boundary. This is a problem where additional custom image verification is performed on top of the fastboot flash commands for certain partition names but not for others. This can lead to boot failures or the possibility of bypassing such verification routines.

Access Vector: Local
Security Risk: High

Affected Versions:

All active branches of Little Kernel on CAF are affected.

Patch:

We advise customers to apply the following patches:

https://www.codeaurora.org/cgit/quic/la/kernel/lk/commit/?h=master&id=34a67ddd51b31fa6ab17147bcfef057c9dd831e0

Acknowledgement:

Qualcomm Innovation Center, Inc. (QuIC) thanks Lee Harrison and Michael Contreras for reporting the related issues and working with QuIC to help improve Android device security.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com