LK – insufficient verification of tag_addr when loading device tree (CVE-2014-0974)

Release Date:

July 24, 2014

Affected Projects:

Android for MSM

Advisory ID:

CVE-2014-0974

CVE ID(s):

CVE-2014-0974

Summary:

The following security vulnerability has been identified in the implementation of the Little Kernel (LK) bootloader. CVE-2014-0974: When processing a boot image, under certain conditions LK uses a non-validated tag_addr as the target address for loading the device tree. A memory copy is then executed whose destination address, source data, and length are all taken from the image, which results in an arbitrary memory write. Exploitation requires the ability to upload an arbitrary image to the phone and start its boot process.
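As an added illustration of the defect class described above, the following C models the device tree load step with the destination and length taken straight from a boot-image header, beside a bounds-checked version. This is example code written for this page, not LK's source and not the referenced patch; the header layout, the simulated RAM window, the bootloader address range, and every function name are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/*
 * Constructed boot-image header. Only the fields relevant to the device
 * tree load are modelled; the layout is hypothetical, not LK's struct.
 */
struct boot_img_hdr {
    uint32_t kernel_addr;
    uint32_t ramdisk_addr;
    uint32_t tags_addr;   /* DT destination, taken straight from the image */
    uint32_t dt_size;     /* DT length, also taken from the image */
};

/* Simulated 64 KiB physical RAM window (hypothetical addresses). */
#define RAM_BASE 0x80000000u
#define RAM_SIZE 0x00010000u
#define RAM_END  (RAM_BASE + RAM_SIZE)
static uint8_t ram[RAM_SIZE];

/* Sub-range the bootloader itself occupies; a DT must never land here. */
#define LK_BASE 0x80008000u
#define LK_END  0x8000C000u

static uint8_t *phys_to_ptr(uint32_t paddr) { return ram + (paddr - RAM_BASE); }
void ram_reset(void) { memset(ram, 0, sizeof ram); }
int ram_peek(uint32_t paddr) { return phys_to_ptr(paddr)[0]; }

/*
 * Vulnerable pattern: destination, source and length all come from the
 * image, so a crafted header turns this memcpy into an arbitrary write.
 * (The scenarios below keep the target inside the simulated window only
 * so the demo cannot crash; real hardware has no such safety net.)
 */
int load_dt_unchecked(const struct boot_img_hdr *hdr, const uint8_t *dt)
{
    memcpy(phys_to_ptr(hdr->tags_addr), dt, hdr->dt_size);
    return 0;
}

/* Naive bound check: addr + size can wrap around, so it is bypassable. */
int naive_range_ok(uint32_t addr, uint32_t size, uint32_t lo, uint32_t hi)
{
    return addr >= lo && addr + size <= hi;
}

/* Overflow-safe: [addr, addr+size) lies within [lo, hi) without wrapping. */
int range_ok(uint32_t addr, uint32_t size, uint32_t lo, uint32_t hi)
{
    return addr >= lo && addr < hi && size <= hi - addr;
}

/* Only valid after range_ok() succeeded, so addr + size cannot wrap. */
static int overlaps(uint32_t addr, uint32_t size, uint32_t lo, uint32_t hi)
{
    return addr < hi && lo < addr + size;
}

/* Hardened load: reject empty, out-of-window or bootloader-overlapping targets. */
int load_dt_checked(const struct boot_img_hdr *hdr, const uint8_t *dt)
{
    if (hdr->dt_size == 0)
        return -1;
    if (!range_ok(hdr->tags_addr, hdr->dt_size, RAM_BASE, RAM_END))
        return -1;
    if (overlaps(hdr->tags_addr, hdr->dt_size, LK_BASE, LK_END))
        return -1;
    memcpy(phys_to_ptr(hdr->tags_addr), dt, hdr->dt_size);
    return 0;
}

/* Constructed "device tree" payload used by the scenarios below. */
static const uint8_t payload[4] = { 0xde, 0xad, 0xbe, 0xef };

/* Header aims the DT at the bootloader's own region. Returns the byte now
 * at the target on success (0xde if the write landed), or the error code. */
int scenario_lk_target(int use_checked)
{
    struct boot_img_hdr hdr = { 0, 0, LK_BASE + 0x100, sizeof payload };
    ram_reset();
    int rc = use_checked ? load_dt_checked(&hdr, payload)
                         : load_dt_unchecked(&hdr, payload);
    return rc == 0 ? ram_peek(LK_BASE + 0x100) : rc;
}

/* Header whose tags_addr + dt_size wraps past 2^32; must be rejected. */
int scenario_wrapped_range(void)
{
    struct boot_img_hdr hdr = { 0, 0, 0xFFFFFFF0u, 0x20 };
    ram_reset();
    return load_dt_checked(&hdr, payload);
}

/* Legitimate target inside the window; returns the last byte written. */
int scenario_valid_target(void)
{
    struct boot_img_hdr hdr = { 0, 0, RAM_BASE + 0x1000, sizeof payload };
    ram_reset();
    if (load_dt_checked(&hdr, payload) != 0)
        return -1;
    return ram_peek(RAM_BASE + 0x1000 + sizeof payload - 1);
}

int main(void)
{
    printf("unchecked load into LK region: byte at target = 0x%02x\n", scenario_lk_target(0));
    printf("checked load into LK region:   rc = %d\n", scenario_lk_target(1));
    printf("naive check accepts wrapped range: %d\n",
           naive_range_ok(0xFFFFFFF0u, 0x20, RAM_BASE, RAM_END));
    printf("checked load with wrapped range: rc = %d\n", scenario_wrapped_range());
    printf("checked load to valid target: last byte = 0x%02x\n", scenario_valid_target());
    return 0;
}
```

The two points a reviewer of such a load path should look for are both shown: the destination must be validated against the region the bootloader is willing to have overwritten, and the bound check must be written so that tags_addr + dt_size cannot wrap (compare size against hi - addr rather than addr + size against hi).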

Access Vector: Local
Security Risk: Medium

Affected Versions:

All active branches of the Little Kernel on CAF are affected.

Patch:

We advise customers to apply the following patch:
https://www.codeaurora.org/cgit/quic/la/kernel/lk/commit/?h=master&id=5e…

Acknowledgement:

Qualcomm Innovation Center, Inc. (QuIC) thanks Lee Harrison and Kang Li for reporting the related issues and working with QuIC to help improve Android device security.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com