Missing access checks in put_user/get_user kernel API (CVE-2013-6282)

Release Date:

November 14, 2013

Affected Projects:

Android for MSM, Firefox OS for MSM, QRD Android

Advisory ID:

QCIR-2013-00010-1

CVE ID(s):

CVE-2013-6282

Summary:

The following security vulnerability has been identified in the Linux kernel API. CVE-2013-6282: The get_user and put_user API functions of the Linux kernel fail to validate the target address when used on ARM v6k/v7 platforms. This validation was originally implemented and controlled by the domain switching feature (CONFIG_CPU_USE_DOMAINS), which has been deprecated due to architectural changes. As a result, any kernel code using these API functions may introduce a security issue where none existed before. This allows an application to read and write kernel memory to, e.g., escalate privileges.
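As an added illustration (not the kernel's code and not the linked patch), this user-space C model shows the kind of explicit target-address validation whose absence the summary describes: a 4-byte store is refused unless the whole range lies below the user/kernel boundary, including the wraparound case. The 0xC0000000 boundary, the `model_*` names and the sample addresses are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 32-bit ARM with a 3G/1G split, so user space ends at 0xC0000000. */
#define MODEL_ADDR_LIMIT 0xC0000000u
#define MODEL_EFAULT     14

/* True only if [addr, addr + size) lies wholly below limit.
 * Written without computing addr + size, which could wrap in 32 bits. */
static bool model_range_ok(uint32_t addr, uint32_t size, uint32_t limit)
{
    if (size > limit)
        return false;
    return addr <= limit - size;
}

/* Hypothetical model of a checked put_user for a 4-byte value: the target is
 * validated first and the store is refused with -EFAULT if it is not user
 * memory. The store itself is not performed; this only models the decision. */
static int model_put_user_u32(uint32_t addr, uint32_t limit)
{
    if (!model_range_ok(addr, sizeof(uint32_t), limit))
        return -MODEL_EFAULT;
    return 0;
}

int main(void)
{
    /* Constructed sample targets, not taken from any real system. */
    static const struct { uint32_t addr; const char *what; } cases[] = {
        { 0x00010000u, "ordinary user address" },
        { 0xBFFFFFFCu, "last word below the limit" },
        { 0xBFFFFFFDu, "straddles the limit" },
        { 0xC0008000u, "kernel address" },
        { 0xFFFFFFFEu, "wraps past 2^32" },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        int rc = model_put_user_u32(cases[i].addr, MODEL_ADDR_LIMIT);
        printf("0x%08X %-27s -> %s\n", (unsigned)cases[i].addr, cases[i].what,
               rc == 0 ? "allowed" : "-EFAULT");
    }
    return 0;
}
```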

Access Vector: Local
Security Risk: High

Affected Versions:

All Android releases from CAF using the Linux kernel from the following heads: msm-3.4, jb*, ics*

Patch:

We advise customers to apply the following patches:
https://www.codeaurora.org/cgit/quic/la/kernel/msm/commit/?id=76565e3d786bed66f247c682bd9f591098522483

Acknowledgement:

This vulnerability is exploited in the wild and has been observed to be used in the public vroot exploit.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com