Missing validation of arguments when handling DAP set param ioctl in MSM QDSP6 sound driver (CVE‐2016‐2469)

Release Date:

June 22, 2016

Affected Projects:

Android for MSMFirefox OS for MSMQRD Android

Advisory ID:

QCIR‐2016‐00016‐1

CVE ID(s):

CVE-2016-2469

Summary:

The following security vulnerabilities have been identified in QuIC‐authored MSM QDSP6 sound driver code. CVE‐2016‐2469 The function msm_ds2_dap_set_param() dereferences an untrusted embedded user controlled pointer (dolby_data‐>data[j]) in a for loop when executing the SNDRV_DEVDEP_DAP_IOCTL_SET_PARAM ioctl. The loop bound for this for loop is also set to a user controlled value that can cause a buffer overflow.

Access Vector: Local

Security Risk: High

Access Vector: Local

Affected Versions:

All Android releases from CAF using the Linux kernel.

Patch:

We advise customers to apply the following patches:

Individual Patches

• Fix untrusted pointer dereference (CWE‐822)
  https://source.codeaurora.org/quic/la//kernel/msm-3.10/commit/?id=e7369163162e7773bc887f7a264d6aa46cfcc665
• Fix buffer overflow (CWE‐120)
  https://source.codeaurora.org/quic/la//kernel/msm-3.18/commit/?id=84ab1187ad0d0476ea6eb5f636575cba3a1df317

Acknowledgement:

This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com