Multiple Issues in Camera Drivers (CVE-2014-9410, CVE-2015-0568)

Release Date:

August 21, 2015

Affected Projects:

Android for MSM, Firefox OS for MSM, QRD Android

Advisory ID:

QCIR-2015-00003-1

CVE ID(s):

CVE-2014-9410, CVE-2015-0568

Summary:

The following security vulnerabilities have been identified in the QuIC-authored camera drivers.

CVE-2014-9410: The MSM-VFE31 driver provides an ioctl system call interface to user space clients for communication. When processing this communication, the vfe31_proc_general function uses the user-supplied value cmd->id as an index to a buffer for read and write operations without any boundary checks. Vulnerability: CWE-129 (Improper Validation of Array Index)

CVE-2015-0568: The MSM-Camera driver provides an ioctl system call interface to user space clients for communication. When processing this communication, the msm_set_crop function frees a previously allocated buffer when an error is encountered while attempting to copy data from userspace. The error handling neglects to mark the buffer as being freed, leading to a use-after-free vulnerability when the buffer is used again in subsequent ioctl calls. Vulnerability: CWE-416 (Use After Free)

Access Vector: Local
Security Risk: High
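
The error-path flaw described for CVE-2015-0568, as an added user-space model in C (not the driver's source and not the actual patch): the flawed handler frees the buffer but keeps the pointer, the corrected one clears it in the same step. The names `session`, `set_crop_flawed`, `set_crop_fixed`, `crop_is_dangling` and the `model_*` stand-ins for kernel allocation and `copy_from_user()` are assumptions made for illustration.

```c
/* Added illustration: user-space model, not the MSM camera driver source. */
#include <errno.h>
#include <string.h>
struct crop { int x, y, w, h; };

/* One-slot pool standing in for kmalloc/kfree so liveness can be observed. */
static struct crop slot;
static int slot_live;
static struct crop *model_alloc(void) { slot_live = 1; return &slot; }
static void model_free(struct crop *p) { if (p == &slot) slot_live = 0; }

/* Stand-in for copy_from_user(): fails when the source pointer is NULL. */
static int model_copy(void *dst, const void *src, size_t n)
{
    if (!src) return -1;
    memcpy(dst, src, n);
    return 0;
}

struct session { struct crop *crop; };   /* hypothetical per-client state */

/* Flawed error path: the buffer is freed but the pointer stays in place. */
int set_crop_flawed(struct session *s, const struct crop *user)
{
    if (!s->crop) s->crop = model_alloc();   /* skipped on the next call */
    if (model_copy(s->crop, user, sizeof(*s->crop))) {
        model_free(s->crop);                 /* s->crop now dangles */
        return -EFAULT;
    }
    return 0;
}

/* Corrected error path: the pointer is cleared together with the free. */
int set_crop_fixed(struct session *s, const struct crop *user)
{
    if (!s->crop) s->crop = model_alloc();
    if (model_copy(s->crop, user, sizeof(*s->crop))) {
        model_free(s->crop);
        s->crop = NULL;                      /* next call reallocates */
        return -EFAULT;
    }
    return 0;
}

/* Nonzero when the session still references a freed buffer. */
int crop_is_dangling(const struct session *s)
{
    return s->crop != NULL && !slot_live;
}
```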

Affected Versions:

All Android releases from CAF using the Linux kernel.

Patch:

We advise customers to apply the following patches:

Acknowledgement:

Qualcomm Innovation Center, Inc. (QuIC) thanks Chiachih Wu, Yanfeng Wang, Jianqiang Zhao, Yuan-Tsung Lo, Xuxian Jiang of C0RE Team for reporting the related issues in CVE-2015-0568 and working with QuIC to help improve Android device security.

Qualcomm Innovation Center, Inc. (QuIC) thanks nforest, wushi, Wen Xu and Liang Chen of Keen Team for reporting the related issues in CVE-2014-9410 and working with QuIC to help improve Android device security.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com