Multiple issues in DIAG/KGSL system call handling (CVE-2012-4220, CVE-2012-4221, CVE-2012-4222)

Release Date:

November 15, 2012

Affected Projects:

Android for MSM
Firefox OS for MSM
QRD Android
SIMCOM QRD Android Project

Advisory ID:

QCIR-2012-00001-1

CVE ID(s):

CVE-2012-4220
CVE-2012-4221
CVE-2012-4222

Summary:

Multiple security vulnerabilities have been discovered in the handling of the diagchar_ioctl() and kgsl_ioctl() system call parameters for the diagnostics (DIAG) and KGSL graphics kernel drivers for Android.

CVE-2012-4220: When processing DIAG ioctl system call parameters, several untrusted pointers from user space are dereferenced and used for further computations without verification. A locally installed application can use this flaw to conduct denial of service (DoS) attacks or execute arbitrary code in kernel context.
Security Risk: high
Vulnerability: untrusted pointer dereference (CWE-822)

CVE-2012-4221: Several integer overflows in the processing of DIAG ioctl system call parameters allow a locally installed application to conduct denial of service (DoS) attacks or possibly execute arbitrary code in kernel context.
Security Risk: high
Vulnerability: integer overflow to buffer overflow (CWE-680)

CVE-2012-4222: The KGSL graphics driver did not properly check command values passed to its ioctl system call handler. This can lead to a subsequent NULL pointer dereference. A locally installed application can use this to conduct denial of service attacks (device crash).
Security Risk: medium
Vulnerability: NULL pointer dereference (CWE-476)
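The three defect classes described above (an untrusted user pointer dereferenced inside an ioctl handler, a request size computed without overflow detection, and an unchecked command value that reaches an empty dispatch slot) are illustrated below in a user-space C model of an ioctl dispatcher, with the check that closes each one. This is an added example written for this advisory, not code from the DIAG or KGSL drivers or from the CAF patches; the request header, command numbers, the `user_mem` region and the `*_model` helpers that stand in for access_ok() and copy_from_user() are all hypothetical.

```c
/* Added example (not Qualcomm/CAF driver code): a user-space model of an ioctl
 * dispatcher showing the three defect classes named in the advisory and the
 * checks that close them. All names, layouts and command numbers are hypothetical. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed "user space": a pointer handed to a handler is only valid if the
 * whole range it describes lies inside this region. */
static uint8_t user_mem[4096];
static uint8_t kernel_buf[64]; /* stands in for a kernel-space address */

/* Model of access_ok(): reject ranges outside the region, including ranges
 * whose end wraps around (start + len overflows). */
static int user_range_ok(const void *uptr, size_t len)
{
    uintptr_t start = (uintptr_t)uptr, end;
    if (__builtin_add_overflow(start, len, &end)) return 0;
    return start >= (uintptr_t)user_mem && end <= (uintptr_t)(user_mem + sizeof user_mem);
}

/* Model of copy_from_user(): every byte read from user memory goes through
 * here, so a bad pointer yields -EFAULT instead of a kernel fault (CWE-822). */
static int copy_from_user_model(void *dst, const void *usrc, size_t len)
{
    if (!user_range_ok(usrc, len)) return -EFAULT;
    memcpy(dst, usrc, len);
    return 0;
}

/* Hypothetical request header: element count, element size, user payload pointer. */
struct req_hdr {
    uint32_t count;
    uint32_t elem_size;
    const uint8_t *data; /* user pointer to count * elem_size bytes */
};

#define MAX_PAYLOAD 1024u

/* The unchecked computation (CWE-680): a 32-bit product wraps, so a huge
 * request can look like a tiny one and pass a later size test. */
static uint32_t naive_payload_len(const struct req_hdr *h) { return h->count * h->elem_size; }

/* Overflow-checked version: refuse the request if the product does not fit. */
static int payload_len(const struct req_hdr *h, uint32_t *out)
{
    uint32_t n;
    if (__builtin_mul_overflow(h->count, h->elem_size, &n)) return -EOVERFLOW;
    if (n > MAX_PAYLOAD) return -EINVAL;
    *out = n;
    return 0;
}

/* Hypothetical "write" command: header and payload are both copied in through
 * the checked path; h.data is never dereferenced directly. */
static int handle_write(const void *uarg)
{
    struct req_hdr h;
    uint8_t buf[MAX_PAYLOAD];
    uint32_t n;
    int rc;
    if ((rc = copy_from_user_model(&h, uarg, sizeof h)) != 0) return rc;
    if ((rc = payload_len(&h, &n)) != 0) return rc;
    if ((rc = copy_from_user_model(buf, h.data, n)) != 0) return rc;
    return (int)n; /* bytes accepted */
}

static int handle_reset(const void *uarg) { (void)uarg; return 0; }

/* Command dispatch (CWE-476): the table has a hole at index 1; both the bound
 * and the slot are checked before calling through the pointer. */
typedef int (*handler_fn)(const void *uarg);
static const handler_fn handlers[] = { handle_reset, NULL, handle_write };
#define NR_CMDS (sizeof handlers / sizeof handlers[0])
#define CMD_WRITE 2u

static int model_ioctl(unsigned int cmd, const void *uarg)
{
    if (cmd >= NR_CMDS || handlers[cmd] == NULL) return -ENOTTY;
    return handlers[cmd](uarg);
}

/* Helper: place a header at the start of user_mem and issue CMD_WRITE. */
static int issue_write(uint32_t count, uint32_t elem_size, const uint8_t *data)
{
    struct req_hdr h = { count, elem_size, data };
    memcpy(user_mem, &h, sizeof h);
    return model_ioctl(CMD_WRITE, user_mem);
}

int main(void)
{
    struct req_hdr huge = { 0x10000, 0x10000, user_mem + 64 };
    printf("valid request:        %d\n", issue_write(4, 8, user_mem + 64));
    printf("kernel pointer:       %d\n", issue_write(4, 8, kernel_buf));
    printf("32-bit wrap, naive:   %u\n", naive_payload_len(&huge));
    printf("32-bit wrap, checked: %d\n", issue_write(huge.count, huge.elem_size, huge.data));
    printf("hole in table:        %d\n", model_ioctl(1, user_mem));
    return 0;
}
```

The valid request returns 32 accepted bytes; a payload pointer outside `user_mem` is refused with -EFAULT before anything reads through it; the 0x10000 × 0x10000 request wraps to 0 in the naive computation but is rejected with -EOVERFLOW by the checked one; and command 1, whose table slot is NULL, returns -ENOTTY instead of being called.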

Access Vector: Local
Security Risk: high (CVE-2012-4220, CVE-2012-4221); medium (CVE-2012-4222)

Affected Versions:

All Android releases from CAF prior to November 15, 2012 using the Linux kernel from the following heads: msm-3.4, msm-3.0, jb_*, ics_*, gingerbread_*

Patch:

Note:
Permission changes in ICS and Jelly Bean that restrict /dev/diag access to the qcom_diag group mitigate CVE-2012-4220 and CVE-2012-4221.

We advise customers to apply the following patches:
https://www.codeaurora.org/patches/quic/la/.PATCH_17010_jweEF843feG.tar.gz

Individual Patches

Acknowledgement:

Qualcomm Innovation Center, Inc. (QuIC) thanks giantpune@gmail.com for reporting the related issues and working with QuIC to help improve Android device security.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com