Multiple issues in QDSP6v2 driver (CVE-2016-6693, CVE-2016-6694, CVE-2016-6695, CVE-2016-6696)

Release Date:

October 3, 2016

Affected Projects:

Android for MSM, Firefox OS for MSM, QRD Android

Advisory ID:

QCIR-2016-00049-1

CVE ID(s):

CVE-2016-6693, CVE-2016-6694, CVE-2016-6695, CVE-2016-6696

Summary:

The following security vulnerabilities have been identified:

CVE-2016-6693

A kernel information leak can happen when processing the SNDRV_DEVDEP_DAP_IOCTL_GET_PARAM ioctl command. This command copies data from a kernel space buffer to user space. The kernel buffer has a bounded size; however, the copy uses a user controlled length parameter, and it is not checked whether this user controlled length is greater than the size of the kernel buffer.

Access Vector: Local
Security Risk: High
Vulnerability: CWE-20: Improper Input Validation
Affected versions: All Android releases from Code Aurora Forum using the Linux kernel.

CVE-2016-6694

A kernel information leak can happen when processing the SNDRV_DEVDEP_DAP_IOCTL_GET_PARAM ioctl command. In the function msm_ds2_dap_get_param(), params_value is allocated with the size params_length, i.e., DOLBY_MAX_LENGTH_INDIVIDUAL_PARAM * sizeof(uint32_t). params_value is then passed as a parameter to adm_get_params(). However, the length value given to adm_get_params() is DOLBY_MAX_LENGTH_INDIVIDUAL_PARAM * sizeof(uint32_t) + DOLBY_PARAM_PAYLOAD_SIZE * sizeof(uint32_t), which is greater than DOLBY_MAX_LENGTH_INDIVIDUAL_PARAM * sizeof(uint32_t). This greater length value is used to copy params_value into another memory buffer. The resulting over-read can leak kernel memory.

Access Vector: Local
Security Risk: High
Vulnerability: CWE-126: Buffer Over-read
Affected versions: All Android releases from Code Aurora Forum using the Linux kernel.

CVE-2016-6695

An integer overflow can result in a buffer overflow when processing the SNDRV_DEVDEP_DAP_IOCTL_GET_VISUALIZER ioctl command. The function msm_ds2_dap_param_visualizer_control_get() uses a user controlled length value (set via the set_param ioctl) to compute the size of the memory to be allocated for visualizer_data and adm_params. During these computations integer overflows can occur, so the allocated buffers end up unintentionally small. The memory copy into the undersized adm_params buffer, however, uses the significantly larger, non-overflowed params length value, which overflows the buffer.

Access Vector: Local
Security Risk: High
Vulnerability: CWE-680: Integer Overflow to Buffer Overflow
Affected versions: All Android releases from Code Aurora Forum using the Linux kernel.

CVE-2016-6696

The user controlled length parameter dolby_data->length is of type int32_t and can therefore hold a negative value. The check on this length does not reject values less than or equal to 0. Hence, a negative value bypasses the check that is intended to ensure that the following copy_to_user operation copies the correct number of bytes to user space.

Access Vector: Local
Security Risk: High
Vulnerability: CWE-20: Improper Input Validation
Affected versions: All Android releases from Code Aurora Forum using the Linux kernel.
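The four entries above share two defect classes: a caller-supplied length that is compared against a fixed kernel buffer without rejecting non-positive or oversized values (CVE-2016-6693, CVE-2016-6696), and an allocation size computed from a caller-supplied count without overflow checking (CVE-2016-6695). The following C model is an added illustration and is not part of this advisory or of the QDSP6v2 driver's code; the buffer, the helper names (copy_len_is_valid, alloc_size_checked, get_param_copy) and the 32-bit size arithmetic are constructed for the example, not taken from the driver.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the fixed-size kernel buffer that a GET_PARAM-style
 * ioctl copies out to user space (the driver's real buffer is not modelled). */
#define KBUF_WORDS 32
static uint32_t kbuf[KBUF_WORDS];          /* 128 bytes */

/* Length check for the CVE-2016-6693 / CVE-2016-6696 pattern. The user length
 * is a signed 32-bit int (the advisory describes dolby_data->length as int32_t),
 * so non-positive values must be rejected before the size comparison; a
 * comparison done in signed arithmetic would let a negative length through. */
bool copy_len_is_valid(int32_t user_len, size_t kbuf_bytes)
{
    if (user_len <= 0)
        return false;                      /* rejects negative and zero lengths */
    if ((size_t)user_len > kbuf_bytes)     /* cast is safe: user_len > 0 here */
        return false;
    return true;
}

/* Simulated copy-out that only proceeds when the length validates against both
 * the kernel buffer and the destination. Returns bytes copied, 0 on rejection. */
size_t get_param_copy(int32_t user_len, uint8_t *dst, size_t dst_len)
{
    if (!copy_len_is_valid(user_len, sizeof(kbuf)))
        return 0;
    if ((size_t)user_len > dst_len)
        return 0;
    memcpy(dst, kbuf, (size_t)user_len);
    return (size_t)user_len;
}

/* Overflow-checked allocation size for the CVE-2016-6695 pattern: a size built
 * from a user-controlled element count. Modelled in 32-bit arithmetic so the
 * wrap is the same on 32- and 64-bit hosts. Each step is checked; on overflow
 * the function returns false and leaves *out untouched, so the caller can never
 * allocate a truncated buffer and then copy the full, non-overflowed length. */
bool alloc_size_checked(uint32_t user_count, uint32_t elem_size,
                        uint32_t header_bytes, uint32_t *out)
{
    uint32_t payload, total;
    if (__builtin_mul_overflow(user_count, elem_size, &payload))
        return false;
    if (__builtin_add_overflow(payload, header_bytes, &total))
        return false;
    *out = total;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the computation overflows. */
uint32_t checked_size_or_zero(uint32_t user_count, uint32_t elem_size,
                              uint32_t header_bytes)
{
    uint32_t n;
    return alloc_size_checked(user_count, elem_size, header_bytes, &n) ? n : 0;
}

/* The unchecked computation the advisory describes: the multiply wraps and
 * yields an unintended smaller size. Kept only to contrast with the checked one. */
uint32_t alloc_size_naive32(uint32_t user_count, uint32_t elem_size,
                            uint32_t header_bytes)
{
    return user_count * elem_size + header_bytes;
}

int main(void)
{
    uint8_t out[sizeof(kbuf)];
    printf("len=64   -> copied %zu bytes\n", get_param_copy(64, out, sizeof(out)));
    printf("len=-1   -> copied %zu bytes\n", get_param_copy(-1, out, sizeof(out)));
    printf("len=4096 -> copied %zu bytes\n", get_param_copy(4096, out, sizeof(out)));
    printf("count=0x40000000 elem=8 hdr=16: naive=%u checked=%u (0 = rejected)\n",
           alloc_size_naive32(0x40000000u, 8, 16),
           checked_size_or_zero(0x40000000u, 8, 16));
    return 0;
}
```

The two checks are independent of the driver: any ioctl handler that takes a length or count from user space needs the sign check before the bound comparison, and any size derived by multiplying that value needs the overflow check before the allocation, since a wrapped size followed by a copy of the original length is exactly the CWE-680 chain the advisory names.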

Affected Versions:

All Android releases from Code Aurora Forum using the Linux kernel.

Patch:

We advise customers to apply the following patches:

Individual Patches

Acknowledgement:

This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention. Qualcomm Innovation Center, Inc. (QuIC) also thanks Seven Shen from Trend Micro Mobile Threat Research Team (CVE-2016-6693, CVE-2016-6694, CVE-2016-6695) and Scott Bauer (CVE-2016-6693, CVE-2016-6696) for reporting the related issues independently and working with QuIC to improve Android device security.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com